Sunday, July 1, 2012

SANS DFIR Summit 2012 - Thoughts & Links

Well, this past week we wrapped up the SANS 2012 DFIR Summit in Austin, TX.  I think it's safe to say that a great time was had by all.  What was truly incredible was the time so many of us got to spend together in the week leading up to the Summit, while going through the wonderful training that SANS made available.

I got to see some people I haven't seen in a year (or more), as well as meet some in person that I've only known online.  And for the first time, I got to experience one of Harlan Carvey's presentations in person.  I'm not sure everyone's brains were awake enough quite yet for his keynote on day 2 of the Summit, but it really was a great talk, and he made some great points about things to consider when performing registry analysis on Win7.

Anyway, back to the point of all this.  I started out the Summit by eating at Stubbs BBQ with a dozen or so folks on my first day there, Wednesday the 20th.  Among these were Tom Yarrish, J. Michael Roberts and his wife Jennifer, Mike Pilkington, Jeremy Berger, and Alejandro Perez.  I recommended the serrano cheese spinach from having eaten at Stubbs once before, and it seemed to go over very well, which was good (I think everyone at my table ordered it); it could have gone so wrong.  ;D

As it turned out, my time there closed out the same; a very large group of us went to Stubbs for dinner on the last day of the Summit, and we had more good food and good times, with the likes of Cindy Murphy, Jen Krueger Favour, Kristinn Gudjonnson, and Shelly Giesbrecht.  I was scheduled to stay overnight and leave Thursday morning, but went ahead and left early to get back home and deal with the hail damage we sustained right before Summit.  That's a whole story in itself!

In between, we had a great opening keynote by Cindy Murphy, where she didn't talk about DFIR at all.  What?!  Might sound strange, but she did a great job, and we got to see Lee Whitfield with a parasol on an elephant.  No photo editing/alteration was involved, of course; that's just how Lee rolls...

Alissa Torres (Stay Outside Your Lane), Jeff Hamm (Carve Records Not Files), Chris Pogue (Sniper Forensics v3), and Hal Pomeranz (TrueCrypt Artifacts and Analysis) had just a few of the awesome presentations I attended.  Having two tracks made choosing difficult at times, unfortunately.  :(  In addition, Paul Henry did a SANS at Nite presentation on setting up a VMWare server on Mac Minis, and we had an awesome time at the SANS 360 Lightning Talks.  This was followed by an after-hours event sponsored by 21CT.  21CT, AccessData, VisibleRisk, JADsoftware, and Cellebrite all had a vendor presence at the Summit.

Also, SANS posted on twitter that all the presentations are available here.

I had the incredible honor of speaking at this year's Summit, and was able to close out the event by speaking at the end of the 2nd day.  Hopefully I "brought it!"  My talk was titled "Exfiltration Forensics in the Age of the Cloud" and was based on the idea of looking into host-side artifacts created by the client applications of cloud-based sync/backup services - namely Dropbox, SpiderOak, TeamDrive, ADrive, Carbonite and Mozy.  Dropbox was updating my work from last year, and the others were expanding on that base.  The idea was to show the risk that these services bring to a business (both internal and external), the types of artifacts that these applications introduce to a system, and what might be left behind after an uninstall.

I had a "cheatsheet" type of handout at my talk, which gave an overview of these artifacts.  I'm making that available online, along with a couple other spreadsheets, and a PDF of my presentation.  For the preso, I've included the notes along with the slides, so that there's a little more context for the bare bones of the slides.  Below is a download link to the 7zip archive.  It is encrypted, so please contact me for the passphrase.  I apologize for the inconvenience, but the reason is two-fold.  One, it gives me some idea who's interested in my research, and two (more importantly), it helps protect against the unscrupulous web scrapers that repost others' content as their own (which I've had happen before, unfortunately).

As a final note, I will be posting some of this over at ForensicArtifacts as a general resource for the larger community.  If you haven't been to ForensicArtifacts, you should check it out - it's a great community-driven site that hosts various artifacts and IOCs, and is a wonderful way to contribute without having to create an entire blog post.

Filename:   Cloud_Forensics_Research_Public.7z
Download:  https://www.box.com/s/a5b5c5b2f11f86f24c91
Hash:  a95ff597d1508db810df3a48a3313a4e (md5),   cd703fc9c60d599d53f2a9758cc49770c57ed069 (sha1)

PS: Since it's been several years, and much of the info has lost some usefulness (and just simplify, since people are still asking), here is the pass:  gcs^6k-'mhRy{dzC=)">+fVvtA!2*P

29 comments:

  1. It's a very interesting job, may I have the password? rebus[at]tipiloschi.net
    Tnx!

    ReplyDelete
  2. Another copy of that pass for me (if possible) amgc.1984(at)gmail.com. Thanks in advance!

    ReplyDelete
  3. You definitely "brought it" to the summit, Frank! The amount of documentation you provided on cloud artifacts is amazing. Thank you for sharing your research.

    ReplyDelete
    Replies
    1. Thanks, Chad! Glad you got something out of it, and hopefully the additional documentation will be helpful to others as well.

      Delete
  4. Also would like the password, josh at defensivedepth.com

    Thanks!

    ReplyDelete
  5. I would also like the pw. I was at the summit, but unable to make your session. Richard dot brackett at gmail dot com

    ReplyDelete
  6. Can I get the password too. Thank you very much. halil at halilozturkci.com

    ReplyDelete
  7. I would like to get the password also. Thank You accoclip2001 at yahoo.com

    ReplyDelete
  8. Would appreciate if I can have the password too. Thank you. pzanyu (at) gmail (dot) com

    ReplyDelete
  9. Thanks for sharing my friend.. And congrats for your research :D
    Please let me kown the password
    info (at) hacklab.com.co
    Thanks again

    ReplyDelete
  10. I'm eager to dig through you research. Would you mind passing along the password? jimmynorthon { at } gmail . com. Thanks!

    ReplyDelete
  11. I looked your presentation on SANS Summit page. It's really interesting!
    Can you please provide me the password at
    mattiaep [at] hotmail.it
    Thanks!

    ReplyDelete
  12. I am interested in looking through the content of your research. Appreciate if you could forward me the password for the compressed file to ckjo23 at gmail dot com.

    ReplyDelete
  13. I'm interested in reading your research too. Could I have the password please? Email: joejosey165 at gmail dot com.

    Thanks!

    ReplyDelete
  14. Thanks for sharing, please send me pass for open file at aldihejo at gmail dot com. Many thanks!

    ReplyDelete
  15. Thanks for sharing, please send the pass to dareneau at gmail dot com. Thanks.

    ReplyDelete
  16. hello. i am interested in reading your research too.could you mail the password at: pu.ru.puru@hotmail@hotmail.com

    thanks in advance.

    ReplyDelete
  17. I am interested in the password, but the link to send you an email don't work without knowing your email adress and I don't want to post mine here. :-(

    I cannot send you a DM without following you and you folling me. How can we contact.

    Do you know a OS X or Linux-tool to browse the filecache.dbx?

    Thanx

    Thomas

    ReplyDelete
  18. I am currently doing a project in establishing the originality of data through dropbox and would be really interested in reading this. Could you send me the password please.

    jclark200@caledonian.ac.uk

    ReplyDelete
  19. Could you tell me a little bit about your research on Dropbox . I'm tasked to do some windows artifacts research project and looking for any tips, ideas to do my own in depth testing.

    thanks

    ReplyDelete
  20. Can you forward me the PW for the paper? galexmorales at gmail dot com ?

    Thank you :)

    ReplyDelete
  21. I'd like to read your research. Could u send me the password? "aaa [dot] aaa5123 [at] gmail [dot] com"

    Much appreciated

    ReplyDelete
  22. Password pleeeeease!

    jparmar [at] live [dot] co [dot] uk

    ReplyDelete
  23. Thank you very much for this research that I'm interresting.
    Can you please forward me the password
    Thank you
    davy (dot) vanderheyden (at) free (dot) fr

    ReplyDelete
  24. Need psw as well: mgodfrey at google dot com

    ReplyDelete
  25. This comment has been removed by the author.

    ReplyDelete
  26. please provide password for your article.
    thanks

    ReplyDelete
  27. please provide password for your article.
    thanks
    arasukka@gmail.com

    ReplyDelete
  28. Will be happy to get the password at:
    AlexTheWinberg@gmail.com
    Thanks Alex.

    ReplyDelete