DFRWS 2013 Tutorials Information

Continuing with last year's inaugural success, DFRWS will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS 2013.


Advanced Smartphone Forensics & Incident Response

Sunday 12:30-5:00 PM (Note: this session is all afternoon)
Eoghan Casey and Bradley Schatz

Smartphones can contain information that is useful in any type of criminal investigation or civil litigation, and these devices have increasingly become a target of cyber-attack and malware. An increasing number of tablet computers are adopting smartphone technology.
Recent advances in digital forensics enable practitioners to recover data from Flash memory and volatile memory on smartphones. However, despite these advances, most organizations and forensic practitioners are poorly prepared to analyze smartphones and associated malware.
This workshop focuses on smartphones as sources of evidence, introducing forensic practitioners, incident responders, computer security professionals, and military personnel to advanced methods of recovering and analysing digital evidence from these devices.
This hands-on tutorial immerses Digital Forensic Practitioners and Researchers in smartphone memory dumps (both Flash and RAM) and explores the following topics: hardware acquisition, recovering file system information, salvaging deleted records, obtaining artifacts of user activity, reassembling fragmented photographs, volatile data analysis, and mobile malware analysis.

Intrusion Forensics

Sunday 13:30-2:30 PM (Note: this session is all afternoon)
Cory Altheide, Senior Security Engineer at Google

"Intrusion Forensics" is a four-hour, hands-on workshop designed to familiarize participants with the core principles involved in performing system compromise investigations. These types of investigations frequently require a non-linear approach and offer a compelling use case for a variety of open source forensics tools. The workshop will consist of a series of short lectures describing the intrusion life cycle and the artifacts created by attackers during each step of an intrusion, followed by hands-on exercises examining these artifacts using completely free, open-source tools. This workshop is developed and delivered by Cory Altheide, lead author of "Digital Forensics With Open Source Tools."


Timeline Analysis with l2t and plaso

Wednesday 12:30-5:00 PM (Note: this session is all afternoon)
Kristinn Gudjonsson, Senior Security Engineer at Google, Inc
Elizabeth Schweinsberg, Security Engineer at Google, Inc

Timeline analysis has really grown in the past few years with new tools that can automate the correlation between multiple data sources into a single timeline. This analysis technique has provided the analyst with a completely new and unprecedented view of the data that lies on the drive.

This workshop will introduce analysts to the new log2timeline tool and how it can be used to quickly solve different types of investigations. During the workshop there will be two hands-on samples that include malware and malicious insider (more formally known as a bad bad boy) investigations.

Small data forensics on a large scale

Wednesday 12:30-2:30 PM
Candice Quates and Vassil Roussev

We define small data forensics as non-grep tools and methods for examining data pieces; we are interested in ways to identify, classify, and correlate them to extract forensic insight. Such tools are primarily for triage and incident response and need to be fast and scalable.
In this tutorial, we will work through a series of practical examples of using sdhash for data and code forensics that cannot be readily achieved by other means. We will also show how our new tool for compressed data classification--zsniff--can provide insight into the content of unknown data.

Memory Forensics to Defeat Encryption, Find Malware, and Help You Lose Weight

Wednesday 3:00-5:00 PM
Jesse Kornblum, Facebook

Memory forensics can help an investigation in ways which are unmatched. Memory images contain user data which is unavailable from other sources, such as encryption keys and full-content network traffic. Simple methods can be used to automatically highlight artifacts of interest. Previously existing memory images on a system may give the examiner these kinds of details from an earlier time in the computer's history. This workshop will provide an overview of the capabilities of memory forensics and go through some examples of real-world cases.


DFRWS is a US 501(c)(3) non-profit organization.