2016 Workshops


C#’ening your forensic tools

Eric Zimmerman
Kroll Cyber Security

This workshop will discuss various free, open source forensic tools including parsers for lnk files, jump lists, Registry hives, amcache, prefetch, shellbags, and more. It will include discussions on the importance of each artifact, discussions on the binary layout of each artifact and examples of using tools to parse the artifacts. The lab will allow for hands on usage of the tools and a deeper exploration of the layout of the artifacts as they exist on disk. Many of the tools allow for exporting data to a variety of formats which allows for integrating things into a larger tool chain.

Additionally, examples of integrating the core parsers will be discussed which allows for users to integrate the parsers in other applications without having to rely on any existing command line or GUI tool.

What to Bring:

  • Windows Laptop or VM
  • .net 4.6 installed


Hunting Malwares Using Memory Forensics

Varun Nair

Memory forensics is an investigative technique used in malware analysis, reverse engineering, digital forensics and incident response. With adversaries becoming more sophisticated and carrying out advanced attacks targeting critical infrastructures, Data Centers, private and public organizations, detecting, responding to, and investigating such intrusions are critical for information security professionals. Memory Forensics has become a must-have skill for fighting advanced malware, targeted attacks and security breaches. This training touches on the topic of malware, Windows internals, and techniques to perform malware and Rootkit investigations of real world memory samples using open source advanced memory forensics framework (Volatility). The training also teaches how to incorporate memory forensics into malware analysis and sandbox technology

What to Bring:

  • Laptop (4Gb RAM, 80 GB HD)
  • USB Flash Drive.


Python Scripting in Autopsy

Brian Carrier
Basis Technology

Autopsy 4 is an open source digital forensics platform that now has support for Python modules. If you want to quickly write some fancy digital forensics analytics, then an Autopsy Python module is the perfect place for it. Autopsy allows you to support file system, carved, or logical files without you needing to worry about where they came from. Autopsy makes it easy for your results to be shown in the UI without you needing to write any UI code (you just post name and value pairs to the database). If you just want to focus on data analysis and not where your data is coming from, UIs, or reports, then Autopsy is what you want. Plus, each release has 20,000+ downloads, so you get greater reach with your modules.

The first part of the workshop will be an overview of writing Autopsy modules. We’ll start with the sample modules and edit as needed. The second part will be hack-a-thon style and you get to write whatever module you want and we’ll answer questions that you have along the way. We’ll have a prize for the best module. The course assumes that you have basic Python knowledge.

What to Bring:

  • Windows laptop
  • Your favorite Python text editor installed
  • Download Autopsy in advance from: http://sleuthkit.org/autopsy/


Memory Forensics Workshop

Jamie Levy
Volatility Foundation

Memory forensics is a hot topic these days– one that every DFIR analyst should know. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides the ability to ascertain investigative leads that have been unbeknownst to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory resident malware, kernel rootkits, encryption (file systems, network traffic, etc), and Trojan defenses. As these adversaries become more stealthy, memory forensics may be the only way to uncover their activity. This workshop demonstrates the importance of including Volatile memory in your investigations by covering several attack methodologies that we’ve seen in the field. It also includes an overview of the most widely used memory forensics tool, Volatility, by one of its developers.

What to Bring:
Laptop with the following minimum specifications:

  • 2.0 GHz, multi-core CPU
  • 4 GB of RAM
  • 20 GB of disk space
  • USB 2.0/3.0 ports
  • Wireless Network Interface Card
  • Software: Laptops must have access to a Windows installation either as a virtual machine or on the laptop directly. VMware workstation or VMware player must be installed. VMplayer can be downloaded and used for free for purposes of this course. A PDF reader is also required. If students wish to examine evidence from their own native laptop, they must have a decompression tool that can handle a wide variety of formats (tar, gzip, bzip, RAR, etc) installed. 7zip and Winrar meet this criteria and are free.

A USB thumbdrive with evidence and tools will be provided.