| Thursday, July 16 - all times are EST |
|---|
| 9:00-9:15 am |
Opening Remarks
Phil Hagen @PhilHagen, Senior Instructor, SANS Institute
Heather Michalik @HeatherMahalik, Senior Instructor, SANS Institute
Rob Lee @robtlee, Fellow, SANS Institute
|
| 9:15-10:00 am |
Keynote
To be announced
|
| 10:00-10:35 am |
Track 1
You need a PROcess to check your running processes and modules. The bad guys, and red teams are coming after them!
Michael Gough, @MichaelGoughTX, Principal Incident Response NCC Group
If there is a file on disk, you can easily SEE the bad fu, but what if the malware is nowhere to be found on the disk? Malware can be broken up into several types, some call it "fileless malware" (poor non-descript term). The malware really isn’t fileless, the file, or code lives somewhere, the registry, WMI database, or the focus of this talk, in memory. This talk will focus on Memware that has been injected into memory, most likely injected a process or added a DLL and may not reside on disk while the system is running.
Do you have a PROcess to detect, investigate, respond, and/or hunt for Memware?
This talk will walk through some commodity and Red Team examples of how this works and what you can do to address this newly expanding threat that is becoming more and more common in commodity malware, Red Team engagements, and of course APT attackers, because it can avoid so many security tools. Attendees will leave with some ideas and tools that can help you detect, investigate and hunt for Memware.
Track 2
Kansa for Enterprise scale Threat Hunting
Jonathan Ketchum, @Un1d1g1t, Threat Hunter/InfoSec Analyst, USAA
Over the past 2 years our threat hunting team has made significant improvements to the open-source Kansa project. As an IR/Hunt powershell framework it is a great tool, but it didn't scale beyond a few dozen endpoints. Our code revisions, approved for release this Summer, scale to 150K+ endpoints and decrease execution time to just a few minutes leveraging distributed servers for asynchronous deployment and ELK for collection, aggregation, and analysis at scale. We also built in metrics, safety-measures, and controls to prevent this powerful capability from completely overwhelming the all the resources of a business enterprise network. Leveraging the improved scalable framework, we developed more than 2 dozen new modules that enable hunt analytics at massive scales.... And the whole project is still backward compatible with the current framework. We will cover our changes as well as several case studies to show how we use it for hunting in our environment.
|
| 10:35-10:55 am |
Break |
|---|
| 10:55-11:30 am |
Track 1
Data Science for DFIR - The Force Awakens
Jess Garcia, @j3ssgarcia, Lead DFIR Analyst/CEO, One eSecurity
Data Science (DS) and AI (Machine/Deep Learning) have effectively erupted in our world during the last few years, improving the efficiency of a vast number of areas and opening doors to new possibilities, both in the business front and our personal lives. The adoption of DS/IA in the DFIR field has been, however, modest so far.
During this presentation, Jess Garcia will introduce the different resources available in the DS/AI field, with a focus on the pythonic world (NumPy, Pandas, ScyPy, scikit-learn, Tensorflow/Keras, Matplotlib, ...), and will show how to use these technologies to help in the parsing of DFIR data (timelines, event logs, forensic artifacts, memory objects, ...), obtained with different triage or analysis tools (such as KAPE or volatility). Jess will also present how this techniques help other DFIR processes in the real world, such as Threat Hunting, by allowing to effectively process and analyze thousands of systems and big quantities of DFIR data.
Jess will also release some tools that will help to make use and get value from these technologies in a straightforward way.
To make the most of this presentation, learn before the Summit the most important DS/AI concepts at ds4n6.io
Track 2
Making Memories: Using Memory Analysis for Faster Response to User Investigations
Aaron Sparling, @osintlabworks, Digital Forensics Examiner, Portland Police Bureau
Jessica Hyde, Director of Forensics, Magnet Forensics; Adjunct Professor, George Mason University
What if there was a better way? What if examiners could get to critical data quicker? What if the digital data could inform the interview questions? Typically, investigators do not collect or analyze memory in criminal/end-user investigations. Acquiring and analyzing memory is rapid. This means results from the acquisition and analysis of your memory collection can be completed long before the drive finishes imaging.
|
| 11:30-11:40 am |
Break
|
|---|
| 11:40 am - 12:15 pm |
Track 1
Using Big DFIR Data in Autopsy and Other Tools
Brian Carrier, CTO, Basis Technology
All industries are learning about how to leverage "big data" to make their operations more efficient. DFIR investigations benefit in terms of speed and thoroughness when you leverage data from your and others past cases.
This talk will cover how to use data from past cases to ensure you focus on the most relevant data first. The talk will cover basic concepts so that you can build your own data repository and how to use existing capabilities. For example, Autopsy (free and open source) can store all past file hashes, email addresses, phone numbers, etc. in its Central Repository and its new File Discovery UI can use that data to allow you to prioritize files. If you've seen a file 10 times before and didn't tag it, then it will be scored less than a file never seen before. We'll also cover our experiences with storing and analyzing occurrence data with intrusion-related data in Cyber Triage.
Attend this talk to learn about features in Autopsy that will help you sort through large data sets and to learn about ways you can leverage your past cases.
Track 2
Healthy Android exams: Timelining digital Wellbeing data
Alexis Brignoni, @AlexisBrignoni, Special Agent, Federal Law Enforcement
Joshua Hickman, Senior Associate, Kroll
The digital Wellbeing database in Android devices helps users keep track of application usage, device unlocks, notifications received, and many more pattern of life data points by month, day and even up to the hour.
In this presentation attendees will learn how to located the Wellbeing database, understand the different event types it contains, correlate it with other data sources on the device, and leverage python scripts designed to put it all together.
|
| 12:15-1:15 pm |
Lunch |
|---|
| 1:15-1:50 pm |
Track 1
If at first you don't succeed, try something else
Jim Clausing, @jclausing, Principal Member - Technical Staff, AT&T
Using a packer that I found being used in several campaigns several month backs, I'll demonstrate some of the defenses the malware used, and the steps taken to try to (ultimately unsuccessfully) extract the unpacked malware using my usual techniques. When that didn't work out, I took a step back and looked at what I believed was the packed executable. I'll show how going "old school" with the help of tools like CyberChef I found what turned out to be an XOR key that ultimately the creation of python script that was able to extract and unpack the hidden executables without actually reversing the unpacking routine. When your standard techniques don't work, sometimes a little common sense and using your eyes can do the job.
Track 2
Captain's Log: Take your application log analysis from Starfleet to Star Fleek
David Pany, Manager, Mandiant
Ryan Tomcik, Consultant, Mandiant
Incident response findings and conclusions are only as strong as the logs and evidence upon which they are based. Mandiant investigations into application-level compromises have revealed that many organizations either do not centralize application logs into a SIEM or, if they do, there is no formalized process for validation, monitoring, or investigation. Many incident handling teams only realize the significant logging deficiencies and security monitoring gaps for their critical applications after an incident has already occurred. Considering your application logging capability from the perspective of an incident response will ensure the logs you need will be available and actionable when the time comes to respond to an incident.
This talk will challenge information security professionals to proactively evaluate their current application logging capabilities and determine how effectively they can detect and respond to application abuse. Threat modeling and attack simulations from an investigator's perspective will help you develop hunting and detection capabilities. Once you have a possible threat to investigate, you can then craft automated investigation workflows that combine multiple data sets, enrich useful indicators, and provide pivot points to identify related threats.
To elevate your threat hunting, detections, and investigations, we will walk through examples of how you can optimize your log data and significantly cut the amount of time and effort required to detect and investigate abuse of your application platform. This talk will use a hypothetical application with activity types and analysis requirements common to applications across many industries. We will walk through a comprehensive but straightforward hunting, detection, and investigation workflow that you can replicate with your team.
|
| 1:50-2:25 pm |
Track 1
Extract and Visualize Data from URLs using Unfurl
Ryan Benson, @_RyanBenson, Security Engineer, Google
Unfurl takes a URL and expands ("unfurls") it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking up a URL into components, extracting as much information as it can from each piece, and presenting it all visually. This "show your work" approach (along with embedded references and documentation) makes the analysis transparent to the user and helps them learn about (and discover) semantic and syntactical URL structures.
Unfurl has parsers for URLs from popular search engines, social media sites, mail services, and chat applications. It also has more generic parsers (timestamps, UUIDs, base64, and more) helpful for exploring new URLs or reverse engineering. It's also easy to build new parsers, since Unfurl is open source (Python 3) and has an extensible plugin system.
No matter if you extracted a URL from a memory image, carved it from slack space, or pulled it from a browser's history file, Unfurl can help you get the most out of it.
Track 2
Just Forensics, Mercifully
Lee Whitfield, @lee_whitfield, Senior Technical Adviser, SANS
Most seasoned forensicators have done some significant things over the span of their career. Maybe you've joined the company of your dreams or started your own consultancy. Maybe you work on the best cases with the best people. Either way, life is good as a forensic practitioner. Now that you're an established authority in the field, what's next? Where do you go once you've achieved everything you originally set out to do? You could develop tools like Eric Zimmerman or start mentoring others, both are very noble in helping the community. But what about philanthropic endeavors? So many people are denied access to forensic experts because they lack the funding to do so. Why should you care and what can you do to help?
|
| 2:25-2:45 pm |
Break |
|---|
2:45-3:20 pm
|
Track 1
What the DLL is happening? A practical approach to identifying SOH.
Frank McClain, Senior Detection Engineer, Red Canary
There are many ways adversaries can maliciously leverage Dynamic Link Libraries (DLL). One of the most common is Search Order Hijacking (SOH), a simple technique which provides the means to evade detection, establish persistence, and expand infection. As a DFIR analyst, knowing how to identify SOH during an incident is important, as this can trigger other workflows for memory forensics or reverse engineering.
Most of the available information about DLL hijacking focuses on these late stage workflows yet overlooks the earlier stages of investigation. This talk will share a profile for SOH and present real-world examples to aid in identifying its setup and usage.
Track 2
Lucky (iOS) #13: Time to Press Your Bets
Jared Barnhart, Mobile Forensic Engineer, Principal, Parsons Corporation
The discovery of checkm8 made forensically sound, full file system iOS extractions possible for the masses. Now that everyone has "jailbreak" access, let's play the odds and go ALL IN for native artifacts. This talk will focus on a few newly discovered forensic gems in iOS 13 to add to an already robust list of crucial files available on every iPhone. The convenience sought by the majority of iOS users is populating priceless data on disk, and Apple hasn't protected it. Whether you are an experienced iOS examiner or brand new to the game, this talk will highlight the best of iOS and point you towards success!
|
| 3:20-3:55 pm |
Track 1
Did I do that? - Understanding action and artifacts in real-time
Matthew Seyer, @forensic_matt, Manager, KPMG
David Cowen, @HECFBlog, Managing Director, KPMG #instructor
By default, when we look at forensic artifacts, the action has already occurred. Have you ever been curious what an action or application would leave behind and how it would appear in your forensics tools? Or, maybe you have seen something in a forensic artifact and wondered what caused it. So many artifacts and so many questions!
Tools like Process Monitor have always assisted in exploring how applications and actions impact the file system. The forensic challenge arises though when you want to see changes to binary structures or internals that are contained within files or registry values to better associate an action to an artifact. For example, answering questions like, “How can an executable have been run by a user without updating the run count?”
What if there was a way to see artifact data change, to connect the dots between what we see left behind in artifacts, and the actions that caused it? In this talk you will learn how to utilize the Windows API to view changes in forensic artifacts in real-time and better understand how actions generate forensic data. We will also demonstrate NEW (and FREE) tools and techniques to enable this type analysis.
Track 2
capa: Automatically Identify Malware Capabilities
Willi Ballenthin, Senior Staff Reverse Engineer, FLARE/FireEye
Moritz Raabe, Staff Reverse Engineer, FLARE/FireEye
Effective analysts are those that understand and prioritize files of interest during an incident response. However, understanding if a program is malicious, the role it plays during an attack, and its potential capabilities requires at least basic malware analysis skills. And often, it takes an experienced reverse engineer to recover a file's complete functionality and guess at the author's intent. We are here to clear that roadblock and demonstrate how to algorithmically triage an unknown program.
Our newest tool, called capa, takes automated malware triage to the next level going from simply saying "this is probably bad" to providing a concise description of what a program actually does. capa detects capabilities in programs to reduce the time-to-triage and make malware analysis more accessible. The tool reports a sample's capabilities, role (downloader, backdoor, etc.), and any suspicious or unique functionality. This report provides critical, decision-making information to anyone dealing with potentially malicious programs and especially forensic, intelligence, and malware analysts. Furthermore, with capa, you can make more confident decisions, because the tool explains how it came to a conclusion, letting you verify each step, if necessary.
capa uses a new algorithm that reasons over the features found in a file to identify its capabilities. The lowest level features range from disassembly tricks to coding constructs, while intermediate features include references to recognized strings or API calls. Users compose rules that train capa how to reason about features, and even the significance of other rules. This makes it easy for the community to extend the tool's ability to match capabilities in malware. Incidentally, the growing rule set is a practical taxonomy of the behaviors actually seen in malware and begins to codify the collective knowledge of reverse engineers.
At the SANS DFIR Summit we will open-source capa and share it with the DFIR industry. Attendees will learn how capa works and how to use it to enhance their analysis workflow. Moreover, we will teach attendees how to develop capability detections that extend capa. This way, everyone can leave the conference with both a new tool and the skills needed to customize it for their environment.
|
| 3:55-4:30 pm |
Track 1
Long Live Linux Forensics
Ali Hadi, Assistant Professor and Cybersecurity Researcher, Champlain College
Brendan Brown and Victor Griswold, Senior Digital Forensics Students, Champlain College
90% of the modern Internet is running on Linux. Hundreds of millions of servers and personal computers are collectively utilizing some form of Linux operating system. Despite this, we as forensic investigators are taught almost exclusively how to investigate Windows systems.
Ask yourself this question; if you were asked to investigate a system running Linux, how confident would you feel in your abilities? Do you have the skills required to collect data from this system? Some investigators may feel very confident, but many of us will feel lost when put in this sort of position.
It is the goal of this talk to help DFIR analysts build and grow their skillset in the area of Linux Forensics. An attendee should walk away having learned the most important aspects of investigating Linux endpoints and have gained confidence in their personal capabilities.
A wide range of material will be covered in order to make sure there is something for everyone to learn whether this is an analyst's first time touching Linux or their 1000th time. Attendees will learn about introductory topics such as the Linux Filesystem Hierarchy Standard (FHS), Boot Process, System + Service Managers (init and systemd), and how all of this is important to an investigator. Likewise, we will discuss the basics of the EXT4 file system and how to traverse / analyze information within it using TSK.
Additionally, an attendee will learn how to search for, identify, and collect data from or pertaining to devices, volumes, shells, default scripts, variables, users, groups, processes, applications, network services, network connections, cron jobs, deleted files, and procfs. Lastly, profiling of user activity and the ways in which an investigator can perform log analysis will be explained as well.
In addition to the material covered above, attendees will also have the opportunity to learn about certain advanced topics. This will include the investigation of injections to systemd, apache, and the creation of anonymous processes.
This talk will challenge information security professionals to proactively evaluate their current application logging capabilities and determine how effectively they can detect and respond to application abuse. Threat modeling and attack simulations from an investigator's perspective will help you develop hunting and detection capabilities. Once you have a possible threat to investigate, you can then craft automated investigation workflows that combine multiple data sets, enrich useful indicators, and provide pivot points to identify related threats.
To elevate your threat hunting, detections, and investigations, we will walk through examples of how you can optimize your log data and significantly cut the amount of time and effort required to detect and investigate abuse of your application platform. This talk will use a hypothetical application with activity types and analysis requirements common to applications across many industries. We will walk through a comprehensive but straightforward hunting, detection, and investigation workflow that you can replicate with your team.
Track 2
Forensic Marriage: The love/hate relationship between eDiscovery and DFIR
Sarah Konunchuk, @SarahKonun13, IR Forensic Investigator, CFC Response
Andrew Konunchuk, @AndrewKonu, Data Operations Analyst, DISCO
In this talk you will hear from the two people that make up the Forensic Marriage: Sarah and Andrew Konunchuk. Attendees can expect to learn about the similarities and differences between eDiscovery and DFIR, along with why we both love to hate the other one. In addition, we will also give a brief example of how these two fields marry together to solve a case. This talk is aimed at individuals new in their careers or looking to make a switch from one to the other, as well as giving a technical big picture of why both need to coexist.
|
| 4:30-4:45 pm |
Day 1 wrap-up
|
| Friday, July 17 |
|---|
| 9:00-9:10 am |
Day 2 Welcome & Overview
|
| 9:15-9:55 am |
Keynote
To be announced
|
| 9:55-10:30 am |
Help! We need an adult! Engaging an external IR team
Liz Waddell, @vlsin, Incident Commander, Talos Incident Response
Too often, the decision to bring in a third-party forensic team occurs when an incident has reached crisis level. As an Incident Commander for such a team, Liz has seen many people handle this crisis engagement well, and others – not so much. This presentation will prepare you for what happens when you need additional surge support. We will talk about the considerations to make - when you should engage, how to choose a firm, one-time engagements vs retainers, invoking cyber insurance, and which members of your team should be involved in these discussions (hint: it's not just your CISO). We will discuss what to expect during the engagement “how to properly scope and set objectives with your firm, how to prep for both remote and onsite forensics, tool deployment, what data/logs may be asked for, and establishing command centers.
|
| 10:30-10:50 am |
Break |
|---|
| 10:50-11:25 am |
Forensic analysis of the Apple HomePod and the Apple HomeKit environment
Mattia Epifani, Digital Forensics Analyst, REALITY NET - System Solutions
The Apple HomeKit is an Apple protocol that allows users to communicate with and control connected accessories in their home using the Home App installed on an iPhone or an iPad. An HomeKit environment is based on a Home Hub, that can be used to control and automate HomeKit accessories remotely. The Home Hub can be an HomePod, an Apple TV or an iPad. The HomePod is a voice assistant and smart speaker device manufactured by Apple and based on Siri. According to the latest market trends, it is the third most sold device all over the world, after Amazon Echo/Alexa and Google Home. The aim of this presentation is to explore which techniques can be used by a forensic examiner to extract and analyze data from an Apple HomePod and from a synced device using the Home App. In particular, extraction of data from the device and from a paired iPhone or iPad will be covered during the presentation. Moreover, an overview of the Apple HomeKit system will be provided with examples of analysis of some compatible devices.
|
| 11:25-11:35 am |
Break |
|---|
| 11:35-12:10 pm |
Hunting bad guys that use TOR in real-time.
Milind Bhargava, Founder, Mjolnir Security
As cybercrime has become commonplace, Tor has been the tool of choice for attackers due to the inherent anonymity it provides. But what if you, an Incident Responder, could acquire additional pieces of the puzzle relating to the activities performed by the attacker in order to paint a clear picture of what occurred during the incident.
The outcome of our research demonstrates how viewing the communications leaving and entering the Tor network gives an unprecedented understanding of the thought process and, most importantly, techniques and malwares used by the malicious actors. It also allows an opportunity of a live sneak peek into their different activities allowing an Incident Responder to provide a more conclusive answer to the “how” was the organization attacked.
But even more importantly, we have developed a capability for the Incident Response teams to not just stop their investigation at the Tor node, but to follow the breadcrumbs of an attack even further and finally providing a conclusive answer to the most asked question – was anything taken?
|
| 12:10-12:20 pm |
Using Storytelling to Be Heard and Remembered
Frank McClain, @littlemac042, Senior Detection Engineer, Red Canary
Technical people are typically somewhat lacking in soft skills. We can identify bad things at a glance, but communicating those to others in a way they can understand and relate to is a different story altogether.
This talk will shed light on the importance of storytelling in the DFIR space: not only as a means to share information, but also as a method for those who struggle with the confidence to speak in a group or public setting. Everyone has a story to tell, and this talk provides real-world examples of how that can be done by anyone.
|
| 12:20-1:30 pm |
Lunch |
|---|
| 1:30-2:05 pm |
Session to be announced |
| 2:05-2:40 pm |
Session to be announced |
| 2:40-3:00 pm |
Break |
|---|
| 3:00-3:35 pm |
Session to be announced |
| 3:35-4:10 pm |
Session to be announced |
| 4:10-4:15 pm |
Break |
|---|
| 4:15-5:00 pm |
Forensic 4cast Awards
|
