:: hiddenillusion :: ... look beyond

OMFW & OSDFC recap

General Notes

I attended both the Open Memory Forensics Workshop (OMFW) and the Open Source Digital Forensics Conference (OSDFC) for the first time last year and, just like I said last year, they’re both set as recurring events on my calendar now. I was told that my tweets and recap post of last year’s activities were helpful to those who couldn’t attend, so I figured I’d write up something again since I took notes anyway. I really like that both conferences have ~30-40 minute talks, so you’re not stuck listening to anyone ramble about anything and you also get the benefit of more presentations. If you haven’t been able to make either of these yet or are still debating whether you should attend - go for it. They’re both 1 day each (well, if you just go to the presentations) and I have yet to be let down by the overall quality of the presentations and, better yet, the networking that you’re able to do at them.

Best Quotes of the Cons

They can tunnel faster than you can image - @williballenthin

Brian Carrier just virtually twerked the audience - @bbaskin

What one man can invent, another man can discover - Sherlock Holmes (on someone’s t-shirt)

Disclaimer - I didn’t make it to every talk at OSDFC, so if I don’t have notes on one, sorry. Also, these are notes that I jotted down, so if something is wrong or there are slides uploaded for ones I didn’t link, please contact me so I can update the post.

OMFW

The first thing I want to say about this conference was how glad I was that it was at the same venue as OSDFC this year - this makes it really convenient for those attending both so hopefully it stays that way next year {nudge @volatility}.

The State of Volatility

Presenter AAron Walters
Notes Went over where Volatility currently stands, major updates/changes and what’s on their roadmap.

Highlights

- The Volatility Foundation has officially become a 501(c)(3)
- Version [2.3.1](https://code.google.com/p/volatility/wiki/Release23) of Volatility is officially released and includes full Mac support, Android/ARM support, new address spaces and new/updated plugins.
- AAron also touched on a new plugin he created, [dumpfiles](https://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles), which is extremely useful as it reconstructs files from the Windows cache manager and shared section objects.

Stabilizing Volatility

Presenter Mike Auty
Notes Went over a lot of the questions that need to be addressed/answered moving forward with the framework and discussed some of the code layout/structure that needs to be modified.

Highlights

Mastering Truecrypt and Windows 8/Server 2012 Memory Forensics

Presenter MHL
Notes MHL talked about the research he’s recently done regarding Truecrypt and the support that Volatility now has to help recover Truecrypt keys from memory. His slides go into more detail about the structure of Truecrypt’ed data and where to look for it, so hopefully those will pop up online, as there was some good information on them.

Highlights

All Your Social Media are Belong to Volatility

Presenter Jeff Bryner
Notes Gave a presentation about the recent plugins he contributed to Volatility for extracting social media artifacts from memory. Jeff’s only scraped the beginning of this and hopefully he or someone else can also take a look at the other social media sites he hasn’t yet gotten around to - except MySpace… no one uses that anymore, honestly.

Highlights

All the things you think only exist in movies and sci-fi books

…OK, I made up the title because I don’t remember what it was… but I think this one is fitting anyway

Presenter George M. Garner Jr.
Notes This talk wasn’t listed on the schedule, but this made-up title is right on point. George seems to either give a presentation that is extremely technical and will make you feel dumb on several occasions, or he’ll talk about things that some think only happen in the movies… the latter in this instance. Most of his content was just speaking, so unfortunately I don’t think having his slides would be of much use.

Highlights

Memory, Volatility and the Threat Intel life Cycle

Presenters Steven Adair and Sean Koessel
Notes While this was probably the least technical presentation of the conference, it still added value. I enjoy hearing about what others have faced while in this field, what worked, what didn’t work etc.

Highlights

Dalvik Memory Analysis and a Call to ARMs

Presenter Joe Sylve
Notes Joe touched on some of the work he’s been doing to add ARM support to Volatility, went over the tool ‘Dalvik Inspector’ and put out a call for people who are interested in this space to help out as there’s still a lot to be tackled/uncovered.

Highlights

Bringing Mac Memory Forensics to the Mainstream

Presenter Andrew Case
Notes One of the big things with the latest Volatility release was the Mac support. Some of the Mac support/plugins have been around for a bit but if you look now you’ll see the number of plugins specifically for Mac is over 30!

Highlights

Memoirs of a Hindsight Hero: Detecting Rootkits in OS X

Presenter Gem Gurkok
Notes Don’t try to write a book about Mac rootkits or Gem will make it his hobby to disprove your data before you get to publish it.

Highlights

Every Step You Take: Profiling the System

Presenter Jamie Levy
Notes I always tend to find the stuff Jamie talks about to be the most relevant to my daily operations. Last year she talked about MBR/MFT stuff and this year she showed off some plugins related to profiling/intelligence.

Highlights

Honorable Mention

OSDFC

First… I’m glad the official conference page had a Twitter hashtag to use this year, but I still ran into the same issue as last year - people using a variety of hashtags… stick to the default! One of the first observations this year was that attendance appeared to be double that of last year. Additionally, I noticed there were a lot of younger attendees this year, so it’s great to see them getting involved and starting to network. On the disappointing side, I did feel like I was seeing a noticeable number of people doing the same things others have already done. I know it’s useful from a learning perspective to do things yourself, but why spend so much time re-doing something that’s already out there to use?

Forensics Visualizations with Open Source Tools

Presenter Simson Garfinkel
Slides http://simson.net/ref/2013/2013-11-05_VizSec.pdf
Notes Simson has spoken at every OSDFC, he hates pie graphs and likes PDFs

Highlights

Autopsy 3: Extensible Desktop Forensics

Presenter Brian Carrier
Notes Brian twerked it

Highlights

“Challenge Results” - Autopsy Module Contest

Notes I was surprised there were only two submissions to this contest and just as surprised that both of them were on the more complex side of things. Someone could have just created a module to periodically show a cat picture and won some dinero. Of the two submissions, one was a remote submission and only had a video to show it off. It looked useful, but just didn’t cut it - Willi B took the gold.

Highlights

A Tool for Answering the Question: What Changed on Disk?

Presenter Stuart Maclean
Notes Tool to do some diffing (waiting for github for code)

Highlights

Bulk_Extract Like a Boss

Presenter Jon Stewart
Slides http://www.lightboxtechnologies.com/wp-content/uploads/2013/11/OSDFC2013-JonStewart-Bulk_extract_Like_A_Boss.pdf
Notes Lightgrep FTW

Highlights

Making Molehills Out of Mountains: Data Reduction Using Sleuth Kit Tools

Presenter Tobin Craig
Notes The speaker saw a gap and tackled it but I do think some of it is repetitive to what’s already out there.

Highlights

Doing More with Less: Triaging Compromised Systems with Constrained Resources

Presenter Willi Ballenthin
Notes Willi showed that you don’t always need to have the entire disk in order to answer the key questions to your investigation. He also let us into his analysis process and a peek into all of the sweet things he’s written.

Highlights

| Repo | Tool | Notes |
|---|---|---|
| INDXParse | list_mft.py | creates a timeline and can also pull resident INDX records |
| INDXParse | MFTView.py | pulls resident data if it’s there in the ‘Data’ tab and, if not, tells you what sectors to pull from disk to get its contents; the right pane shows Unicode/ASCII strings so you can see refinements of what was previously there |
| INDXParse | get_file_info.py | scriptable CLI that creates a mini timeline |
| python-registry | reg_view.py | R/O GUI registry viewer |
| python-registry | findkey.py | search keys/values/paths etc.; feed it keywords to search for |
| python-registry | timeline.py | create a timeline from key modification time stamps |
| python-registry | forensicating.py | some functions I put together to show how to utilize this library for forensics (got a sweet shout out for it, w00t w00t… now your turn) |
| python-evtx | Lfle.py | carve for records |

Willi also mentioned a GUI Event Log Viewer which has the ability to index records for easier searching and puts the event IDs into sortable categories/sub-categories. This is something I had talked to a few people about over the years and I’m really glad to see someone finally doing it, thanks Willi! It isn’t publicly released yet, but be on the lookout.

Computer Forensic Triage using Manta Ray

Presenters Doug Koster & Kevin Murphy
Notes “Automated Triage” - looks to be the same thing Tapeworm was. It looks like there are still some things that need to be ironed out/finished. In my investigations I don’t need to run every tool every time, and that’s kind of what I feel this does… maybe useful for others, but it doesn’t fit into my process flow.

Highlights

Honorable Mention