DFRWS 2014 Tutorials Information


Continuing with last year's inaugural success, DFRWS will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS 2014.


Sunday


GRR Tutorial

Sunday 1:00pm - 5:00pm (Note: this session is all afternoon)
Andy Moser, Google Inc.

This workshop will go through a set of exercises using GRR, with short practical discussions and explanations of architecture and design spread through the 3.5 hours.
The workshop is hands on and is roughly divided into the following modules: GRR architecture overview, Do Something Useful With GRR / Getting started, Client Customization, Using the Console, Running a Hunt, and Create a new Artifact.


RE(:) go

Sunday 1:00pm - 3:00pm
Golden G. Richard III: University of New Orleans and Arcane Alloy, LLC

Reverse engineering involves deep analysis of the code, structure, and functionality of software using both static and dynamic methods. Increasingly, digital forensics investigations involve reverse engineering efforts, to understand the potential impact of malware on an investigation, to reveal the origins of cyber attacks, and to determine what mitigations might be necessary. This workshop provides attendees with a gentle (but not too gentle) introduction to issues in reverse engineering modern malware, including necessary prerequisite knowledge, useful tools and techniques, and potential pitfalls.

The workshop also surveys common languages used for malware development and, in addition to covering fundamentals, focuses on reverse engineering go (golang) applications. Go is a potentially attractive target for malware development and a viable alternative to C, because it is fast, portable, easy to use, has ready access to low-level interfaces, and generates completely self-contained executables.

The goal of the workshop is to appeal to the generally curious, to researchers for whom having malware analysis skills might be useful, and to academics considering introducing reverse engineering modules into their computer security curriculum. Attendees are assumed not to be prone to psychotic episodes when exposed to Intel assembler and to be at least a little bit interested in go.


SQLite Analysis

Sunday 3:00pm - 5:00pm
Eoghan Casey, MITRE

SQLite databases are becoming more widely used on smartphones and tablets, as well as in desktop applications such as Skype and Firefox. Many smartphone apps on Android and iOS devices store user data in SQLite databases. How can you pull out useful information from these database files if your tools do not know the database schema used by the app? How do you find deleted records in SQLite databases? In addition, these databases maintain data integrity with the help of Journal and Write Ahead Log files. From a forensic viewpoint, it is important to understand the impact that these files have on what you see or do not see.

This hands-on workshop will provide you with the necessary database concepts to write your own custom queries in order to extract the data from the SQLite databases in a more meaningful way than simply dumping everything. You will also learn about the SQLite file structure, including areas that can contain deleted information. At the end of the session you will have a collection of sample SQLite queries that you can use as a template to create your own. You will also understand how to recover deleted records from a SQLite file.


Wednesday


Timeline Analysis

Wednesday 1:00pm - 5:00pm (Note: this session is all afternoon)
Elizabeth Schweinsberg, Incident Responder at Google, Inc

Timeline analysis has really grown in the past few years with new tools that can automate the correlation between multiple data sources into a single timeline. This analysis technique has provided the analyst with a completely new and unprecedented view of the data that lies on the drive.

And with the introduction of the new log2timeline engine called plaso, things are changing even more. The next generation of log2timeline produces standard data with more features, which in turn opens up new ways of analyzing the massive dataset the tool extracts from any given drive.

The purpose of this workshop is to introduce analysts to the new log2timeline tool and how it can be utilized to quickly solve different types of investigations. During the workshop there will be two hands-on samples -- a malware investigation and a malicious insider one.


Memory Forensics, beginner level

Wednesday 1:00pm - 5:00pm (Note: this session is all afternoon)
Michael Cohen, Senior Software Engineer, Google Inc.
Johannes Stuttgen, Department of Computer Science, Friedrich-Alexander University of Erlangen-Nuremberg


The workshop will be interactive, using open source memory analysis tools, with hands-on exercises mixed with theory talks that explain the basic theory required to understand the output of the tool. In particular, the workshop will be focused on the new Rekall memory analysis framework.

In the past few years memory analysis has proven extremely useful for detecting malware and advanced threats on potentially compromised systems. This workshop explores the art and science of memory analysis using open source tools. The workshop will be hands on and allow participants to try these techniques themselves on sample images and live analysis of their own machines.



©2001-2016 DFRWS   |   dfrws [at] dfrws [dot] org  

DFRWS is a US 501(c)(3) non-profit organization.