The 7th Annual DFRWS Conference was held from August 13 to 15, 2007 at the Omni William Penn Hotel in Pittsburgh, PA with local assistance from the CERT Coordination Center. Keynote speakers included Greg Hoglund (author of ROOTKITS, Subverting the Windows Kernel) and Ronald van der Knijff (Netherlands Forensic Institute). 17 peer-reviewed papers were presented at the conference.
THE DFRWS 2007 CHALLENGE was about data carving, which is a file recovery technique that is frequently used during digital investigations. Files are “carved” from the unallocated space using file type-specific information, such as footers, headers, and internal structures.
The previous DFRWS 2006 Challenge focused on carving basic file types in basic scenarios. The result was the development of new tools and techniques to carve files using more internal structure than only the header and footer values. This year, DFRWS expanded on that challenge by introducing more file types and more complex fragmentation scenarios. The goal of this challenge was to design and develop automated file carving algorithms that have high true positive and low false positive rates.
Michael Cohen won the 2007 challenge for his work on a theory of fragmentation and file mapping, and developed dedicated validators for PDF, ZIP, MIME, HTML and MPEG. His process involved evaluating possible files against an ideal mapping model, performing interpolation when discontinuities were found, and then performing error checking on the resulting files using his validation utilities. Even though Cohen did not focus on image and office file formats, his results still ended up very high, with the lowest false positive score. The high quality of the results from this approach shows promise.
Pittsburgh, PA United States
August 13, 2007 to August 15, 2007
Digital Forensics, Covert Monitoring, and Active MethodsGreg Hoglund | HBGary, Inc
Abstract: New methods and capabilities for collecting evidence are emerging that include live memory analysis and ongoing covert monitoring of insider threats. These methods go far beyond the tradition of hard-drive imaging or pulling data from firmware. Advanced attack capabilities such as rootkits and botnets are bringing forensics and incident response together not just for evidence collection, but also for reverse engineering to understand the threat. Software weapons are being developed that include very advanced systems to thwart detection, hide and transmit data, and resist forensics analysis. These are all modern challenges for the next generation of digital forensics. Hoglund will talk about various technology, both offensive and defensive, and share insights into the emerging problems that need to be solved.
Bio: Greg Hoglund has published a great deal of work related to reverse engineering, software exploitation, and rootkit development. He founded the website rootkit.com in the late 1990's to help people understand what may be the most popular and advanced backdoor technology. He has published several best-selling books on computer security. His latest book, Exploiting Online Games, takes the focus away from traditional security and into online game hacking which represents not only fun and games, but also a real underground economy in virtual property. Greg is currently CEO of HBGary, Inc, his third security start-up, and has released the product "HBGary Inspector", a program designed to reverse engineer malware using active methods (www.hbgary.com).
10 Good Reasons Why You Should Shift Focus to Small Scale Digital Device ForensicsRonald van der Knijff | Netherlands Forensic Institute
Bio: Ronald van der Knijff received his B.Sc. degree on electrical engineering in 1991 from the Rijswijk Institute of Technology. After performing military service as a Signal Officer he obtained his M.Sc. degree on Information Technology in 1996 from the Eindhoven University of Technology. Since then he works at the Digital Technology and Biometrics department of the Netherlands Forensic Institute as a scientific investigator. He is responsible for the embedded systems group and is also court-appointed expert witness in this area. He is author of the (outdated) cards4labs and TULP software and founder of the TULP2G framework. He is a visiting lecturer on ‘Cards & IT’ at the Dutch Police Academy; a visiting lecturer on ‘Smart Cards and Biometrics’ at the Masters Program ‘Information Technology’ of TiasNimbas Business School and a visiting lecturer on ‘Mobile and Embedded Device Forensics’ at the Master’s in ‘Artificial Intelligence’ of the University in Amsterdam (UvA). He wrote a chapter on embedded systems analysis in Eoghan Casey’s Handbook of Computer Crime Investigation - Forensic Tools and Technology.
Brian Carrier (Basis Technology)
Vassil Roussev (University of New Orleans), Frank Adelstein (ATC-NY)
Golden Richard (University of New Orleans)
Wietse Venema (IBM)
Brian Carrier (Basis Technology)
Todd Shipley (SEARCH)
Matthew Geiger (CERT), Tanya Macrina (Air Force Research Lab)
Eoghan Casey (Stroz Friedberg)
Rick Smith (ATC-NY), Daryl Pfeif (Digital Forensics Solutions)
Marc Rogers (Purdue University), Dan Kalil (AFRL, Assured Information Security)
David Baker (MITRE)
Technical Program Committee
James Madison University
Iowa State University
Olivier De Vel
Defence Science and Technology Organization, Australia)
European Space Agency
Ecole Polytechnique Montreal, Canada
University of Milano at Crema
Naval Postgraduate School
University of Louisville
Florida State University
Deutsche Telekom, Germany
Purdue University - CERIAS
Sponsors help DFRWS to produce quality events and foster community. Click a logo to learn more about the sponsor.
Information about sponsorship opportunities is available at: http://www.dfrws.org/sponsorship-opportunities
WetStone software solutions support investigators and analysts engaged in cyber-crime investigations, digital forensics, and incident response activities.Learn More
A Computer Emergency Response Team is an expert group that handles computer security incidents. Alternative names for such groups include Computer Emergency Readiness Team and Computer Security Incident Response TeamLearn More
Taylor & Francis
Taylor & Francis Group publishes quality peer-reviewed journals under the Routledge and Taylor & Francis imprints. The newest part of the group, Cogent OA, offers a purely open access program. Our journal content is hosted on Taylor & Francis Online, our content platform.Learn More
Elsevier is a global information analytics business that helps institutions and professionals progress science, advance healthcare and improve performance.Learn More
Air Force Research Laboratory
The Air Force Research Laboratory is a scientific research organization operated by the United States Air Force Materiel Command dedicated to leading the discovery, developmentLearn More
Stroz Freidberg, LLC
Stroz Friedberg is a leading global consulting firm for ... Please visit our website listed below for more services and details.Learn More