SANS DFIR Europe Summit 2024

8:45 am - 9:30 am CEST (6:45 am - 7:30 am UTC)
Registration & Networking

9:30 am - 9:50 am CEST (7:30 am - 7:50 am UTC)
Opening Remarks
Jess Garcia, Senior Instructor, SANS Institute; Founder of One eSecurity

9:50 am - 10:20 am CEST (7:50 am - 8:20 am UTC)
Investigating & Parsing Windows 11 Notepad Tabs Using The Dissect Framework

The Windows Notepad application historically used to be a simple program with limited functionality. Users who required more functionality often resorted to alternatives like Notepad++, VSCode or Sublime Text. In a likely attempt to make the application more appealing, Microsoft added a lot of new features to the Windows 11 Notepad application. One of these features is the 'auto-restore' function for unsaved tabs: users are now able to close and re-open the Windows Notepad application with no loss of data, all without explicitly saving any file to disk. Although this is convenient for users and has been a feature of many other text editors for years, it leaves new forensic traces on disk. These traces may be interesting during forensic investigations for various reasons; think of passwords, tokens and other sensitive information being stored in these tabs.

After inspecting the traces on disk, we found that the binary file format was not as trivial as we thought. By interacting with the application in many ways, bits and pieces of the file structure became clear, until finally most of it could be recovered. An initial implementation was written in Python for the Dissect framework. The public GitHub Pull Request for this implementation gained the attention of others after the YouTube channel of John Hammond published a video about dissecting the same file format. In the end, the discussions in the Pull Request led to new findings and insights into the file format, and to collaboration between multiple people.

The presentation will cover the process of turning this idea into practice: how we started this project, how we gained insights into the file structure and, finally, how the idea was submitted and improved in the public domain. Alongside, examples of forensic traces will be shown to demonstrate the potential use cases.

The goal of the presentation is not to explain the file format in full detail, but to encourage and inspire people to take a (deep) dive into unknown file formats and share the findings with the entire DFIR community!

10:25 am - 10:50 am CEST (8:25 am - 8:50 am UTC)
Rise of the Drones: Extracting & Analyzing Data From These Airborne Devices
Daniel Flack, Exploitation Team Lead & UAS/cUAS Subject Matter Expert, Edgesource Corporation

Drones are an increasingly common device used for nearly every purpose imaginable. Roof inspections, aircraft inspections, electrical wire inspections, and targeting your ex – wait, that last one doesn't seem quite right! Alas, drones provide immense capabilities to professionals and criminals alike, enabling drug or contraband delivery (either across borders or into prisons), corporate espionage, terrorism, or simply use as a harassment tool. However, these devices also collect a lot of data and can help further investigations in previously impossible ways. Throughout this presentation, we'll see just how complex these machines can be, how to access the data stored on them, what this data may help with in an investigation, and most importantly – we'll discuss many case studies and real-life stories! We'll also walk through the case of "Operation ", a fake cross-border smuggling investigation. Each viewer, technical or not, stands to walk away from this presentation with actionable knowledge that will further their ability to approach cases involving drones confidently.

10:50 am - 11:15 am CEST (8:50 am - 9:15 am UTC)
Networking Break

11:15 am - 11:45 am CEST (9:15 am - 9:45 am UTC)
The Application of AI to Threat Detection and DFIR
Jess Garcia, Senior Instructor, SANS Institute; Founder of One eSecurity

11:50 am - 12:15 pm CEST (9:50 am - 10:15 am UTC)
Session To Be Announced

12:15 pm - 1:15 pm CEST (10:15 am - 11:15 am UTC)
Networking Lunch

1:15 pm - 1:35 pm CEST (11:15 am - 11:35 am UTC)
Fuji: A New Open Source Tool For Full File System Acquisition of Mac Computers

The advent of Apple Silicon introduced new challenges for forensic acquisition on macOS devices, as traditional imaging tools like dd or Disk Utility cannot be used due to hardware-level encryption. This issue inspired the creation of Fuji, a free and open-source tool designed for the forensic acquisition of Mac computers. Fuji leverages native Apple utilities such as ASR and rsync to perform a Full File System (FFS) live acquisition, thus working even on encrypted drives. It generates DMG files compatible with tools like FTK Imager and Autopsy. We will explore what Fuji is capable of, the differences between its acquisition modes, and how it was developed using Python.

In this talk, I will provide a detailed explanation of how Wiskess was developed and the benefits it brings to incident response investigations. The presentation will cover the five steps that make up the automated pipeline, allowing for an in-depth exploration of the tool's capabilities. I will also include a live demo of the tool in action.

1:40 pm - 2:00 pm CEST (11:40 am - 12:00 pm UTC)
VerManent: A Tool For Clues Search in Voice Messages

VerManent is a tool designed to address the challenge of analyzing the large number of voice messages on platforms like WhatsApp, Telegram, and Instagram in smartphone forensic investigations. Traditionally, investigators had to listen to nearly all messages to find useful evidence, a task growing increasingly difficult with the daily increase in voice message exchanges. The traditional methods of listening, or of using speech-to-text combined with exact string searches, are inefficient: listening to all messages is impractical, and exact string searches are limited by the chosen search terms.

To improve this, VerManent combines speech-to-text and word embeddings for textual similarity search in audio transcripts. Using the Whisper AI tool on a local dataset, VerManent transcribes all audio files and searches for files containing words or phrases similar to the user-specified search terms. A similarity ratio is assigned to each file based on its textual similarity to the input field, calculated using three methodologies:

- Word similarity: compares all words in each transcription and assigns the highest similarity ratio to the audio.
- Average similarity: computes the average similarity ratio between the input field and all words in the transcriptions.
- Window similarity: divides transcriptions into fixed-length word windows and calculates the average similarity ratio per window, assigning the highest result to the audio.

These methodologies increase the chances of detecting relevant messages in various contexts. VerManent orders the results from most to least similar and provides a report list. Future enhancements could include sentiment analysis, pitch detection, or anomaly detection for more precise clue searches.

2:00 pm - 2:20 pm CEST (12:00 pm - 12:20 pm UTC)
Segugio: Automatic Detection and Malware Config Extraction Based on Yara Rules

This talk will discuss Segugio. As real hunting dogs do, Segugio will help you detect the malware you launched on your sandbox system by using Yara (a YARA-X improvement is on the to-do list); if it's a match, the corresponding Python script will automatically extract the malware configuration for you. It's a tool for hunting and intelligence purposes that fits well in the DFIR loop.

2:25 pm - 2:45 pm CEST (12:25 pm - 12:45 pm UTC)
Forensic WACE: A Multi Thread Tool For Forensic WhatsApp Chat Analysis

The aim of this presentation is to show our new multi-thread tool called Forensic WACE. This tool helps you analyze the Apple iOS WhatsApp database through a graphical, free, and open-source tool. The main deliverable of our project is the development of a multi-thread tool with a user-friendly graphical UI that lets users extract the WhatsApp database from the iOS device backup, execute queries on the extracted databases to collect the necessary information, and generate certified tamper-proof reports. To ensure simplicity and accessibility for all, the tool will provide pre-packaged queries. In this way, all information retrieval operations are facilitated for anyone who is going to perform such analyses on the database. At the time of writing this abstract, the functionalities in the tool are not present in any open-source software. Commercial software already has these analysis features, but the product realized is intended to offer them totally without any cost.

2:45 pm - 3:15 pm CEST (12:45 pm - 1:15 pm UTC)
Networking Break

3:15 pm - 3:45 pm CEST (1:15 pm - 1:45 pm UTC)
Gone in 60 Seconds: Digital Forensics Acquisitions at The Speed of Cloud

In today's cloud-centric computing landscape, Amazon Web Services (AWS) has emerged as a dominant force, offering a vast array of services and resources. As organizations increasingly migrate their operations to the cloud, the need for robust digital forensics capabilities within AWS becomes paramount. This presentation aims to equip attendees with essential knowledge and practical techniques for conducting AWS forensics investigations. The session will commence with an introduction to the fundamentals of digital forensics (DF) within the AWS ecosystem. Attendees will gain a thorough understanding of the unique challenges and considerations that arise when conducting forensic examinations in a cloud environment. By focusing on DF assets inventory, participants will learn how to identify and secure critical evidence sources, ensuring a comprehensive and legally defensible investigation. This session is designed for digital forensics professionals who are looking to deepen their expertise in AWS forensics.

3:50 pm - 4:15 pm CEST (1:50 pm - 2:15 pm UTC)
Session To Be Announced

4:20 pm - 4:45 pm CEST (2:20 pm - 2:45 pm UTC)
AI-Powered Security: ChatGPT for Rapid Threat Detection and Response

GenAI has gone from novel technology to commoditized in the months since its inception. Since then a diversity of applications have arisen, from CoPilot and ChatGPT for writing code, through many other engineering capabilities: generating configuration templates, QA and more. What if we could harness security domain expertise and threat intel to power a Security CoPilot for SOC analysts & IT admins to respond to threats more rapidly and effectively?! With the power of modern LLMs [Bedrock / OpenAI] it is now possible to aggregate all of this disparate knowledge into a single source in order to automate security reports and create incident summaries, create custom security playbooks, integrate chatbots leveraging RAG systems with security domain knowledge, generate policy and security hardening suggestions - the list goes on. In this talk, we'll dive into what it takes to build such an engine, the immediate business value that can be derived, and the new power it delivers for security-minded organizations.

4:45 pm - 4:45 pm CEST (2:45 pm - 2:45 pm UTC)
Closing Remarks
Jess Garcia, Senior Instructor, SANS Institute; Founder of One eSecurity

4:50 pm - 6:30 pm CEST (2:50 pm - 4:30 pm UTC)
Networking and Drinks