4th Annual Open Source Digital Forensics Conference (OSDF)
#OSDFcon

Westfields Marriott, Chantilly, VA

Optional Tutorials: November 4, 2013
Conference: November 5, 2013

QUESTIONS? Call +1-617-386-2090 or write conference@basistech.com

About

The 4th Annual Open Source Digital Forensics conference offers investigators and developers the opportunity to learn about the latest advancements in free and extensible open source software, allowing users to add new tools to their arsenal without impacting budgets. Attendees will network with fellow users and developers, learn best practices, and help direct the future of open source digital forensics.

The conference spans four days of engaging content:

  • Nov 4: Tutorials and OMFW 2013
  • Nov 5: Conference Presentations
  • Nov 6-7: Autopsy 3 Training


Conference Program*

7:30 Registration and Breakfast
8:30 Welcome
8:40 Forensics Visualizations With Open Source Tools (Presenter: Simson Garfinkel; slides available)

There is a deep belief among computer forensics practitioners that improved visualizations will make it easier to address the onslaught of data that we face daily. But creating a good visualization is hard work. Many visualizations require careful planning and tuning, and they do not readily generalize to other data sets, let alone other practitioners or organizations. A second problem faced by open source practitioners is deciding which visualization technology to use — there are so many to choose from, including static PDF files, static web pages, and interactive graphics. Then there is the purpose of the visualization, whether it is to help the investigator find new information or to explain a complicated case to a third party. This talk describes visualization choices, shows examples drawn from open source data sets, and discusses the visualization choices made in the development of scale-free one-page PDF visualizations for pcap files (tcpflow) and disk images (bulk_extractor).

9:15 The State of Volatility: Open Source Memory Forensics (Presenters: The Volatility Development Team)

Memory forensics continues to be one of the most exciting and innovative disciplines in the area of digital forensics. It is a powerful capability that has dramatically changed the way we perform digital investigations and provides a mechanism for addressing many of the challenges of digital investigators. The driving force behind this staggering pace of innovation has been an active open source community that brings together both researchers and practitioners around a common framework.

This presentation will begin by providing a brief introduction and overview of Volatility, the open source memory forensics framework. It will provide an overview of the current state of memory forensics analysis and discuss a number of significant contributions to the field within the last year. It will also discuss highlights from this year’s Open Memory Forensics Workshop (OMFW) and the Volatility Plugin Contest. Finally, this presentation will discuss the newly formed Volatility Foundation, a non-profit that has been established to protect the rights of the Volatility community and developers. This presentation also provides an opportunity for people to meet the Volatility development team and to learn about new opportunities to engage this exciting community.

9:50 Autopsy 3: Extensible Desktop Forensics (Presenter: Brian Carrier; slides available)

Autopsy 3 is an easy-to-use digital forensics tool. Its development started after discussions at the first OSDF conference, with the goal of being a platform for which other developers write modules. Autopsy allows you to perform a digital forensics exam on Windows using a free tool. This talk will cover the basic features of Autopsy, including timeline analysis, registry analysis, web artifact analysis, keyword search, and hash sets. There will also be discussion about future modules and how to get involved as a user or developer.

10:25 Break
10:40 Challenge Results
11:15 A Tool for Answering the Question: What Changed on Disk? (Presenter: Stuart Maclean; slides available)

A program called VirtualMachineFS is described. It permits the comparison of virtual machine disk images. The program recognizes the machine snapshot feature of popular virtualization engines. This feature is used in malware analysis systems (such as Cuckoo Sandbox) to sanitize the filesystem of a virtual machine disk after each malware sample execution. Used in conjunction with disk forensics tools such as Sleuthkit, VirtualMachineFS can quickly and easily show the investigator exactly where virtual machine disk contents change as malware samples are run. Such information complements, enriches and verifies the file system change reporting facilities of existing malware analysis engines.

11:50 Lunch
From 13:00 until the 15:35 break, sessions run in two parallel tracks: within each time slot, the first session listed is Track 1 and the second is Track 2.
13:00 Bulk_Extract Like a Boss (Presenter: Jon Stewart; slides available)

bulk_extractor is a fast, powerful tool that every investigator should have in their toolbox. bulk_extractor searches digital media and evidence files for common artifacts and patterns, and its multi-threaded design takes full advantage of your hardware to get initial results faster than any other tool. It works on Windows, Linux, and MacOS X.

This presentation covers command-line operation and gives an overview of each “scanner” in bulk_extractor. We’ll spend some time discussing how to take advantage of its search capabilities for use with your own keywords, including how to specify different encodings and how to pull out surrounding context from the data. Finally, we’ll show how to work with bulk_extractor’s output so you can continue your investigation without starting over.

An API for API Hookers: Taking a Closer Look at Malware (Presenter: Stuart Maclean; slides available)

A method for automated hook function generation is described. Hook functions are used by programs to instrument and monitor other programs. User-space hooking is employed to study malicious software. The malware is executed in a sandbox environment and its actions recorded as it calls functions from system libraries. The method as presented solves, at least partially, the problem of writing individual hook functions for the hundreds or possibly thousands of entry points into a system library, e.g. the Win32 API.

13:35 Break
13:40 Making Molehills Out of Mountains: Data Reduction Using Sleuth Kit Tools (Presenter: Tobin Craig; slides available)

Historically, a computer examiner would be tasked to identify files within acquired data sets which contained keywords. Identified files were reported to the investigating agent, who would then supply additional keywords, and the process would continue. This cyclic approach is impracticable for larger acquisitions. The DOT OIG CCU routinely sees data sets in excess of 5TB per case. To meet this challenge, a means of identifying those files of potential investigative interest has been developed. Extracted data is provided to the investigator, who can review the data in a forensically sound manner without the need to learn specialized reviewing tools.

This method is best suited to investigations involving several computers across a company network, ideally in the investigation of white collar crime, although it may also be applied with examiner discretion to other case types.

In addition, the proposed solution makes use of open source forensic software, and is currently deployed by DOT CCU as part of a portable examination. The script provides the means to conduct an automated extraction of those files most likely to be of investigative interest. Extraction is conducted across all forensically acquired images, and extensive examination notes are generated automatically.

MASTIFF: Automated Static Analysis Framework (Presenter: Tyler Hudak; slides available)

Malware analysis consists of two phases: static and dynamic analysis. Dynamic analysis, or analyzing the behavior of a sample, has already been automated in numerous projects. Static analysis, or analyzing key characteristics of a sample, has not been automated to the same extent. Therefore, responders must manually run tools or write scripts that automate the process, which makes analysis slow and inefficient.

To alleviate the inefficiency, MASTIFF, a new open-source static analysis automation framework, was created and released earlier this year. This presentation will introduce MASTIFF and discuss:

  • Automating static analysis and the problems associated with it
  • How MASTIFF overcomes problems
  • MASTIFF’s capabilities and how it works
  • How MASTIFF can be expanded by anyone using plug-ins
  • Changes to MASTIFF since its initial release

Demonstrations of MASTIFF on malicious files will also be performed.

14:15 Break
14:20 FIREBrick: Open Source Forensic Hardware Platform (Presenter: Pavel Gladyshev)

Until now, open source forensic tools were almost exclusively software. There are some inherent advantages in having a specialized hardware platform for digital forensics, such as more direct/efficient use of processing hardware, and the ability to peer-review the functionality of the forensic appliance. DigitalFIRE has developed an open source forensic disk imaging and write blocking platform called FIREBrick. This device can be built by end users from off-the-shelf mass produced components, with the total cost of parts about $200.

The system’s open source firmware enables it to achieve imaging throughput of up to 4GB/min, and the system is easily assembled with just a screwdriver. Competing with commercial write blockers/imagers is not the objective of this project. Instead, its focus is on a highly configurable and open platform that is cost effective and community developed.

Doing More With Less: Triaging Compromised Systems With Constrained Resources (Presenter: Willi Ballenthin; slides available)

During large scale or time limited investigations, forensic triage analysis yields results that clarify the scope of an engagement faster than deep-dive analysis. But it still doesn’t make sense to capture 5GB when 75MB will do. In this presentation, we’ll discuss which artifacts we’d snipe if there were only 75MB to spend.

To judge the critical artifacts, we’ll review open source techniques that analysts use to efficiently perform triage analysis. We’ll talk about cross platform tools, including: python-registry and a complete suite of Registry analysis utilities, INDXParse.py and its associated GUI-based $MFT explorer, and python-evtx/LfLe.py with their integrated event log viewer. Each section consists of a short explanation of the related artifact, a rapid tutorial of the tool, and a concise case study. We’ll also contrast these approaches with other excellent solutions such as RegRipper, The Sleuth Kit, and libevtx. The ultimate goal is to enable an investigator to review many systems while relying on the capacity of a cheap Flash USB drive.

We’ll close the presentation with a discussion of artifacts that are not easily captured or analyzed with limited resources, such as volume shadow copies or memory dumps.

14:55 Break
15:00 Computer Forensic Triage Using Manta Ray (Presenters: Doug Koster & Kevin Murphy; slides available)

Manta Ray builds off of our efforts with TAPEWORM. MantaRay is a suite of python scripts that perform the same triage steps we introduced in TAPEWORM, using the same tools (Log2timeline, Volatility, ExifTool, RegRipper, Bulk_Extractor). Manta Ray will contain additional functionality, including: a script to extract all registry hives from a disk image (overt, deleted, unallocated, shadow volumes), then extract useful information from all hives and present this information to users in a single report; and a RegRipper-like script that extracts information from .plist files.

Manta Ray will be integrated into the upcoming SIFT 3.0 release, thus making it easily accessible to any examiners that download the SIFT. The goal of this workshop is to demonstrate how the tool works as well as walking the users through how to interpret the tool’s output. Figuring out what to do with the data extracted by Manta Ray is where the true value of the tool becomes apparent, especially when all of the data is viewed in aggregate.

SIFTER: Search Indices for Text Evidence Relevancy (Presenter: Nicole L. Beebe; slides available)

SIFTER is being released open-source during summer 2013, and instantiates five years of research to thematically cluster and relevancy-rank string search hits. SIFTER is ‘Google’ for digital forensics investigators, enabling them to realistically conduct text-based searches. Valuable digital evidence in many cases is textual in nature, yet existing tools and approaches make it simply unrealistic to search through millions of search hits to find the few percent that are important to the case. SIFTER is a fundamental paradigm shift in string searching for digital forensic investigators. Now they can review hits ranked based on features typically related to hit relevancy. They can also review hits clustered, individually and regionally, based on thematically related content. This enables investigators to quickly and reliably ignore remaining hits in clusters or cluster regions deemed irrelevant, or alternatively, drill down into clusters and regions to find more relevant hits when some are found. SIFTER is supported by published research, was a funded development project for real-world users, and will soon be available to users as a stand-alone tool. Developers of existing open-source and industry-leading closed-source tools will also benefit from this presentation, since the SIFTER approach can be integrated into existing tools.

15:35 Break
15:40 Plaso: Exploration of the Inner Workings of the Framework (Presenter: Kristinn Gudjonsson; slides available)

This talk will discuss the architecture of the new log2timeline backend engine, Plaso. Now written in Python, Plaso is a complete rewrite of the old Perl-based engine, with a vastly different architecture that may be relatively complex for external developers to fully grasp.

This talk will explain the inner workings of the framework, how it can be used to assist in parser or plugin development, and applications for more advanced analysis using the console.

16:15 Open Source Requirements Discussion
16:35 Lightning Talks
17:00 Networking Cocktail Reception

* Agenda is subject to change

Speakers

Willi Ballenthin (Consultant, Mandiant): Doing More with Less: Triaging Compromised Systems With Constrained Resources

Willi Ballenthin is a consultant at Mandiant who specializes in incident response and computer forensics. He can typically be found investigating intrusions at Fortune 500 companies and enjoys developing tools or techniques in the evenings. Willi is the author of a number of cross-platform Python libraries including python-registry, python-evtx, and INDXParse.py.

Nicole L. Beebe, Ph.D. (Assistant Professor, The University of Texas at San Antonio): SIFTER: Search Indices for Text Evidence Relevancy

Nicole L. Beebe is an Assistant Professor in the Department of Information Systems & Cyber Security, at the University of Texas at San Antonio. Dr. Beebe has over 15 years of commercial and government experience in digital forensics. She was a computer crime investigator for the Air Force Office of Special Investigations from 1998-2007. Dr. Beebe is a licensed private investigator and holds two certifications in digital forensics (EnCE and ACE). Her digital forensics research was published in the Journal of Digital Investigation and Decision Support Systems, and she has an article forthcoming in IEEE Transactions on Information Forensics and Security.

Brian Carrier (VP of Digital Forensics, Basis Technology): Autopsy 3: Extensible Desktop Forensics

Brian leads the digital forensics team at Basis Technology, delivering services and developing custom systems. He is the author of the book File System Forensic Analysis and developer of several open source digital forensics analysis tools, including The Sleuth Kit and the Autopsy digital forensics platform. Brian has a Ph.D. in computer science from Purdue University and worked previously for @stake as a research scientist and the technical lead for their digital forensics lab. Brian is on the committees of many conferences, workshops and technical working groups, including the Annual DFRWS Conference and the Digital Investigation Journal.

Tobin Craig (Lab Chief, US Department of Transportation (DOT)): Making Molehills Out of Mountains: Data Reduction Using Sleuth Kit Tools

Tobin Craig is the Laboratory Chief for CCU. He has over 25 years of international forensic science experience in eight different disciplines, working for both the British and the United States governments. He has successfully designed and managed forensic laboratories in Northern Ireland, as well as for the US Secret Service, VA OIG, and NASA. He is a CFCE, a CCE, a CISSP, and a Member of the Royal Society of Chemistry... just not a programmer.

Simson Garfinkel (Associate Professor, Naval Postgraduate School): Forensics Visualizations with Open Source Tools

Simson L. Garfinkel is an Associate Professor at the Naval Postgraduate School. Based in Arlington VA, Garfinkel’s research interests include computer forensics, the emerging field of usability and security, personal information management, privacy, information policy, and terrorism. He holds six US patents for his computer-related research and has published dozens of journal and conference papers in security and computer forensics.

Pavel Gladyshev (Programme Director of MSc in Forensic Computing & Cybercrime Investigation, University College Dublin): FIREBrick: Open Source Forensic Hardware Platform

Dr. Pavel Gladyshev is a lecturer at University College Dublin (Ireland), where he directs the Digital Forensics Investigation Research Laboratory (DigitalFIRE). Dr. Gladyshev holds a Ph.D. in the field of digital forensics and is one of the founders of the state machine theory of digital forensic analysis. Prior to joining the university, Dr. Gladyshev worked as an IT forensics analyst at the Dublin practice of Ernst & Young. He continues to actively work as a consultant in criminal and civil investigations. Dr. Gladyshev serves on the INTERPOL steering committee on IT Crime.

Kristinn Gudjonsson (Security Engineer, Google): Plaso: Exploration of the Inner Workings of the Framework

Kristinn Gudjonsson is a senior security engineer at Google, focused on forensics, incident response, tool development, and whatever gets thrown his way. Prior to joining Google, he worked as a technical security manager at ArionBanki and, before then, as a security/incident response/forensics consultant at Skyggnir. Kristinn holds an M.Sc. degree in computer engineering from INT (Institut National des Telecommunications) in Paris as well as a B.Sc. degree in electrical and computer engineering from the University of Iceland. Kristinn also holds several certifications, including GCIA, GCIH and GCFA Gold. Kristinn is the creator of the tool log2timeline, and is now one of the core developers of the new backend engine of log2timeline, called Plaso.

Tyler Hudak (Sr. Security Consultant, KoreLogic Security): MASTIFF: Automated Static Analysis Framework

Tyler Hudak is a Senior Security Consultant for KoreLogic Security and has extensive real-world experience in malware analysis and incident handling for Fortune 500 firms. Tyler is a member of the Forum of Incident Response and Security Teams (FIRST) and leads the FIRST Malware Analysis Special Interest Group. He has presented at several conferences, participates on the board of the NorthEast Ohio Information Security Forum, and maintains a blog at http://secshoggoth.blogspot.com.

Doug Koster (Senior Computer Forensic Examiner, ManTech): Computer Forensic Triage Using Manta Ray

Doug Koster is a forensic examiner and python programmer working for ManTech, CFIA. Doug has 13 years of experience performing dead-box forensics for various government customers. Doug holds an MS in Computer & Information Systems and an MBA, as well as the following certifications: EnCE, GCFA, GCFE, A+ & PMP.

Stuart Maclean (Software Engineer, University of Washington): A Tool for Answering the Question: What Changed on Disk?; An API for API Hookers: Taking a Closer Look at Malware

Stuart Maclean is a software engineer at the University of Washington, Seattle, USA. He has been developing software, mostly in Java and C, for use in cybersecurity for about 2 years. His interests include disk forensics, emulators, malware analysis sandboxes, and most other things to answer the question, "What does this program do?" Stuart holds a Ph.D. in Computer Science from the University of Southampton, England.

Jon Stewart (Founder, Lightbox Technologies): Bulk_Extract Like a Boss

Jon Stewart is a software developer and founder of Lightbox Technologies. Jon is one of the creators of Lightgrep, a new regular expression search engine for forensics. He was previously employed as director of software development for Guidance Software, Inc. At Guidance, he helped design, develop, and evangelize the EnScript programming language embedded in the company’s EnCase software. He also created Guidance’s eDiscovery Suite, a distributed application for searching and collecting documents from systems over a network. Jon lives in Washington, DC.

The Volatility Development Team: The State of Volatility: Open Source Memory Forensics

The authors of this presentation are the core developers of The Volatility Framework. They are also analysts who have spent the past decade using memory analysis on a daily basis to augment digital investigations, malware analysis, and reverse engineering. This team actively maintains and supports Volatility software development and its thriving community. The team also offers the authoritative training in memory and malware analysis for numerous commercial and government organizations around the world. The authors have presented at a variety of industry conferences that include RSA, Blackhat, Defcon, DoD Cyber Crime Conference, DFRWS, American Academy of Forensics Sciences, and Europol’s High Tech Crime Expert Meeting.

Optional Tutorials

Computer Forensic Triage using MantaRay (Doug Koster & Kevin Murphy)
8:30am–12:00pm (registration begins at 8:00 am)
Complimentary networking lunch from 12:00pm–1:00pm

MantaRay is a suite of python scripts that automate a number of popular open source tools (Log2timeline, Volatility, ExifTool, RegRipper, Bulk_Extractor). MantaRay will contain additional functionality, including: a script to extract all registry hives from a disk image (overt, deleted, unallocated, shadow volumes), then extract useful information from all hives and present this information to users in a single report; and a triage script that extracts useful information from .plist files and presents that information to the user in a triage report.

MantaRay will be integrated into the upcoming SIFT 3.0 release, thus making it easily accessible to any examiners that download the SIFT (http://computer-forensics.sans.org/community/downloads). The goal of this workshop is to demonstrate how the tool works as well as walking the users through how to interpret the tool’s output. Figuring out what to do with the data extracted by MantaRay is where the true value of the tool becomes apparent, especially when all of the data is viewed in aggregate. Please see www.mantarayforensics.com for more information on the tool, or to download a copy.

What to Bring

Students should bring a laptop with either VMware workstation or VMware player so they can boot the VM and follow along with the instructors.

To access all of the Downloads for the MantaRay tutorial, visit mantarayforensics.com/osdfcon/ and download all of the listed items. Please note that you will need to register for a new user account first.

Price: $125
Introduction to Plaso Development (Elizabeth Schweinsberg, Kristinn Gudjonsson, & Joachim Metz)
8:30 am–12:00 pm (registration begins at 8:00 am)
Complimentary networking lunch from 12:00pm–1:00pm

This workshop begins with an overview of the tools, architecture, and relevant APIs for plugin and parser development. Then we will review how to develop a new parser or plugin for plaso with a codelab. We will also discuss how some of the existing parsers were developed end-to-end.

What to Bring

  • Laptop with Python 2.7
  • Build Plaso: http://plaso.kiddaland.net/developer/building-the-tool. It takes about an hour, since there are several libraries to download and build. If you are having trouble with the build, contact the developer list and include the error. There will be limited time to assist with the build on site; therefore it is strongly recommended that all registrants complete the build before this session begins.
Price: $125
Plaso Hack-a-thon (Elizabeth Schweinsberg, Kristinn Gudjonsson, & Joachim Metz)
1:00 pm–4:30 pm (registration begins at 12:00 pm)
Complimentary networking lunch from 12:00pm–1:00pm

This workshop for core plaso developers will focus on getting parser, plugin(s) or output module(s) started. Plaso developers/instructors will be available to guide development, answer style guide questions, and conduct code reviews while you wait.

Prerequisite: Please bring a parser, plugin or output idea with you. If you intend to develop a parser, please bring a sanitized sample file that can be used to test the parser. If you intend to write a registry plugin, bring a registry hive that contains the key the plugin will parse. If you intend to write an output module, it is advised to know the structure of the output prior to the start of this workshop.

What to Bring

  • Laptop with Python 2.7
  • Build Plaso: http://plaso.kiddaland.net/developer/building-the-tool. It takes about an hour, since there are several libraries to download and build. If you are having trouble with the build, contact the developer list and include the error. There will be limited time to assist with the build on site; therefore it is strongly recommended that all registrants complete the build before this session begins.
Price: $125
Practical Incident Response with GRR (Darren Bilby)
1:00pm–4:30pm (registration begins at 12:00 pm)
Complimentary networking lunch from 12:00pm–1:00pm

This workshop will cover installation, client deployment, management and the basics of extending the GRR framework (code.google.com/p/grr). GRR is an open source, scalable, cross platform response tool for handling small or massive scale incidents in real time. The system is built on top of other major open source projects such as The Sleuth Kit, Volatility, Plaso and AFF4, and combines these tools into a scalable automation framework that can be used for live forensics.

This workshop will cover the GRR architecture, deploying and customizing GRR clients, automated data collection, hunting, remote memory analysis with volatility, using the console, and the basics of writing custom flows to automate tasks.

What to Bring

A laptop computer with:

  • Required: A 64 bit Ubuntu 12.04 or later install with at least 1GB of RAM to run the GRR server on. This can be a VM (e.g. vmware, virtualbox).
  • Required: A Windows client machine (XP SP2 or later preferably) that can connect to your server instance, a VM is fine.
  • Required: A working install of GRR server, as per https://code.google.com/p/grr/wiki/GettingStarted. Please contact grr-users@googlegroups.com for assistance.

Note: Amazon EC2 is what we often use for our testing, so it may be easy to use this in class in place of local VMs, but it does mean relying on the hotel wifi.

Questions for the instructor may be emailed to: darrenbilby@gmail.com

Price: $125

Cancellation Policy

Refunds for tutorial cancellations are not permitted after October 18, 2013. Refunds for conference cancellations are not permitted after October 25, 2013. All cancellations must be received in writing via email: conference@basistech.com

Contest

Autopsy Platform Module Development Contest


For the first time, Basis Technology organized an Autopsy Module Writing Contest. Developers could write add-on modules to Autopsy and submit them before the conference. Attendees of the conference voted and cash prizes were awarded.

First Prize

Willi Ballenthin won first prize ($1,500) with his registry analysis modules that allow you to navigate registry hives from within Autopsy. He actually made two modules that can be used independently.

Minimum version of Autopsy required: 3.0.7

License of source code: Apache 2

Second Prize

Petter Bjelland won 2nd prize ($500) with his fuzzy hash module that uses sdhash to find files that are similar to other files. Petter donated his prize to the Red Cross to benefit victims of Typhoon Haiyan in the Philippines.

Minimum version of Autopsy required: 3.0.7

License: Apache 2.0

Because he could not attend OSDFCon, he submitted a video of his module instead.

Basis Technology will be doing the contest again next year, so start writing! Refer to the Developer's Guide for details. See below for the rules from this year's contest as a guide for what to develop and the Autopsy Github page for some module ideas.

Guidelines

Based on the Volatility Framework 2013 Plugin Contest

  1. The goal of this contest is to create innovative, interesting, and useful modules with Autopsy; there is no requirement to use only Java to develop your module.
  2. Modules must provide value in a forensics use case.
  3. Modules must work with Autopsy 3.0.5+
  4. The top 3 winners of the contest will receive the prizes referenced above.
  5. The module must be released as open source software by the submission deadline under one of the licenses approved by the Open Source Initiative.
  6. By submitting an entry, you declare that you have the right to license and submit the module.
  7. The contest organizers will test the module before the conference to verify that it operates as stated.
  8. You must either give a 5 minute presentation and demo at the 4th Annual Open Source Digital Forensics Conference or submit a 5 minute video. If you cannot attend the conference, the video must be submitted by October 28, 2013.
  9. In order to collect the cash prizes, winners need to provide a legal picture identification and bank account information within 30 days of notification. Bank payment transfer will be made within two weeks after winners are authenticated.
  10. Group entries are allowed; prizes will be paid to the person designated by the group.
  11. Employees of Basis Technology are not eligible.

Sponsors


OSDF IS PART OF BASIS TECH WEEK
