DFRWS 2015 EU Tutorials Information
Continuing with recent success at DFRWS USA, DFRWS EU will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS EU 2015.
GRR Incident Response Framework
Andreas Moser (Google)
This workshop is another instance of the very successful workshops we
gave last year at both DFRWS conferences. It is going to be a short
introduction to the GRR system for people who have not used it before
and afterwards will be pure hands-on work.
Participants will get access to a fully set up GRR environment
including machines to investigate running Windows and Linux and will
learn how to use the investigation techniques GRR provides to solve
various forensics tasks. Those tasks range from pretty easy ones like
reading files or registry keys to advanced forensics techniques like
grabbing artifacts directly from live memory across the whole testbed
at the same time.
Knowledge of GRR is no prerequisite for this workshop but if you'd
like to attend, we'd kindly ask you to bring a laptop capable of web
browsing. If this is not feasible for some reason, there is of course
also the option to collaborate with other participants.
Digital Forensics Framework - Part I
Frederic Baguelin & Solal Jacob (ArxSys)
This workshop is a tutorial about how to use DFF to perform a full forensics analysis.
DFF is an open-source tool which can be used to conduct an analysis of a hard disk, memory snapshot or a virtual machine.
During the workshop we will explain how to use DFF's graphical interface to analyze a provided disk image, following a forensics process.
We will see how to import dumps in different format, then how to use the different modules to extract information in order to perform an
analysis of the recovered data and metadata.
Then we will use the search & filter engine to find and correlate evidences related to the case given as exercises.
Once the interesting
evidences founded
we will see how to export the data and create a report.
Participant will have to bring a laptop running windows or linux (ubuntu, debian) to install the software packages we will provide and to copy or download the dump of the case we will use as exercise. No special knowledge is required for this training
We will review this different capabilities of DFF :
File System modules : ntfs, fat, hfs (recovering deleted files, carving MFT entry)
Memory analysis
Skype analysis
Sqlite analysis
Registry analysis
Events logs analysis
Antivirus scanner
Metadata & search engine
Filtering
Bookmarking
Tagging
Exporting
Digital Forensics Framework - Part II
Frederic Baguelin & Solal Jacob (ArxSys)
Automate your forensics analysis (Developing modules for Digital
Forensics Framework)
DFF is an open-source framework that allows you to conduct a
forensics analysis. DFF can be used from a shell
or from a graphical interface. But, more than that, DFF provides
advanced scripting capability. During this workshop we will explain and
help you
to create your own DFF modules to automate your daily tasks or to
research some specific artifacts in registry, processus (ram) ,
filesystems data & metadata, sqlite databases, windows event logs etc...
Participant will have to bring a laptop running windows or Linux
(Ubuntu, Debian) to install the software packages we will provide
and to copy or download the dump of the case we will use as exercise. A
knowledge of Python language is preferred to get fully benefit of the
training.
Digital Memory Forensic interactive workshop
Michael Cohen, Johannes Stüettgen. (Google)
In the past few years memory analysis has proven extremely useful for
detecting malware and advanced threats on potentially compromised
systems. This workshop explores the art and science of memory analysis
using open source tools. The workshop will be hands on and allow
participants to try these techniques themselves on sample images and
live analysis of their own machines. The workshop will concentrate on the
recently released Rekall platform - an advanced memory analysis and
acquisition tool with unique capabilities.
We will cover the following topics:
1) Memory acquisition
- Utilizing the pmem project's set of tools (Winpmem for windows,
osxpmem and pmem module for linux), We cover memory acquisition
techniques and the challenges that are faced by acquisition tools. We
explore some common antiforensic techniques which may disrupt
acquisition. We illustrate how the pmem memory acquisition suite
allows analysis of live memory by common open source analysis suites.
2) Basic memory analysis concepts:
- How do we make sense of memory?
- What is a profile? How do we get one? Before memory can be analyzed,
we need to generate a profile for the specific kernel which is
running. In this part of the tutorial we discuss how to obtain a
profile for a Linux system, or a new kind of windows system. We also
look at generating profiles for other windows modules (e.g. not the
kernel).
3) Virtual Memory and Paging.
- What is an address space? We discuss virtual page translation. This
is a fundamental concept of memory analysis and is required to
understand what the results mean. For example we discuss questions
such as:
I discovered a string of interest in memory - which process owns it?
I found a page which claims its invalid - yet memory analysis
tools are able to use it. What does it mean for a page to be “In Transition”?
We the consider page translation process in common operating systems such as
windows, linux and OSX and how the operating system uses the pagefile.
Rekall is able to incorporate the pagefile into the analysis vastly increasing
the available evidence for the analyst.
4) Basic Memory analysis technique:
- We discuss common memory analysis techniques. By understanding how
tools employ these techniques and how antiforensics can defeat this
analysis we can understand what the limitations of these techniques
are. In this part of the workshop participants will try their hand in
implementing antiforensic techniques and see how common tools and
techniques can be defeated:
- Windows: The windows kernel debugger block, Linked list
following, VAD tree traversal. Pooltag scanning.
- Linux: Linked list following, Function pointer dereferencing for
detecting hooks.
5) Extracting binaries from memory:
- PE File format - how to dump executables from memory (e.g.
pedump, procdump).
- Dumping packed binaries. Reconstructing import tables for
reverse engineering.
6) Memory management techniques:
- Kernel memory management - Pools and pool tags.
- Pool scanners (psscan, filescan, driverscan)
- Windows Kernel Objects - the object manager. Object allocation
strategy and recovering objects from memory.
- Scanning for kernel objects in memory. Discontiguous scanners over
sparse virtual address spaces.
- The PFN database. Physical to Virtual mapping. What process owns
this physical pages? Finding hidden processes using the PFN database.
- Process memory management. The VAD tree. Inspecting the VAD Using
the VAD to find hidden files.
- Process hollowing - a common malware technique.
7) Hooking.
- Kernel mode hooks:
- Driver hooking - how malware subverts device drivers.
- Usermode hooks:
- Dll injection and trampoline hooks. (FinFisher, Finspy etc)
8) Miscellaneous memory analysis techniques:
- Registry dumping
- Analysis of userspace memory management. Service scanning, Bash
scanning, Command prompt scanner.
Delegates are encouraged to follow
along with their laptops. We will provide tools, documentation and
sample images which participants can use to follow along.
Required software:
- Virtual machine or real machine running Windows 7.
- Virtual machine or real machine running Linux.
For this workshop we will try a novel approach - the workshop will be conducted using a hands on, interactive tutorial. This will be using the
Rekall webconsole to host an interactive book with the workshop, and
users can explore the memory images and extend the analysis; This
means the workshop will be more interactive than ever and exercises can be continued after the workshop as well.
Common Criteria for Digital Forensics Experts
Hans Henseler & Sophie Loenhout
This workshop will consist of a presentation of draft common criteria for Digital Forensics experts in Dutch Court Cases.
Digital forensics experts are invited to participate and discuss the draft version of the standards. All
participants of DFRWS EU 2015 are welcome but we specially invite persons that have experience as an expert witness defending their computer forensic reports in court.
We will foster discussion on challenges in recognizing Digital Forensics experts: the rapid growth and ubiquity of digital information and the rapid change in underlying technologies
Setting common criteria for Digital Forensics experts is important for international harmonization of forensic computer science. The NRGD hopes to learn from similar initiatives in other countries and
encourages other countries to learn from the results and ideas that will be presented during the
workshop. The NRGD also encourages non-Dutch experts to register as an expert in the NRGD register.
A draft version of the standards will be handed out on paper for discussion. The standards will be
presented by one or more members of the Advisory Committee for Standards that has drafted these
standards. Both authors will be present at DFRWS EU 2015 in Dublin and it is likely that other members
of this committee will also attend.
Participants are not required to bring a laptop.
First European Workshop on Data Analytics for Information Security and Forensics (E-DAIS)
The amount of digital data relevant to early detection and investigation of cybercrimes is expanding rapidly. The sources of data are numerous and various, and becoming more so. This represents an enormous challenge for security professionals and law enforcement agencies. Tools and technologies for addressing this challenge are limited, proprietary and interoperate poorly, if at all. There are shortages of technical and analytical expertise, while workflows and processes are inconsistent. The result is that investigations are delayed and/or sub-optimally pursued, and judicial outcomes suffer. At the same time, collection of large quantities of data causes risks to privacy and human rights of the persons and organizations being investigated. Tool vendors largely ignore this issue, and national data protection regulations often provide exceptions for government agencies collecting and analysing data for intelligence and crime prevention purposes with limited public oversight.
European Commission is seeking innovative solutions to these problems. Horizon 2020 Secure Societies Work programme 2014-2015, for instance, contains a dedicated topic “FCT 1 - 2015: Forensics topic 1: Tools and infrastructure for the fusion, exchange and analysis of big data for forensic investigation” aimed at the development of holistic technical, legal and procedural solutions to investigative analysis of large amounts of data.
E-DAIS workshop aims to establish the European cross-disciplinary forum for discussing societal and technical problems and possible solutions surrounding the use of big data for information security and forensics. It is expected that these discussions will serve as a catalyst for collaborative research in 2014 leading to preparation of H2020 project proposals.