2017 Workshops

Python Scripting in Autopsy

Oct 16 – 9:00am – 12:00pm

Richard Cordovano
Basis Technology

Autopsy 4 is an open source digital forensics platform that now has support for Python modules. If you want to quickly write some fancy digital forensics analytics, then an Autopsy Python module is the perfect place for it. Autopsy allows you to support file system, carved, or logical files without you needing to worry about where they came from. Autopsy makes it easy for your results to be shown in the UI without you needing to write any UI code (you just post name and value pairs to the database). If you just want to focus on data analysis and not where your data is coming from, UIs, or reports, then Autopsy is what you want. Plus, each release has 20,000+ downloads, so you get greater reach with your modules.

The first part of the workshop will be an overview of writing Autopsy modules. We’ll start with the sample modules and edit as needed. The second part will be hack-a-thon style and you get to write whatever module you want and we’ll answer questions that you have along the way. We’ll have a prize for the best module. The course assumes that you have basic Python knowledge.

What to Bring:

  • Windows laptop
  • Your favorite Python text editor installed
  • Download Autopsy in advance from: http://sleuthkit.org/autopsy/

How I Met Your Browser: Going incognito doesn’t hide your browsing from Ragamuffin

Oct 16 – 9:00am – 12:00pm

Alessandro Devito and Andrea Palazzo
TRUEL IT

Nowadays, the browser represents the gate between a human and their virtual world, making it one of the most challenging attack vectors and a source of invaluable evidence during a forensic analysis. Of course, we are able to analyze disk artifacts such as SQLite databases and cache data, but we lack appropriate tools that can perform a deeper analysis of the web browser state and user navigation.

This workshop will introduce Chrome Ragamuffin, a Volatility plugin designed to extract useful artifacts from the web browser address space. Starting from a memory dump, it enables the analyst to extract a great deal of useful information from a running Google Chrome instance, in order to get a detailed overview of the crucial events that took place within a browsing session (such as client-side attacks).

What to Bring:

  • Laptop with >= 4GB of RAM (8GB recommended)
  • Volatility 2.6 installed
  • VirtualBox installation
  • 40GB of disk space
  • USB 2.0/3.0

Advanced Autopsy Python Plugin Workshop, Beyond the Basics

Oct 16 – 1:00pm – 4:00pm

Mark McKinnon
Davenport University

Autopsy is a GUI based platform to perform forensic analysis on digital media/files. The platform was designed to allow plugins so that an examiner can extend Autopsy’s ability to perform more detailed analysis. This workshop will look at Autopsy Python Plugin development going beyond the basics.

The following topics will be covered:

  • GUI settings panel usage
  • External program execution
  • Custom artifact and attribute creation
  • Importing different file formats (SQLite, CSV, etc.)
  • Other topics

What to Bring:

  • Windows laptop
  • Your favorite Python text editor installed
  • Download Autopsy in advance from: http://sleuthkit.org/autopsy/

Advanced Memory Forensics Workshop

Oct 16 – 1:00pm – 4:00pm

Jamie Levy
Volatility Foundation

Memory forensics is a required skill for digital analysts these days; it is also needed in order to keep up with advanced attackers. In addition to attackers avoiding disk, thousands of nodes and BYOD are increasing the complexity of investigations. Gone are the days when an analyst could examine one machine at a time; results must be quick and precise. Oftentimes, if you are not proactive, you’ve already lost the war before you even knew it was raging.

This workshop demonstrates the importance of including volatile memory in your investigations by covering several attack methodologies that we’ve seen in the field. It also includes an overview of the most widely used memory forensics tool, Volatility, by one of its developers.

What to Bring:

Hardware:
Laptop with the following minimum specifications:

  • 2.0 GHz, multi-core CPU
  • 4 GB of RAM
  • 20 GB of disk space
  • USB 2.0/3.0 ports
  • Wireless Network Interface Card

Software:
Laptops must have access to a Windows installation, either as a virtual machine or on the laptop directly. VMware Workstation or VMware Player must be installed. VMware Player can be downloaded and used for free for the purposes of this course. A PDF reader is also required. If students wish to examine evidence from their own native laptop, they must have a decompression tool installed that can handle a wide variety of formats (tar, gzip, bzip, RAR, etc.). 7-Zip and WinRAR meet this criterion and are free.

A USB thumbdrive with evidence and tools will be provided.