2011 brought DFRWS back to New Orleans from Monday, Aug 1 to Aug 3. Preceding DFRWS on Sunday, July 31, 2011, was the 2nd Open Memory Forensics Workshop sponsored by Volatility. In addition to 2 keynotes, DFRWS also had 14 presentations based on peer reviewed papers. The 2011 conference was held in cooperation with the Association for Computing Machinery (ACM) and its Special Interest Group on Security, Audit and Control (SIGSAC).
The Best Paper Award went to “Forensic Carving of Network Packets and Associated Data Structures” by Robert Beverly, Simson Garfinkel and Greg Cardwell.
The 2011 Forensics Challenge was on Android devices. Given the variety and impending ubiquity of Android devices along with the wide range of crimes that can involve these systems as a source of evidence, the DFRWS has created two scenarios for the forensics challenge in 2011. The data included flash-memory storage of two Android mobile devices for reconstruction and analysis of evidence.
The winning submission was from Ivo Pooters, Steffen Moorrees & Pascal Arends of Fox-IT in the Netherlands. This submission developed Python utilities for extracting information from the Android data in both scenarios. For the Scenario 1, data structures were carved from the dd image. For the Scenario 2, the YAFFS2 file system was mounted in Linux and information was extracted from files and databases on the system. The report provided a great overall synthesis of evidence and application to the overall scenario, including an analysis of malware installed on one device. The analysis culminated with an impressive visual reconstruction of evidence.
Westin New Orleans Canal Place
New Orleans, LA, US
Analyzing Adobe vulnerabilities: A technical and organizational perspectiveSebastian Porst |
Bio: Sebastian Porst has been a binary file reverse engineer for more than ten years. After getting his Masters degree in Computer Science, he joined the German reverse engineering startup Zynamics where he was the lead developer of the three popular reverse engineering tools BinNavi, BinCrowd, and PDF Dissector. PDF Dissector was successfully marketed to companies and government agencies around the world and quickly became the most powerful PDF malware analysis tool on the market.
Drawing on his experience with analyzing malware and security vulnerabilities in Adobe products, Sebastian was then hired by Microsoft and Adobe to become the primary vulnerability researcher for Adobe products on the Microsoft Active Protections Program (MAPP), a program that aims to supply program partners with advance notification about vulnerabilities before patching Tuesdays. In addition to his paid work, Sebastian is the lead developer of a collection of open source tools for Flash malware and vulnerability analysis and he has been speaking about reverse engineering at IT security conference around the world since 2008.
Abstract: Adobe products like Adobe Reader or Adobe Flash have been the biggest targets of malicious attacks in the last few years. As a result of this, Adobe has begun to implement significant measures to improve the security of their products and many independent security researchers are now focusing on Adobe. I have experience working on both sides of the fence, first working independently on analyzing Adobe software and later working directly with Adobe on their vulnerability assessment. Using Flash as an example, I will describe the low-level details of vulnerability research and file format analysis by describing a real-life example of a Flash vulnerability that was exploited by malware in the wild and what is necessary to figure out what the bug was in Flash Player. Then, I will wrap it up by describing how this ties back to the processes Adobe put into place to work with external security researchers and partners, for example through the Microsoft MAPP program."
Challenges and Opportunities for Digital Forensics in the CloudChristopher Day | Senior Vice President Terremark Worldwide, Inc
Bio: Christopher Day joined Terremark Worldwide, Inc. in December 2005 as Senior Vice President, Secure Information Services. He is responsible for global information security services provided to Terremark customers both in the commercial and government sectors. Prior to Terremark, Mr. Day was Vice President for SteelCloud, a publicly traded network security product and services firm headquartered in Herndon, Virginia. Mr. Day was responsible for directing SteelCloud's investments in advanced technology as well as leading the design and development of SteelCloud's proprietary security systems.
With over fourteen years in the information security industry and working with Fortune 1000 companies and financial services firms in the United States, Latin America, Europe, the Middle East, Asia and Africa, Mr. Day has led numerous consulting projects in the areas of security audit, vulnerability assessment, computer forensics, and secure systems design. Christopher has also been involved with various security incidents dealing with system intrusions, theft of intellectual property, harassment, and fraud including serving as a testifying expert witness.
Mr. Day regularly lectures on computer forensics, incident response, intrusion detection/prevention, and wireless technology security. Christopher is a contributing author for the books Going Mobile: Building the Real-Time Enterprise with Mobile Applications that Work and Computer And Information Security Handbook. Mr. Day has been awarded two patents in the areas of Intrusion Detection (#7017186) and Wireless Network Security (#7020476), respectively, and has two others pending.
Abstract: This presentation will discuss the issues involved with acquiring digital evidence from virtualization systems such as VMware and Xen-based systems, as well as so-called cloud computing platforms that rely on these technologies to provide organizations and users with highly-scalable and distributed computing capabilities. Attendees will learn how virtualization systems work and the particular challenges they pose to the forensic investigator. In addition attendees will learn about the most common types of cloud computing platforms and how each introduces additional challenges for the investigator above and beyond those presented by virtualization technologies. The discussion will provide practitioners a primer for these increasingly common but, to some, still mysterious, technologies and platforms that they will likely be asked to perform forensics acquisitions and investigations on in the near future. This presentation will also present some practical techniques and procedures practitioners can utilize in their work with these systems."
Vassil Roussev, PhD (University of New Orleans)
Conference Vice Chair
Matthew Geiger (CERT)
Technical Program Chair
Florian Buchholz, PhD (James Madison University)
Technical Program Vice Chair
Brian Levine, PhD (University of Massachusetts)
Golden Richard, PhD (University of New Orleans)
Wietse Venema, PhD (IBM)
Frank Adelstein, PhD (ATC-NY)
Dave Baker (MITRE)
Advertising / Sponsorship
Daryl Pfeif (Digital Forensics Solutions)
Andreas Schuster (Deutsche Telekom AG)
Rick Smith (ATC-NY)
Eoghan Casey (cmdLabs)
Demo / Posters
Golden Richard, PhD (University of New Orleans)
Eoghan Casey (cmdLabs), Frank Adelstein, PhD (ATC-NY)
Tim Vidas(Carnegie Mellon)
Brian Carrier, PhD (Basis Technology)
Technical Program Committee
University of Texas at San Antonio
James Madison University
SUNY Institute of Technology
State University of New York at Oswego
Naval Postgraduate School
University College Dublin
Iowa State University
John Jay Criminal Justice/CUNY
North Carolina State University
University of California San Diego
Oak Ridge National Laboratory
University of Massachusetts
Univ. of Massachusetts Amherst
University of Louisville
Virtual Security Research LLC
Air Force Institute of Technology
China University of Geosciences
University of New Orleans
Ohio State University
University of New Orleans
Schatz Forensic Pty. Ltd
Deutsche Telekom AG
Norwegian University of Science and Technology
Sponsors help DFRWS to produce quality events and foster community. Please consider supporting our cause. http://www.dfrws.org/sponsorship-opportunities
WetStone software solutions support investigators and analysts engaged in cyber-crime investigations, digital forensics, and incident response activities.Learn More
Need to mitigate risk or ensure compliance? AccessData's targeted, forensically sound collection, preservation, hold, processing and data assessment tools .Learn More
CERT is the home of the CERT Coordination Center and located at Carnegie Mellon University's Software Engineering Institute. It studies internet security vulnerabilities, researches long-term changes in networked systems, and develops information and training to help improve security.Learn More