2017 Workshops

Python Scripting in Autopsy

Oct 16 – 9:00am – 12:00pm

Richard Cordovano
Basis Technology

Autopsy 4 is an open source digital forensics platform that now has support for Python modules. If you want to quickly write some fancy digital forensics analytics, then an Autopsy Python module is the perfect place for it. Autopsy allows you to support file system, carved, or logical files without you needing to worry about where they came from. Autopsy makes it easy for your results to be shown in the UI without you needing to write any UI code (you just post name and value pairs to the database). If you just want to focus on data analysis and not where your data is coming from, UIs, or reports, then Autopsy is what you want. Plus, each release has 20,000+ downloads, so you get greater reach with your modules.

The first part of the workshop will be an overview of writing Autopsy modules. We’ll start with the sample modules and edit as needed. The second part will be hack-a-thon style and you get to write whatever module you want and we’ll answer questions that you have along the way. We’ll have a prize for the best module. The course assumes that you have basic Python knowledge.

What to Bring:

  • Windows laptop
  • Your favorite Python text editor installed
  • Download Autopsy in advance from: http://sleuthkit.org/autopsy/

How I Met Your Browser: Going incognito doesn’t hide your browsing from Ragamuffin

Oct 16 – 9:00am – 12:00pm

Alessandro Devito
TRUEL IT

Nowadays, the browser represents the gate between a human and their virtual world, making it one of the most challenging attack vectors and a source of invaluable relevance during a forensic analysis. In this talk I will introduce theoretical and practical methodologies to perform an analysis of the Google Chrome web browser address space, dissecting – in a forensically sound manner – the data structures implemented by the Blink rendering engine and its JavaScript V8 engine. In addition, some case studies will be presented with the help of Chrome Ragamuffin: a new Volatility plugin that enables the analyst to gain a new set of artifacts otherwise unattainable with existing forensic tools. It provides an API to perform in-depth analysis of Google Chrome internal structures, overcoming the limits introduced by modern anti-forensic techniques such as incognito mode.

What to Bring:


Advanced Autopsy Python Plugin Workshop, Beyond the Basics

Oct 16 – 1:00pm – 4:00pm

Mark McKinnon
Davenport University

Autopsy is a GUI based platform to perform forensic analysis on digital media/files. The platform was designed to allow plugins so that an examiner can extend Autopsy’s ability to perform more detailed analysis. This workshop will look at Autopsy Python Plugin development going beyond the basics.

The following topics will be covered:

  • GUI settings panel usage.
  • External program execution.
  • Custom artifact and attribute creation.
  • Importing different file formats (SQLite, CSV, etc.).
  • Other topics.

What to Bring:

  • Windows laptop
  • Your favorite Python text editor installed
  • Download Autopsy in advance from: http://sleuthkit.org/autopsy/

Advanced Memory Forensics Workshop

Oct 16 – 1:00pm – 4:00pm

Jamie Levy
Volatility Foundation

Memory forensics is a required skill for digital analysts these days; it is also needed in order to keep up with advanced attackers. In addition to attackers avoiding disk, thousands of nodes and BYOD are increasing the complexity of investigations. Gone are the days when an analyst could examine one machine at a time; results must be quick and precise. Oftentimes, if you are not proactive, you’ve already lost the war before you even knew it was raging.

This workshop demonstrates the importance of including volatile memory in your investigations by covering several attack methodologies that we’ve seen in the field. It also includes an overview of the most widely used memory forensics tool, Volatility, by one of its developers.

What to Bring:

Hardware:
Laptop with the following minimum specifications:

  • 2.0 GHz, multi-core CPU
  • 4 GB of RAM
  • 20 GB of disk space
  • USB 2.0/3.0 ports
  • Wireless Network Interface Card

Software:
Laptops must have access to a Windows installation, either as a virtual machine or on the laptop directly. VMware Workstation or VMware Player must be installed; VMware Player can be downloaded and used for free for the purposes of this course. A PDF reader is also required. If students wish to examine evidence from their own native laptop, they must have a decompression tool installed that can handle a wide variety of formats (tar, gzip, bzip, RAR, etc.). 7-Zip and WinRAR meet this criterion and are free.

A USB thumbdrive with evidence and tools will be provided.