2012 Conference Abstracts


Sleuthing Beyond the ‘Kit: The Best Of The Rest (slides)

Cory Altheide

In 2010, I presented an overview of the variety of tools available that empower a savvy examiner to perform an end-to-end examination using exclusively open source tools. A lot can change in two years, so it’s time for an update. Beside exploiting file system artifacts, I’ll focus on the best tools and methodologies for extracting valuable artifacts left behind by browsers, local applications, mobile devices, cloud services, and more.


Autopsy 3.0 (slides)

Brian Carrier

Autopsy 3.0 is a complete rewrite from Autopsy 2.0, and this talk will cover all of the things that are new about it. Multi-threaded ingest, triage, embedded databases, web artifact analysis, and indexed keyword search are just some of the new and exciting features. This talk is targeted towards both users and developers. Users will learn about the tool, and how they can use it. Developers will learn the basics of where they can incorporate their tools into the Autopsy workflow as modules.


Automated Forensics with the Sleuth Kit Framework (slides)

Eamonn Saunders

The Sleuth Kit Framework has been released, and this talk will cover how it affects you. The framework makes it easier to develop end-to-end digital forensics solutions. There are several core modules that have been released with the framework and more are on the way. Examples of current modules include: carving, hash calculation and lookup, regripper, entropy calculation, and flagging files based on name and extension.

Users will learn what the framework will provide in the future, and what they can do with it today. You’ll learn about the current modules and the tsk_analyzeimg tool that allows you to use them. Developers will learn how they can incorporate their analysis techniques into the framework to reach a broader audience. By using the framework, you don’t need to worry about how you get access to disk image contents. All you need to focus on is how to analyze file contents.


GRR Rapid Response (slides)

Darren Bilby

This presentation will introduce the GRR Rapid Response incident response framework. The project aims to produce an open source, scalable, cross platform response tool for handling small or massive scale incidents in real time. The system is built on top of other major open source projects such as The Sleuth Kit, Volatility, log2timeline and AFF4, and combines these tools into a scalable automation framework that can be used for live or offline forensics.

This presentation will demonstrate the current state of the project, including live memory analysis, enterprise wide hunting, rootkit detection and timelining running across OSX, Linux and Windows client platforms.


YAFFS2 Support for The Sleuth Kit (slides)

Andrew Hoog via Forensics

YAFFS2 is an important file system for embedded systems, and in particular mobile phones. YAFFS2 support in community oriented forensic tools has been lacking and we have incorporated YAFFS2 support directly into The Sleuth Kit.

This presentation will detail our work to bring YAFFS2 support into The Sleuth Kit, explaining both YAFFS2 as an important file system and even more so in mobile forensics. We’ll explain some of our own tools, detail how we took lessons learned and then incorporated them into The Sleuth Kit, with example code and design discussion. Finally we’ll give examples of using The Sleuth Kit on YAFFS2 file systems, obtained from real devices and how the community can leverage these examples.


Forensic Scanner (slides)

Harlan Carvey

This presentation discusses the development and demonstration of the use of a plugin-based forensic scanner for quickly and efficiently scanning acquired images for known issues and “low hanging fruit.” The purpose of such a tool is to increase the retention of “corporate knowledge,” to act as a force multiplier, and to free an analyst to perform deep analysis.


Cross-Drive Analysis with Bulk_Extractor and CDA Tool (slides)

Simson Garfinkel

Increasingly computer forensic investigations involve multiple pieces of media. There are phones, laptops, desktops, camera cards, information found on network servers, and even network packet traces. Traditional methods of analyzing each device in isolation fail, as does the the approach of joining all of the data into a single analysis set.

Cross-drive analysis (CDA) is a forensic technique that correlates information found on multiple digital devices (hard drives, camera cards, cell phones, etc.). Unlike existing approaches for analyzing multiple devices, CDA takes into account the number of devices on which identifiers are found, so that an email address that appears on three or four drives is more important than an email address that appears on just one or two. CDA can also be applied to a large corpus of drives, so that email addresses can automatically be pruned out if they appear in the “background.”

This talk presents the theory of cross-drive analysis, and presents three open source tools for performing cross drive analysis and visualizing the results. Examples will be drawn from both constructed and real data.


Advanced Registry Forensics with Registry Decoder (slides)

Dr. Lodovico Marziale

It is well known in the digital forensics community that the Microsoft Windows registry contains a wealth of forensically interesting information including a history of attached devices, a list of user accounts, visited URLs, and much more. Analysis of these artifacts is essential in many types of investigations, such as data exfiltration and computer intrusion. And, while basic techniques for analysis of single hive files are common knowledge, more advanced techniques are less well known. This session will focus on registry analysis including such advanced techniques as multi-machine correlation, incorporating registry backups into investigations, and using the registry for malware analysis. These techniques will be demonstrated using open source Registry Decoder tool for registry analysis.

The following topics will be covered:

  • Registry basics (briefly, should be prerequisite knowledge)
  • Registry Decoder usage demo
  • Integrating registry backups into an investigation
  • Correlating activity across machines using the registry
  • Using the registry for malware analysis
  • Spotting high-level events in registry timelines
  • Plug-in writing using the Registry Decoder API

Using and Developing with Open Source Forensics Software in Digital Archives Programs (slides)

Mark A. Matienzo

This presentation is a case study on the use of open source digital forensics software, including The Sleuth Kit, fiwalk, and bulk_extractor, in the context of digital archives programs at the Yale University Library (YUL). The YUL Manuscripts and Archives department and the Beinecke Rare Book and Manuscript Library have been collaborating semi-formally on developing shared infrastructure and workflows to support the accessioning, processing, and management of born-digital material, including legacy material received on physical media. In addition to describing how YUL has used these existing tools, we will also present the ways in which we have leveraged the ease of development on top of these open source applications, frameworks, and libraries. These tools include Gumshoe, a presentation interface for  filename- and metadata-layer data based on Ruby on Rails and Solr.


Analyzing Volume Shadow Snapshots (VSS) without Using Windows (slides)

Joachim Metz

Had enough of going through a lot of effort just to access the Volume Shadow Snapshots (VSS) directly from an image? The aim of the libvshadow project is to provide access to the VSS format directly from a RAW image. This presentation will cover a high level overview of the VSS format and discuss various consequences for forensic analysis. It will also discuss how the vshadowtools can be applied in forensic analysis.


In RAM We Trust: A Modern Approach to Forensic Processing (slides)

Vassil Roussev

The growth in forensic data volume is now an omnipresent concern. We are seeing some early development efforts that try to put together distributed systems to potentially deal with the onslaught of data, and developers are starting to realize that problems in the area of forensics bear close resemblance to the problems faced by big data companies. Thus, we could benefit significantly from utilizing open source solutions developed for these problems.

Unfortunately, current efforts exhibit a code-first-analyze-later approach, which misdiagnoses the technical problems faced in forensics and, therefore, the prescribed solutions are bound to disappoint either in terms of performance, or cost (or both). In this talk we present three main points:

1) Brief analysis of the technical challenges of digital forensic processing: We will show how they map to the different classes of scalable data processing solutions currently available. Our analysis points to the fact that forensics has a big data problem, but not a huge data problem. This distinction is critical in that it points to more efficient solutions that are based on in-memory data processing as opposed to the currently ubiquitous disk-centric approaches. One important result of this analysis is that blindly adopting open cloud and search technologies, such as Hadoop and Solr, and deploying them on a large number of VM instances is a very ineffective approach to scaling for our purposes.

2) Initial results of our infrastructure prototype: We will use our prototype to compare the use of in-RAM solutions for several key forensic problems to conventional approaches. We will also quantify the costs and benefits of each approach and show the inefficiency of the latter.

3) (time permitting) A brief demonstration of our work as deployed in our data center environment.


GUCS – File Similarity Digests Based on Text Content (slides)

Clay Shields

The Georgetown University Content Similarity (GUCS) tool works with text extracted from files or from file fragments to create portable similarity digests, which can be used for approximate file matching. Because GUCS works on text, it bypasses problems in recognizing files that have the same text but different formats, which may arise when comparing Word documents to PDF files. GUCS is based on known information-retreival techniques exported to a forensics setting. This talk will cover the basic IR techniques behind GUCS and will demonstrate the operation of the command-line tools that it provides.


RubyTSK: Ruby bindings for The Sleuth Kit (slides)

Matthew Stephens

This session will discuss Ruby extension providing bindings to the Sleuth Kit library. The presentation will walk through code samples, discuss the packaging of the library as a ruby gem and outline the road map for further development. Matthew Stephens is the author of the library in question and will be giving a talk geared towards developers, particularly those interested in further developing a Ruby API for The Sleuth Kit.


The Sleuth Kit & Apache Hadoop (slides)

Jon Stewart

We hear a lot in the news about the “Cloud” and “Big Data,” but it is hard not to be skeptical when most of our applications are still desktop-centric, single-threaded, and unreliable when confronted with large evidence sets. This talk discusses the Sleuth Kit Hadoop project, an effort to leapfrog conventional forensics software with highly scalable open source technology. After a brief overview of how Hadoop works, the architecture and feature set of the Sleuth Kit Hadoop project will be presented, followed by a demonstration, and instructions on how to install it on your own systems.