Presentations and Publications

Week in the Life of a DFIR May 2013 at Security BSides New Orleans

What would you say... ya do here?  Follow along the fast paced world of Incident Response as one intrepid responder goes through a typical week of chasing down malware infections, domain hijackings, and possible data breaches.

DFIR is the intersection of all Security topics, not just dead disk forensics.  We aren’t jacks of all trades, we are the masters of all trades.  See how different tools work together to produce the big picture of what’s happening on your network with some “ripped from the headlines” examples.

Taking Your Registry Analysis to the Next Level June 2012 at SANS Digital Forensics and Incident Response Summit

Contemporary Registry Analysis involves sifting through a registry hive for a list of keys, subkeys, and values. These lists of keys have been gathered over time from Windows 
resources and investigators’ notes, but are they the right ones for your organization to be looking at? The next level of registry analysis is comparing the registry you have with 
what’s “normal”.

What is normal? We will share the results of data-mining the malware analysis that AV companies have published to and the common -- and not so common -- places to hide while comparing them to contemporary research. Then, we’ll look at using existing tools to #nd out what keys are normal in your enterprise. From there, you can save analysis time by fltering out the normal, and focusing on the unique.

Adventures in Disk Image Processing with Open Source Tools June 2011 at The SleuthKit and Open Source Forensics Conference

This talk will chronicle the endeavor to build software to perform routine processing of Windows hard drive disk image using publicly available tools with an emphasis on open source. The goal is to create timelines, extract files, and initiate of collection of operating system information from the registry with the push of a button. The tools exist separately to handle each of the actions, but the combination of these tasks will expedite analysts’ response. There was additional emphasis on aligning the tools on the same platform and language.

Is this Normal? The ABCDEs of Registry Analysis January 2011 at DoD CyberCrime Conference

Harnessing the Registry January 2010 at DoD CyberCrime Conference

First Responders Guide to Computer Forensics: Advanced Topics 2005 from CERT

Wrote Module 1: Log File Analysis

This module focuses on log file analysis, specifically post-event analysis using Swatch and Log Parser. We explain how to install, configure, and execute Swatch and Log Parser and provide several sample configurations for each.

Elizabeth Schweinsberg,
Jun 28, 2012, 2:16 PM
Elizabeth Schweinsberg,
Jun 28, 2012, 2:17 PM
Elizabeth Schweinsberg,
May 28, 2013, 2:46 PM
Elizabeth Schweinsberg,
Jun 28, 2012, 2:19 PM