About This Workshop
Modern digital forensic investigations often lead analysts to suspicious software artifacts, such as binaries recovered during incident response. In IoT environments, this frequently means firmware images extracted from embedded devices. Identifying such artifacts is well supported by existing tooling; determining their root cause – in particular, how a known vulnerability manifests within a compiled firmware binary – remains difficult, especially when no source code is available and heavyweight analysis tooling is impractical.
In this workshop, we present an interactive system that lets analysts express and evaluate forensic hypotheses as high-level queries over static data flow. Participants will work through a hands-on exercise centered on cross-binary n-day vulnerabilities drawn from the NIST National Vulnerability Database (NVD), focusing on vulnerabilities embedded within IoT firmware.
The exercise is framed as a post-incident investigation: attendees are given a known CVE and a redacted proof-of-concept exploit (PoC), and are tasked with identifying the precise instruction-level paths within the firmware binary that enabled the attack. Through guided queries, participants locate the root-cause instructions and trace the propagation of attacker-controlled data across firmware components, demonstrating how abstracted data-flow analysis can support practical forensic workflows on embedded devices.
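To make the kind of query described above concrete, here is an added example of a minimal source-to-sink data-flow query over a disassembly-like listing. It is not the workshop's system and not code from the authors; the instruction listing, the register and memory names, the `recv`/`memcpy`/`strcpy` source and sink tables, and the straight-line (branch-free) reaching-definitions model are all constructed assumptions for illustration. The query answers the question an analyst asks during the exercise: does the length argument of this `memcpy` derive from attacker-controlled input, and if so, through which instructions?

```python
"""Toy instruction-level taint query: trace attacker-controlled data from a
source call to a dangerous sink argument along def-use chains.

Everything here is constructed for illustration: the IR, the listing, and the
source/sink tables are assumptions, not a real firmware image or real tooling.
Simplifying assumption: the listing is straight-line code, so the reaching
definition of a location is simply the most recent earlier write to it.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Insn:
    addr: int
    text: str                    # human-readable rendering, used only for reporting
    defs: tuple[str, ...]        # locations (registers / memory objects) written
    uses: tuple[str, ...]        # locations read; for calls, the argument list
    callee: Optional[str] = None  # set for call instructions


# Assumed source/sink model. recv() fills its buffer and returns a byte count
# that the peer controls; memcpy's length (arg 2) and strcpy's src (arg 1)
# must not be attacker-controlled.
SOURCES = {"recv": ("buf", "r0")}
SINKS = {"memcpy": 2, "strcpy": 1}

# Constructed listing (ARM-flavoured pseudo-assembly, not from any real binary).
LISTING = [
    Insn(0x8000, "bl recv    ; recv(sock, buf, 0x200)", ("r0", "buf"), ("sock",), "recv"),
    Insn(0x8004, "ldr r1, [buf, #4]  ; length field from the packet", ("r1",), ("buf",)),
    Insn(0x8008, "mov r2, #0x40", ("r2",), ()),
    Insn(0x800C, "add r3, r1, r2     ; total = length + header", ("r3",), ("r1", "r2")),
    Insn(0x8010, "mov r5, #0x100", ("r5",), ()),
    Insn(0x8014, "bl memcpy  ; memcpy(dst, buf, r3)", ("r0",), ("dst", "buf", "r3"), "memcpy"),
    Insn(0x8018, "bl memcpy  ; memcpy(dst2, cfg, r5)", ("r0",), ("dst2", "cfg", "r5"), "memcpy"),
    Insn(0x801C, "bl strcpy  ; strcpy(name, buf)", ("r0",), ("name", "buf"), "strcpy"),
]


def reaching_defs(listing: list[Insn]) -> dict[tuple[int, str], int]:
    """Map (instruction address, used location) -> address of the instruction
    whose write of that location reaches this use (straight-line assumption)."""
    last_def: dict[str, int] = {}
    rd: dict[tuple[int, str], int] = {}
    for insn in listing:
        for u in insn.uses:
            if u in last_def:
                rd[(insn.addr, u)] = last_def[u]
        for d in insn.defs:
            last_def[d] = insn.addr
    return rd


def taint_path(listing: list[Insn], sink_addr: int, loc: str) -> Optional[list[int]]:
    """Walk def-use chains backward from `loc` as used at `sink_addr`.
    Returns the instruction-address path from the source call to the sink if
    the value derives from an attacker-controlled source, otherwise None."""
    by_addr = {i.addr: i for i in listing}
    rd = reaching_defs(listing)
    start = (sink_addr, loc)
    parent: dict[tuple[int, str], Optional[tuple[int, str]]] = {start: None}
    queue = deque([start])
    while queue:
        addr, l = queue.popleft()
        d = rd.get((addr, l))
        if d is None:             # constant or undefined before this point
            continue
        insn = by_addr[d]
        if insn.callee in SOURCES and l in SOURCES[insn.callee]:
            path = [d]            # source first, then the chain down to the sink
            state: Optional[tuple[int, str]] = (addr, l)
            while state is not None:
                path.append(state[0])
                state = parent[state]
            return path
        for u in insn.uses:       # keep walking through every input of the definer
            nxt = (d, u)
            if nxt not in parent:
                parent[nxt] = (addr, l)
                queue.append(nxt)
    return None


def find_tainted_sinks(listing: list[Insn]) -> list[tuple[int, str, list[int]]]:
    """Run the query for every sink call; report (sink address, callee, path)."""
    hits = []
    for insn in listing:
        idx = SINKS.get(insn.callee or "")
        if idx is None or idx >= len(insn.uses):
            continue
        path = taint_path(listing, insn.addr, insn.uses[idx])
        if path is not None:
            hits.append((insn.addr, insn.callee, path))
    return hits


if __name__ == "__main__":
    by_addr = {i.addr: i for i in LISTING}
    for sink, callee, path in find_tainted_sinks(LISTING):
        print(f"{callee} at {sink:#x} takes attacker-controlled data via:")
        for a in path:
            print(f"  {a:#x}  {by_addr[a].text}")
```

The second `memcpy` is not reported because its length comes from an immediate, which is exactly the discrimination an analyst wants from a root-cause query: the reported path names the instruction that introduces the attacker data, the arithmetic it passes through, and the sink that consumes it. Real firmware requires a control-flow-aware data-flow model (branches, loops, calls across components); the straight-line model here is the simplification.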