2010 EU What Works in Forensics and Digital Forensics and Incident Response Summit Expanded Keynote and Briefing Information
Keynote Day 1
Jesse Kornblum - Senior Forensic Scientist, Kyrus Technology
Keynote Title: Similarity: Fuzzy Hashing and Beyond
Computers are fantastic at finding identical pieces of data, but terrible at finding similar data. Part of the problem is first defining the term "similar" in any given context. This talk will explore what "similar" means in different computer forensics contexts. We will then discuss fuzzy hashing, a method for identifying similar files using signatures comparable to MD5 or SHA-256. Finally we'll discuss more specific methods for finding similar images and executables.
Bio:
Jesse Kornblum is a Senior Forensic Scientist for Kyrus Technology. Based in the Washington DC area, his research focuses on computer forensics and computer security. He has helped pioneer the field of memory analysis and authored a number of computer forensics tools, including the md5deep suite of hashing programs and a system for fuzzy hashing similar files. A graduate of the Massachusetts Institute of Technology, Mr. Kornblum has previously served as a computer crime investigator for the U.S. Air Force and as the Lead Information Technology Specialist for the Department of Justice. He has successfully trained his dog to use Facebook.
Keynote Day 2
Keith Foggon - Manager, Digital Evidence Team, UK Financial Services Authority
Keynote Title: Digital Forensics Trends and Techniques
Over the last few years the focus has been white collar crime, and Keith has led the Digital Forensic Teams on some of the largest international fraud cases. What concerns me most about new entrants into the forensic profession is that no differentiation is made between a forensic analyst and a forensic investigator, and the assumption is often made that one person, sitting behind an EnCase machine, is the solution to all of life's cybercrime problems.
The investigation team that we have at the FSA is about 400 strong, comprising Counsel, lawyers, accountants, paralegals etc., and it is only when you can pull together a team like this that you can properly investigate large scale fraud.
The data sources that we use are many, but take for example the items collected from a recent search. We lifted truck loads of laptops, Apple machines, desktops (new and ancient), BlackBerrys, CDs, floppies, dictation machines, USB drives, memory cards, servers, tapes, telephone recording systems and other weird and wonderful devices. Keith will discuss the ways and means by which large scale fraud can be approached and how digital forensics can be applied across such a wide range of source data in order to provide meaningful data for investigators.
Bio:
Keith currently manages the Digital Evidence Team within the Enforcement and Financial Crime Department at the UK Financial Services Authority. Prior to that he was Head of the Digital Forensics Unit at the Serious Fraud Office. Before that, Keith carried out computer forensic work for a range of other agencies. Keith is also an Executive Director of the International Organisation on Computer Evidence (IOCE).
Malware Analysis Briefing
Ero Carrera - Chief Research Officer, VirusTotal
Title: Advanced malware analysis
The talk will cover how to approach the analysis of complex kernel-mode malware. Some of the user-land tools used to debug and analyze malware have reached their limits when dealing with the most advanced cases. I will talk about which techniques are common in advanced malware and which tools help best at figuring out and understanding the functionality of complex malware. Some of the tools covered will be CPU emulators such as Bochs working together with the forensics tool Volatility in order to obtain information quickly, without necessarily having to deal with all the anti-analysis techniques used by malware.
Bio:
Ero Carrera is currently Chief Research Officer of Collaborative Security at VirusTotal and a reverse engineering automation researcher at zynamics GmbH (formerly SABRE Security GmbH), home of BinDiff and BinNavi. Ero previously spent several years as a Virus Researcher at F-Secure, where his main duties ranged from reverse engineering of malware to research in analysis automation methods. Prior to F-Secure, he was involved in miscellaneous research and development projects and always had a passion for mathematics, reverse engineering and computer security. While at F-Secure he advanced the field of malware classification in a joint paper with Gergely Erdelyi on applying genomic methods to binary structural classification. Other projects he's worked on include seminal research on generic unpacking. Ero has presented at conferences such as HackInTheBox, RSA, BlackHat and Source, in addition to teaching a reverse engineering course at the BlackHat conferences. Additionally, Ero is a habitual lurker on OpenRCE and has contributed miscellaneous reverse engineering tools such as pefile and ida2sql, and others such as Pythonika and pydot.
New Digital Forensic Techniques Briefings
Lee Whitfield - Forensic Lab Manager, Zentek Forensics
Title: Into The Shadows
Since their arrival in recent Windows operating systems, volume shadow copies have troubled forensic investigators. Many investigations place less value on, or even ignore, items found in these files due to their complexity. The only known way of fully accessing the contents of volume shadow copies consumes a great deal of both time and storage. This can prove costly for investigator and client alike.
Bio:
Before becoming involved in the field of digital forensics Lee worked for an international construction law company working directly under the director responsible for forensic construction. Lee's passion for computers caused him to enrol in the first Computing (Forensics) degree at the University of Central Lancashire in Preston. Graduating three years later Lee started his first job in digital forensics. It was here that he gained a good grounding in the field. After two years he moved to join his brother, Simon, at Zentek Forensics. Lee now works as the lab manager and is directly responsible for all computer examinations performed at Zentek. Even though Lee has only worked in the field for four years he has conducted approximately 200 investigations and has experience in cases involving child abuse, rape, attempted murder, fraud, intellectual property theft, burglary, and so on.
Andreas Schuster
Title: Understanding Windows Event Log and the EVTX file format
With the Vista kernel Microsoft introduced an entirely new event logging architecture. Events are no longer recorded in a simple record structure, but in a proprietary binary encoding of XML (EVTX). This briefing will provide forensic examiners with the technical details they need to know in order to process EVTX files and to recover information from deleted and corrupted system logs.
The briefing will recapitulate the core elements of the old "NT style" event log format and discuss its shortcomings. You will learn how Microsoft addressed these problems. The briefing explains how event messages are encoded in a proprietary binary format and how you can transform them into human-readable XML. You will learn how to deal with corrupt and incomplete log files that don't open in the usual system administration tools.
Bio:
Andreas Schuster has been a Senior Computer Forensic Examiner with the security department of a major telecommunications and information technology service company since December 2003. Previously he led a commercial computer incident response team and worked in the internet business for about seven years.
Andreas got his first computer in 1981. In order to make the most out of 1024 bytes of main memory he had to acquire low-level programming skills. Though times have changed significantly, he regularly falls back on low-level tools like disassemblers and hex editors when he explores the inner mechanics of an operating system.
Andreas has authored research articles and blogs on computer forensics. Also, he has developed several open-source computer forensic tools. Andreas is a speaker at security conferences and provides training to law enforcement and special interest groups.
Incident Response Trends Briefing
Jelle Niemantsverdriet - Principal Consultant, Verizon Business Security Solutions
Title: 2009-2010 Verizon Business Data Breach report: How did they get in?
In April 2010, Verizon Business' new Data Breach Investigations Report will be published, detailing the statistics and facts on all data breaches investigated by Verizon Business in 2009. A few months earlier, the 2009 Supplemental Report had already provided more detailed insight into some of the specific attack types and vectors that we see during our investigations.
If you read in the papers about a data breach, you typically only read about the number of records breached. What actually went wrong, how the attackers got in and how such an attack could have been prevented: you never read that in the press. By sharing intelligence from our investigations, we give an objective view of these data breaches, including analysis that we believe will be helpful to the planning and security efforts of our readers. This presentation will combine information from both reports to provide an inside look into the world of investigating data breaches, using real world data and case examples.
Bio:
Jelle Niemantsverdriet is a Principal Consultant with the Forensic and Investigative Team, for the EMEA region at Verizon Business. He has held this role since June 2008 and is based in the London office. In this role, he is responsible for incident response and incident investigation. Verizon Business helps customers prepare for incidents that may need digital evidence, and offers services that assist customers in fully carrying out an investigation. Examples of incidents covered include stolen information, hacked servers and applications, anonymous email threats and fraud.
Niemantsverdriet brings extensive experience in information security and forensic investigations to this role. From 2006 to June 2008 he was coordinator of two teams of Forensic Investigators and the lab team at Fox-IT, a global company specialising in state-secret level encryption products and forensics. In this role Niemantsverdriet oversaw and participated in all forensic investigations handled by the company, being responsible for the investigative strategy and technical overview, from the sales cycle to reporting. In addition, he coordinated a team of security auditors in 2007 as a temporary position and was responsible for all security audits conducted by the company, including the logical, physical and social engineering penetration testing of sites, for corporate and government clients.
Prior to this, between 2004 and 2006, Niemantsverdriet worked as a Senior Programmer for Accenture Technology Solutions, designing and implementing portals and document management solutions for large enterprises. Niemantsverdriet holds various accreditations, including Certified Information Systems Security Professional (CISSP(R)), Certified Information Security Manager (CISM(R)) and Qualified Security Assessor (QSA) for the Payment Card Industry. He holds a Master of Science in Artificial Intelligence, specializing in Autonomous Systems, and is a fully trained Private Investigator.
Digital Forensic Tool Briefings
Kristinn Gudjonsson - Team Leader of Information Security, Skyggnir
Title: Mastering the Super Timeline log2timeline style
Traditional timeline analysis can be extremely useful, yet it sometimes misses important events that are stored inside files on the suspect system (log files, OS artifacts). By depending solely on the traditional filesystem timeline, the investigator misses context that is necessary to get a complete and accurate description of the events that took place. To achieve this goal of enlightenment we need to dig deeper and incorporate information found inside artifacts or log files into our timeline analysis, creating some sort of super timeline. These artifacts or log files could reside on the suspect system itself or on another device, such as a firewall or a proxy. This talk will focus on the tool log2timeline, a framework built to parse different log files and artifacts and produce a super timeline in an easy, automatic fashion, designed to assist investigators in their timeline analysis.
Bio:
Kristinn Guðjónsson is the team leader of information security at Skyggnir, one of Iceland's largest hosting providers. Daily responsibilities include computer forensics, incident handling and response, intrusion analysis and security audits of networks and servers.
Kristinn holds an M.Sc. degree in computer engineering from INT (Institut National des Telecommunications) in Paris as well as a B.Sc. degree in electrical and computer engineering from the University of Iceland. Kristinn also holds several certifications such as GCIA (GIAC Certified Intrusion Analyst), GCIH (GIAC Certified Incident Handler) and GCFA (GIAC Certified Forensic Analyst), as well as certifications from vendors, such as CISP (Cisco IronPort Security Professional) and others.
Kristinn is a member of the SANS advisory board as well as being a local mentor for the institute. He has also taught information security courses at both the University of Reykjavik and the University of Iceland, and regularly gives seminars to increase security awareness among employees of various companies in Iceland. Kristinn blogs about computer forensics and incident response at his IR and Forensics Talk Blog as well as on the SANS computer forensics blog. He is also the author and creator of the tool log2timeline, an open-source artifact timeline creation and analysis tool.
Matthieu Suiche
Title: Microsoft Blue Screen of the Death is Dead
This talk aims to show how a user may generate a snapshot of Windows physical (volatile) memory, and how to take advantage of existing tools maintained by Microsoft itself to perform the analysis. The process will be as follows: create a Microsoft crash memory dump, without triggering a BSOD, using free tools such as win32dd and win64dd. The author will also explain how to take advantage of this interoperable format using existing applications such as Microsoft WinDbg.
Bio:
Matthieu Suiche is a security researcher who focuses on reverse code engineering and volatile memory analysis. His previous research and utilities cover the Windows hibernation file, Windows physical memory acquisition (Win32dd/Win64dd) and Mac OS X physical memory analysis.
Matthieu has been a speaker at various security conferences such as PacSec, BlackHat USA, the EUROPOL High Tech Crime Meeting, Shakacon, etc. Prior to founding MoonSols in 2010, a computer security and kernel code consulting and software company, Matthieu worked for companies such as E.A.D.S. (European Aeronautic Defence and Space Company) and the Netherlands Forensic Institute of the Dutch Ministry of Justice.
Robert-Jan Mora and Bas Kloet
Title: Advanced File Carving
File carving is a technique to recover deleted files from a storage medium based on the raw data, without requiring the use of file system metadata. This course covers file carving techniques ranging from the very basic "header-footer carving" technique to the much more complex techniques that have been developed in recent years. Another important part of the presentation is measuring the quality of current forensic carving tools and techniques.
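As an added illustration of the basic header-footer technique the course starts from (example code written for this page, not the presenters' tooling), the carver below scans a constructed raw image for known header and footer byte patterns and ignores any filesystem. The sample image is constructed inline and deliberately includes a JPEG with an embedded thumbnail and a JPEG whose tail was overwritten, so the output shows the two classic failure modes that motivate the more advanced techniques: a nested header cuts the outer file short, and a file without its footer is never recovered.

```python
import re

# Constructed header/footer signatures for two common types (example values only).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, signatures=SIGNATURES, max_size=1 << 20):
    """Header-footer carving over raw bytes, with no filesystem metadata.

    For every header match, the first footer within max_size bytes closes the
    file. Returns a sorted list of (offset, extension, carved_bytes).
    A header that never meets its footer (truncated or fragmented file) is
    skipped, and a header nested inside another file is reported on its own
    and also terminates the outer file early: exactly the weaknesses that
    more advanced carvers address.
    """
    results = []
    for ext, (header, footer) in signatures.items():
        for match in re.finditer(re.escape(header), image):
            start = match.start()
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                continue  # no footer in range: truncated or fragmented
            results.append((start, ext, image[start:end + len(footer)]))
    return sorted(results, key=lambda r: r[0])


def build_sample_image() -> bytes:
    """Constructed raw 'disk image' (not real data): zero filler between a JPEG
    that embeds a thumbnail, a small PDF, and a JPEG whose tail was overwritten."""
    filler = b"\x00" * 64
    thumbnail = b"\xff\xd8\xff\xe0" + b"thumb" + b"\xff\xd9"
    outer_jpeg = b"\xff\xd8\xff\xe1" + b"EXIF" + thumbnail + b"main-body" + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"no footer follows"
    return filler + outer_jpeg + filler + pdf + filler + truncated_jpeg


if __name__ == "__main__":
    # Expect three hits: the outer JPEG cut short at offset 64, the thumbnail at
    # 72, the PDF at 158; the truncated JPEG at 254 is silently lost.
    for offset, ext, data in carve(build_sample_image()):
        print(f"offset={offset:5d} type={ext} size={len(data)}")
```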
Bio:
Robert-Jan Mora is a Senior Forensic Investigator at Hoffmann Investigations, based in The Netherlands. Hoffmann Investigations conducts (international) investigations in and for many companies in the business sector, non-profit organisations and government bodies. Thanks to the quality of our investigations and reports and the knowledge level of our employees, Hoffmann is a leading investigation agency in Western Europe. At Hoffmann, Robert-Jan is responsible for incident response and forensic investigations. He has conducted hundreds of investigations and has experience in cases involving hacking, sabotage, child abuse, fraud, intellectual property theft et cetera.
Before working at Hoffmann, about a decade ago, Robert-Jan worked at the Dutch Police as a forensic investigator. After leaving the police he worked as a security professional for the Dutch government and in the payment industry.
Robert-Jan is a certified Private Investigator. He is CISSP and EnCE certified and holds several older certifications: GCFA, GREM, LPIC and MCSE. In 2009 he finished the IT-auditing programme at the Vrije Universiteit of Amsterdam with a thesis on a risk analysis of the evidential value of digital evidence and the use of a Bayesian network for judging the culpability of a suspect in a digital forensic investigation.
Furthermore, he likes to participate in the DFRWS forensic challenges with his colleagues at Hoffmann to learn new methods and develop new investigative techniques, and he is active in several open source projects (libewf, revit, libpff etc.) developed by Hoffmann Investigations.
Bio:
Bas Kloet is a Forensic Investigator at Hoffmann Investigations, based in The Netherlands. Hoffmann Investigations conducts (international) investigations in and for many companies in the business sector, non-profit organisations and government bodies. Thanks to the quality of our investigations and reports and the knowledge level of our employees, Hoffmann is a leading investigation agency in Western Europe.
In 2007 Bas Kloet received his Master's degree in Computer Science and Engineering from the Eindhoven University of Technology, with his Master's project on "Measuring and Improving the Quality of File Carving Methods." His Master's project took place at Hoffmann Investigations, where he continued to work after his graduation. Bas Kloet is a certified Private Investigator.
At Hoffmann, Bas Kloet is responsible for incident response and forensic investigations. Besides his main responsibilities he is also developing new forensic tools and techniques and giving presentations, workshops and training to Dutch and international participants.