A few days ago two of us went to Dublin to attend the DFRWS EU 2015 conference. The programme indeed looked very interesting, ranging from high-level keynotes to descriptions of Volatility plugins and hands-on workshops on forensics tools.
The first day started straight away with nice “hands-on” workshops (we’ll only talk about the ones we went to):
- DFF (Digital Forensics Framework), developed by ArxSys. A graphical tool to search for evidence in your artefacts (memory dump, disk image…).
- GRR (GRR Rapid Response, the artefact collection tool by Google). Very convenient, nice looks, powerful search capabilities… But it is agent-based (and has no logout button!! quite surprising for a security tool…).
- Rekall (the memory analysis framework by Google). The developers demonstrated the new interactive web console in this workshop.
The second day got us into more serious stuff. The opening keynote was given by Mr Troels Oerting, Group CISO of Barclays Bank and former head of EC3 at Europol. The key points I noted are that we need tools that protect privacy, provide security and are convenient to use; that is one of the major issues companies and forensics teams face at the moment. Right now the upper hand is with the bad guys, and to counter this, cyber-alliances are being formed everywhere, including with academia and research: banks don’t compete on this topic, they have to cooperate!
The next keynote was about a different kind of forensics: it showed us how satellite data was used, through several techniques, to reconstruct the MH370 flight path after the aircraft disappeared. A truly fascinating talk! For those who are interested, the latest update to the Search Area Report of the Australian Transport Safety Bureau can be found here: http://www.atsb.gov.au/publications/investigation_reports/2014/aair/ae-2014-054.aspx
The presentation sessions then started and continued into the next day. The most interesting ones, in my opinion, were:
- Hviz: HTTP(S) Traffic Aggregation and Visualization for Network Forensics (which got the best paper award). The authors presented a tool they developed that visualizes the timeline of HTTP and HTTPS activity of a workstation. Aggregation and cross-correlation reduce the number of events displayed, which could help spot key events that may relate to malicious traffic (http://hviz.gugelmann.com/).
- Tor forensics on Windows OS: This short presentation covered artefacts that the Tor Browser leaves on Windows, giving evidence both that the Tor Browser was used and of the websites visited with it. This information might come in handy during some investigations…
- Fast and Generic Malware Triage using openioc_scan Volatility plugin: The author developed a Volatility plugin that scans memory images for specific IOCs. He also wrote generic OpenIOC rules to detect common threats (https://github.com/TakahiroHaruyama/openioc_scan).
- SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code. The goal is to make reverse engineering more efficient by applying exact and inexact graph matching to identify reused functions.
- Uforia: Universal Forensic Indexer and Analyzer. This tool is based on Elasticsearch and allows indexing and visualizing files (http://www.uforia.nl/, https://github.com/uforia).
- Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information: This presentation showed the work done on DFAX (Digital Forensic Analysis eXpression), a way to structure forensic data in order to share information and/or combine results from multiple forensics tools (https://github.com/dfax/dfax).
The last day’s highlight was Mr Jean-Dominique Nollet’s keynote, as Head of the Forensics, Research and Development Unit of the European Cybercrime Centre. As said before, he insisted on the fact that investigations are numerous, investigators too scarce, and forensically sound, convenient and efficient forensics tools are needed. Another major issue is getting access to the data to investigate: too often it is either too large or encrypted, and no solution exists yet.
Presentations and papers are available at http://dfrws.org/2015eu/program.shtml; have a look at those that might interest you!
As a conclusion, I would say these four days were really interesting, mixing high-level speeches with technical tools and hands-on sessions. Academia and research, law enforcement, and the private sector were all three well represented. The focus was really on research and law enforcement, which means that practical applications were not always there, but work from the public and private sectors should help turn research results into convenient solutions.