2013 Tutorials


Computer Forensic Triage using MantaRay

Doug Koster & Kevin Murphy

8:30am–12:00pm (registration begins at 8:00 am)

Complimentary networking lunch from 12:00pm–1:00pm

MantaRay is a suite of Python scripts that automates a number of popular open source tools (Log2timeline, Volatility, ExifTool, RegRipper, Bulk_Extractor). MantaRay will contain additional functionality, including a script that extracts all registry hives from a disk image (overt, deleted, unallocated, and volume shadow copies), pulls useful information from every hive, and presents it to the user in a single report, as well as a triage script that extracts useful information from .plist files and presents that information to the user in a triage report.

MantaRay will be integrated into the upcoming SIFT 3.0 release, making it easily accessible to any examiner who downloads the SIFT (http://computer-forensics.sans.org/community/downloads). The goal of this workshop is to demonstrate how the tool works and to walk users through interpreting the tool's output. Figuring out what to do with the data extracted by MantaRay is where the true value of the tool becomes apparent, especially when all of the data is viewed in aggregate. Please see www.mantarayforensics.com for more information on the tool, or to download a copy.

What to Bring

Students should bring a laptop with either VMware workstation or VMware player so they can boot the VM and follow along with the instructors.

To access all of the downloads for the MantaRay tutorial, visit mantarayforensics.com/osdfcon/ and download all of the listed items. Please note that you will need to register for a new user account first.

$125

Introduction to Plaso Development

Elizabeth Schweinsberg, Kristinn Gudjonsson, & Joachim Metz

8:30 am–12:00 pm (registration begins at 8:00 am)

Complimentary networking lunch from 12:00pm–1:00pm

This workshop begins with an overview of the tools, architecture, and relevant APIs for plugin and parser development. Then we will review how to develop a new parser or plugin for plaso with a codelab. We will also discuss how some of the existing parsers were developed end-to-end.

What to Bring

  • Laptop with Python 2.7
  • Build Plaso:  http://plaso.kiddaland.net/developer/building-the-tool. It takes about an hour, since there are several libraries to download and build. If you are having trouble with the build, contact the developer list and include the error. There will be limited time to assist with the build on site; therefore it is strongly recommended that all registrants complete the build before this session begins.

$125

Plaso Hack-a-thon

Elizabeth Schweinsberg, Kristinn Gudjonsson, & Joachim Metz

1:00 pm–4:30 pm (registration begins at 12:00 pm)

Complimentary networking lunch from 12:00pm–1:00pm

This workshop for core plaso developers will focus on getting a parser, plugin, or output module started. Plaso developers/instructors will be available to guide development, answer style guide questions, and conduct code reviews while you wait.

Prerequisite: Please bring a parser, plugin, or output module idea with you. If you intend to develop a parser, please bring a sanitized sample file that can be used to test the parser. If you intend to write a registry plugin, bring a registry hive that contains the key your plugin will parse. If you intend to write an output module, it is advised to know the structure of the output prior to the start of this workshop.

What to Bring

  • Laptop with Python 2.7
  • Build Plaso: http://plaso.kiddaland.net/developer/building-the-tool. It takes about an hour, since there are several libraries to download and build. If you are having trouble with the build, contact the developer list and include the error. There will be limited time to assist with the build on site; therefore it is strongly recommended that all registrants complete the build before this session begins.

$125

Practical Incident Response with GRR

Darren Bilby

1:00pm–4:30pm (registration begins at 12:00 pm)

Complimentary networking lunch from 12:00pm–1:00pm

This workshop will cover installation, client deployment, management, and the basics of extending the GRR framework (code.google.com/p/grr). GRR is an open source, scalable, cross-platform response tool for handling small or massive scale incidents in real time. The system is built on top of other major open source projects such as The Sleuth Kit, Volatility, Plaso, and AFF4, and combines these tools into a scalable automation framework that can be used for live forensics.

This workshop will cover the GRR architecture, deploying and customizing GRR clients, automated data collection, hunting, remote memory analysis with Volatility, using the console, and the basics of writing custom flows to automate tasks.

What to Bring

A laptop computer with:

  • Required: A 64-bit Ubuntu 12.04 or later install with at least 1GB of RAM to run the GRR server on. This can be a VM (e.g. VMware, VirtualBox).
  • Required: A Windows client machine (preferably XP SP2 or later) that can connect to your server instance; a VM is fine.
  • Required: A working install of GRR server, as per https://code.google.com/p/grr/wiki/GettingStarted. Please contact grr-users@googlegroups.com for assistance.

Note: Amazon EC2 is what we often use for our testing, so it may be easy to use it in class in place of local VMs, but that does mean relying on the hotel Wi-Fi.

Questions for the instructor may be emailed to:

darrenbilby@gmail.com

$125

Cancellation Policy

Refunds for tutorial cancellations are not permitted after October 18, 2013. Refunds for conference cancellations are not permitted after October 25, 2013. All cancellations must be received in writing via email:

conference@basistech.com