The 5th Annual Open Source Digital Forensics Conference (OSDFCon) will be held on November 5, 2014 at the Westin Washington Dulles in Herndon, VA. This conference focuses on tools and techniques that are open source and (typically) free to use. It is a one day event with short talks packed with information. There are both tool developers and users in attendance, and this is a unique opportunity to learn about new tools and provide feedback.
As an investigator, you should attend to learn about new tools and meet the developers building the software. As a developer, you should attend to raise awareness of your efforts. Everyone should consider submitting a talk to share their experiences and work.
We’ll post updates on Twitter using #osdfcon.
Developers can submit modules to the Autopsy Module Writing Contest for cash prizes. Submissions are due by October 20, 2014.
|Time||Track 1||Track 2|
|8:00 am||Registration and Breakfast|
|9:00 am||Welcome and Conference Overview|
|9:10 am||Autopsy 3.1: Faster, Better, and still Free
speaker: Brian Carrier (slides)
|9:45 am||Supersize your Internet Timeline with Google Analytic Artifacts
speakers: Mari DeGrazia & John DuMont (slides)
|10:35 am||Vortessence – Automating Memory Forensics
speaker: Endre Bangerter & Beni Urech (slides)
|11:10 am||Challenge Results|
|12:40 pm||What’s New in RegRipper
speaker: Harlan Carvey (slides)
|Sceadan – Systematic Classification Engine for Advanced Data Analysis
speakers: Nicole L. Beebe & Simson Garfinkel (slides)
|1:20 pm||Python Autopsy: Easier Forensics Scripting (not dead snakes)
speaker: Richard Cordovano (slides)
|Live Disk Forensics on Bare Metal
speakers: Hongyi Hu & Chad Spensky (slides)
|2:00 pm||A Case Study on Network Anti-Forensics
speaker: Ben Schmidt (slides)
|Incident Response with STIX and Autopsy
speaker: Ann Priestman (slides)
|2:55 pm||Timeline Visualization in Autopsy
speaker: Jonathan Millman (slides)
|A Differential Approach to Analysis of Malware in Memory
speaker: Dr. Vico Marziale (slides)
|3:35 pm||MEDS: Malware Evolution Discovery System
speaker: Antonio Cesar Vargas (slides)
|Fresh Produce: How We Can Integrate Our Forensic Tools Into Great Workflows Without Crazy File Formats
speaker: William Ballenthin (slides)
|4:15 pm||Next Generation Memory Forensics
speakers: The Volatility Development Team (slides)
|4:50 pm||Lightning Talks|
|5:15 pm||Networking Cocktail Reception|
Autopsy 3.1: Faster, Better, and still Free
2 years and 10 point releases after the release of 3.0.0, Autopsy™ 3.1 has been released. It has many performance improvements and feature enhancements. This talk will cover what is new in Autopsy, including multi-threaded ingest pipelines to take better advantage of multi-core systems, hash sets that users can create and update, image galleries to better organize images, improved timelines, and mobile phone support. We’ll also cover the basics of Autopsy for audience members who have not seen or used it before. Autopsy 3 is a windows-based open source digital forensics platform that has all of the basic features needed to conduct a digital investigation.
Supersize your Internet Timeline with Google Analytic Artifacts
Verizon RISK Team
What Internet evidence might you be missing? Learn how to find additional information by leveraging the artifacts left behind by Google Analytics.
These artifacts include valuable information such as timestamps, search terms and referral pages. Learn how to utilize a Google Analytics Python script to recover these artifacts from Browser history, cache files, RAM, unallocated space, iTunes backup and more.
Vortessence – Automating memory forensics
Endre Bangerter and Beni Urech
Bern University of Applied Sciences, Security Engineering Lab
Memory forensics is a key technique for detecting and analyzing malware and related attack tools. While there are several memory forensics tools, the Volatility framework is probably the most widely used and significant tool.
Volatility features a large number of commands, which for Windows systems roughly fall into two categories. One consists of commands that are more directly geared towards detecting malware specific artifacts such as code injections, or various kinds of hooks. The other category consists of commands that allow inspecting the state of the system being investigated. For instance, one can display running processes, loaded DLLs, drivers, etc.
To detect malware using the latter tools, the analyst is typically looking for anomalous system properties. A simple example would be a bogus process name or processes which are started from unusual directories. Stuxnet for instance, introduces two malicious instances of the alleged “lsass.exe” process, which feature a wrong parent process. Another, more subtle anomaly, would be an unusually low or high number of DLLs in a certain process.
The key point is that finding these anomalies requires lots of encyclopedic knowledge about the state of a non-infected Windows system. This knowledge is hard to memorize (at least for some of us). Moreover, searching for actual discrepancies deviating from the clean state can be a quite boring and rather mechanical task.
Due to laziness and lack of brain capacity we have developed a Volatility based tool that automates the process of finding certain anomalies in memory images. The idea underlying our tool is on a high level rather straightforward: We first generate a whitelist of known clean memory states, and then detect malware by checking for deviations from the whitelist. The anomalies are described in a report that is automatically generated by the tool. The tool thus allows to detect certain anomalies more efficiently and likely covers more anomalies than most humans will be able to memorize.
Let us sketch in some more detail how our tool works. We first obtain memory images of known clean systems, and extract from these images a large number of properties (e.g., parent – child relationships of processes, drivers loaded, which process contains what DLLs, and many many more) using various Volatility tools. The resulting data is stored in a database. To analyze a potentially infected image, we again perform property extraction using Volatility, and then check the resulting values against the whitelist stored in the database.
Another more advanced and “researchy” component of the tool does not use Volatility, but rather takes a “binary diffing” approach by comparing known clean memory images with the image to be analyzed. A simple byte-wise diffing won’t be successful; our tool rather has the capability to identify relevant modifications. This diffing approach allows finding, for instance, hooks and memory injections using a different method than the heuristics used by the malware tools of Volatility. Moreover, by combining both approaches we can reduce the false positive rate of the current Volatility tools.
We have tested our tool with real world malware samples and the results are encouraging. For instance, in the case of Stuxnet, we can automatically identify many of its infection characteristics, with a relatively moderate false positive rate. We believe that our tool is quite useful for practitioners, and we are going to opensource it in the second half of 2014.
What’s New in RegRipper
In this presentation, we will discuss updates to RegRipper (RR), which include:
- Plugins have four options for output formats: ‘regular’, bodyfile, TLN, csv
- Artifact categories
- Usage examples; how to get the most out of RR
Sceadan – Systematic Classification Engine for Advanced Data Analysis
Nicole L. Beebe
University of Texas at San Antonio
Naval Postgraduate School
Data type classification involves the determination of “type” (e.g. image, HTML text, video, etc.) without reference to metadata (e.g. file names, extensions, or network headers) or explicit reference to file signatures (e.g. “magic numbers”). Use cases involve classification of deleted data fragments, triage and disk profiling, search hit relevancy ranking, intrusion detection, and data loss prevention. Naïve statistical classification via machine learning has been studied by academics for over a decade, however, the research has netted varied results and failed to net any widely available open source tools. Researchers at UTSA and NPS have significantly advanced the state of the art in naïve statistical data type classification and have instantiated their findings in an open-source tool called SCEADAN. We used skillfully crafted training sets to perform statistical, n-gram based analysis to predict data type across 48 file/data/encoding types. Prediction accuracies vary across data types, but SCEADAN averages 75-90% accuracy and automatically produces confusion matrices. SCEADAN comes with a built-in model but researchers can easily train their own.
Python Autopsy: Easier Forensics Scripting (not dead snakes)
Lots of people love to write code in Python and lots of people have been disappointed that they couldn’t write Autopsy™ modules in Python. That has now changed. Autopsy allows you to write ingest modules in Python so that you can more easily analyze file content. Ingest modules allow you to access any file in a disk image or set of logical files and allow full access to the database and blackboard. Writing a Python Autopsy module is the easiest way to search for and analyze files in a custom way. This talk is for the Python lovers who want to learn about the basics of making an Autopsy module, and why it will make your life easier.
Live Disk Forensics on Bare Metal
Hongyi Hu & Chad Spensky
MIT Lincoln Laboratory
We have developed a hardware/software-based framework to perform live disk forensics on both physical and virtual machines. For physical machines, we developed a hardware SATA sensor capable of passively monitoring disk traffic. Similarly, for virtual machines, we inserted hooks into KVM and Xen to provide similar monitoring capabilities. Our software tools use The Sleuth Kit, pyTSK and analyzeMFT to convert the raw disk traffic into semantically useful data in real time. Our platform is difficult to detect and can perform functions such as live forensic analysis, tamper-resistant logging, and replay of disk events with minimal impact to the system under test.
Thus, our framework provides researchers and developers a rich toolset for building live forensics and monitoring applications and for conducting forensics research.
A Case Study on Network Anti-Forensics
Forensic analysts have plenty to worry about when it comes to the security of their network. Seldom do they worry about their packet analysis software. We will demonstrate why they should.
In this talk, we detail how we uncovered a handful of remotely exploitable Wireshark vulnerabilities and deployed them as anti-forensic measures during DEFCON 20 and 21 CTF. These vulnerabilities can be used to compromise Wireshark by sending specially crafted input to a live sniffer, or by supplying a malicious packet capture. We walk through exploitation of these vulnerabilities to cause denial of service conditions and to execute arbitrary code on modern operating systems.
We dive into the inner workings of the Wireshark network capture and reconstruction tool. We detail the interactions between protocol layers, Wireshark’s dissector model, and mitigations built into the Wireshark common API. We walk through the reconstruction of popular network traffic, from Ethernet frame to IP packet to TCP stream to application data. We highlight where things can (and often do) go wrong and how to exploit this popular software package. We close by offering suggestions for how Wireshark and other forensic tools can mitigate risk and decrease their attack surface.”
Incident Response with STIX and Autopsy
When responding to a computer incident, you may want to scan the hard drive for signatures and indicators from known malware and threat actors. STIX™ is a standardized way to share information about cyber threats. It is being used in the US Government and in industry to share intelligence. This presentation will talk about how you can use STIX with the open source Autopsy™ tool to find files, registry keys, and other indicators that other incident responders have also seen.
Timeline Visualization in Autopsy
Timeline analysis can be an important digital forensics analysis technique. At previous OSDFCons, there have been presentations about collecting temporal data from various sources, but there has not been much available for open source tools to help visualize the results besides text-based methods. This talk will cover a new Autopsy™ timeline module that focuses on visualizing large amounts of event data. The module provides several display techniques to help reduce information overload, such as description zooming and filtering. The timeline includes temporal data from file system activity and other artifacts, such as web activity and the registry.
A Differential Approach to Analysis of Malware in Memory
Dr. Vico Marziale
Detecting malware is difficult, and analyzing a detected piece of malware’s behavior is even more difficult. Techniques for analysis generally fall into one of three camps: static analysis of the malicious binary on disk, dynamic analysis as the binary executes, or a hybrid approach using a snapshot of physical RAM taken as the malware executes. As the result of our DARPA Cyber Fast Track (CFT) funded research, we extend this third approach. In this session we present a novel technique for leveraging multiple snapshots of physical RAM for malware detection and analysis. We will also present DAMM, a tool for differential analysis of malware in memory
The techniques presented can be utilized in any size infrastructure where malware is a threat (everywhere). The presentation will contain two scenarios based on real world malware samples, demonstrating the technique in use in a manner that attendees will be able to directly apply to their own malware analysis efforts.
MEDS: Malware Evolution Discovery System
Antonio Cesar Vargas
Malware, or malicious software, aﬀects every computing device at our disposal, including personal computers, dedicated servers and more recently, mobile devices such as smart phones and tablets. The information stored on these devices makes them attractive targets for illegal ﬁnancial gain by cybercriminals, and corporate espionage or even strategic operations by government agencies. Yet, traditional detection measures are increasingly ineﬀective at detecting the extensive number of malware variants. To make matters worse, these variants are becoming commodity products whose manufacture is facilitated by an underground industry that seeks to meet demands for products that can bypass current anti-malware technologies. Consequently, most present malware is not new since the development of new “from-scratch” malware is not economically viable for the underground malware industry. Instead, most malware found in the wild is a modiﬁcation or feature upgrade of previously created malware.
This presentation attempts to frame the malware problem from the perspective of the evolutionary production of malware. The goal is to present the design of an architecture that allows researchers to discover generative malware, and show an initial implementation of the Malware Evolution Discovery System (MEDS). MEDS supports the creation of phylogenetic trees of malware, and attempts to make predictions of generative malware by applying two models of supervised regression analysis on malware samples and their corresponding phylogenetic tree. Finally, the MEDS framework is made available as an open source project, thus providing an innovative tool that has been previously unavailable for the cybersecurity and digital forensics communities.
Fresh Produce: How We Can Integrate Our Forensic Tools Into Great Workflows Without Crazy File Formats
As a forensic analyst that is driven by really large investigations, I have some issues with many popular forensic tools (open source included). Ignoring buggy scripts and broken interpretations, it bothers me that many tools are not designed with more than one workflow in mind. So, I’d like to share with you a novel way for tools to easily integrate on small, medium, and large scales: “user defined output formatting”. After defining the concept, I’ll demonstrate how it saves significant developer and investigator effort, and how it can lead to more complete forensic analysis. Next, we’ll walk through the implementation of “user defined output formatting” in a common forensic tool (such as RegRipper or Volatility), and you’ll be surprised how minimal the changes are. Finally, we’ll discuss the future of forensic tool workflows, and how we can all do our part to improve the integration of forensic tools everywhere. By the end, you’ll be sold that “user defined output formatting” is a neat idea, and ready to try it out during your following investigation.
Next Generation Memory Forensics
The Volatility Development Team
The Volatility Foundation
The previous year has seen a number of exciting advances in the field of memory forensics. In particular, we have seen expanded support for Windows 8 and robust support for Mac OS X. There has also been a lot of innovative research into extracting memory resident artifacts from applications. This includes extracting cryptographic material from encryption programs and user activity from chat clients and web browsers. As the relatively young and exciting field of memory forensics continues to rapidly evolve, it also continues to change the way we approach all types of digital investigations.
In this presentation, we will highlight many of these advances within the latest 2.4 release of Volatility, including showing how investigators can incorporate these advanced capabilities into their own analysis efforts. We also discuss where the field of memory forensics is headed, including the expanded focus from kernel artifacts to those left by applications. While current memory analysis research allows for deep recovery of kernel artifacts, such as lists of processes, kernel modules, and network connections, the majority of userland (process) analysis has historically focused on extracting memory regions to disk for analysis with strings and regular expressions. This presentation will discuss recent research efforts to analyze the memory resident artifacts of popular applications commonly used on both Windows and Mac.
By the end of the presentation, attendees will know about the latest advances in memory forensics and how they can be rapidly utilized in the field. They will also know what to expect from future memory forensics research efforts, and how some of the current gaps in memory forensics analysis are being addressed.
Willi Ballenthin is a consultant at FireEye who specializes in incident response and computer forensics. He can typically be found investigating intrusions at Fortune 500 companies and enjoys reverse engineering malware, developing forensic techniques, and exploring the cutting edge. Willi is the author of a number of cross-platform Python libraries including python-registry, python-evtx, and INDXParse.py.
Nicole L. Beebe
Nicole L. Beebe is an Assistant Professor in the Department of Information Systems & Cyber Security, at the University of Texas at San Antonio. Dr. Beebe has over fifteen years of commercial and government experience in digital forensics. She was a computer crime investigator for the Air Force Office of Special Investigations from 1998-2007. She is a licensed private investigator and holds two certifications in digital forensics (EnCE and ACE). She has published digital forensics research in Journal of Digital Investigation, Decision Support Systems, and IEEE Transactions on Information Forensics and Security.
Brian leads the digital forensics team at Basis Technology, delivering services and developing custom systems. He is the author of the book File System Forensic Analysis and developer of several open source digital forensics analysis tools, including The Sleuth Kit and the Autopsy digital forensics platform. Brian has a Ph.D. in computer science from Purdue University and worked previously for @stake as a research scientist and the technical lead for their digital forensics lab. Brian is on the committees of many conferences, workshops and technical working groups, including the Annual DFRWS Conference and the Digital Investigation Journal.
Harlan Carvey is a Sr Researcher with Dell SecureWorks CTU team. He is the author of RegRipper, and the author of 7 DFIR books, with 5 editions translated into 4 foreign languages. Harlan cannot pronounce “malware” correctly.
Richard is a software engineer on the digital forensics team at Basis Technology. He is currently the development team lead for Autopsy. Prior to joining Basis Technology, Richard did software development at the Defense Cyber Crime Center (DC3). Before finding his niche in the world of digital forensics, Richard’s career included writing ballistic missile defense simulation software, writing business intelligence software, and a brief stint in the video games industry. Richard earned a Master of Science degree in Computer Science at Colorado Technical University and a Bachelor of Science Degree with a minor in Applied Mathematics at the University of Colorado.
Mari DeGrazia has over 12 years in information technology as well as a Bachelors of Science in Computer Science from Hawaii Pacific University. In addition to her degree she has achieved the following certifications: EnCE, CHFI, CCFE, AME and MCSE.
Over the course of her career, Mari has provided services such as database design and implementation, programming, networking administration and computer forensics. Currently she works for the Verizon RISK Team as a computer forensics examiner.
In her spare time she enjoys researching forensic artifacts, which includes writing and releasing open source tools.
Simson L. Garfinkel is an Associate Professor at the Naval Postgraduate School. Based in Arlington VA, Garfinkel’s research interests include digital forensics, usable security, data fusion, information policy and terrorism. He holds seven US patents for his computer-related research and has published dozens of research articles on security and digital forensics. He is an ACM Fellow and an IEEE Senior Member, as well as a member of the National Association of Science Writers.
Hongyi Hu is a researcher in the Cyber System Assessments Group at MIT Lincoln Laboratory. His work focuses on mobile authentication systems, low level hardware instrumentation and analysis. His research interests also include cyberpolicy, privacy, security economics, psychology, and intellectual property.
Dr. Vico Marziale
Dr. Vico Marziale, Managing Partner at 504ENSICS Labs in New Orleans has a PhD in Computer Science from the University of New Orleans. His day-to-day includes work all over the computer security space: penetration testing, digital forensic investigation, malware analysis and incident response. What he actually enjoys doing though, is research and development for new tools and techniques supporting all of those other activities. He is co-developer of the Scalpel file carver, Registry Decoder for Windows registry forensics and Spotlight Inspector for analysis of OSX Spotlight metadata indexes. He has published and/or presented and/or demo’ed all over including DFRWS, OSDF, BlackHat, multiple Security BSides, DOD Cybercrime, and RSA. Vico is also one of the organizers of Security BSides NOLA.
Jonathan is a UI-focused software engineer on the digital forensics team at Basis Technology. Prior to joining Basis Technology, Jonathan was a software developer at the MIT Humans and Automation Lab and a musically inspired 3D animator for SoundSpectrum and Harmonix Music Systems. Jonathan holds a BS in Computer Science and Digital Art from Northeastern University.
Ann Priestman is a software engineer on the digital forensics team at Basis Technology, where she works on mobile forensics and cyber security modules for Autopsy. Prior to joining Basis Technology, Ann worked as a cryptanalyst and programmer for the Department of Defense. She received her BS in Computer Science and Mathematics from the University of Maryland, Baltimore County.
As the Lord Commander of Security Research at Narf Industries, Ben Schmidt relentlessly penetrates complex systems. Since 2012, Ben has been a core member of “Samurai”, competing in (and winning) many world-wide CTF competitions. He is a passionate practitioner of memory corruption, a strong believer in the awesome power of “”strings”", and a leading expert in the field of completely epic pwnage. Ben has a MS in Computer Science from the University of Tulsa, and is not a CISSP.
Chad Spensky is a member of the Cyber System Assessments Group at MIT Lincoln Laboratory. His current research interests include: authentication protocols, malware analysis, cyber-physical security, novel introspection techniques, and smart card security.
Antonio Cesar Vargas
Antonio Cesar Vargas is a new graduate from John Jay College of Criminal Justice under the Digital Forensic and Cybersecurity Masters program. Cesar holds a Bachelors of Science degree in Computer Science from Queens College. He provides consulting services related with PCI-DSS compliance and on his spare he does malware research, especially malware that targets the Android operating system.
The Volatility Development Team
The authors of this presentation are the core developers of The Volatility Framework (@volatility) and the authors of the highly anticipated book, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. These are the same analysts who have spent the past decade using memory analysis on a daily basis to augment digital investigations, malware analysis, and reverse engineering. This team actively maintains and supports the Volatility software and its thriving community. This team also offers the authoritative training in memory and malware analysis, which has been taught for numerous commercial and government organizations around the world. They have presented at a variety of industry leading conferences that include RSA, Blackhat, Defcon, DoD Cyber Crime Conference, DFRWS, American Academy of Forensics Sciences, and Europol’s High Tech Crime Expert Meeting.
Nov 4: Optional Workshops (not included in basic registration)
Nov 5: Conference
Nov 6-7: Autopsy 3 Training (not included in basic registration)