Investigating Linux Endpoints

Asif Matadar
Tanium

Track 1

Investigating Linux endpoints is often seen by experienced and inexperienced investigators alike as "too complicated", "where do I start?" or even "it's not worth the effort". This talk will demystify these common misconceptions and provide attendees with invaluable insights into investigating Linux endpoints through a scenario-based investigation, where attendees will gain theoretical and practical familiarity, in a methodical manner, with artefacts that are often overlooked when investigating Linux endpoints. The scenario-based investigation will consist of an advanced adversary that has infiltrated an organisation and compromised multiple Linux endpoints. The remit of the DFIR team is to identify all of the compromised Linux endpoints by undertaking triage analysis at scale and to carry out forensic examination of the Linux endpoints using open-source software (OSS).

About Asif Matadar

Asif (@d1r4c) is Director of Endpoint Detection & Response (EDR) at Tanium where he utilises his experience and knowledge of Incident Response, Endpoint Forensics and Threat Landscape to support high-profile clients.

Asif has over 8 years' experience in incident response, leading high-profile cases such as advanced targeted attacks, nation-state attacks, highly complex incidents and data breaches, along with penetration tests on infrastructure, web and mobile applications.

Asif has a particular interest in research and has delivered presentations at industry-recognised conferences around the world, with a keen focus on memory analysis and automation, *nix-based forensics, PowerShell as a defence capability, cloud forensics, and triage analysis.