Microsoft Detection and Response Team (DART) AMA
Event ended
Tuesday, Mar 15, 2022, 09:00 AM PDT
Event details
We are very excited to announce our Microsoft Detection and Response Team (DART) AMA!
About DART: Our job is to respond to compromises and help our customers become cyber-resilient. This is al...
Trevor_Rusher
Updated Feb 16, 2022
Chad_Munkelt (Copper Contributor)
Mar 15, 2022
For someone who is trying to build out their internal DFIR capabilities, what are a few key areas you would recommend they focus on? What are your thoughts on live triage vs traditional forensics (disk images etc.)?
kshitijk (Microsoft)
Mar 15, 2022
Have a playbook to follow -- identify your requirements and needs before an incident strikes. What are your requirements to gather a disk image or triage data? What tools do you need, and do you have them ready? What stakeholders need to be made aware, for legal and compliance reasons? Do site managers know what they need to do to actually acquire the evidence you need? Plan ahead so that execution can be efficient. It probably won't be perfect even then, but it'll still get your team answers faster.
As for live triage vs. deadbox analysis, abide by organizational/evidence preservation/legal and compliance requirements first 🙂 That said, live triage data can be collected and analyzed much more quickly than a disk image can be obtained...
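The answer above stresses having triage tooling ready before an incident and collecting live data quickly while still respecting evidence-preservation requirements. The script below is an added illustration of what such a prepared live-triage collector can look like on a Windows host; it is not DART's tooling and not part of the original thread. It assumes an elevated PowerShell 5.1 or later session and a hypothetical evidence volume `E:\Triage` (change `$OutRoot` to your own removable or network evidence storage). It gathers volatile data first (processes, connections, sessions), then persistence locations and event logs, records who collected what and when, and SHA-256 hashes every artifact so a reviewer can later show nothing changed after acquisition.

```powershell
# Added example, not DART's code. Minimal live-triage collector for a Windows host.
# Assumptions: run as an administrator from elevated PowerShell 5.1+; $OutRoot is a
# hypothetical evidence location on removable/network storage, never the suspect disk.
param(
    [string]$OutRoot = "E:\Triage"   # hypothetical evidence volume
)

$HostName = $env:COMPUTERNAME
$Stamp    = (Get-Date).ToUniversalTime().ToString("yyyyMMddTHHmmssZ")
$Case     = Join-Path $OutRoot "$HostName-$Stamp"
New-Item -ItemType Directory -Path $Case -Force | Out-Null

# Chain-of-custody detail: who collected, from which host, when, on what OS build.
$Os = Get-CimInstance Win32_OperatingSystem
$Meta = [ordered]@{
    Host        = $HostName
    CollectedBy = "$env:USERDOMAIN\$env:USERNAME"
    StartedUtc  = $Stamp
    OsVersion   = $Os.Version
    LastBootUtc = $Os.LastBootUpTime.ToUniversalTime().ToString("o")
}
$Meta | ConvertTo-Json | Set-Content -Path (Join-Path $Case "collection.json") -Encoding UTF8

# Volatile data first: it is lost on reboot, so collect it before anything slower.
# Each entry is a script block so one failing collector does not abort the run.
$Collectors = [ordered]@{
    "processes.csv"  = { Get-CimInstance Win32_Process |
                         Select-Object ProcessId, ParentProcessId, Name, CommandLine, ExecutablePath, CreationDate }
    "netconns.csv"   = { Get-NetTCPConnection |
                         Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime }
    "sessions.csv"   = { Get-CimInstance Win32_LogonSession | Select-Object LogonId, LogonType, StartTime }
    "services.csv"   = { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName }
    "schtasks.csv"   = { Get-ScheduledTask |
                         Select-Object TaskName, TaskPath, State,
                             @{ n = "Exec"; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; " } } }
    "run_keys.csv"   = { "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
                         "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" |
                         Where-Object { Test-Path $_ } |
                         ForEach-Object {
                             $Key = $_
                             (Get-ItemProperty $Key).PSObject.Properties |
                                 Where-Object { $_.Name -notlike "PS*" } |
                                 Select-Object @{ n = "Key"; e = { $Key } }, Name, Value
                         } }
    "localusers.csv" = { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet }
}

foreach ($File in $Collectors.Keys) {
    $Path = Join-Path $Case $File
    try {
        & $Collectors[$File] | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    } catch {
        # Log the failure and keep going; partial triage is still better than none.
        "$File : $($_.Exception.Message)" | Add-Content -Path (Join-Path $Case "errors.log")
    }
}

# Export event logs in native .evtx form so they can be parsed offline with the usual tools.
wevtutil epl Security (Join-Path $Case "Security.evtx")
wevtutil epl System   (Join-Path $Case "System.evtx")

# Hash every artifact last, so the manifest covers the final state of the collection.
Get-ChildItem -Path $Case -File |
    Where-Object { $_.Name -ne "manifest.sha256.csv" } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = "File"; e = { Split-Path $_.Path -Leaf } } |
    Export-Csv -Path (Join-Path $Case "manifest.sha256.csv") -NoTypeInformation -Encoding UTF8
```

Two caveats a practitioner should fold into the playbook: running any collector on a live host changes that host (new process entries, event-log writes, prefetch), so the `collection.json` record of what was run and when is part of the evidence, not an afterthought; and if the organisation's legal or compliance requirements call for a full disk image, this kind of triage is a complement to acquire first, not a substitute.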