2015 Workshops


Plaso Parser Workshop

Instructor: Daniel White
Date/Time: October 27, 2015 (1:00 p.m. – 4:00 p.m.)

During this workshop, you’ll learn how to create robust parsers and plugins for the Plaso forensic tool. Next time you come across an obscure log file or ambiguous Registry key in the course of an investigation, you’ll have the ability to package up your knowledge into a piece of reusable code that you can share across your team and the wider DFIR community.

In this class, you’ll learn how to write both a file parser and a sub-format plugin, which together equip you to handle any forensic artifacts you come across.

What to Bring:

  • A laptop computer
  • The Plaso development version with all dependencies installed; see the Developers Guide for instructions. (Hint: installing the dependencies on Ubuntu is really easy – consider creating a virtual machine)
  • Your “can-do” spirit and love for Python (we’ll settle for “tolerance”)
  • (optional) An idea and some sample data for a simple parser/plugin for a file, registry key or plist that you think will be valuable. We’ll provide some synthetic data to get you started, but if you complete that quickly, the idea is to go and create a new parser or plugin and if you’re the first one to submit some code you’ll earn a fabulous prize!

Python Scripting in Autopsy

Instructor: Basis Technology
Date/Time: October 27, 2015 (1:00 p.m. – 4:00 p.m.)

Autopsy 3 is an open source digital forensics platform that now has support for Python modules. If you want to quickly write some fancy digital forensics analytics, then an Autopsy Python module is the perfect place for it. Autopsy allows you to support file system, carved, or logical files without you needing to worry about where they came from. Autopsy makes it easy for your results to be shown in the UI without you needing to write any UI code (you just post name and value pairs to the database). If you just want to focus on data analysis and not where your data is coming from, UIs, or reports, then Autopsy is what you want. Plus, each release has 20,000+ downloads, so you get greater reach with your modules.

The first part of the workshop will be an overview of writing Autopsy modules. We’ll start with the sample modules and edit as needed. The second part will be hack-a-thon style and you get to write whatever module you want and we’ll answer questions that you have along the way. We’ll have a prize for the best module.

What to Bring:

  • A laptop with Windows 7
  • Download Autopsy in advance from: http://sleuthkit.org/autopsy/
  • A 64-bit platform is preferred
  • 3 GHz processor
  • We will have two images, some hash sets, etc., so you will need to have 20 GB of free disk space
  • More memory is always better. We recommend 8 GB RAM or more