Authors: Gaurav Gogia

DFRWS APAC 2025

Abstract

Threat actors with substantial funding and technical knowledge prefer building malware that can spread throughout the network and persist itself through autorun configurations, local git hooks, registry configurations, and every other possible time-based or logic-based trigger. Artefacts generated by such malware are usually found across multiple computers, IoT devices, mobile devices, and effectively any other electronic device the malware is compatible with. On the flip side, investigators need to reconstruct the chain of events, which means manually going through multiple devices, finding timestamps, and eventually plotting a time-series graph. This workshop will delve into the development of a tool in the Go programming language for automatically stitching together artefacts from heterogeneous sources and building a unified chain of events. Attendees will leave with both conceptual understanding and practical code to extend in their own investigations.

Learning Objectives

  • Understand the basics of Go and why it is suitable for forensic tooling.
  • Identify persistence and propagation artefacts left by malware across different platforms.
  • Parse and normalize heterogeneous timestamp formats into a common structure.
  • Construct and visualize a forensic timeline without using external time-series databases.
  • Apply the methodology to a simulated case study to reconstruct a chain of infection.

Experience Level

  • Intermediate-level audience with experience in digital forensics or software engineering.
  • Digital forensic investigators and incident responders.
  • Malware analysts and threat hunters.
  • Students and professionals new to Go who want to apply it to DFIR.

Description

This workshop directly addresses one of the core challenges in digital forensics and incident response: reconstructing timelines of malicious activity from heterogeneous artefacts. DFRWS APAC has consistently emphasized practical methodologies and tools for handling modern threats, and this submission contributes by bridging two critical areas:

Forensic Methodology Contribution

The workshop introduces a structured workflow for extracting, normalizing, and stitching together artefacts across multiple platforms to build a unified chain of infection. Instead of depending on heavy infrastructure such as time-series databases or commercial tools, participants learn a lightweight approach suitable for both academic research and real-world investigations.
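The learning objectives above (parsing and normalizing heterogeneous timestamp formats, then building a timeline without a time-series database) and the lightweight stitching workflow just described can be illustrated with a small Go program. The code below is an added example written for this page; it is not the workshop's tool or the author's code. It assumes hypothetical per-platform collectors that hand back a `RawRecord` tagged with a format label (`rfc3339`, `filetime`, `unix_s`, `unix_ms`, `cocoa`), and the sample records in `SampleRecords` are constructed for demonstration, not taken from a real case.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Artefact is one normalised event in the unified timeline; Time is always UTC.
type Artefact struct {
	Host, Source, Event string
	Time                time.Time
}

// RawRecord is what a hypothetical per-platform collector returns before normalisation.
type RawRecord struct {
	Host, Source, Event string
	Format              string // "rfc3339", "filetime", "unix_s", "unix_ms", "cocoa"
	Value               string
}

// Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC; this is the Unix epoch in those ticks.
const fileTimeUnixOffset int64 = 116444736000000000

// Apple's reference date (2001-01-01 UTC), used by macOS/iOS plists and many sqlite databases.
var cocoaEpoch = time.Date(2001, 1, 1, 0, 0, 0, 0, time.UTC)

// ParseTimestamp converts one platform-specific timestamp into a UTC time.Time.
func ParseTimestamp(format, value string) (time.Time, error) {
	value = strings.TrimSpace(value)
	switch format {
	case "rfc3339": // git hook logs, syslog-style text with a zone offset
		t, err := time.Parse(time.RFC3339Nano, value)
		if err != nil {
			return time.Time{}, err
		}
		return t.UTC(), nil
	case "filetime": // registry key LastWrite, prefetch, NTFS MFT
		ticks, err := strconv.ParseInt(value, 10, 64)
		if err != nil {
			return time.Time{}, err
		}
		if ticks < fileTimeUnixOffset {
			return time.Time{}, errors.New("FILETIME predates the Unix epoch")
		}
		since := ticks - fileTimeUnixOffset
		return time.Unix(since/10_000_000, (since%10_000_000)*100).UTC(), nil
	case "unix_s": // cron/at entries, Linux audit logs
		s, err := strconv.ParseInt(value, 10, 64)
		if err != nil {
			return time.Time{}, err
		}
		return time.Unix(s, 0).UTC(), nil
	case "unix_ms": // browser history, JavaScript-side telemetry
		ms, err := strconv.ParseInt(value, 10, 64)
		if err != nil {
			return time.Time{}, err
		}
		return time.UnixMilli(ms).UTC(), nil
	case "cocoa": // Apple plists and sqlite stores: seconds since 2001-01-01
		f, err := strconv.ParseFloat(value, 64)
		if err != nil {
			return time.Time{}, err
		}
		return cocoaEpoch.Add(time.Duration(f * float64(time.Second))).UTC(), nil
	}
	return time.Time{}, fmt.Errorf("unknown timestamp format %q", format)
}

// BuildTimeline normalises every record to UTC and returns them sorted oldest-first.
// Records that fail to parse are reported, not silently dropped, so gaps are visible to the analyst.
func BuildTimeline(records []RawRecord) ([]Artefact, []error) {
	var timeline []Artefact
	var errs []error
	for _, r := range records {
		t, err := ParseTimestamp(r.Format, r.Value)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s/%s: %w", r.Host, r.Source, err))
			continue
		}
		timeline = append(timeline, Artefact{Host: r.Host, Source: r.Source, Event: r.Event, Time: t})
	}
	sort.SliceStable(timeline, func(i, j int) bool { return timeline[i].Time.Before(timeline[j].Time) })
	return timeline, errs
}

// SampleRecords returns constructed artefacts from several hosts; the values are illustrative only.
func SampleRecords() []RawRecord {
	return []RawRecord{
		{"ws-01", "git-hook", "post-checkout hook modified", "rfc3339", "2025-03-10T09:15:00+05:30"},
		{"ws-01", "registry-run-key", "Run key value written", "filetime", "133860522000000000"},
		{"srv-02", "cron", "@reboot entry added", "unix_s", "1741580400"},
		{"phone-03", "ios-plist", "configuration profile installed", "cocoa", "763272300"},
		{"ws-01", "browser-history", "download of stage-one archive", "unix_ms", "1741577400000"},
		{"ws-04", "registry-run-key", "corrupt record", "filetime", "not-a-number"},
	}
}

func main() {
	timeline, errs := BuildTimeline(SampleRecords())
	for _, a := range timeline {
		delta := a.Time.Sub(timeline[0].Time)
		fmt.Printf("%s  +%-8s %-9s %-17s %s\n", a.Time.Format(time.RFC3339), delta, a.Host, a.Source, a.Event)
	}
	for _, err := range errs {
		fmt.Println("skipped:", err)
	}
}
```

Each parser returns UTC so that an IST git-hook timestamp and a FILETIME registry write from the same workstation order correctly against each other; the printed offset from the first event is the "chain" an analyst would otherwise plot by hand.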

Technical Contribution

The workshop will demonstrate how to implement this workflow in the Go programming language, producing a cross-platform, open, and extendable tool for forensic practitioners. The focus on Go is intentional: it provides speed, portability, and simplicity.

Additionally, this workshop aims to lower the barrier for newcomers to contribute forensic parsers in Go and equips practitioners with methodology that does not lock them into vendor solutions.

Preparation Details

  • Laptop capable of running at least one virtual machine
  • Access to stable internet


Biography

Gaurav Gogia

Dr. Gaurav is a Sr. Security Research Engineer @Qualys. He has 5+ years of experience in Detection Engineering, Virtual Patching, & Forensics. He loves conducting & discussing research around Security & Forensics. When he’s not exploring security, he can be found trying out new food cuisines, reading fiction, or playing video games.
