DFRWS 2016 EU Tutorials Information

Continuing with recent success at DFRWS USA, DFRWS EU will offer an expanded opportunity to present workshops and vendor-agnostic tutorial sessions. The blend of practitioners, leading researchers and forensic tool developers attending the conference presents a unique environment for collaboration and knowledge-sharing in this format. Please indicate your intent to attend any of these FREE tutorials when you register for DFRWS EU 2016.

Virtual Currencies

André Fischer, Jakob Hasse & Thomas Gloe (dence GmhH, Germany)

Virtual currencies perceived an increasing interest during the last years. Decentralised and open variants, like Bitcoin, operate independent to authorities like central banks and governments. Such virtual currencies are often referred as free and liberal money. A huge difference and advantage to normal, regulated currencies is that the access and participation in a virtual currency network like the creation of a bank account is not limited by a registration process or solvency check. Account numbers can be created at any time and everywhere. Because account numbers (commonly known as addresses) are not registered by known users, payments and money transfers appear to be pseudonymously. Special approaches are needed when virtual currencies are involved in the investigation of a crime.

The most famous virtual currency is Bitcoin, with a market capitalization of more than $4 Billion. Building blocks of Bitcoin and its derivatives are cryptographic protocols and the use of a public ledger – the blockchain –, where a record of all transactions is stored and can be viewed by the public. The aim of the workshop is to give an introduction to virtual currencies on the example of Bitcoin. The workshop includes lecture like introductions to the topic combined with practical trainings.

Evidence Exchange between Courts in Europe: a standard proposal to be discussed.

M.A. Biasiotti, M. Epifani, F. Turchi, and J. C. Deprez, N. Matskanis

This workshop will discuss various outcomes, including legislation, recommendations, guidelines, and technical standards, developed by the EVIDENCE project for the European Commission in order to establish a Common European Framework for the application of new technologies in the collection, use and exchange of evidence in transnational judicial cases. The project examined these topics from different standpoints (legal, data privacy, standardization, and technical issues) and taking into account the needs of various stakeholders (law enforcement, independent forensic experts, judicial authorities and defense lawyers).

The discussion will focus on the following topics:
  • Validation of the the adequacy of the recently proposed standards DFAX/CybOX for the representation of data and metadata involved in a digital evidence exchange, including the whole evidence life-cycle from chain of custody to the output of a forensics analysis.
  • Identify how DFAX/CybOX may need to be adapted for transnational Electronic Evidence exchange. For instance,
    • By complementing CybOX with additional elements specific to forensic analysis
    • By providing a library of forensic actions
    • Which technical solutions may be more suitable for improving the exchange of electronic evidence in terms of efficiency, reliability and trust.
    • Review how a software proof of concept achieves implementing the DFAX standard and evaluate how it facilitates an efficient, reliable and trusted exchange of electronic evidence.

Microsoft Exchange Forensics: Looking Beyond User Data

O. O'Connor (Salesforce)

In most organisations Microsoft Exchange is far more than a mail system: it is the organisational memory, storing huge volumes of email as well as calendars, contacts, notes, task lists etc. While the evidence stored in Exchange is of great evidential value, investigations involving Exchange can be complex due to limited audit trails and poor forensic preparedness.

Fortunately, the number of forensically-valuable artefacts inside Exchange mailboxes is increasing. For example, recent versions of Exchange and Outlook store now store key configuration and usage data within user mailboxes rather than on end-user devices. When dealing with a modern Exchange environment, or with Exchange Online in Office 365, these artefacts can be rich enough to reconstruct user activity at a very granular level, including details of content accessed and client devices used.

This interactive workshop will examine the structure and contents of modern Exchange mailboxes, including system folders, hidden user folders and hidden system data. An investigative approach will be demonstrated which is based on “in-mailbox” forensic artefacts rather than on analysis of client systems, and a sample of in-mailbox artefacts will be presented.

Plaso Parser Workshop

Daniel White (Google)

Plaso is the Python based back-end engine used by log2timeline and other forensic tools for automatic creation of "super timelines". During this workshop, you'll learn how to create robust parsers and how to write plugins to expand functionality of the Plaso. Next time you come across an obscure log file or ambiguous Registry key in the course of an investigation, you'll have the ability to package up your knowledge into a piece of reusable code that you can share across your team and with the wider DFIR community.

Fun with the beast: Traffic Mining (TM) using Brain and Tranalyzer

Stefan Burschka (RUAG)

This two-part workshop is literally defined by the title: using your brain and Tranalyzer you will do a hands on job of an analyst trying to find anomalies in real IP traffic. You might get stuck in a foxhole and have to learn how to dig yourself out. Nothing is like it initially seems, or maybe it is.

The workshop is adressed at anyone who is willing to learn a bit more detail about IP traffic and the way of flow based TM. A linux laptop and working knowledge of command line bash is required, rudimentary knowledge of AWK and gnuplot is nice to have.

  • Short introduction to the most important IP protocols and header features
  • Exercise: Tell me everything about THIS packet
  • Introduction to Tranalyzer
    • Philosophy, configuration and compilation ops
    • Most important plugins including config constants
    • Flows and global reports
    • How to write your own plugin in C
  • Handson exercises in groups or alone on several PCAPS

Attendees will receive related data via memory stick.

Sponsored tutorial: Analysis of deleted data

Roman Locher, CTO, Arina AG

Deleted data exists on pretty much any storage device. Usually the operation system and the running processes are responsible for generating the majority of deleted files on a system. But if deleted objects have been caused through user action, we can expect that the content of those files might be interesting for our investigation. We will show you which different types of deleted data exist, how they are created and what recovery techniques in forensics products are available today.

Windows Event Log analysis: Gathering great information the easy way!

Roman Locher, CTO, Arina AG

The Windows Event Log is a great place to find useful information, stored in a human readable format. In this workshop we will show you how to find, load, analyze and search collected Event Logs from a Windows computer. You get to know where to look for interesting records about the usage of a system and actions taken by the user. Don't be surprised in the future if you are spending much more time analyzing Event Logs, instead of browsing through abstruse registry keys.


©2001-2016 DFRWS   |   dfrws [at] dfrws [dot] org  

DFRWS is a US 501(c)(3) non-profit organization.