Sponsored by
2013 Conference Abstracts
Forensics Visualizations With Open Source Tools (slides)
There is a deep belief among computer forensics practitioners that improved visualizations will make it easier to address the onslaught of data that we face daily. But creating a good visualization is hard work. Many visualizations require careful planning and tuning, and they do not readily generalize to other data sets, let alone other practitioners or organizations. A second problem faced by open source practitioners is deciding which visualization technology to use — there are so many to choose from, including static PDF files, static web pages, and interactive graphics. Then there is the purpose of the visualization, whether it is to help the investigator find new information or to explain a complicated case to a third party. This talk describes visualization choices, shows examples drawn from open source data sets, and discusses the visualization choices made in the development of scale-free one-page PDF visualizations for pcap files (tcpflow) and disk images (bulk_extractor).
The State of Volatility: Open Source Memory Forensics
The Volatility Development Team
Memory forensics continues to be one of the most exciting and innovative disciplines in the area of digital forensics. It is a powerful capability that has dramatically changed the way we perform digital investigations and provides a mechanism for addressing many of the challenges of digital investigators. The driving force behind this staggering pace of innovation has been an active open source community that brings together both researchers and practitioners around a common framework.
This presentation will begin by providing a brief introduction and overview of Volatility, the open source memory forensics framework. It will provide an overview of the current state of memory forensics analysis and discuss a number of significant contributions to the field within the last year. It will also discuss highlights from this year’s Open Memory Forensics Workshop (OMFW) and the Volatility Plugin Contest. Finally, this presentation will discuss the newly formed Volatility Foundation, a non-profit that has been established to protect the rights of the Volatility community and developers. This presentation also provides an opportunity for people to meet the Volatility development team and to learn about new opportunities to engage this exciting community.
Autopsy 3: Extensible Desktop Forensics (slides)
Autopsy 3 is an easy to use digital forensics tool. Its development started after discussions at the first OSDF conference, with the goal of being a platform for which other developers will write modules. Autopsy allows you to perform a digital forensics exam on Windows using a free tool. This talk will cover the basic features of Autopsy, including timeline analysis, registry analysis, web artifact analysis, keyword search, and hash sets. There will also be discussion about future modules, and how to get involved as a user or developer.
A Tool for Answering the Question: What Changed on Disk? (slides)
A program called VirtualMachineFS is described. It permits the comparison of virtual machine disk images. The program recognizes the machine snapshot feature of popular virtualization engines. This feature is used in malware analysis systems (such as Cuckoo Sandbox) to sanitize the filesystem of a virtual machine disk after each malware sample execution. Used in conjunction with disk forensics tools such as Sleuthkit, VirtualMachineFS can quickly and easily show the investigator exactly where virtual machine disk contents change as malware samples are run. Such information complements, enriches and verifies the file system change reporting facilities of existing malware analysis engines.
Bulk_Extract Like a Boss (slides)
bulk_extractor is a fast, powerful tool that every investigator should have in their toolbox. bulk_extractor searches digital media and evidence files for common artifacts and patterns, and its multi-threaded design takes full advantage of your hardware to get initial results faster than any other tool. It works on Windows, Linux, and MacOS X.
This presentation covers command-line operation and gives an overview of each “scanner” in bulk_extractor. We’ll spend some time discussing how to take advantage of its search capabilities for use with your own keywords, including how to specify different encodings and pulling out surrounding context in the data. Finally, we’ll show how to work with bulk_extractor’s output so you can continue your investigation without starting over.
An API for API Hookers: Taking A Closer Look At Malware (slides)
A method for automated hook function generation is described. Hook functions are used by programs to instrument and monitor other programs. User-space hooking is employed to study malicious software. The malware is executed in a sandbox environment and its actions recorded as it calls functions from system libraries. The method as presented solves, at least partially, the problem of writing individual hook functions for the hundreds or possibly thousands of entry points into a system library, e.g. the Win32 API.
Making Molehills Out of Mountains: Data Reduction Using Sleuth Kit Tools (slides)
Historically, a computer examiner would be tasked to identify files within acquired data sets which contained keywords. Identified file were reported to the investigating agent, who would then supply additional keywords, and the process would continue. This cyclic approach is impracticable for larger acquisitions. The DOT OIG CCU routinely sees data sets in excess of 5TB per case. To meet this challenge, a means of identifying those files of potential investigative interest has been developed. Extracted data is provided to the investigator, who can review the data without the need to learn specialized reviewing tools, in a forensically sound manner.
This method is best suited to investigations involving several computers across a company network, ideally in the investigation of white collar crime, although it may also be applied with examiner discretion to other case types.
In addition, the proposed solution makes use of open source forensic software, and is currently deployed by DOT CCU as part of a portable examination. The script provides the means to conduct an automated extraction of those files most likely to be of investigative interest. Extraction is conducted across all forensically acquired images, and extensive examination notes are generated automatically.
MASTIFF: Automated Static Analysis Framework (slides)
Malware analysis consists of two phases – static and dynamic analysis. Dynamic analysis, or analyzing the behavior of a sample, has already been automated in numerous projects. Static analysis, or analyzing key characteristics of a sample, has not been automated in projects. Therefore, responders must manually run tools or program scripts that automate the process. This leads to situations where analysis occurs slowly and inefficiently.
To alleviate the inefficiency, MASTIFF, a new open-source static analysis automation framework, was created and released earlier this year. This presentation will introduce MASTIFF and discuss:
- Automating static analysis and the problems associated with it
- How MASTIFF overcomes problems
- MASTIFF’s capabilities and how it works
- How MASTIFF can be expanded by anyone using plug-ins
- Changes to MASTIFF since its initial release
Demonstrations of MASTIFF on malicious files will also be performed.
FIREBrick: Open Source Forensic Hardware Platform
Until now, open source forensic tools were almost exclusively software. There are some inherent advantages in having a specialized hardware platform for digital forensics, such as more direct/efficient use of processing hardware, and the ability to peer-review the functionality of the forensic appliance. DigitalFIRE has developed an open source forensic disk imaging and write blocking platform called FIREBrick. This device can be built by end users from off-the-shelf mass produced components, with the total cost of parts about $200.
The system’s open source firmware enables it to achieve imaging throughput of up to 4GB/min, and the system is easily assembled with just a screwdriver. Competing with commercial write blockers/imagers is not the objective of this project. Instead, its focus is on a highly configurable and open platform that is cost effective and community developed.
Doing More With Less: Triaging Compromised Systems With Constrained Resources (slides)
During large scale or time limited investigations, forensic triage analysis yields results that clarify the scope of an engagement faster than deep-dive analysis. But it still doesn’t make sense to capture 5GB when 75MB will do. In this presentation, we’ll discuss which artifacts we’d snipe if there were only 75MB to spend.
To judge the critical artifacts, we’ll review open source techniques that analysts use to efficiently perform triage analysis. We’ll talk about cross platform tools, including: python-registry and a complete suite of Registry analysis utilities, INDXParse.py and its associated GUI-based $MFT explorer, and python-evtx/LfLe.py with their integrated event log viewer. Each section consists of a short explanation of the related artifact, a rapid tutorial of the tool, and a concise case study. We’ll also contrast these approaches with other excellent solutions such as RegRipper, The Sleuth Kit, and libevtx. The ultimate goal is to enable an investigator to review many systems while relying on the capacity of a cheap Flash USB drive.
We’ll close the presentation with a discussion of artifacts that are not easily captured or analyzed with limited resources, such as volume shadow copies or memory dumps.
Computer Forensic Triage Using Manta Ray (slides)
Doug Koster & Kevin Murphy
Manta Ray builds off of our efforts with TAPEWORM. MantaRay is a suite of python scripts that perform the same triage steps we introduced in TAPEWORM including (Log2timeline, Volatility, ExifTool, RegRipper, Bulk_Extractor). Manta Ray will contain additional functionality including; script to extract all registry hives from disk image (overt, deleted, unallocated, shadow volumes) and then extract useful information from all hives and present this information to users in a single report, as well as a RegRipper like script that extracts information from .plist files.
Manta Ray will be integrated into the upcoming SIFT 3.0 release, thus making it easily accessible to any examiners that download the SIFT. The goal of this workshop is to demonstrate how the tool works as well as walking the users through how to interpret the tools output. Figuring out what to do with the data extracted by Manta Ray is where the true value of the tool becomes apparent, especially when all of the data is viewed in aggregate.
SIFTER: Search Indices for Text Evidence Relevancy (slides)
SIFTER is being released open-source during summer 2013, and instantiates five years of research to thematically cluster and relevancy rank string search hits. SIFTER is ‘Google’ for digital forensics investigators, enabling them to realistically conduct text-based searches. Valuable digital evidence in many cases is textual in nature, yet existing tools and approaches make it simply unrealistic to search through millions of search hits to find the couple percent that are important to the case. SIFTER is a fundamental paradigm shift in string searching for digital forensic investigators. Now they can review hits ranked based on features typically related to hit relevancy. They can also review hits clustered-individually and regionally-based on thematically related content. This enables investigators to quickly and reliably ignore remaining hits in clusters or cluster regions deemed irrelevant, or alternatively, drill down into clusters and regions to find more relevant hits when some are found. SIFTER is supported by published research, was a funded development project for real-world users, and will soon be available to users as a stand-alone tool. Developers of existing open-source and industry leading closed-source tools will also benefit from this presentation, since the SIFTER approach can be integrated into existing tools.
Plaso: Exploration of the Inner Workings of the Framework (slides)
This talk will discuss the architecture of the new log2timeline backend engine, Plaso. Now written in Python, Plaso is a complete rewrite of the old Perl-based engine. And it contains vastly different architecture that may be relatively complex for external developers to fully grasp.
This talk will explain the inner workings of the framework, how it can be used to assist in parser or plugin development, and applications for more advanced analysis using the console.