Lurking in the Shadows

Explore advanced techniques for malware analysis and recovery in this 55-minute conference talk from Hack3rcon II. Delve into the world of digital forensics as Tim Tomes and Mark Baggett demonstrate the power of Volume Shadow Copies for recovering deleted malware and investigating cyber incidents. Learn about the Spirit Box tool for Linux and Windows systems, understand Protected Device Names, and witness hands-on demonstrations of creating and manipulating Volume Shadow Copies. Gain insights into using VSS Admin commands and scripts, and discover potential bugs in these techniques. Enhance your cybersecurity skills with practical knowledge applicable to both offensive and defensive security practices.

Introductions
Title
Agenda
Tim Tomes
Spirit Box
Linux
Windows
Protected Device Names
Demo
What is it
Volume Shadow Copies
Manual Demo
Creating Directory
Creating Volume Shadow Copy
Deleting the Malware
Volume Shadow Copy
Deleting Malware
Commands
VSS Admin
VSS Script
Bugs