DFRWS 2015 EU Tutorials Information

Continuing with recent success at DFRWS USA, DFRWS EU will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS EU 2015.

GRR Incident Response Framework

Andreas Moser (Google)

This workshop is another instance of the very successful workshops we gave last year at both DFRWS conferences. It is going to be a short introduction to the GRR system for people who have not used it before and afterwards will be pure hands-on work.

Participants will get access to a fully set up GRR environment including machines to investigate running Windows and Linux and will learn how to use the investigation techniques GRR provides to solve various forensics tasks. Those tasks range from pretty easy ones like reading files or registry keys to advanced forensics techniques like grabbing artifacts directly from live memory across the whole testbed at the same time.

Knowledge of GRR is no prerequisite for this workshop but if you'd like to attend, we'd kindly ask you to bring a laptop capable of web browsing. If this is not feasible for some reason, there is of course also the option to collaborate with other participants.

Digital Forensics Framework - Part I

Frederic Baguelin & Solal Jacob (ArxSys)

This workshop is a tutorial about how to use DFF to perform a full forensics analysis.
DFF is an open-source tool which can be used to conduct an analysis of a hard disk, memory snapshot or a virtual machine. During the workshop we will explain how to use DFF's graphical interface to analyze a provided disk image, following a forensics process.
We will see how to import dumps in different format, then how to use the different modules to extract information in order to perform an analysis of the recovered data and metadata. Then we will use the search & filter engine to find and correlate evidences related to the case given as exercises.
Once the interesting evidences founded we will see how to export the data and create a report.
Participant will have to bring a laptop running windows or linux (ubuntu, debian) to install the software packages we will provide and to copy or download the dump of the case we will use as exercise. No special knowledge is required for this training
We will review this different capabilities of DFF :
File System modules : ntfs, fat, hfs (recovering deleted files, carving MFT entry)
Memory analysis
Skype analysis
Sqlite analysis
Registry analysis
Events logs analysis
Antivirus scanner
Metadata & search engine

Digital Forensics Framework - Part II

Frederic Baguelin & Solal Jacob (ArxSys)

Automate your forensics analysis (Developing modules for Digital Forensics Framework)
DFF is an open-source framework that allows you to conduct a forensics analysis. DFF can be used from a shell or from a graphical interface. But, more than that, DFF provides advanced scripting capability. During this workshop we will explain and help you to create your own DFF modules to automate your daily tasks or to research some specific artifacts in registry, processus (ram) , filesystems data & metadata, sqlite databases, windows event logs etc...
Participant will have to bring a laptop running windows or Linux (Ubuntu, Debian) to install the software packages we will provide and to copy or download the dump of the case we will use as exercise. A knowledge of Python language is preferred to get fully benefit of the training.

Digital Memory Forensic interactive workshop

Michael Cohen, Johannes Stüettgen. (Google)

In the past few years memory analysis has proven extremely useful for detecting malware and advanced threats on potentially compromised systems. This workshop explores the art and science of memory analysis using open source tools. The workshop will be hands on and allow participants to try these techniques themselves on sample images and live analysis of their own machines. The workshop will concentrate on the recently released Rekall platform - an advanced memory analysis and acquisition tool with unique capabilities.
We will cover the following topics:
1) Memory acquisition
- Utilizing the pmem project's set of tools (Winpmem for windows, osxpmem and pmem module for linux), We cover memory acquisition techniques and the challenges that are faced by acquisition tools. We explore some common antiforensic techniques which may disrupt acquisition. We illustrate how the pmem memory acquisition suite allows analysis of live memory by common open source analysis suites.
2) Basic memory analysis concepts:
- How do we make sense of memory?
- What is a profile? How do we get one? Before memory can be analyzed, we need to generate a profile for the specific kernel which is running. In this part of the tutorial we discuss how to obtain a profile for a Linux system, or a new kind of windows system. We also look at generating profiles for other windows modules (e.g. not the kernel).
3) Virtual Memory and Paging.
- What is an address space? We discuss virtual page translation. This is a fundamental concept of memory analysis and is required to understand what the results mean. For example we discuss questions such as:
I discovered a string of interest in memory - which process owns it?
I found a page which claims its invalid - yet memory analysis tools are able to use it. What does it mean for a page to be “In Transition”?
We the consider page translation process in common operating systems such as windows, linux and OSX and how the operating system uses the pagefile. Rekall is able to incorporate the pagefile into the analysis vastly increasing the available evidence for the analyst.
4) Basic Memory analysis technique:
- We discuss common memory analysis techniques. By understanding how tools employ these techniques and how antiforensics can defeat this analysis we can understand what the limitations of these techniques are. In this part of the workshop participants will try their hand in implementing antiforensic techniques and see how common tools and techniques can be defeated:
- Windows: The windows kernel debugger block, Linked list following, VAD tree traversal. Pooltag scanning.
- Linux: Linked list following, Function pointer dereferencing for detecting hooks.
5) Extracting binaries from memory:
- PE File format - how to dump executables from memory (e.g. pedump, procdump).
- Dumping packed binaries. Reconstructing import tables for reverse engineering.
6) Memory management techniques:
- Kernel memory management - Pools and pool tags.
- Pool scanners (psscan, filescan, driverscan)
- Windows Kernel Objects - the object manager. Object allocation strategy and recovering objects from memory.
- Scanning for kernel objects in memory. Discontiguous scanners over sparse virtual address spaces.
- The PFN database. Physical to Virtual mapping. What process owns this physical pages? Finding hidden processes using the PFN database.
- Process memory management. The VAD tree. Inspecting the VAD Using the VAD to find hidden files.
- Process hollowing - a common malware technique.
7) Hooking.
- Kernel mode hooks:
- Driver hooking - how malware subverts device drivers.
- Usermode hooks:
- Dll injection and trampoline hooks. (FinFisher, Finspy etc)
8) Miscellaneous memory analysis techniques:
- Registry dumping - Analysis of userspace memory management. Service scanning, Bash scanning, Command prompt scanner.
Delegates are encouraged to follow along with their laptops. We will provide tools, documentation and sample images which participants can use to follow along.
Required software:
- Virtual machine or real machine running Windows 7.
- Virtual machine or real machine running Linux.
For this workshop we will try a novel approach - the workshop will be conducted using a hands on, interactive tutorial. This will be using the Rekall webconsole to host an interactive book with the workshop, and users can explore the memory images and extend the analysis; This means the workshop will be more interactive than ever and exercises can be continued after the workshop as well.

Common Criteria for Digital Forensics Experts

Hans Henseler & Sophie Loenhout

This workshop will consist of a presentation of draft common criteria for Digital Forensics experts in Dutch Court Cases. Digital forensics experts are invited to participate and discuss the draft version of the standards. All participants of DFRWS EU 2015 are welcome but we specially invite persons that have experience as an expert witness defending their computer forensic reports in court.
We will foster discussion on challenges in recognizing Digital Forensics experts: the rapid growth and ubiquity of digital information and the rapid change in underlying technologies
Setting common criteria for Digital Forensics experts is important for international harmonization of forensic computer science. The NRGD hopes to learn from similar initiatives in other countries and encourages other countries to learn from the results and ideas that will be presented during the workshop. The NRGD also encourages non-Dutch experts to register as an expert in the NRGD register.
A draft version of the standards will be handed out on paper for discussion. The standards will be presented by one or more members of the Advisory Committee for Standards that has drafted these standards. Both authors will be present at DFRWS EU 2015 in Dublin and it is likely that other members of this committee will also attend.
Participants are not required to bring a laptop.

First European Workshop on Data Analytics for Information Security and Forensics (E-DAIS)

The amount of digital data relevant to early detection and investigation of cybercrimes is expanding rapidly. The sources of data are numerous and various, and becoming more so. This represents an enormous challenge for security professionals and law enforcement agencies. Tools and technologies for addressing this challenge are limited, proprietary and interoperate poorly, if at all. There are shortages of technical and analytical expertise, while workflows and processes are inconsistent. The result is that investigations are delayed and/or sub-optimally pursued, and judicial outcomes suffer. At the same time, collection of large quantities of data causes risks to privacy and human rights of the persons and organizations being investigated. Tool vendors largely ignore this issue, and national data protection regulations often provide exceptions for government agencies collecting and analysing data for intelligence and crime prevention purposes with limited public oversight.

European Commission is seeking innovative solutions to these problems. Horizon 2020 Secure Societies Work programme 2014-2015, for instance, contains a dedicated topic “FCT 1 - 2015: Forensics topic 1: Tools and infrastructure for the fusion, exchange and analysis of big data for forensic investigation” aimed at the development of holistic technical, legal and procedural solutions to investigative analysis of large amounts of data.

E-DAIS workshop aims to establish the European cross-disciplinary forum for discussing societal and technical problems and possible solutions surrounding the use of big data for information security and forensics. It is expected that these discussions will serve as a catalyst for collaborative research in 2014 leading to preparation of H2020 project proposals.


©2001-2016 DFRWS   |   dfrws [at] dfrws [dot] org  

DFRWS is a US 501(c)(3) non-profit organization.