Remote DFIR Investigations – Introducing the Open Advanced Forensic Examiner

Rich will present on the OAFE device and how it has transformed the way we conduct investigations across our network. The OAFE is a forensic analysis bastion host used to conduct DFIR in remote environments. It is built on open-source software (OSS) and includes DPI, NetFlow, network malware detection, IDS, EDR, DNS logging, big data analysis (ELK), and malware sandboxing. We would also like to release a fork of the code at BrrCon. Our current version of the OAFE runs headless on Ubuntu. The system currently uses centralized signatures for network malware detection, syslog for remote reporting, and a SIEM for alerting. Rich will focus on the tools and how they fit into the investigative process. He will also give a general discussion of some of the wins we’ve had with the OAFE device and how they have significantly reduced our Mean Time to Response (MTTR).

Presented by