DFRWS 2012 Tutorials Information


For the first time in 2012, DFRWS will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS 2012.


Sunday


Memory forensics with Volatility

Sunday 12:30-5:00 PM (Note: this session is all afternoon)
Dr. Michael Cohen - Senior Software Engineer, Google Inc.

The Open Memory Forensics Tutorial will cover forensic memory analysis using open source tools, such as The Volatility Memory Analysis Framework. In particular, we focus on explaining the algorithms behind the tool, and cover the pros and cons of each technique as applicable in practice. We show how Volatility can be used to perform more challenging and advanced tasks by scripting the interface. Both Linux and Windows operating systems will be analysed.


Automating the forensics triage process using Python and Linux

Sunday 12:30-2:30 PM
Doug Koster, Senior Computer Forensic Analyst, TASC

This session will demonstrate Python scripts written to automate portions of the forensic triage process that most forensic examiners perform on every drive they look at. These scripts are all GUI driven so that they are usable by examiners even if they are not familiar with Linux. Tasks automated include: creating a SuperTimeline from a disk image, carving files from unallocated disk space, running multiple Anti-Virus scanners against either a disk image or a folder, and gathering EXIF and Registry data from a disk image. In addition, we will cover a scripted approach to identifying files of interest on systems that benefits from the collective knowledge of forensic examiners in a group.


Google Analytics™ Cookies and the Forensic Implications

Sunday 3:00-5:00 PM
James Meyer, Forensics Track Instructor, Defense Cyber Investigations Training Academy

By comparing and contrasting them with standard HTTP cookies, this presentation will offer an in-depth look at the internal workings of Google Analytics™ cookies. Over the years, cookies have been disregarded in forensic examinations. For the most part, cookies were merely used to show that a user account had accessed a Web site. With the advent of Google Analytics (GA) cookies, the landscape has changed. GA cookies use a set, documented structure that enables a forensic investigator to obtain useful information pertaining to how the user accessed the target site, as well as the keywords used to locate the site and, in some instances, how many pages were viewed.


Wednesday


Using bulk_extractor for digital forensics triage and cross-drive analysis

Wednesday 12:30-2:30 PM
Simson Garfinkel, Naval Postgraduate School

This tutorial will provide an in-depth introduction to the use of bulk_extractor, a high-speed feature extractor tool that can be used with any kind of digital forensics data. The tutorial will discuss how to use bulk_extractor for rapid triage of new media, how to use bulk_extractor's post-processing features for file identification and cross-drive correlation, and how to tune bulk_extractor to improve performance. Finally, the internal design of the program will be presented, with instructions on how to develop new bulk_extractor modules.


Advanced Registry forensics with Registry Decoder

Wednesday 12:30-2:30 PM
Dr. Lodovico Marziale, Digital Forensics Solutions, LLC

It is well known in the digital forensics community that the Microsoft Windows registry contains a wealth of forensically interesting information, including a history of attached devices, a list of user accounts, visited URLs, and much more. Analysis of these artifacts is essential in many types of investigations, such as data exfiltration and computer intrusion. And, while basic techniques for analysis of single hive files are common knowledge, more advanced techniques are less well known. This tutorial on registry analysis focuses on such advanced techniques as multi-machine correlation, incorporating registry backups into investigations, and using the registry for malware analysis. In order to demonstrate these techniques, we will use the free and open source Registry Decoder tool for registry analysis.


Forensic Triage & Scalable Data Correlation with sdhash

Wednesday 3:00-5:00 PM
Dr. Vassil Roussev, University of New Orleans

The similarity digest hash (sdhash) tool allows analysts to efficiently correlate data objects based on common content. It can: a) identify the presence of embedded/trace evidence (e.g., file remnants on a disk target); b) correlate multiple versions of the same artifact (code, text, compound documents); and c) cross-correlate different representations (on-disk, in-RAM, network flow) of the same or similar object. The primary objective of the tutorial is to provide hands-on training on how to install and use sdhash in real-world cases, how to structure queries, and how to interpret the results. A secondary objective is to provide an introduction on how to integrate libsdbf, the library behind sdhash, into other tools, and use it for rapid development of custom solutions.


Challenges in Forensic Analysis of Smartphone Memory (Flash)

Wednesday 3:00-5:00 PM
Eoghan Casey, Johns Hopkins University

There have been major advances in our ability to acquire the complete contents of Flash memory on smartphones, including iPhone, Android and Blackberry. Now digital forensic practitioners and researchers are working hard to salvage usable data from these memory dumps, including deleted items. There is still much work to be done in this area, and there are various challenges to overcome. This hands-on tutorial immerses digital forensic practitioners and researchers in smartphone memory dumps and explores the following:
  • Different formats of information stored on smartphones
  • Common shortcomings of current smartphone forensic tools
  • Limitations of decrypting memory contents
  • Challenges in locating and interpreting orphaned SQLite records
  • Shortcomings of reassembling fragmented digital photographs
  • Pitfalls of reassembling fragmented digital video files
  • Questions regarding historical geolocation details


©2001-2016 DFRWS   |   dfrws [at] dfrws [dot] org  

DFRWS is a US 501(c)(3) non-profit organization.