DFRWS 2016 Tutorials Information


DFRWS offers an expanded opportunity to learn from workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS 2016.


Sunday


Coding Digital Forensics Tools in Go

Sunday 1:00pm - 5:00pm (Note: this session is all afternoon)
Lodovico Marziale and Joe Sylve, BlackBag Technologies

In this hands-on workshop attendees will learn how to develop forensics tools in Google's Go programming language. We will first present an overview of the Go programming language, focused on those parts that are most useful for developing forensics tools, and then present a simple parser for a commonly encountered forensic artifact. Last, attendees will develop a simple parser for another common forensics artifact, with the assistance of the presenters.

This workshop is intended for forensics tool developers. Some programming experience is a must, preferably in a C-like language, but no experience with Go specifically is required.

Participants will be provided with handouts of a Go "cheat sheet" and a copy of the presentation slides. Participants will also need to have Go installed (on their platform of choice - all common OSs are supported).


Hands-On With Open Source Similarity Digests

Sunday 1:00pm - 3:00pm
Jon Oliver, Trend Micro

Similarity digests are an efficient way to search for similar files, whether the file(s) may match some malicious code, some desired text, or an HTML document. They are also a useful tool in digital forensics and security applications. In this workshop, we will use open source similarity digests (ssdeep, TLSH, sdhash and Nilsimsa) and perform a range of exercises including matching files, considering how documents can be modified to avoid matching, setting thresholds, and considerations concerning false positive matches. We will perform exercises on a range of file types including HTML files, executable files, text documents, and image files.


Wednesday


Table Topping for Incident and Data Breach Response

Wednesday 1:00pm - 5:00pm
Brian Roux, Hangartner, Rydberg & Terrell LLC

Many security incident and data breach response planners include tabletop exercises as part of their plan to test plan comprehensiveness, identify single points of failure, and ensure key actors are familiar with the plan's details. This session will discuss the basics of conducting tabletop exercises and conduct a mock exercise to demonstrate the practice. The session will include an interactive discussion before and after the mock exercise.


Using GRR and Rekall for Scalable Memory Analysis

Wednesday 1:00pm - 5:00pm
Michael Cohen, Google

Memory analysis is now a routine and essential technique in triaging and responding to security incidents. Rekall is an advanced, open source memory analysis framework boasting a large number of plugins implementing state-of-the-art memory analysis techniques.

This interactive workshop will specifically focus on using GRR and Rekall in a large scale environment, such as a corporate incident response team. The workshop will be divided into a number of areas:

1. Use of Rekall interactively. This is a short introduction to the Rekall tool and will cover some common plugins and techniques. We cover use of Rekall for Windows, Linux and OS X machines, as well as using Rekall for memory acquisition.

2. Use of GRR. The GRR incident response tool will be installed and configured by participants. We have a short introduction to what GRR is, how it works, and how one can use it.

3. Use of Rekall for hunting. Rekall is embedded in the GRR enterprise incident response tool. This allows Rekall to perform automated memory analysis across the entire fleet to detect advanced threats. We use this unique capability to detect anomalies between a group of systems, some of which may be compromised.

4. Searching the enterprise. We introduce the new search capability developed within Rekall using the EFilter forensic filtering library. This allows us to craft a search expression using an SQL-like language to reveal certain anomalies.

Participants should bring a laptop running one of the major operating systems (Windows, Linux, OS X) with a web browser.


IED Forensics: Hunting the IED Engineer

Wednesday 3:30pm - 5:30pm
Larry Leibrock

The forensics examiner's (FE) role in some national-security investigations is undergoing significant change. There are tensions between laboratory forensics examination and on-site exploitation of devices of intelligence interest. Increasingly, some FEs are taking a role in coordinating the collection plan, site exploitation and, in some cases, full-spectrum evidence/intelligence collection to support targeting and actioning high-value individuals.

In this workshop, participants will be guided through a case study of an intelligence-based terrorist narrative. We will review the issue of understanding the target's lifestyle or pattern of life. Then, we will discuss the investigation of edge devices and the cloud. Next, we will collectively and critically assess the description of the forensic collection plan and associated checklist. Last, participants will be provided with messaging traffic and other forensic artifacts for analysis.

A Windows-based notebook and portable storage of at least 128 GB are necessary to participate in the workshop.


©2001-2016 DFRWS | dfrws [at] dfrws [dot] org

DFRWS is a US 501(c)(3) non-profit organization.