DFRWS 2015 Tutorials Information
Continuing with last year's success, DFRWS will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS 2015.
Sunday
GRR Rapid Response
Sunday 1:00pm - 5:00pm
(Note: this session is all afternoon)
Greg Castle, Google Inc.
This workshop is another instance of the GRR workshops at last year's
DFRWS conferences. It will be a short introduction for people new to GRR,
followed by pure hands-on work.
Participants will get access to a fully set up GRR environment, including
machines to investigate running Windows and Linux, and will learn how to
use GRR to solve various forensics tasks. Those tasks range from
pretty easy ones like reading files or registry keys to advanced
forensics techniques like grabbing artifacts directly from live
memory across the whole testbed at the same time.
Knowledge of GRR is no prerequisite for this workshop but if you'd
like to attend, we'd kindly ask you to bring a laptop capable of web
browsing. If this is not feasible for some reason, there is of course
also the option to collaborate with other participants.
Creating forensic tools in Go
Sunday 1:00pm - 3:00pm
Vico Marziale and Joe Sylve, BlackBag Technologies
In this hands-on workshop attendees will learn how to develop forensics
tools in Google's Go programming language. We will first present an
overview of the Go programming language, focused on those parts that are
most useful for developing forensics tools, and then present a simple
parser for a commonly encountered forensic artifact. Last, attendees
will develop a simple parser for another common forensics artifact,
with the assistance of the presenters.
This workshop is intended for forensics tool developers. Some programming
experience is a must, preferably in a C-like language, but no experience
with Go specifically is required.
Participants should bring a laptop with Go installed prior to the
workshop (Go implementations are available for all common OSs).
They will be provided with handouts of a Go "cheat sheet" and a
copy of the presentation slides.
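As an added illustration of the kind of parser the workshop describes (this is not code from the workshop or from BlackBag), here is a small Go parser for one commonly encountered artifact, the Windows Prefetch file. The choice of artifact is mine; the offsets are the documented layout of format versions 17 (XP/2003), 23 (Vista/7) and 26 (8/8.1). It shows the three things such a parser needs: a signature check, a per-version field layout, and conversion of a Windows FILETIME to a time value. The sample input is a constructed header with known values, not a real .pf file.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"log"
	"strings"
	"time"
	"unicode/utf16"
)

// PrefetchHeader holds what a triage tool wants from a Windows Prefetch file.
type PrefetchHeader struct {
	Version  uint32
	ExeName  string
	LastRun  time.Time
	RunCount uint32
}

// Offsets common to every uncompressed version; all supported layouts fit in minSize bytes.
const (
	offVersion = 0x00 // uint32: 17 = XP/2003, 23 = Vista/7, 26 = 8/8.1
	offSig     = 0x04 // "SCCA"
	offExeName = 0x10 // 60 bytes, UTF-16LE, NUL-terminated
	minSize    = 0xD4
)

// Per-version offsets of the last-run FILETIME and the run counter. Windows 10
// (version 30) stores the file MAM-compressed (LZXPRESS Huffman); it is rejected here.
var versionLayout = map[uint32]struct{ lastRun, runCount int }{
	17: {0x78, 0x90},
	23: {0x80, 0x98},
	26: {0x80, 0xD0},
}

// filetimeToTime converts a FILETIME (100 ns ticks since 1601-01-01 UTC) to a Go time.
func filetimeToTime(ft uint64) time.Time {
	const epochDiff = 116444736000000000 // ticks between 1601-01-01 and 1970-01-01
	ticks := int64(ft) - epochDiff
	return time.Unix(ticks/10_000_000, (ticks%10_000_000)*100).UTC()
}

// decodeUTF16LE decodes a NUL-padded UTF-16LE buffer.
func decodeUTF16LE(b []byte) string {
	units := make([]uint16, len(b)/2)
	for i := range units {
		units[i] = binary.LittleEndian.Uint16(b[2*i:])
	}
	return strings.TrimRight(string(utf16.Decode(units)), "\x00")
}

// ParsePrefetch parses an uncompressed Prefetch file held in buf; every read is
// bounds-checked against len(buf), never trusted from the file's own size field.
func ParsePrefetch(buf []byte) (*PrefetchHeader, error) {
	if len(buf) >= 4 && string(buf[:3]) == "MAM" {
		return nil, errors.New("MAM-compressed Prefetch (Windows 10+): decompress first")
	}
	if len(buf) < minSize {
		return nil, errors.New("buffer too short for a Prefetch file")
	}
	if sig := string(buf[offSig : offSig+4]); sig != "SCCA" {
		return nil, fmt.Errorf("bad signature %q, want \"SCCA\"", sig)
	}
	h := &PrefetchHeader{
		Version: binary.LittleEndian.Uint32(buf[offVersion:]),
		ExeName: decodeUTF16LE(buf[offExeName : offExeName+60]),
	}
	lay, ok := versionLayout[h.Version]
	if !ok {
		return nil, fmt.Errorf("unsupported Prefetch version %d", h.Version)
	}
	h.LastRun = filetimeToTime(binary.LittleEndian.Uint64(buf[lay.lastRun:]))
	h.RunCount = binary.LittleEndian.Uint32(buf[lay.runCount:])
	return h, nil
}

// SamplePrefetch builds a constructed version-23 (Windows 7) file with known
// field values; it is synthetic input for the example, not a real .pf file.
func SamplePrefetch() []byte {
	buf := make([]byte, 0x100)
	binary.LittleEndian.PutUint32(buf[offVersion:], 23)
	copy(buf[offSig:], "SCCA")
	for i, u := range utf16.Encode([]rune("CMD.EXE")) {
		binary.LittleEndian.PutUint16(buf[offExeName+2*i:], u)
	}
	lastRun := time.Date(2015, 8, 10, 14, 0, 0, 0, time.UTC)
	binary.LittleEndian.PutUint64(buf[0x80:], uint64(lastRun.Unix())*10_000_000+116444736000000000)
	binary.LittleEndian.PutUint32(buf[0x98:], 42)
	return buf
}

func main() {
	h, err := ParsePrefetch(SamplePrefetch())
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s (v%d): last run %s, run count %d\n", h.ExeName, h.Version, h.LastRun.Format(time.RFC3339), h.RunCount)
}
```

A zero FILETIME (the executable was never run) comes out of filetimeToTime as 1601-01-01, which a real tool should report as "never" rather than as a date; Windows 10 files must be decompressed before this layout applies, and the run counter's position there differs between sub-variants, so they are deliberately refused rather than parsed with the wrong offsets.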
Vehicle forensics
Sunday 3:00pm - 5:00pm
Ben Lemere, Berla Corporation
This workshop will be in the form of a presentation at an intermediate
technical level.
Over the past several years, automotive manufacturers have been adding
advanced technology to seamlessly and safely integrate access to our
digital lives from within our vehicles. The industry is evolving from
making vehicles that simply take us from one destination to another,
to vehicles that create an experience that entertains and informs us as
well as facilitates voice and data communications while we travel.
Vehicle Infotainment and Telematics systems store a vast amount of data
such as recent destinations, favorite locations, call logs, contact
lists, SMS messages, emails, pictures, videos, social media feeds, and
the navigation history of everywhere the vehicle has been. Many systems
record events such as when and where a vehicle's lights are turned on,
which doors are opened and closed at specific locations, and even where
the vehicle is when Bluetooth devices connect. This data is valuable,
for example, to investigators who do not have a suspect's phone but
need information from it: a supported vehicle the suspect used is the
next best thing and can provide much of the same information.
This information is not easily retrievable and is typically stored in
several different systems within a vehicle not traditionally associated
with event data. This presentation will address the data stored in several
different infotainment and telematics systems and touch on methods to
acquire and analyze it.
Wednesday
Reverse Engineering with Rekall
Wednesday 1:00pm - 5:00pm
Michael Cohen, Google
Memory forensics has become increasingly useful for recovering
forensically significant information, and reverse engineering is a core
skill in that work: from detecting and analyzing malware to understanding
how common applications store the data an investigator needs.
This workshop is a hands-on application of useful reverse engineering
tools and techniques employed in order to rapidly extract forensically
significant information. That is, this workshop's aim is not to understand
every aspect of an application's operation - rather we use common tools
and techniques to rapidly extract just the information we care about in
a forensic investigative context.
To this end we apply the tools available within the Rekall memory analysis
tool to several different scenarios:
- Analyze a strain of malware, and develop a query to hunt for its
indicators across a fleet of enterprise systems with GRR.
- Reverse engineer a number of user-space applications, and extract
passwords, keys and user activity history. We then use these findings
to write new Rekall plugins to automatically extract these artifacts.
- Finally we put these ideas together by writing an entity collector and
an entity search query, and hunting with GRR across the fleet for the
newly discovered artifacts.
This will be a hands-on workshop; participants are expected to bring
their own laptops running one of the major OSs (OS X, Linux or
Windows). The instructor will provide the memory images and tools required
before the workshop.
Although no special prerequisites exist, participants will benefit most
from this workshop if they already have a basic understanding of memory
analysis and are not afraid to look at hex dumps or the command line :-).
Bitcurator: Redacting and providing access to data from disk images
Wednesday 1:00pm - 5:00pm
Christopher Lee and Kam Woods, University of North Carolina
This workshop is designed for two different, but complementary, audiences:
- Professionals responsible for managing collections of born-digital
data: archivists, manuscript curators, librarians or others who are
responsible for acquiring or transferring collections of digital
materials, particularly those that are received on removable media.
- Digital forensics researchers and practitioners who would like to
learn about and provide feedback on strategies for redacting data from
disk images and/or providing access to the data to third parties.
Through a combination of presentation and hands-on exercises, this
workshop will demonstrate several technical approaches to redacting
and providing access to data from disk images, using combinations of
open-source software. Two approaches to access will be demonstrated.
First, bca-webtools provides access to disk images over the web using
open-source software including The Sleuth Kit, PyTSK, libewf, and the
Flask web framework. Institutions can point bca-webtools at a local
directory that contains raw or forensically-packaged disk images, and
the software will create a web portal that allows users to browse the file
systems, download files, and examine disk image metadata. Second, users
can search and navigate DFXML metadata directly by querying a database,
for example to find items of a particular file type or from a given date.
Disk images can contain numerous forms of sensitive or private data
that should not be freely disclosed to the general public. We will
illustrate two main approaches to addressing this issue (both based
on first running bulk_extractor to identify potentially sensitive
patterns): (1) use dedicated scripts to generate redacted versions
of files or disk images, which can then be used as the basis for
access copies, and (2) masking parts of disk images from view, so
they cannot be accessed when navigating the disk images using the
bca-webtools described above.
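To make approach (1) concrete, here is an added Go example (not BitCurator's own redaction scripts) that takes a bulk_extractor feature file (tab-separated offset, feature and context columns, with "#" header comments) and produces a redacted copy of a raw image. The image and the feature file are constructed inline for the example. Two checks a practitioner would want are built in: offsets that are forensic paths (e.g. 12345-GZIP-678, a hit inside decoded content) are reported and skipped rather than applied to the raw image, and a feature is masked only when the bytes at the offset actually match it, which catches hits bulk_extractor reported from UTF-16 text and features written with \xNN escapes (which this example does not decode).

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"strconv"
	"strings"
)

// Redaction records what happened to one feature-file line.
type Redaction struct {
	Offset  int64
	Feature string
	Applied bool
	Reason  string // why the line was skipped, if it was
}

// parseFeatureLine splits one "<offset>\t<feature>\t<context>" line.
// Lines starting with '#' are header comments. An offset that is not a
// plain decimal number is a forensic path such as "12345-GZIP-678": the
// hit lies inside decoded content, not at that raw image offset.
func parseFeatureLine(line string) (off int64, feature, reason string) {
	if line == "" || strings.HasPrefix(line, "#") {
		return 0, "", "comment"
	}
	fields := strings.SplitN(line, "\t", 3)
	if len(fields) < 2 {
		return 0, "", "malformed line"
	}
	off, err := strconv.ParseInt(fields[0], 10, 64)
	if err != nil {
		return 0, fields[1], "forensic path, not a raw image offset"
	}
	return off, fields[1], ""
}

// RedactImage returns a copy of img with every listed feature overwritten by
// mask, plus a per-line report; img itself is never modified. A feature is
// masked only if the bytes at the offset really equal it: bulk_extractor
// writes UTF-16 hits transcoded to UTF-8, so a blind overwrite of
// len(feature) bytes would leave half the hit and clobber what follows.
func RedactImage(img []byte, featureFile string, mask byte) ([]byte, []Redaction, error) {
	out := append([]byte(nil), img...)
	var report []Redaction
	sc := bufio.NewScanner(strings.NewReader(featureFile))
	for sc.Scan() {
		off, feat, reason := parseFeatureLine(sc.Text())
		if reason == "comment" {
			continue
		}
		r := Redaction{Offset: off, Feature: feat, Reason: reason}
		if reason == "" {
			raw := []byte(feat)
			end := off + int64(len(raw))
			switch {
			case off < 0 || end > int64(len(out)):
				r.Reason = "offset outside image"
			case !bytes.Equal(out[off:end], raw):
				r.Reason = "bytes at offset differ from feature (re-encoded or escaped?)"
			default:
				copy(out[off:end], bytes.Repeat([]byte{mask}, len(raw)))
				r.Applied = true
			}
		}
		report = append(report, r)
	}
	return out, report, sc.Err()
}

// SampleImage and SampleFeatureFile are constructed inputs: a tiny "image" and
// a feature file in bulk_extractor's format (recorders merged for brevity).
func SampleImage() []byte {
	return []byte("Contact alice@example.org or call 555-0100; card 4111111111111111 end")
}

func SampleFeatureFile(img []byte) string {
	e := bytes.Index(img, []byte("alice@example.org"))
	c := bytes.Index(img, []byte("4111111111111111"))
	return fmt.Sprintf("# BULK_EXTRACTOR-Version: 1.5.5 (constructed sample)\n"+
		"# Feature-File-Version: 1.1\n"+
		"%d\talice@example.org\tContact alice@example.org or call\n"+
		"%d\t4111111111111111\tcard 4111111111111111 end\n"+
		"%d-GZIP-0\tbob@example.org\t(hit inside a compressed stream)\n", e, c, 4)
}

func main() {
	img := SampleImage()
	out, report, err := RedactImage(img, SampleFeatureFile(img), 'X')
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range report {
		fmt.Printf("offset %d %q applied=%v %s\n", r.Offset, r.Feature, r.Applied, r.Reason)
	}
	fmt.Printf("redacted copy: %s\n", out)
}
```

Working on a copy and keeping the skipped lines in the report matters in an archival setting: the original image is the evidence or accession record and must stay byte-identical, and every hit that could not be masked automatically (a forensic-path hit, a UTF-16 string) still needs a human decision before the access copy is released.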
Participants should bring a laptop with an Intel Core i5 or Core i7
processor (or AMD equivalent) running a 64-bit version of Windows 7,
Windows 8, Mac OS 10.9 (or newer), or a 64-bit Linux variant, with at
least 4GB RAM (8GB strongly recommended) and a minimum of 10GB free hard
disk space (20GB preferred). The BitCurator virtual machine (see below) is
approximately 8GB when uncompressed and is configured to automatically
expand in size up to 256GB.
Prior to the workshop, participants should install:
- The BitCurator VM or Live CD: http://wiki.bitcurator.net/
- An up-to-date version of VirtualBox: https://www.virtualbox.org/wiki/Downloads
- The VirtualBox Extension Pack (installed on the host system: just
download and double-click on the file once you've installed VirtualBox).
VirtualBox requires that Intel VT-x virtualization extensions are
enabled in the system BIOS.
Python scripting in Autopsy
Wednesday 1:00pm - 5:00pm
Brian Carrier, Basis Technology
Autopsy 3 is an open-source digital forensics platform that now has
support for Python modules. If you want to quickly write some fancy
digital forensics analytics, then an Autopsy Python module is the perfect
place for it. Autopsy allows you to support file system, carved, or
logical files without you needing to worry about where they came from.
Autopsy makes it easy for results to be shown in the UI without you
needing to write any UI code (you just post name and value pairs to the
database). If you just want to focus on data analysis and not where your
data is coming from, UIs, or reports, then Autopsy is what you want.
The first part of the workshop will be an overview of writing Autopsy
modules. We'll start with the sample modules and edit as needed.
The second part will be hack-a-thon style and you get to write whatever
module you want and we'll answer questions that you have along the way.
There will be a prize for the best module.
Participants should bring a laptop computer that has Autopsy 3 installed.