2011 brought DFRWS back to New Orleans from Monday, Aug 1 to Aug 3. Preceding DFRWS on Sunday, July 31, 2011, was the 2nd Open Memory Forensics Workshop sponsored by Volatility. In addition to 2 keynotes, DFRWS also had 14 presentations based on peer reviewed papers. The 2011 conference was held in cooperation with the Association for Computing Machinery (ACM) and its Special Interest Group on Security, Audit and Control (SIGSAC).
The Best Paper Award went to “Forensic Carving of Network Packets and Associated Data Structures” by Robert Beverly, Simson Garfinkel and Greg Cardwell.
The 2011 Forensics Challenge was on Android devices. Given the variety and impending ubiquity of Android devices along with the wide range of crimes that can involve these systems as a source of evidence, the DFRWS has created two scenarios for the forensics challenge in 2011. The data included flash-memory storage of two Android mobile devices for reconstruction and analysis of evidence.
The winning submission was from Ivo Pooters, Steffen Moorrees & Pascal Arends of Fox-IT in the Netherlands. This submission developed Python utilities for extracting information from the Android data in both scenarios. For Scenario 1, data structures were carved from the dd image. For Scenario 2, the YAFFS2 file system was mounted in Linux and information was extracted from files and databases on the system. The report provided a great overall synthesis of evidence and its application to the scenario, including an analysis of malware installed on one device. The analysis culminated with an impressive visual reconstruction of the evidence.
Conference Location:
Westin New Orleans Canal Place
New Orleans, LA, US
August 1, 2011 to August 3, 2011
Keynotes
Analyzing Adobe vulnerabilities: A technical and organizational perspective
Sebastian Porst | Bio: Sebastian Porst has been a binary file reverse engineer for more than ten years. After getting his Masters degree in Computer Science, he joined the German reverse engineering startup Zynamics where he was the lead developer of the three popular reverse engineering tools BinNavi, BinCrowd, and PDF Dissector. PDF Dissector was successfully marketed to companies and government agencies around the world and quickly became the most powerful PDF malware analysis tool on the market.
Drawing on his experience with analyzing malware and security vulnerabilities in Adobe products, Sebastian was then hired by Microsoft and Adobe to become the primary vulnerability researcher for Adobe products on the Microsoft Active Protections Program (MAPP), a program that aims to supply program partners with advance notification about vulnerabilities before Patch Tuesday. In addition to his paid work, Sebastian is the lead developer of a collection of open source tools for Flash malware and vulnerability analysis, and he has been speaking about reverse engineering at IT security conferences around the world since 2008.
Abstract: Adobe products like Adobe Reader or Adobe Flash have been the biggest targets of malicious attacks in the last few years. As a result of this, Adobe has begun to implement significant measures to improve the security of their products, and many independent security researchers are now focusing on Adobe. I have experience working on both sides of the fence, first working independently on analyzing Adobe software and later working directly with Adobe on their vulnerability assessment. Using Flash as an example, I will describe the low-level details of vulnerability research and file format analysis by walking through a real-life example of a Flash vulnerability that was exploited by malware in the wild and what is necessary to figure out what the bug was in Flash Player. Then, I will wrap it up by describing how this ties back to the processes Adobe put into place to work with external security researchers and partners, for example through the Microsoft MAPP program.
Challenges and Opportunities for Digital Forensics in the Cloud
Christopher Day | Senior Vice President, Terremark Worldwide, Inc. | Bio: Christopher Day joined Terremark Worldwide, Inc. in December 2005 as Senior Vice President, Secure Information Services. He is responsible for global information security services provided to Terremark customers in both the commercial and government sectors. Prior to Terremark, Mr. Day was Vice President for SteelCloud, a publicly traded network security product and services firm headquartered in Herndon, Virginia. Mr. Day was responsible for directing SteelCloud's investments in advanced technology as well as leading the design and development of SteelCloud's proprietary security systems.
With over fourteen years in the information security industry and working with Fortune 1000 companies and financial services firms in the United States, Latin America, Europe, the Middle East, Asia and Africa, Mr. Day has led numerous consulting projects in the areas of security audit, vulnerability assessment, computer forensics, and secure systems design. Christopher has also been involved with various security incidents dealing with system intrusions, theft of intellectual property, harassment, and fraud including serving as a testifying expert witness.
Mr. Day regularly lectures on computer forensics, incident response, intrusion detection/prevention, and wireless technology security. Christopher is a contributing author for the books Going Mobile: Building the Real-Time Enterprise with Mobile Applications that Work and Computer And Information Security Handbook. Mr. Day has been awarded two patents in the areas of Intrusion Detection (#7017186) and Wireless Network Security (#7020476), respectively, and has two others pending.
Abstract: This presentation will discuss the issues involved with acquiring digital evidence from virtualization systems such as VMware and Xen-based systems, as well as so-called cloud computing platforms that rely on these technologies to provide organizations and users with highly scalable and distributed computing capabilities. Attendees will learn how virtualization systems work and the particular challenges they pose to the forensic investigator. In addition, attendees will learn about the most common types of cloud computing platforms and how each introduces additional challenges for the investigator above and beyond those presented by virtualization technologies. The discussion will provide practitioners a primer for these increasingly common but, to some, still mysterious technologies and platforms that they will likely be asked to perform forensic acquisitions and investigations on in the near future. This presentation will also present some practical techniques and procedures practitioners can utilize in their work with these systems.
Committees
Organizing Committee
Conference Chair: Vassil Roussev, PhD (University of New Orleans)
Conference Vice Chair: Matthew Geiger (CERT)
Technical Program Chair: Florian Buchholz, PhD (James Madison University)
Technical Program Vice Chair: Brian Levine, PhD (University of Massachusetts)
Local Arrangements: Golden Richard, PhD (University of New Orleans)
Proceedings: Wietse Venema, PhD (IBM)
Keynote: Frank Adelstein, PhD (ATC-NY)
Publicity: Dave Baker (MITRE)
Advertising / Sponsorship: Daryl Pfeif (Digital Forensics Solutions)
Registration: Andreas Schuster (Deutsche Telekom AG)
Finances: Rick Smith (ATC-NY)
Challenge: Eoghan Casey (cmdLabs)
Demo / Posters: Golden Richard, PhD (University of New Orleans)
Workshops: Eoghan Casey (cmdLabs), Frank Adelstein, PhD (ATC-NY)
Outreach Coordinator: Tim Vidas (Carnegie Mellon)
Web: Brian Carrier, PhD (Basis Technology)
Technical Program Committee
Frank Adelstein (ATC-NY)
Cory Altheide
David Baker (MITRE)
Nicole Beebe (University of Texas at San Antonio)
Matt Bishop (UC Davis)
Florian Buchholz (James Madison University)
Brian Carrier (Basis Technology)
Harlan Carvey (Terremark)
Heather Dussault (SUNY Institute of Technology)
Jim Early (State University of New York at Oswego)
Jon Evans (QinetiQ)
Dario Forte (DFlabs)
Simson Garfinkel (Naval Postgraduate School)
Matthew Geiger (CERT)
Pavel Gladyshev (University College Dublin)
Grant Gottfried (MITRE)
Yong Guan (Iowa State University)
Gaurav Gupta (IIIT-Delhi)
Sundararaman Jeyaraman (Purdue University)
Ping Ji (John Jay Criminal Justice/CUNY)
Xuxian Jiang (North Carolina State University)
Rob Joyce (ATC-NY)
Erin Kenneally (University of California San Diego)
Jesse Kornblum (Kyrus)
Brent Lagesse (Oak Ridge National Laboratory)
Brian Levine (University of Massachusetts)
Marc Liberatore (Univ. of Massachusetts Amherst)
Michael Losavio (University of Louisville)
James Lyle (NIST)
Nasir Memon (Polytechnic University)
Timothy Morgan (Virtual Security Research LLC)
Gilbert Peterson (Air Force Institute of Technology)
Wei Ren (China University of Geosciences)
Golden Richard (University of New Orleans)
Marcus Rogers (Purdue University)
Steve Romig (Ohio State University)
Vassil Roussev (University of New Orleans)
Nicolas Ruff (EADS-IW)
Bradley Schatz (Schatz Forensic Pty. Ltd)
Andreas Schuster (Deutsche Telekom AG)
Clay Shields (Georgetown University)
Philip Turner (QinetiQ)
Wietse Venema (IBM Research)
Svein Willassen (Norwegian University of Science and Technology)
Sponsors
Sponsors help DFRWS to produce quality events and foster community.
Information about sponsorship opportunities is available at: http://www.dfrws.org/sponsorship-opportunities
WetStone
WetStone software solutions support investigators and analysts engaged in cyber-crime investigations, digital forensics, and incident response activities.
AccessData
Need to mitigate risk or ensure compliance? AccessData's targeted, forensically sound collection, preservation, hold, processing and data assessment tools.
CERT
CERT is the home of the CERT Coordination Center and located at Carnegie Mellon University's Software Engineering Institute. It studies internet security vulnerabilities, researches long-term changes in networked systems, and develops information and training to help improve security.