DFRWS 2014 EU Tutorials Information


Continuing with recent success at DFRWS USA, DFRWS EU will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS EU 2014.



GRR Incident Response Framework


Michael Cohen, Andreas Moser (Google)

This workshop will cover installation, client deployment, management and the basics of extending the GRR framework (code.google.com/p/grr). GRR is an open-source, scalable, cross-platform response tool for handling small or massive-scale incidents in real time. The system is built on top of other major open source projects such as The Sleuth Kit, Rekall, Plaso and AFF4, and combines these tools into a scalable automation framework that can be used for live forensics.
Topics include the GRR architecture, deploying and customizing GRR clients, automated data collection, hunting, remote memory analysis with Rekall, using the console, and the basics of writing custom flows to automate tasks.


Video File Fragment Recovery using Defraser


Rikkert Zoun (Netherlands Forensic Institute)

This is a hands-on workshop on video file carving and repair using the open source tool "Defraser", developed at the Netherlands Forensic Institute. Unlike conventional data recovery tools, Defraser incorporates advanced knowledge of video file structures, enabling it to recover even incomplete remnants of deleted video files. Typically, it is used for forensic examination of smartphone or consumer camera memory and PC or DVR hard drives.
The workshop introduces the functionalities of Defraser, through hands-on exercises, working towards the analysis of a smartphone memory card dump containing partially overwritten video recordings. The aim of the workshop is to provide the participants with enough knowledge to be able to use Defraser in their own investigations effectively and efficiently.
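The structural carving the abstract describes, as an added example that is not Defraser's own code: a small Python carver that walks ISO base media (MP4/3GP/MOV) box headers over a constructed "memory card dump" at any byte alignment, chains adjacent top-level boxes into fragments, and reports a remnant whose ftyp header has been overwritten, which a conventional header-signature carver never sees. The trusted box set, the sample image and the helper names are assumptions; Defraser handles many more container formats and also repairs what it finds, which this does not attempt.

```python
import struct
from dataclasses import dataclass

# Box (atom) types this toy carver trusts as anchors; an assumption, a real
# carver carries the full ISO 14496-12 / 3GPP vocabulary.
KNOWN_BOXES = {b"ftyp", b"moov", b"mdat", b"free", b"mvhd", b"trak", b"skip"}
HDR = struct.Struct(">I4s")  # 32-bit big-endian size, then 4-char type


def box(btype: bytes, payload: bytes = b"") -> bytes:
    """Build one ISO-BMFF box (used only to construct the sample image)."""
    return HDR.pack(HDR.size + len(payload), btype) + payload


@dataclass
class Fragment:
    start: int
    end: int
    boxes: list
    has_header: bool  # True when the chain begins with an ftyp box


def scan_box_headers(image: bytes) -> dict:
    """Map offset -> (type, size) for every plausible box header, at any alignment.
    Size 0 (box runs to EOF) and 1 (64-bit largesize follows) are not handled here."""
    headers = {}
    for off in range(len(image) - HDR.size + 1):
        size, btype = HDR.unpack_from(image, off)
        if btype in KNOWN_BOXES and HDR.size <= size <= len(image) - off:
            headers[off] = (btype, size)
    return headers


def carve_fragments(image: bytes) -> list:
    """Chain adjacent top-level boxes into fragments; nested boxes (e.g. mvhd
    inside moov) fall inside an already-consumed range and are skipped."""
    headers = scan_box_headers(image)
    fragments, frag_end = [], 0
    for off in sorted(headers):
        if off < frag_end:
            continue
        chain, cur = [], off
        while cur in headers:
            btype, size = headers[cur]
            chain.append(btype)
            cur += size
        fragments.append(Fragment(off, cur, chain, chain[0] == b"ftyp"))
        frag_end = cur
    return fragments


def carve_by_signature(image: bytes) -> list:
    """What a conventional signature carver does: look for an ftyp header only."""
    return [off for off, (btype, _) in scan_box_headers(image).items() if btype == b"ftyp"]


# Constructed sample dump: one intact recording, then a second recording whose
# 20-byte ftyp header was overwritten (0xCC bytes) but whose mdat and trailing
# moov survive, the way camera firmware commonly lays a file out.
_intact = (box(b"ftyp", b"isom\x00\x00\x00\x00isom")
           + box(b"moov", box(b"mvhd", b"\x00" * 12))
           + box(b"mdat", b"\xaa" * 64))
_remnant = box(b"mdat", b"\xbb" * 50) + box(b"moov", box(b"mvhd", b"\x00" * 12))
SAMPLE_IMAGE = b"\xaa" * 13 + _intact + b"\xaa" * 37 + b"\xcc" * 20 + _remnant + b"\xaa" * 9

if __name__ == "__main__":
    for f in carve_fragments(SAMPLE_IMAGE):
        print(f"{f.start:#06x}-{f.end:#06x} {[b.decode() for b in f.boxes]} header={f.has_header}")
    print("signature-only carver finds:", carve_by_signature(SAMPLE_IMAGE))
```

Run as-is, the structural carver reports two fragments (the intact file and the headerless mdat+moov remnant), while the signature carver reports only the one offset where an ftyp box survives. A practitioner would extend the sanity checks (moov must parse, mdat size must agree with the sample tables) before trusting a headerless hit.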


Real Network Forensics KungFu


Kelvin WONG, Alan HO and Anthony LAI (VXRL)

Most "network forensics" work focuses only on packet capture (pcap) and NetFlow analysis, but that is just one part of an investigation. An investigator is not a prophet: it is impossible to capture the traffic before an incident has occurred in order to trace the intruder. Network forensics should therefore cover not only captured traffic but all network-related evidence acquired from the compromised machine (in memory, the registry, web applications and, of course, the network traffic itself). The workshop concentrates on practical skills and recommends a best-practice approach for forensic professionals through a case study. We will also demonstrate a new project (proposed by Ran2) that could identify the attacker at an early stage to ease further investigation.


Memory forensic analysis workshop


Michael Cohen, Johannes Stuettgen (Google)

This workshop will cover the memory analysis process, from acquisition to analysis, using open source tools such as Rekall, WinPmem and Volatility. It focuses specifically on detecting typical malware in memory images using techniques such as hook detection, list following (walking the kernel's own linked structures) and scanning, applied to Windows, OS X and Linux images. The workshop will also cover common anti-forensics techniques.
The workshop will also demonstrate live memory analysis. We recommend delegates bring a laptop with a Windows virtual machine installed so they can run analysis directly on its live memory in real time.
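The cross-view comparison of list following and scanning named above, as an added example that is not Rekall's or Volatility's code: a Python script that builds a constructed "memory image" of fixed-layout process records linked into a circular doubly-linked list, unlinks one record the way a DKOM rootkit does (neighbours rewritten, the victim's bytes left in place), and then reports any record that tag scanning finds but the list walk does not. The record layout, the pool tag b"Proc", the addresses and the process names are all assumptions; real kernels use far larger structures and a separate list head, which the example collapses into the first process for brevity.

```python
import struct
from dataclasses import dataclass

# Assumed toy record layout: tag(4) pid(4) name(16) flink(4) blink(4), little-endian.
REC = struct.Struct("<4sI16sII")
TAG = b"Proc"  # hypothetical pool tag standing in for a real allocator tag
FLINK_OFF, BLINK_OFF = 24, 28


@dataclass
class Proc:
    addr: int
    pid: int
    name: str
    flink: int
    blink: int


def read_proc(image: bytes, addr: int) -> Proc:
    tag, pid, name, flink, blink = REC.unpack_from(image, addr)
    if tag != TAG:
        raise ValueError(f"no process record at {addr:#x}")
    return Proc(addr, pid, name.rstrip(b"\0").decode(), flink, blink)


def build_image(procs, hide_pid=None):
    """Lay records 0x40 apart from 0x100, link them circularly, and optionally
    hide one by DKOM-style unlinking. Returns (image, list_head_address); the
    first record doubles as the list head, so hide_pid must not be the first."""
    n = len(procs)
    addrs = [0x100 + i * 0x40 for i in range(n)]
    image = bytearray(0x100 + n * 0x40)
    for i, (pid, name) in enumerate(procs):
        REC.pack_into(image, addrs[i], TAG, pid, name.encode(),
                      addrs[(i + 1) % n], addrs[(i - 1) % n])
    if hide_pid is not None:
        victim = read_proc(image, addrs[[p for p, _ in procs].index(hide_pid)])
        # Only the neighbours change; the victim's own record stays in memory.
        struct.pack_into("<I", image, victim.blink + FLINK_OFF, victim.flink)  # prev.flink
        struct.pack_into("<I", image, victim.flink + BLINK_OFF, victim.blink)  # next.blink
    return bytes(image), addrs[0]


def walk_list(image, head, limit=10_000):
    """List following: trust the kernel's own links, as a live tool would."""
    seen, addr = [], head
    for _ in range(limit):
        p = read_proc(image, addr)
        seen.append(p)
        addr = p.flink
        if addr == head:
            return seen
    raise RuntimeError("list never returns to head: corrupted or looping")


def scan_pool(image, align=4):
    """Scanning: find every record by its tag regardless of linkage, with
    sanity checks so stale or bogus hits are not reported as processes."""
    hits = []
    for off in range(0, len(image) - REC.size + 1, align):
        if image[off:off + 4] != TAG:
            continue
        p = read_proc(image, off)
        if p.flink < len(image) and p.blink < len(image) and p.name:
            hits.append(p)
    return hits


def find_hidden(image, head):
    """Cross-view: anything scanning sees that the list walk does not."""
    walked = {p.pid for p in walk_list(image, head)}
    return sorted(p.pid for p in scan_pool(image) if p.pid not in walked)


if __name__ == "__main__":
    sample = [(4, "System"), (300, "explorer.exe"), (1337, "rootkit.exe"), (2048, "svchost.exe")]
    img, head = build_image(sample, hide_pid=1337)
    print("list walk :", [p.pid for p in walk_list(img, head)])
    print("tag scan  :", sorted(p.pid for p in scan_pool(img)))
    print("hidden    :", find_hidden(img, head))
```

The point of the cross-view is that each technique fails differently: the walk is blind to unlinked records, while the scan also returns freed or stale allocations, which is why the sanity checks on the scanned hits matter before a difference is reported as a hidden process.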


Practical Cloud Forensics: Forensic Analysis of OpenStack Cloud Computing Platform


Lee Tobin, DigitalFIRE (Ireland)
Paulo Roberto Nunes de Souza, DigitalFIRE (Ireland)
Afrah Almansoori, Dubai Police (UAE)
Pavel Gladyshev, DigitalFIRE (Ireland)
Babak Habibnia, University College Dublin (Ireland)


Given the current rate of cloud adoption, the ability to investigate attacks on and misuse of cloud installations is going to be essential for corporate IT security and for law enforcement. OpenStack software (www.openstack.org), the foundation of the Ubuntu Cloud distribution, is one of the most accessible open source platforms for cloud computing. This half-day workshop will explore the main components of OpenStack (Nova compute, Nova block storage, Swift distributed persistent object storage, Keystone authentication service, Neutron networking, and Glade UI) and the key forensic artifacts associated with them. The presented concepts and artifacts will be illustrated with a running example of an OpenStack investigation that attendees will be able to follow hands-on on their laptops, using supplied evidential data and DigitalFIRE's virtual cloud environment for VirtualBox.
The workshop is aimed at digital forensic practitioners and researchers with some investigative experience and a working knowledge of Linux system administration. Familiarity with kernel-based virtual machines (KVM) and Python programming is an advantage, although not strictly required.


©2001-2016 DFRWS   |   dfrws [at] dfrws [dot] org  

DFRWS is a US 501(c)(3) non-profit organization.