DFRWS 2014 Tutorials Information
Continuing with last year's inaugural success, DFRWS will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS 2014.
Sunday
GRR Tutorial
Sunday 1:00pm - 5:00pm
(Note: this session is all afternoon)
Andy Moser, Google Inc.
This workshop will go through a set of exercises using GRR, with short
practical discussions and explanations of architecture and design
spread through the 3.5 hours.
The workshop is hands on and is roughly divided into the following modules: GRR architecture overview, Do Something Useful With GRR / Getting started, Client Customization, Using the Console, Running a Hunt, and Create a new Artifact.
RE(:) go
Sunday 1:00pm - 3:00pm
Golden G. Richard III, University of New Orleans and Arcane Alloy, LLC
Reverse engineering involves deep analysis of the code, structure, and
functionality of software using both static and dynamic
methods. Increasingly, digital forensics investigations involve reverse
engineering efforts, to understand the potential impact
of malware on an investigation, to reveal the origins of cyber attacks, and
to determine what mitigations might be necessary.
This workshop provides attendees with a gentle (but not too gentle)
introduction to issues in reverse engineering modern malware,
including necessary prerequisite knowledge, useful tools and techniques,
and potential pitfalls.
The workshop also surveys common languages used for malware development and
in addition to covering fundamentals, focuses on
reverse engineering go (golang) applications. Go is a potentially
attractive target for malware development and a viable alternative to C,
because it is fast, portable, easy to use, has ready access to low level
interfaces, and generates completely self-contained executables.
The goal of the workshop is to appeal to the generally curious, to
researchers for whom having
malware analysis skills might be useful, and to academics considering
introducing reverse engineering modules into their computer
security curriculum.
Attendees are assumed not to be prone to psychotic episodes when exposed to
Intel assembler and to be at least a little bit interested in go.
SQLite Analysis
Sunday 3:00pm - 5:00pm
Eoghan Casey, MITRE
SQLite databases are becoming more widely used on smartphones and tablets, as well as in desktop applications such as Skype and Firefox. Many smartphone apps on Android and iOS devices store user data in SQLite databases. How can you pull out useful information from these database files if your tools do not know the database schema used by the app? How do you find deleted records in SQLite databases? In addition, these databases maintain data integrity with the help of Journal and Write Ahead Log files. From a forensic viewpoint, it is important to understand the impact that these files have on what you see or do not see.
This hands-on workshop will provide you with the necessary database concepts to write your own custom queries in order to extract the data from the SQLite databases in a more meaningful way than simply dumping everything. You will also learn about the SQLite file structure, including areas that can contain deleted information. At the end of the session you will have a collection of sample SQLite queries that you can use as a template to create your own. You will also understand how to recover deleted records from a SQLite file.
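The file-structure point above (deleted cells linger in freeblocks, in the unallocated gap of a b-tree page, and on freelist pages until they are overwritten) is easy to see with a small carver. The following is an added example written for this page, not material from the tutorial: it builds a throwaway database with constructed sample rows, deletes one, and then walks the raw page layout described in the SQLite file format to pull printable strings out of every slack region. It assumes the library's `secure_delete` pragma is switched off (several distributions build SQLite with it on, in which case freed cells are zeroed and nothing is recoverable this way), and it reads only the main database file; a `-journal` or `-wal` file beside it can hold page images the main file does not yet, or no longer, shows.

```python
"""Carve slack space out of a SQLite database file.

Added example, not part of the DFRWS tutorial material. Builds a sample
database (constructed data), deletes a row, then reads the raw file to find
the regions where deleted cells linger: freeblocks inside b-tree pages, the
unallocated gap between the cell-pointer array and the cell content area,
and whole pages sitting on the database freelist.
"""
import os
import re
import sqlite3
import tempfile

# B-tree page type byte -> page header length (interior index/table: 12, leaf: 8).
PAGE_TYPES = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}


def build_sample_db(path):
    """Constructed sample: three messages, the middle one deleted afterwards."""
    con = sqlite3.connect(path)
    # secure_delete zero-fills freed cells; some distributions default it to ON,
    # so force it OFF here to show the ordinary (recoverable) case.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages(sender, body) VALUES (?, ?)", [
        ("alice", "lunch tomorrow?"),
        ("mallory", "meet at the warehouse at midnight"),
        ("bob", "running late, start without me"),
    ])
    con.commit()
    con.execute("DELETE FROM messages WHERE sender = 'mallory'")
    con.commit()
    con.close()


def carve_slack(path):
    """Return (page_number, region_name, bytes) for every slack region in the file."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = int.from_bytes(data[16:18], "big")
    if page_size == 1:          # the format encodes 65536 as 1
        page_size = 65536
    regions = []

    for pgno in range(1, len(data) // page_size + 1):
        page = data[(pgno - 1) * page_size:pgno * page_size]
        hdr = 100 if pgno == 1 else 0      # page 1 starts with the 100-byte file header
        if page[hdr] not in PAGE_TYPES:
            continue                        # overflow, freelist, pointer-map or lock-byte page
        hdr_len = PAGE_TYPES[page[hdr]]
        first_free = int.from_bytes(page[hdr + 1:hdr + 3], "big")
        n_cells = int.from_bytes(page[hdr + 3:hdr + 5], "big")
        content = int.from_bytes(page[hdr + 5:hdr + 7], "big") or 65536
        # Unallocated space: after the cell-pointer array, before the cell content area.
        unalloc = hdr + hdr_len + 2 * n_cells
        if content > unalloc:
            regions.append((pgno, "unallocated", page[unalloc:content]))
        # Freeblock chain: each block begins with next-pointer (2 bytes) and size (2 bytes);
        # only those 4 bytes of a deleted cell are overwritten, the rest survives.
        off, seen = first_free, set()
        while off and off not in seen:
            seen.add(off)
            nxt = int.from_bytes(page[off:off + 2], "big")
            size = int.from_bytes(page[off + 2:off + 4], "big")
            regions.append((pgno, "freeblock", page[off + 4:off + size]))
            off = nxt

    # Freelist: header offset 32 holds the first trunk page. A trunk page stores the
    # next trunk pointer, a leaf count, then leaf page numbers; leaf pages are unused
    # in full and keep whatever they held when they were freed.
    trunk = int.from_bytes(data[32:36], "big")
    while trunk:
        base = (trunk - 1) * page_size
        nxt = int.from_bytes(data[base:base + 4], "big")
        n_leaves = int.from_bytes(data[base + 4:base + 8], "big")
        for i in range(n_leaves):
            leaf = int.from_bytes(data[base + 8 + 4 * i:base + 12 + 4 * i], "big")
            regions.append((leaf, "freelist-leaf", data[(leaf - 1) * page_size:leaf * page_size]))
        regions.append((trunk, "freelist-trunk", data[base + 8 + 4 * n_leaves:base + page_size]))
        trunk = nxt
    return regions


def recover_strings(path, min_len=4):
    """Printable ASCII runs found in slack, tagged with page number and region."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(pgno, region, m.group().decode("ascii"))
            for pgno, region, blob in carve_slack(path)
            for m in pattern.finditer(blob)]


def demo():
    """Build the sample database in a temp dir and return the carved strings."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_sample_db(path)
        return recover_strings(path)


if __name__ == "__main__":
    for pgno, region, text in demo():
        print(f"page {pgno} {region}: {text!r}")
```

The carved string for the deleted row still carries a byte or two of record header in front of the text (the serial-type bytes that happen to be printable), which is why a real tool decodes the surviving record header rather than stopping at `strings`; the point here is only to show which byte ranges are worth looking at and why a zeroed `secure_delete` page or a pending journal changes what you see.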
Wednesday
Timeline Analysis
Wednesday 1:00pm - 5:00pm
(Note: this session is all afternoon)
Elizabeth Schweinsberg, Incident Responder at Google, Inc
Timeline analysis has really grown in the past few years with new tools that can automate the correlation between multiple data sources into a single timeline. This analysis technique has provided the analyst with a completely new and unprecedented view of the data that lives on the drive.
And with the introduction of the new log2timeline engine called plaso, things are changing even more. The next generation of log2timeline produces standard data with more features, which in turn opens up new ways of analyzing the massive dataset the tool extracts from any given drive.
The purpose of this workshop is to introduce analysts to the new log2timeline tool and how it can be utilized to quickly solve different types of investigations. During the workshop there will be two hands-on samples: a malware investigation and a malicious-insider investigation.
Memory Forensics, beginner level
Wednesday 1:00pm - 5:00pm
(Note: this session is all afternoon)
Michael Cohen, Senior Software Engineer, Google Inc.
Johannes Stuttgen, Department of Computer Science, Friedrich-Alexander University of Erlangen-Nuremberg
The workshop will be interactive using open source memory analysis
tools, with hands on exercises mixed with theory talks which explain
the basic theory required to understand the output of the tool. In
particular, the workshop will be focused on the new Rekall memory
analysis framework.
In the past few years memory analysis has proven extremely useful for
detecting malware and advanced threats on potentially compromised
systems. This workshop explores the art and science of memory analysis
using open source tools. The workshop will be hands on and allow
participants to try these techniques themselves on sample images and
live analysis of their own machines.