DFRWS 2015 Tutorials Information

Continuing with last year's success, DFRWS will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS 2015.


GRR Rapid Response

Sunday 1:00pm - 5:00pm (Note: this session is all afternoon)
Greg Castle, Google Inc.

This workshop is another instance of the GRR workshops at last year's DFRWS conferences. It will be a short introduction for people new to GRR, followed by pure hands-on work.

Participants will get access to a fully set up GRR environment, including machines to investigate running Windows and Linux, and will learn how to use GRR to solve various forensics tasks. Those tasks range from pretty easy ones like reading files or registry keys to advanced forensics techniques like grabbing artifacts directly from live memory across the whole testbed at the same time.

Knowledge of GRR is no prerequisite for this workshop but if you'd like to attend, we'd kindly ask you to bring a laptop capable of web browsing. If this is not feasible for some reason, there is of course also the option to collaborate with other participants.

Creating forensic tools in Go

Sunday 1:00pm - 3:00pm
Vico Marziale and Joe Sylve, BlackBag Technologies

In this hands-on workshop attendees will learn how to develop forensics tools in Google's Go programming language. We will first present an overview of the Go programming language, focused on those parts that are most useful for developing forensics tools, and then present a simple parser for a commonly encountered forensic artifact. Last, attendees will develop a simple parser for another common forensics artifact, with the assistance of the presenters.

This workshop is intended for forensics tool developers. Some programming experience is a must, preferably in a C-like language, but no experience with Go specifically is required.

Participants should bring a laptop with Go installed prior to the workshop (Go implementations are available for all common OSs). They will be provided with handouts of a Go "cheat sheet" and a copy of the presentation slides.

Vehicle forensics

Sunday 3:00pm - 5:00pm
Ben Lemere, Berla Corporation

This workshop will be in the form of a presentation at an intermediate technical level.

Over the past several years, automotive manufactures have been adding advanced technology to seamlessly and safely integrate access to our digital lives from within our vehicles. The industry is evolving from making vehicles that simply take us from one destination to another, to vehicles that create an experience that entertains and informs us as well as facilitates voice and data communications while we travel.

Vehicle Infotainment and Telematics systems store a vast amount of data such as recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been. Many systems record events such as when and where a vehicle's lights are turned on, which doors are opened and closed at specific locations, and even where the vehicle is when Bluetooth devices connect. This feature is critical, for example, to investigators who do not have a suspect's phone but need information from it. Having a suspect's supported vehicle is the next best thing and can provide much of the same information.

This information is not easily retrievable and is typically stored in several different systems within a vehicle not traditionally associated with event data. This presentation will address the data stored in several different infotainment and telematics systems and touch on methods to acquire and analyze it.


Reverse Engineering with Rekall

Wednesday 1:00pm - 5:00pm
Michael Cohen, Google

Memory forensics has become increasingly useful in recovering important forensically significant information. From detecting and analyzing malware to understanding how common applications store forensically significant information, reverse engineering is a useful skill.

This workshop is a hands-on application of useful reverse engineering tools and techniques employed in order to rapidly extract forensically significant information. That is, this workshop's aim is not to understand every aspect of an application's operation - rather we use common tools and techniques to rapidly extract just the information we care about in a forensic investigative context.

To this end we apply the tools available within the Rekall memory analysis tool to several different scenarios:

- Analyze a strand of malware, and develop a query to hunt for indicators to search across a fleet of enterprise systems with GRR.

- Reverse engineer a number of user-space applications, and extract passwords, keys and user activity history. We then use these findings to write new Rekall plugins to automatically extract these artifacts.

- Finally we put these ideas together, by writing an entity collector, an entity search query, and hunt with GRR across the fleet for the newly discovered.

This will be a hands on workshop, participants are expected to bring their own laptops with one of the major OS's installed (OSX, Linux or Windows). The instructor will provide memory images and tools required before the workshop.

Although no special prerequisites exist, participants will benefit most from this workshop if they already have a basic understanding of memory analysis and are not afraid to look at hex dumps or the command line :-).

Bitcurator: Redacting and providing access to data from disk images

Wednesday 1:00pm - 5:00pm
Christopher Lee and Kam Woods, University of North Carolina

This workshop is designed for two different, but complementary audiences:

- Professionals responsible for managing collections of born-digital data archivists, manuscript curators, librarians or others who are responsible for acquiring or transferring collections of digital materials, particularly those that are received on removable media.

- Digital forensics researchers and practitioners who would like to learn about and provide feedback on strategies for redacting data from disk images and/or providing access to the data to third parties.

Through a combination of presentation and hands-on exercises, this workshop will demonstrate several technical approaches to redacting and providing access to data from disk images, using combinations of open-source software. Two approaches to access will be demonstrated. First, bca-webtools provides access to disk images over the web using open-source software including The Sleuth Kit, PyTSK, libewf, and the Flask web framework. Institutions can point bca-webtools at a local directory that contains raw or forensically-packaged disk images, and the software will create a web portal that allows users to browse the file systems, download files, and examine disk image metadata. Second, users can search and navigate DFXML metadata directly by querying a database, in order to e.g. find items of a particular file type or from a given date.

Disk images can contain numerous forms of sensitive or private data that should not be freely disclosed to the general public. We will illustrate two main approaches to addressing this issue (both based on first running bulk_extractor to identify potentially sensitive patterns): (1) use dedicated scripts to generate redacted versions of files or disk images, which can then be used as the basis for access copies, and (2) masking parts of disk images from view, so they cannot be accessed when navigating the disk images using the bca-webtools described above.

Participants should bring a laptop computer with an Intel Core i5 or Core i7 machine (or AMD equivalent) running a 64-bit version of Windows 7, Windows 8, Mac OS 10.9 (or newer), or a 64-bit Linux variant. At least 4GB RAM (8GB RAM strongly recommended). Minimum 10GB free hard disk space (20GB is preferred). The BitCurator virtual machine (see below) is approximately 8GB when uncompressed. It is configured to automatically expand in size up to 256GB.

Prior to the workshop, participants should install the BitCurator VM or Live CD: http://wiki.bitcurator.net/. An up-to-date version of VirtualBox: https://www.virtualbox.org/wiki/Downloads. The VirtualBox Extension Pack (to be installed on the host system - just download and double-click on the file once you've installed VirtualBox). The VirtualBox software requires that Intel VT-x virtualization extensions are enabled in the system BIOS.

Python scripting in Autopsy

Wednesday 1:00pm - 5:00pm
Brian Carrier, Basis Technology

Autopsy 3 is an open-source digital forensics platform that now has support for Python modules. If you want to quickly write some fancy digital forensics analytics, then an Autopsy Python module is the perfect place for it. Autopsy allows you to support file system, carved, or logical files without you needing to worry about where they came from.

Autopsy makes it easy for results to be shown in the UI without you needing to write any UI code (you just post name and value pairs to the database). If you just want to focus on data analysis and not where your data is coming from, UIs, or reports, then Autopsy is what you want.

The first part of the workshop will be an overview of writing Autopsy modules. We'll start with the sample modules and edit as needed.

The second part will be hack-a-thon style and you get to write whatever module you want and we'll answer questions that you have along the way.

There will be a prize for the best module.

Participants should bring a laptop computer that has Autopsy 3 installed.


©2001-2016 DFRWS   |   dfrws [at] dfrws [dot] org  

DFRWS is a US 501(c)(3) non-profit organization.