The first official tour of the DFIR.IT team started at DFRWS in Dublin, where we attended the DFRWS EU 2015 conference. Our amazing time in Dublin was accompanied by sunny(!) weather, a proper pint of Guinness and some time to geek out: a perfect combination!
First and foremost!
Big THANK YOU to:
- all the speakers for SHARING their great research, interesting ideas, tools and projects.
- the organizing committee. Anyone who has never organized a conference doesn't realize the amount of work, effort and devotion required for an event like DFRWS to succeed.
- all the attendees. PEOPLE and the ability to MEET and TALK with others are the secrets to a great conference.
DFRWS EU started with the Digital Forensics Framework (DFF) workshop. If you've never used this framework, go and play with it as soon as possible and consider DFF when building an IR toolkit. DFF features include reconstruction of VMware 'vmdk' files, support for the file formats of multiple operating systems (Windows, Linux, OS X), memory analysis and much more. The workshop could have been ideal if participants had been allowed to download the forensic images and install the software before the class started. Sharing all the data via USB sticks with dozens of people was not the best idea ;)
Next was The Decision, and it was extremely difficult to choose where to 'take our talents next'. The Rekall and GRR workshops were conducted in parallel. Being clever bastards, we decided to split up and share the knowledge and materials. It turns out we were not clever enough: Michael Cohen's workshop quickly outgrew the available space in the room.
Nevertheless, Andreas Moser's workshop was a great hands-on introduction to the GRR open source project. The workshop allowed participants to collect and analyze forensic artifacts and hunt for evil. GRR has all the features that incident responders want in order to react and respond to threats quickly. It took us a few seconds after the workshop to decide: we are setting up some testing infrastructure with GRR. Stay tuned for more GRR goodies on DFIR.IT.
The Search for MH370: Lessons from Inmarsat’s Flightpath Reconstruction Analysis
Even though this was not a typical computer forensics topic, "The Search for MH370…" was an amazing presentation that reminded us of a principal rule: even without sufficient data, investigators should always find a way to perform analysis.
The researchers presented an analytical approach to filtering out noise and aggregating data in order to detect data exfiltration. One of the most interesting research papers at DFRWS. The authors promised to release the code after the conference. For the time being you can play with the demo version here.
A technical case study that outlined the artifacts left on the system by the Tor Browser. Apart from the standard forensic go-to places (VSS, registry, prefetch files, etc.), the authors focused on artifacts left in memory and in pagefile.sys, which can be found, for instance, by looking for the HTTP-memory-only-PB string. It might be interesting to compare the artifacts created by the various browsers in private browsing or incognito mode.
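To show what "looking for the HTTP-memory-only-PB string" amounts to in practice, here is a small scanner we wrote for this post (it is our own added example, not code from the talk or the paper). It streams a memory image or pagefile.sys in chunks, carries a tail across chunk boundaries so a marker split between two reads is not missed, and reports each hit with its byte offset and the printable bytes around it so you can eyeball what the marker sits next to. The sample bytes in SAMPLE are constructed; the only thing taken from the write-up is the marker string itself.

```python
"""Scan a memory image or pagefile.sys for a marker string.

Added example for the DFIR.IT write-up, not code from the DFRWS talk.
The marker is the string mentioned in the write-up; SAMPLE is constructed
test data, not bytes taken from a real pagefile.
"""
import os
import re
import string
import tempfile
from typing import List, NamedTuple

MARKER = b"HTTP-memory-only-PB"
# Characters worth showing in context; other control bytes are rendered as '.'
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


class Hit(NamedTuple):
    offset: int    # absolute byte offset of the marker in the file
    context: str   # printable rendering of the bytes around the marker


def _printable(chunk: bytes) -> str:
    return "".join(chr(b) if b in PRINTABLE else "." for b in chunk)


def find_marker(data: bytes, marker: bytes = MARKER, context: int = 24) -> List[Hit]:
    """Return every occurrence of marker in data, with `context` bytes on each side."""
    hits = []
    for m in re.finditer(re.escape(marker), data):
        start = max(0, m.start() - context)
        end = min(len(data), m.end() + context)
        hits.append(Hit(m.start(), _printable(data[start:end])))
    return hits


def scan_file(path: str, marker: bytes = MARKER, context: int = 24,
              chunk_size: int = 64 * 1024 * 1024) -> List[Hit]:
    """Stream a large file chunk by chunk.

    A hit is only recorded once its right-hand context is fully inside the
    buffer; the tail of each buffer is carried into the next read so that a
    marker straddling a chunk boundary is still found exactly once.
    """
    need = len(marker) + context            # bytes a hit needs after its start
    keep = 2 * context + len(marker) - 1    # tail carried into the next chunk
    hits: List[Hit] = []
    seen = set()
    carry, carry_base = b"", 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            data = carry + block
            last = not block
            for h in find_marker(data, marker, context):
                if not last and h.offset + need > len(data):
                    continue  # right context incomplete; next iteration covers it
                abs_off = carry_base + h.offset
                if abs_off not in seen:
                    seen.add(abs_off)
                    hits.append(Hit(abs_off, h.context))
            if last:
                break
            tail = data[-keep:]
            carry_base += len(data) - len(tail)
            carry = tail
    return hits


# Constructed sample: two markers, the second one padded so that it crosses a
# chunk boundary when scanned with a tiny chunk size.
SAMPLE = (b"\x00" * 40 + b"about:blank\x00" + MARKER + b"\x00\x00moz-cookies\x00"
          + b"\xff" * 100 + MARKER + b"tor-browser")


def demo() -> List[Hit]:
    """Write SAMPLE to a temp file and scan it with a 64-byte chunk size."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE)
        return scan_file(path, chunk_size=64)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for hit in demo():
        print(f"0x{hit.offset:08x}  {hit.context}")
```

On a real case you would call scan_file() on the pagefile or a raw memory dump and triage the context column: what the marker sits next to is often more telling than the mere presence of the string.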
A universal methodology for anomaly detection using memory IOCs. The amount of data and artifacts stored in a system memory snapshot allows OpenIOC to detect UAC bypasses, code injection, lateral movement and much more badness!
Michael Cohen focused on Windows kernel version variability and its effect on memory analysis. One of the differences highlighted during the presentation was that struct layouts do not change within the same minor version, which is not the case for kernel global constants. A fundamental difference between Rekall and Volatility is how the frameworks build profiles; the way struct layouts are obtained and kernel global constants are located affects not only the quality of the results but also how error-prone the analysis is and how susceptible it is to anti-forensics.
Most memory acquisition tools acquire the memory marked as RAM by the OS, which skips firmware memory ranges. In light of recent events (Equation Group, Mac persistent backdoor), the ability to collect firmware memory might be essential for investigators. The authors showed that firmware acquisition can be achieved by parsing the configuration spaces of PCI devices and enumerating all the MMIO regions that would otherwise be excluded when acquiring memory. In addition, the authors built a Volatility plugin for dumping ACPI tables to the file system.
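The "parse the PCI configuration spaces and enumerate the MMIO regions" step is worth seeing concretely, so here is an added example of our own (not the authors' plugin and not code from the paper). It decodes the six Base Address Registers of a type-0 PCI configuration header, tells memory BARs apart from I/O BARs and 32-bit from 64-bit ones, and turns them into the address ranges an acquisition tool would have to read in addition to plain RAM. The 64 header bytes and the size-probe values in SAMPLE_HEADER and SAMPLE_PROBES are constructed; the vendor/device IDs are placeholders. The size probe (write all ones to a BAR, read back, invert the masked result and add one) is what firmware and the OS do at enumeration time; an offline parser only sees the base addresses, so sizes are taken from a caller-supplied mapping here.

```python
"""Decode PCI type-0 BARs into MMIO ranges.

Added example for the DFIR.IT write-up; not the paper's code nor the
Volatility plugin it mentions. SAMPLE_HEADER and SAMPLE_PROBES are
constructed; the vendor/device IDs in them are placeholders.
"""
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

BAR0_OFFSET = 0x10
NUM_BARS = 6             # a type-0 (endpoint) header carries six 32-bit BARs
MEM_MASK = 0xFFFFFFF0    # bits 3:0 of a memory BAR are type/prefetch flags
IO_MASK = 0xFFFFFFFC     # bits 1:0 of an I/O BAR are flag/reserved bits


class Region(NamedTuple):
    bar: int
    kind: str             # "mmio32", "mmio64" or "io"
    base: int
    size: Optional[int]   # None when no size probe was supplied for the BAR
    prefetchable: bool


def _size_from_probe(probed: int, mask: int, width: int) -> int:
    """Size = (~(readback & mask)) + 1, computed at the BAR's bit width."""
    full = (1 << width) - 1
    return ((~(probed & mask)) & full) + 1


def decode_bars(header: bytes, probes: Optional[Dict[int, int]] = None) -> List[Region]:
    """header: at least 0x28 bytes of config space read from the device.
    probes: BAR index -> value read back after writing 0xFFFFFFFF to that BAR."""
    if len(header) < BAR0_OFFSET + 4 * NUM_BARS:
        raise ValueError("need at least 0x28 bytes of config space")
    header_type = header[0x0E] & 0x7F
    if header_type != 0:
        raise ValueError(f"only type-0 headers are handled, got type {header_type}")
    bars = list(struct.unpack_from("<6I", header, BAR0_OFFSET))
    probes = probes or {}
    regions: List[Region] = []
    i = 0
    while i < NUM_BARS:
        raw = bars[i]
        if raw == 0:                       # unimplemented BAR
            i += 1
            continue
        if raw & 1:                        # I/O space BAR: not memory at all
            size = _size_from_probe(probes[i], IO_MASK, 32) if i in probes else None
            regions.append(Region(i, "io", raw & IO_MASK, size, False))
            i += 1
            continue
        mem_type = (raw >> 1) & 0x3        # 0b00 = 32-bit, 0b10 = 64-bit
        prefetch = bool(raw & 0x8)
        if mem_type == 0x2:
            if i + 1 >= NUM_BARS:
                raise ValueError(f"64-bit BAR{i} has no upper half")
            base = (bars[i + 1] << 32) | (raw & MEM_MASK)
            size = None
            if i in probes and i + 1 in probes:
                probed = (probes[i + 1] << 32) | (probes[i] & MEM_MASK)
                size = _size_from_probe(probed, 0xFFFFFFFFFFFFFFF0, 64)
            regions.append(Region(i, "mmio64", base, size, prefetch))
            i += 2
        else:
            size = _size_from_probe(probes[i], MEM_MASK, 32) if i in probes else None
            regions.append(Region(i, "mmio32", raw & MEM_MASK, size, prefetch))
            i += 1
    return regions


def mmio_ranges(regions: List[Region]) -> List[Tuple[int, int]]:
    """Inclusive (start, end) physical ranges of every sized memory BAR.
    These are the regions a RAM-only acquisition leaves out."""
    return [(r.base, r.base + r.size - 1)
            for r in regions if r.kind != "io" and r.size is not None]


# Constructed header: BAR0 32-bit MMIO, BAR1 I/O, BAR2/3 a 64-bit prefetchable BAR.
_hdr = bytearray(64)
struct.pack_into("<HH", _hdr, 0x00, 0x1234, 0x5678)   # placeholder vendor/device id
_hdr[0x0E] = 0x00                                     # header type 0
struct.pack_into("<6I", _hdr, BAR0_OFFSET,
                 0xFEB00000, 0xC001, 0x0000000C, 0x00000010, 0, 0)
SAMPLE_HEADER = bytes(_hdr)
# Constructed read-back values after writing all ones: 64 KiB, 256 B, 16 MiB.
SAMPLE_PROBES = {0: 0xFFFF0000, 1: 0xFFFFFF01, 2: 0xFF00000C, 3: 0xFFFFFFFF}


if __name__ == "__main__":
    for r in decode_bars(SAMPLE_HEADER, SAMPLE_PROBES):
        print(r)
    for start, end in mmio_ranges(decode_bars(SAMPLE_HEADER, SAMPLE_PROBES)):
        print(f"MMIO 0x{start:x}-0x{end:x}")
```

On Linux the raw header can be read from /sys/bus/pci/devices/<bdf>/config and the already-sized ranges from the resource file next to it; the point of the decoder is that these ranges are exactly the ones a RAM-only acquisition never sees, and an investigator after firmware contents has to ask for them explicitly.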
The researchers focused on investigating the digital traces found on smart TVs. According to them, one of the biggest challenges is data acquisition. Even though a smart TV is, from a hardware perspective, an embedded device, the authors had to test different ways of obtaining the data, including the eMMC five-wire method, the NFI Memory Toolkit II and rooting the device. Analysis of the collected data allowed the investigators to view system and network information as well as web browser and custom application activity.