The osquery File Carver

Nick Anderson

Track 1

osquery is a cross-platform, open source agent designed to pull system telemetry without modifying the state of the host. This observe-and-report premise has served us well, but as our needs and security goals change, so must the demands we make of our tools. In 2017 we introduced a new feature to osquery: the ability to pull files from a remote system for further analysis. In this talk we'll introduce the file carving capability of osquery and the motivations for shipping it, discuss the design goals and non-goals of the carver, and walk through some use-case wins this new capability has given us at Facebook.
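As an added illustration, not taken from this abstract or from the osquery project's own documentation, here is the shape of a carve request as issued through osquery's SQL interface. The carves table, its carve column and the file path are assumptions for the example; the path is a constructed placeholder chosen to show a typical forensic target rather than anything the talk names.

```sql
-- Constructed example: ask the agent to carve files under /etc/cron.d.
-- The carve = 1 constraint is what turns an ordinary SELECT into a request
-- to archive the matched paths and ship them to the configured endpoint;
-- without it, the table only reports carves already requested.
SELECT *
FROM carves
WHERE path LIKE '/etc/cron.d/%'
  AND carve = 1;

-- Follow-up query: list previously requested carves and their progress.
-- request_id ties the carve back to the query that triggered it, and sha256
-- lets the analyst verify the archive that arrived at the server.
SELECT time, path, sha256, size, status, carve_guid, request_id
FROM carves;
```

The carver is disabled by default; the agent has to be started with `--disable_carver=false` and pointed at upload endpoints (`--carver_start_endpoint` and `--carver_continue_endpoint`) on the TLS remote before the first query does anything beyond returning an empty result. Because carving deliberately moves data off the host, that configuration, and who can issue distributed queries against it, is the part worth threat modeling before rolling the feature out.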

Nick Anderson is a security engineer at Facebook, focused on building and scaling infrastructure for detecting compromise. He is one of the core maintainers and developers of Facebook's osquery project, an open source tool used for intrusion detection, systems operations, and compliance. When Nick isn't focused on host-based security telemetry problems he enjoys cooking, brewing beer, and lock picking.