2017 Abstracts


Alexa, Are You Skynet?

Brian Moran & Jessica Hyde
BriMor Labs & Magnet Forensics

This is not yet another internet of things (YAIOT) presentation. Our talk will discuss our research journey as we took an in-depth forensic dive into the data that is stored, transmitted, and can be recovered, from the Alexa portion of the Amazon ecosystem.
Our primary focus is on the data that can be recovered across a variety of Amazon devices and how it can benefit a forensic analyst. We explore the use of different hardware in the Alexa portion of the Amazon ecosystem, which includes Fire TV/Fire Stick, Echo, and explore how they all integrate with the Alexa app. If the Alexa powered Echo is always listening, what information is actually stored, what is transmitted to the Amazon ecosystem, and can this information help during an investigation?


Correlating Autopsy Cases

Brian Carrier
Basis Technology

Most of us don’t have photographic memories and therefore can’t look at our computer screens and remember that we saw a file or phone number 2 months ago in a previous case. That’s why we built the Autopsy Correlation Engine. It allows you to store forensic artifacts in a central database that spans cases. It will then help you with your current case by telling you where else the file or email was previously seen so that you can make connections that you didn’t know about.
The Correlation Engine can be used to make links within the same case and between cases. It will record when you mark something as evidence and will alert you when it is seen again in the future. It can also be used as a central hash database server to track the NIST NSRL or your notable hash sets.
This talk will cover how to use the Correlation Engine and how to configure it in with both a small SQLite deployment or a larger PostgreSQL lab.


Understanding Mac OS File System Events with FSEventParser

Nicole Ibrahim
G-C Partners, LLC

Apple OS X and iOS both generate a log of changes called FSEvent logs.
FSEvent’s can be instrumental to an investigation! Learn when and where you can find them, how to interpret them and how to use an open-source tool to easily view this historical treasure trove.

Using G-C Partners’ FSEventParser we will review the type of data contained in this change log and how it can be relevant to an investigation such as files that previously existed on a system but have since been deleted, original names of files that have been renamed, mount events, websites visited, files sent to the Trash, and much more. Understand the caveats and current limitations of the artifact and ways to overcome them. FSEvents may just become one of your first-line go to artifacts when conduction Apple forensics, whether it be a MacBook, iMac, or a jailbroken iPhone and FSEventParser a new tool to add to your arsenal.


The Rekall Agent – Leveraging cloud technologies for DFIR at scale.

Michael Cohen
Google Inc.

Rekall has recently grown from a pure memory analysis framework to a complete incident response tool, able to perform sophisticated triaging and forensic analysis. The Rekall Agent is an open source, free, distributed endpoint DFIR tool based on the Rekall framework. The main goals of the Rekall Agent are: very high scalability, ease of deployment, and enterprise grade security and auditing workflows. Rekall Agent is suitable for deployment in any organization from small to the largest enterprises. Rekall achieves this scalability by leveraging on the Google Cloud Platform – a highly scalable, featureful and cost effective suite of global services. Since Rekall Agent is deployed in the cloud, it is very easy to deploy and it automatically scales up to any size deployment required. This workshop will guide participants in deploying and using the Rekall Agent in the cloud.


Some Cool Mac Stuff

Jon Stewart
Stroz Friedberg

Since the fall of 2014, when MacOS X 10.10 (Yosemite) was released, forensics tools have not been reading… eh, call it, say, 50%… of the files on HFS+ volumes correctly. We will discuss HFS+ compression in-depth and show you how we’ve reduced correct support for HFS+ compression to practice with the Sleuthkit.

But that’s not all! We will also talk about Alias v3 structures in Mac plist files–the LNK files of the Mac world–and give you better support for parsing them. Chances are good we’ll figure out some other cool Mac stuff between the CFP deadline and the conference, too.


A Database for Forensics – Artifact Correlation with ArangoDB

David Cowen & Matthew Seyer
G-C Partners, LLC

Finally, a database solution that works with forensic artifacts! Two years ago we reviewed forensic artifacts in Elastic, last year we correlated them with SQLite making use of JSON objects. This year we utilize a new database that combines the best of both worlds. Tools often display flat output of highly nested data structures which can leave out important structure fields that can provide useful in the correlation process. While Elastic was nice for storing artifacts as nested data and has fast search capabilities, it is not a true database and there is no way to look at relational data. SQLite solves the relational linkages between artifacts but is not an efficient solution as it struggles with nested records. A better solution is to have a database that can store nested data and still be relational. These requirements fit perfectly for a multi-model database. Lucky for us, ArangoDB not only meets the requirements but also provides features which can shine new light on our analysis.


The Death (and Life) of Deleted File Contents

Jim Jones
George Mason University

Digital data dies an uncertain death. Delete a file today, and the content might be entirely destroyed immediately, or maybe some of it survives for a few hours, days, or longer. For a forensic investigator, this is good news – residual fragments of a deleted file might be recoverable days, months, even years after the file was deleted. But why? What factors drive this persistence, and can those factors be understood well enough to predict the decay pattern of different files on different systems and under different circumstances? To help answer this question, we developed a methodology and software tools to trace the contents of a deleted file over time using sequential snapshots. By recording the actions taken between each snapshot, and by conducting controlled experiments with many files, we generate decay curves and datasets which can be subsequently analyzed for factors affecting deleted file content persistence. Understanding these factors can support triage decisions and interpretation of results, e.g., should I expect to find anything on media X from event Y at time T, and what does it mean if I don’t? We present our methodology and software tools (GitHub: jjonesu/DeletedFilePersistence), as well as a collection of preliminary results on magnetic hard disks, flash memory sticks, SD cards, and embedded flash memory.


Rapid Incident Response

Asif Matadar
Stroz Friedberg

During large-scale incident response investigations, we often come across situations where we undertake repetitive tasks so that includes memory, triage and hunting for malware or adversaries.

When dealing with large-scale investigations that span geographical locations it is imperative that Investigators can provide rapid results to the client using effective collaboration so undertaking manual tasks is not effective and a certain level of automation is required.

This talk will walk-through different techniques that are required to provide these results for Windows and UNIX environments and the importance of triage and memory analysis during an investigation and how it is a vital component that is often neglected during incident response investigations.

Gone are the days of undertaking full disk imaging when it does not warrant it and move more towards triage and memory analysis as vital components within incident response. This talk will detail the different tools and techniques that can be used to ensure that adversaries or malware can be identified during investigations for Windows and UNIX environments. Finally, I’ll talk about innovative ways of optimising memory analysis and how one can process memory dumps in a much more efficient manner.


Triaging Media with Autopsy

Basis Technology

Sometimes you have all day to analyze every bit of a system, and other times you have time for only a subset of the system. Autopsy now includes features that allow you to quickly analyze and make decisions faster. This talk is about those new features and how to use them.

With the latest releases of Autopsy, you can now skip the acquisition step and make a VHD image while you are analyzing a device. You can also make filters so that only a subset of files are analyzed by Autopsy and therefore you can focus on the data that you care about more quickly. Finally, you can create profiles that allow you to press a single button and have Autopsy know what filters to apply and what modules to run.

If you are in situations where time is short, then the new Autopsy features can help you out. This talk will show you how.


Defending in the Dark: Guerrilla Tactics for Mobile Incident Response

Andrew Hoog

As Android and iOS evolve, they increasingly remove access to APIs critical for visibility into the health of a device. While improving the overall security of the ecosystem, this has the opposite impact on defenders, who are left blind trying to defend against attacks.

As a technique to address this challenge, I developed and open source ios-triage (https://github.com/ahoog42/ios-triage), an incident response cli tool for iOS device. This tool extract diagnostic and backup data from an OS device and tailors the reporting to defenders. It can also perform basic differential analysis and ultimately the goal is to facilitate anonymized crowd-sourced data analysis to help identify compromised phone.

This talk will provide an overview of the issues defenders face as well as explore and demo the ios-triage tool.


Plug Me In Renzik, Autopsy Plugins Now And In The Future.

Mark McKinnon
Davenport University

Autopsy is a GUI based platform to perform forensic analysis on digital media/files. The platform was designed to allow plugins so that an examiner can extend Autopsy’s ability to perform more detailed analysis. This presentation will look at the modules that I and others have created to extend Autopsy’s functionality. We will discuss/show current plugins and how to use them and what changes/additions can or need to be made as well as look into the future and see what Autopsy plugins examiners want/need.


How I met your browser: going incognito doesn’t hide your browsing from Ragamuffin.

Alessandro De Vito

Nowadays, the browser represents the gate between a human and its virtual world, making it one of the most challenging attack vectors and a source of invaluable relevance during a forensic analysis.

In this talk I will introduce theoretical and practical methodologies to perform an analysis of the Google Chrome web browser address space, dissecting – in a forensically-sound manner – the data structures implemented by the Blink rendering engine and its JavaScript V8 engine. In addition, some case studies will be presented with the help of Chrome Ragamuffin: a new Volatility plugin that makes the analyst able to gain a new set of artifacts otherwise unattainable by existing forensic tools. It provides an API to perform in depth analysis on Google Chrome internal structures, overcoming in fact the limits introduced by the modern anti-forensic techniques such as the incognito mode.


IO – Simplistic Forensic Imaging

Keith Bertolino
Cipher Tech Solutions, Inc.

After receiving one too many 2TB forensic images from operational teams claiming to have successfully imaged a 32GB flash drive, Cipher Tech decided to undertake the project of building a zero-click imaging tool that eliminates user error without sacrificing quality or speed.

At the same time, our imaging framework was designed from the ground-up with the ability to snap-in triage modules that can run in parallel with imaging producing actionable intelligence before the E01 is ever dropped into a forensic analysis platform. So long as the snap-in modules are designed efficiently, several modules can be run alongside the imaging process with zero impact on the overall imaging time.


FLOSS every day – automatically extracting obfuscated strings from malware

William Ballenthin

The FireEye Labs Obfuscated String Solver (FLOSS) is an open source tool that automatically detects, extracts, and decodes obfuscated strings in Windows Portable Executable (PE) files. Malware analysts, forensic investigators, and incident responders can use FLOSS to quickly extract sensitive strings to identify indicators of compromise (IOCs).

Malware authors encode strings in their programs to hide malicious capabilities and impede reverse engineering. Even simple encoding schemes defeat the ‘strings’ tool and complicate static and dynamic analysis. FLOSS uses advanced static analysis techniques, such as emulation, to deobfuscate encoded strings.

Incident responders and forensic analysts that understand how to interpret the strings found in a binary will understand FLOSS’s output. FLOSS extracts higher value strings, as strings that are obfuscated typically contain the most sensitive configuration resources – including malicious domains, IP addresses, suspicious file paths, and other IOCs. FLOSS is more robust than ‘strings’, so in our technique talk we’ll spend some time describing the computer science that powers the tool, and why it works. We’ll also show FLOSS in action, as it decodes configurations from a dozen obfuscated malware families.