Remote DFIR Investigations –  Introducing the Open Advanced Forensic Examiner


Rich will present on the OAFE device and how it has transformed the way we conduct investigates across our network.  The OAFE is a forensic analysis bastion host used to conduct DFIR in remote environments. It is built on OSS and includes DPI, NetFlow, network malware detection, IDS, EDR, DNS logging, big data analysis (ELK), and malware sandboxing.  We would also like to release a fork of the code at BrrCon.  Our current version of the OAFE runs headless on Ubuntu.  The system currently uses centralized signatures for network malware detection, syslog for reporting remotely, and a SIEM for alerting.  Rich will focus on the tools and how they fit into the investigative process.  He will have a general discussion about some of the wins we’ve had with the OAFE device and how they have reduced our Mean Time to Response (MTTR) significantly.


Rich Baker is currently a forensic investigative Director within Optum Technology with decades of experience in Information Security and Incident Response (IR).  Optum Technology is the innovative & technical arm of the fortune 6 UnitedHealth Group, the largest private health care organization in America. He has pervious lead IR teams at the US EPA, the NC HHS, and Guidance software.  At Optum Rich leads the security investigations of recently acquired entities using a combination of COTS, OSS and custom built. Rich is currently member of Guidance Software’s customer advisory board.