DFRWS 2012 Tutorials Information
For the first time in 2012, DFRWS will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS 2012.
Sunday
Memory forensics with Volatility
Sunday 12:30-5:00 PM (Note: this session is all afternoon)
Dr. Michael Cohen - Senior Software Engineer, Google Inc.
The Open Memory Forensics Tutorial will cover forensic memory analysis
using open source tools, such as The Volatility Memory Analysis
Framework. In particular, we focus on explaining the algorithms behind
the tool, and cover the pros and cons of each technique as applied
in practice. We show how Volatility can be used to perform more
challenging and advanced tasks by scripting its interface. Both Linux
and Windows operating systems will be analysed.
Automating the forensics triage process using Python and Linux
Sunday 12:30-2:30 PM
Doug Koster, Senior Computer Forensic Analyst, TASC
This session will demonstrate Python scripts written to automate portions of
the forensic triage process that most forensic examiners perform on every
drive they look at. These scripts are all GUI driven so that they are usable
by examiners even if they are not familiar with Linux. Tasks automated
include: creating a SuperTimeline from a disk image, carving files from
unallocated disk space, running multiple Anti-Virus scanners against either a
disk image or a folder, and gathering EXIF and Registry data from a disk
image. In addition, we will cover a scripted approach to identifying files of
interest on systems that benefits from the collective knowledge of forensic
examiners in a group.
Google Analytics(tm) Cookies and the Forensic Implications
Sunday 3:00-5:00 PM
James Meyer, Forensics Track Instructor, Defense Cyber Investigations Training Academy
By comparing and contrasting them with standard HTTP cookies, this presentation will offer an in-depth look at the internal workings of Google Analytics(tm) cookies. Over the years, cookies have been disregarded in forensic examinations. For the most part, cookies were merely used to show that a user account had accessed a Web site. With the advent of Google Analytics (GA) cookies, the landscape has changed. GA cookies use a set, documented structure that enables a forensic investigator to obtain useful information pertaining to how the user accessed the target site, the keywords used to locate the site and, in some instances, how many pages were viewed.
Wednesday
Using bulk_extractor for digital forensics triage and cross-drive analysis
Wednesday 12:30-2:30 PM
Simson Garfinkel, Naval Postgraduate School
This tutorial will provide an in-depth introduction to the use of
bulk_extractor, a high-speed feature extractor tool that can be used
with any kind of digital forensics data. The tutorial will discuss how
to use bulk_extractor for rapid triage of new media, how to
use bulk_extractor's post-processing features for file identification
and cross-drive correlation, and how to tune bulk_extractor to improve
performance. Finally, the internal design of the program will be
presented, with instructions on how to develop new bulk_extractor
modules.
Advanced Registry forensics with Registry Decoder
Wednesday 12:30-2:30 PM
Dr. Lodovico Marziale, Digital Forensics Solutions, LLC
It is well known in the digital forensics community that the Microsoft
Windows registry contains a wealth of forensically interesting information
including a history of attached devices, a list of user accounts, visited
URLs, and much more. Analysis of these artifacts is essential in many types
of investigations, such as data exfiltration and computer intrusion. While
basic techniques for analysis of single hive files are common
knowledge, more advanced techniques are less well known. This tutorial on
registry analysis focuses on such advanced techniques as multi-machine
correlation, incorporating registry backups into investigations, and using
the registry for malware analysis. In order to demonstrate these
techniques, we will use the free and open source Registry Decoder tool for
registry analysis.
Forensic Triage & Scalable Data Correlation with sdhash
Wednesday 3:00-5:00 PM
Dr. Vassil Roussev, University of New Orleans
The similarity digest hash (sdhash) tool allows analysts to efficiently
correlate data objects based on common content. It can: a) identify the
presence of embedded/trace evidence (e.g., file remnants on a disk
target); b) correlate multiple versions of the same artifact (code,
text, compound documents); and c) cross-correlate different
representations (on-disk, in-RAM, network flow) of the same or similar object.
The primary objective of the tutorial is to provide hands-on training on
how to install and use sdhash in real-world cases, how to structure
queries, and how to interpret the results. A secondary objective is to provide an
introduction on how to integrate libsdbf (the library behind
sdhash) into other tools, and use it for rapid development of custom
solutions.
Challenges in Forensic Analysis of Smartphone Memory (Flash)
Wednesday 3:00-5:00 PM
Eoghan Casey, Johns Hopkins University
There have been major advances in our ability to acquire the complete
contents of Flash memory on smartphones, including iPhone, Android and
Blackberry. Now digital forensic practitioners and researchers are
working hard to salvage usable data from these memory dumps, including
deleted items. There is still much work to be done in this area, and
there are various challenges to overcome. This hands-on tutorial
immerses digital forensic practitioners and researchers in smartphone
memory dumps and explores the following:
- Different formats of information stored on smartphones
- Common shortcomings of current smartphone forensic tools
- Limitations of decrypting memory contents
- Challenges in locating and interpreting orphaned SQLite records
- Shortcomings of reassembling fragmented digital photographs
- Pitfalls of reassembling fragmented digital video files
- Questions regarding historical geolocation details