October 2, 2012
- Automating Forensic Pre-Processing Using Open Source Tools (SIFT & Python)
- Using Autopsy 3.0
- Digital Memory Forensics Workshop
- Cancellation Policy
Tutorial: Automating Forensic Pre-Processing Using Open Source Tools (SIFT & Python)
Schedule: 8:30am-12:00pm, with two 15-minute breaks (registration begins at 8:00 am; lunch provided at 12:00 pm)
This workshop introduces a new Linux-based VM named TAPEWORM (TASC Pre-Processing Exploitation & Workflow Management System). The VM presents a GUI that lets the user select one or more pre-processing steps, which are then run sequentially with no further user interaction. TAPEWORM can process disk images or individual folders. The open source tools and processes that TAPEWORM automates are: Supertimeline Creation, Bulk_Extractor, RegRipper, ExifTool, Foremost, KML creation from EXIF data containing GPS coordinates, and Volatility. TAPEWORM identifies the partitions on a disk image and runs each selected tool against every partition. The workshop will demonstrate how to run TAPEWORM and how to interpret the output of the open source tools it calls.
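As an added illustration of the partition-identification step (example code written for this page, not TAPEWORM's own code), the following Python parses a raw disk image's MBR, follows an extended-partition EBR chain to find logical volumes, flags a protective MBR (a GPT disk, which needs a GPT parser instead), and returns the sector offsets that per-partition tools such as The Sleuth Kit's -o option expect. The disk image, partition layout and tool names are constructed for the example.

```python
"""Partition discovery on a raw disk image, the step performed before
running pre-processing tools per partition.  Added example, not TAPEWORM
code.  The 64-sector disk image built below is constructed in memory."""
import struct

SECTOR = 512
EXTENDED = {0x05, 0x0F}        # DOS / Win95 extended partition types
PROTECTIVE_GPT = 0xEE          # protective MBR: the real table is a GPT


def partition_entries(sector):
    """Yield (type, lba_start, sector_count) for the four 16-byte entries
    at offset 446 of an MBR or EBR sector, after checking the 0x55AA signature."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    for i in range(4):
        _status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + i * 16)
        if ptype != 0 and count != 0:
            yield ptype, lba, count


def walk_ebr_chain(img, ext_start, limit=128):
    """Logical partitions: entry 1 of each EBR is relative to that EBR, entry 2
    (the next EBR) is relative to the start of the whole extended partition.
    'seen' and 'limit' stop a looping or absurdly long chain."""
    out, ebr, seen = [], ext_start, set()
    while ebr not in seen and len(out) < limit:
        seen.add(ebr)
        ents = list(partition_entries(img[ebr * SECTOR:(ebr + 1) * SECTOR]))
        if not ents:
            break
        ptype, lba, count = ents[0]
        out.append((ptype, ebr + lba, count))
        nxt = [e for e in ents[1:] if e[0] in EXTENDED]
        if not nxt:
            break
        ebr = ext_start + nxt[0][1]
    return out


def find_partitions(img):
    """Return [(type, start_sector, sector_count)] for primary and logical volumes."""
    found = []
    for ptype, lba, count in partition_entries(img[:SECTOR]):
        if ptype == PROTECTIVE_GPT:
            raise ValueError("protective MBR: this is a GPT disk, parse the GPT instead")
        if ptype in EXTENDED:
            found.extend(walk_ebr_chain(img, lba))
        else:
            found.append((ptype, lba, count))
    return found


def plan_jobs(tools, partitions):
    """Sequential work list: every selected tool against every partition,
    carrying the sector offset each tool needs (tool names are placeholders)."""
    return [(tool, i, start) for tool in tools for i, (_, start, _) in enumerate(partitions, 1)]


def mbr_table(entries):
    """Build one MBR/EBR sector from (type, lba, count) tuples (test helper)."""
    sec = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sec, 446 + i * 16, 0x00, ptype, lba, count)
    sec[510:512] = b"\x55\xaa"
    return sec


def build_sample_image():
    """Constructed 64-sector image: an NTFS primary partition, then an
    extended partition holding two logical volumes linked through two EBRs."""
    img = bytearray(64 * SECTOR)
    img[0:SECTOR] = mbr_table([(0x07, 2, 20), (0x05, 22, 40)])
    img[22 * SECTOR:23 * SECTOR] = mbr_table([(0x83, 1, 10), (0x05, 12, 28)])  # EBR #1 at sector 22
    img[34 * SECTOR:35 * SECTOR] = mbr_table([(0x0B, 1, 20)])                  # EBR #2 at sector 34
    return bytes(img)


if __name__ == "__main__":
    parts = find_partitions(build_sample_image())
    for ptype, start, count in parts:
        print(f"type 0x{ptype:02x} start sector {start} (byte offset {start * SECTOR}) {count} sectors")
    for job in plan_jobs(["bulk_extractor", "foremost"], parts):
        print(job)
```

The sample image yields three volumes (sectors 2, 23 and 35); note that the logical volumes' absolute offsets come from adding the EBR position, which is the detail most hand-rolled partition scripts get wrong.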
What to Bring
This workshop will include the TAPEWORM VM, as well as test images and pre-processed output data, delivered either on a thumb drive or DVD. Participants must bring their own laptop and must install VMware (either Workstation or Player) prior to the workshop.
Tutorial: Using Autopsy 3.0
Schedule: 1:00 pm – 4:30 pm, with two 15-minute breaks (registration begins at 11:30 am; lunch provided at 12:00 pm)
In this tutorial, you will learn how to use Autopsy 3.0. Autopsy is a graphical interface to The Sleuth Kit and other open source tools. Version 3 is a complete rewrite of version 2, designed to be easier to use and to give the investigator fast results. The tutorial will guide the audience through creating cases, adding images, and analyzing the data, and will show how to configure the application and generate reports. Sample images will be provided. Students must bring their own Windows laptops.
What to Bring
Please bring a Windows laptop with 10GB of free space.
Tutorial: Digital Memory Forensics Workshop
Schedule: 1:00 pm – 4:30 pm, with two 15-minute breaks (registration begins at 11:30 am; lunch provided at 12:00 pm)
In the past few years Volatility has taken pride of place as the foremost tool for memory analysis of Windows systems. Although Volatility is a powerful analysis platform, the currently released version supports only some Windows platforms (64-bit support should be released by the time the tutorial takes place).
To fully harness the power of Volatility, it is often necessary to develop plugins to implement new analysis ideas or to add support for other operating systems. In particular, we will discuss a new project to enhance Volatility by refining the APIs, adding a new and enhanced user interface, and adding support for multiple operating systems (Linux, Mac OS X). This workshop will focus on developing external programs that use Volatility, as well as simply using the code for analysis.
We will cover the following topics:
1) Memory Acquisition
- Volatility contains a full imaging solution for both Windows and Linux systems (we should also have OS X support soon). In addition to obtaining a fixed memory image, there is support for the analysis of live systems.
- We describe how to image and analyze live Linux systems.
- We describe how to image and analyze live Windows systems (32-bit and 64-bit).
2) Basic Memory Analysis Concepts
- What is a profile? How do we get one? Before Volatility can analyze any system, we need to generate a profile for it. In this part of the tutorial we discuss how to obtain a profile for a Linux system or a new kind of Windows system (possibly a version not supported yet by Volatility).
- What is an address space? We discuss virtual page translation. This is a fundamental concept of memory analysis and is required to understand what the results mean. For example, we discuss questions such as:
- I discovered a string of interest in memory – which process owns it?
- I found a page which claims it is invalid – yet Volatility is able to use it. What does it mean for a page to be “In Transition”?
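The two questions above can be worked through concretely. The following Python (an added example for this page, not tutorial or Volatility code) implements a 32-bit non-PAE page-table walk over a constructed physical memory image, applies the rule Volatility uses to treat a Windows "transition" PTE as usable even though its Present bit is clear, and answers "which process owns this string?" by searching every process's page tables for the physical frame that holds it. The memory layout, the process names and their DTB (CR3) values are constructed for the example.

```python
"""32-bit (non-PAE) virtual-to-physical translation, in the style of
Volatility's Intel address space, over a constructed physical memory image.
Added example, not tutorial material; the layout, process names and DTB
values are constructed."""
import struct

PAGE = 0x1000
PRESENT = 1 << 0
LARGE_PAGE = 1 << 7      # PDE maps a 4 MiB page directly, no page table
PROTOTYPE = 1 << 10      # Windows software bit in a non-present PTE
TRANSITION = 1 << 11     # Windows software bit in a non-present PTE


def entry_present(entry):
    """Volatility's rule: hardware-present entries are usable, and so is a
    non-present 'transition' PTE (frame still in RAM on a standby/modified
    list) unless it is a prototype PTE, which points elsewhere."""
    if entry & PRESENT:
        return True
    return bool(entry & TRANSITION) and not (entry & PROTOTYPE)


def read_u32(mem, paddr):
    """Read a little-endian dword, or None if the frame is not in the image."""
    if paddr < 0 or paddr + 4 > len(mem):
        return None
    return struct.unpack_from("<I", mem, paddr)[0]


def vtop(mem, dtb, vaddr):
    """Resolve vaddr under the page tables rooted at dtb (the CR3 value).
    Returns a physical address, or None when the page cannot be resolved."""
    pde = read_u32(mem, dtb + ((vaddr >> 22) & 0x3FF) * 4)
    if pde is None or not entry_present(pde):
        return None
    if pde & LARGE_PAGE:
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = read_u32(mem, (pde & 0xFFFFF000) + ((vaddr >> 12) & 0x3FF) * 4)
    if pte is None or not entry_present(pte):
        return None
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)


def owners_of(mem, processes, paddr):
    """Reverse lookup: every (process, vaddr) whose tables map the physical
    page containing paddr.  Exhaustive walk, so transition-mapped pages that
    a 'Present bit only' scan would skip are found too."""
    frame, hits = paddr & 0xFFFFF000, []
    for name, dtb in processes:
        for pdi in range(1024):
            pde = read_u32(mem, dtb + pdi * 4)
            if pde is None or not entry_present(pde):
                continue
            if pde & LARGE_PAGE:
                if (pde & 0xFFC00000) == (frame & 0xFFC00000):
                    hits.append((name, (pdi << 22) | (paddr & 0x3FFFFF)))
                continue
            for pti in range(1024):
                pte = read_u32(mem, (pde & 0xFFFFF000) + pti * 4)
                if pte is not None and entry_present(pte) and (pte & 0xFFFFF000) == frame:
                    hits.append((name, (pdi << 22) | (pti << 12) | (paddr & 0xFFF)))
    return hits


PROCESSES = [("alpha.exe", 0x0000), ("beta.exe", 0x2000)]   # (name, DTB), constructed


def build_sample_image():
    """Constructed 32 KiB image:
       0x0000 page directory of alpha.exe   0x1000 its page table for PDE 1
       0x2000 page directory of beta.exe    0x3000 its page table for PDE 1
       0x4000 data page holding the string  0x5000 page behind a prototype PTE"""
    mem = bytearray(8 * PAGE)
    struct.pack_into("<I", mem, 0x0000 + 1 * 4, 0x1000 | PRESENT)                 # alpha PDE[1]
    struct.pack_into("<I", mem, 0x1000 + 1 * 4, 0x4000 | PRESENT)                 # alpha VA 0x00401000, present
    struct.pack_into("<I", mem, 0x2000 + 1 * 4, 0x3000 | PRESENT)                 # beta PDE[1]
    struct.pack_into("<I", mem, 0x3000 + 2 * 4, 0x4000 | TRANSITION)              # beta VA 0x00402000, in transition
    struct.pack_into("<I", mem, 0x3000 + 3 * 4, 0x5000 | TRANSITION | PROTOTYPE)  # beta VA 0x00403000, prototype PTE
    mem[0x4010:0x4010 + 13] = b"secret-token!"                                    # constructed string of interest
    return bytes(mem)


def find_string_owners(mem, needle):
    """Locate needle in physical memory, then ask whose page tables map it."""
    off = mem.find(needle)
    if off < 0:
        return None, []
    return off, owners_of(mem, PROCESSES, off)


if __name__ == "__main__":
    mem = build_sample_image()
    print(hex(vtop(mem, 0x0000, 0x00401010)))   # alpha, present page    -> 0x4010
    print(hex(vtop(mem, 0x2000, 0x00402010)))   # beta, transition page  -> 0x4010
    print(vtop(mem, 0x2000, 0x00403000))        # beta, prototype PTE    -> None
    print(find_string_owners(mem, b"secret-token!"))
```

The same physical page is reported for both processes, one through an ordinary present PTE and one through a transition PTE; a walker that only honours the hardware Present bit would attribute the string to alpha.exe alone.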
3) Memory Analysis Techniques:
We discuss some operating-system-specific techniques. By understanding how Volatility implements each one, and its pros and cons, we can see where the limitations of these techniques lie:
- Windows: Linked list following, VAD tree traversal, Pooltag scanning
- Linux: Linked list following, allocation strategies (slab allocator)
4) Volatility Framework: This will be an introduction to the major components of Volatility. We will be looking at the upcoming release candidate to see all the features that are available:
- Volatility code tour
- How to write short utility scripts
- How to write plugins adding exported functionality
- Generating C type information for applications, kernel structure or file formats. This is used to harness the Volatility binary parsing engine in implementing novel work.
For the remainder of the tutorial, images will be provided for attendees to experiment with on their laptops, or attendees can use the images they acquired in part 1 (Memory Acquisition). Prior to the tutorial we will make available some interesting images with malware infections, which we will use to demonstrate the techniques.
What to Bring
Attendees are encouraged to bring their own laptop computers and follow along with the instructor. Volatility is supported under all major operating systems, so attendees should have no problem using their laptops. For the imaging session, attendees may follow along if they have the required environment set up (for building and acquiring), either as a virtual machine or on their own systems:
- For Linux memory acquisition: We use the kernel headers to compile the module (these are usually shipped with the OS distribution).
- For Windows memory acquisition: To build, we require a copy of the Microsoft Driver Development Kit (DDK), which is freely available from Microsoft. For those who prefer them, we will provide pre-compiled binaries for Win32 and Win64.
Refunds for tutorial cancellations are not permitted after September 12, 2012. Refunds for conference cancellations are not permitted after September 20, 2012. All cancellations must be received in writing via email: firstname.lastname@example.org
*Agenda is subject to change.