Friday, May 11, 2012

SANS DFIRSummit 2012 - Austin TX

The SANS #DFIRSummit in June is almost here, and those of us who are involved have been asked to share a little bit about what's going on. First, I'll give you the pertinent (aka, dull and boring) info, then move on to the juicy stuff.

Who: SANS (throwing the party)
What: 5th Annual Forensics and Incident Response Summit (aka, #DFIRSummit)
When: Tuesday, 26 June and Wednesday, 27 June, 2012 (i.e., next month)
Where: Omni Hotel Downtown Austin
Why: Because it's a great event - networking, learning, good times (aka, DFIR "heaven on earth")
How: A lot of work by SANS, some generous sponsors, and incredible speakers (just can't be beat)

There's another "who" and that's the speakers. Detailed bios, and event schedule are on the website, but here's a quick breakdown:
Keynotes by Detective Cindy Murphy, Madison Police Department, and Harlan Carvey, Chief Forensics Scientist at Applied Security, Inc. Probably everyone knows Harlan from his books and because of RegRipper, so he won't need much in the way of introduction. Cindy may not be as well known, so if her name doesn't ring a bell, look her up - she's heavily involved in CDFS, and has done some incredible pioneering work in the field of digital forensics.

The speakers over two days, in two separate tracks (last year there was only one track) are:
- Windows 8 Forensic Artifacts - Kenneth Johnson
- Analysis and Correlation of Macintosh Logs - Sarah Edwards
- Practical Use of Cryptographic Hashes in Forensic Investigations - Pär Österberg Medina
- Reasons Not to "Stay in Your Lane" as a Digital Forensics Examiner - Alissa Torres
- Digital Forensics for IaaS Cloud Computing - Josiah Dykstra
- Carve for Records (Not Files) - Jeff Hamm
- Android Memory Acquisition and Analysis with DMD and Volatility - Joe Sylve
- Sniper Forensics v3: Hunt - Christopher Pogue
- Decade of Aggression - Christopher Witter
- Passwords are Everywhere - Hal Pomeranz
- Recovering Digital Evidence in a Cloud Computing Paradigm - Jad Saliba
- Anti-Incident Response - Nick Harbour
- Automating File Analysis - Pär Österberg Medina
- Mac Memory Analysis with Volatility - Andrew Case
- Digital Dumpster Diving - Lee Reiber
- When Macs Get Hacked - Sarah Edwards
- Evidence is Data: Your Secret Advantage - Jon Stewart
- Taking Registry Analysis to the Next Level - Elizabeth Schweinsberg
- Tales from the Crypt: TrueCrypt Analysis - Hal Pomeranz
- Security Cameras: The Corporate DFIR Tool of the Future - Mike Viscuso
- Exfiltration Forensics in the Age of The Cloud - Frank McClain

But wait, there's more! Looks like 21CT is sponsoring several events, including some spectacular after-hours venues; there are lunch & learns (reduces per diem expenses for the budget-conscious), a breakfast, Forensic4Cast Awards, and SANS360 (a little over half-way down the page, just before the "NetWars" section). SANS360 is a lightning talk event, where each speaker has just 6 minutes (360 seconds) to present their topic. In that line-up we have: Andrew Case, Kenneth Johnson, Cindy Murphy, Harlan Carvey, Hal Pomeranz, Kristinn Gudjonsson (extra points if you can pronounce his name properly), Corey Harrell, Melia Kelley, Tim Ray, Alissa Torres, and David Nides.

Now back in the speakers list, you might have noticed a familiar name (they saved the best for last), and I thought I'd give you all a little overview of what my talk is about. As you all probably know, I spent a lot of time last year researching the footprint of Dropbox, the popular file-sync service. This came out as a multi-part kind of thing, with some initial research posted on the SANS blog, a more detailed article published on ForensicFocus, a post or two here, and some artifacts over on ForensicArtifacts. Links to all of those are here. I'd been thinking about that for a while, because I had used that service myself, and saw how easily it could be abused - especially in smaller organizations - for people to steal data. We're used to folks using thumb drives or webmail to get docs out, but what if they just kept them in a directory on their computer, and that directory was sync'd to the cloud and possibly other computers (or mobile devices) outside of the company's control?

Last summer I moved out of the consulting realm and into a corporate investigative setting. Thinking about how attackers exfiltrate data got me to thinking that these types of services could potentially be exploited that way as well as used by insiders. And smaller orgs don't tend to have all the fancy monitoring and locked-down systems/networks that larger ones might (data loss prevention, application layer firewalls, deep packet inspection, reverse proxies with blocked websites, yada yada yada). So if users have local admin rights, and nothing on the network is stopping certain types of traffic, then what's to stop them from using things like Dropbox, Carbonite, and so on?

So anyway, I started over with Dropbox (applications change over time, right?) (Note: Yes, it did change), and have added several others. I wanted to give forensicators an idea of what kinds of artifacts to look for on these types of applications. The preso won't be as detailed as my prior Dropbox work (I might be talking for two days if that were the case!), and I'm not delving into things like prefetch, jump lists, user assist, and so on. I think those are areas we all know to look; I wanted to give a starting point specific to some of these apps, and hopefully get everyone's minds churning.

At a high level, I'll be touching on things like:
- File locations/application signature
- Files of note (databases, logs, etc)
- Residue after uninstall (files, folders, etc)
- Network connections
- Traffic signature (from packet capture)

I'm really looking forward to this event, and not just because I'm a speaker. I think it'll be an awesome time, and a great opportunity to get out and mix it up with the community at large. There's no other event quite like this!

If you haven't registered yet, but are going to, please feel free (read: be encouraged to do so) to use the discount code "PrimeLending10" to save 10% off the registration fee. SANS has given each speaker a discount code to share this year, and that one's mine (obviously, right?). And yes, I get a "li'l somethin'" if enough people use it. :)

I think that's about it. Like I said, I'm looking forward to it, and I hope to see many of you there!

Happy Forensicating!