I was fortunate enough to attend this year’s DoD Cyber Crime Conference, in Atlanta, GA. While these events are always great opportunities to meet up with old friends, I also took away a lot of useful information on the current and evolving state of computer forensics and the greater information security community.
Partially as a synopsis, partially as a way to pool my own thoughts for future reference, I’ve written up some notes on the sessions I attended this year. Overall, the content was good, though at a high level. Given the size of the conference, I can understand the need to keep material at a level that will interest a large number of people. Hope that those of you who are interested in the Digital Forensics/Incident Response (DFIR) and overall information security community are able to attend this or a similar conference sometime in the the future. Between the presentations and the networking, it was time well-spent.
The keynote speakers included DoD Cyber Crime Center (DC3) leadership, as well as big names from the forensic community. I was interested to hear Alan Paller’s “Six People Who Are Changing the World of Security”. It’s refreshing to hear the “unsung” heroes in the trenches and the boardrooms who are fighting a tough fight against the bad guys. This led nicely to two talks on high school, collegiate, and post-graduate cyber competitions. Both BG (Ret) Bernie Skoch and Dr. Greg White (my undergraduate academic advisor) really opened my eyes to the scale of these events. I’m glad to know the next generation of information security professionals are getting such a solid start so early in their careers. Rob Lee gave some thought-provoking questions on how we as a community could start to better identify malicious activity on our networks through behavior-based indicators of compromise (IOCs) gleaned from various system-level artifacts. While that may not be a new idea unto itself, Rob’s development of forensic timelining tools could be a new take that would be extremely helpful. The last keynote I saw was from Marc Goodman, who pretty much blew everyone’s mind with ideas on the future of criminality and crimes, and how we need to be better prepared for them than we were with cybercrime.
After the first day, there were dozens of breakout sessions, from several different functional tracks. I spent a lot of time in the legal and forensic tracks each of the next three days. A few of the highlights are below:
Effective Expert Witness Testimony: Mr Norm Printer, from the DC3, explained that only someone who has been qualified as an expert for a particular case can provide an opinion at trial. All other witnesses (lay witnesses) can only testify to facts and observations. Potential expert witnesses should be prepared for a grilling by opposing council, and need a very solid curriculum vitae (CV) to support being qualified for the case.
Forensic Clusters: Advanced Processing with Open Source Software: Advanced Processing with Open Source Software: Jon Stewart and Geoff Black from Lightbox gave a GREAT presentation on the work they’ve done with Apache’s Hadoop project to leverage clustered computing solutions as a forensic solution. Between this and Dr. Brian Carrier’s new work on The Sleuth Kit (TSK) should have the big commercial forensic vendors shaking in their expensive boots. (More on TSK below.) The bottom line is that we need a smarter solution to handle growing hard drives with finite processor clock speeds. Watch these guys – they’re going to shake things up… With open-source software, to boot.
Using Demonstrative Evidence in Digital Evidence Cases: Another legal track event, also from Norm Printer. This helped to show different ways of presenting digital evidence to judges, attorneys, and most importantly juries. In most cases, those parties are not going to be the most technically savvy (not a negative comment, just honest), so having an über-l33t computer forensic examiner speaking their jargon wouldn’t resonate as needed. Lots of ideas from Mr. Printer as well as the session attendees.
De-Cloaking the Enemy: One of the few non-legal/non-forensic sessions I attended. Rob Murphy from the DC3 provided a fascinating demonstration on how to determine whether a user is behind one or more proxy servers while performing their dastardly deeds. This topic is one I’ve worked with for almost ten years, and I’ve got to admit the game has been significantly stepped up on both sides of this particular arms race during that time.
NetHunter: On-the-Fly, High-Speed, Enterprise Network Forensic Analyzer: John Ortiz presented the results of an Air Force research project that essentially rips through PCAPs or live network data to perform near-real-time analysis on the network contents. The engineering challenges the team faced in minimizing performance bottlenecks were huge, and their solutions made for a nice case study on using a feedback loop between engineers, developers, and users. The tool itself was interesting as well – especially the use of a plugin architecture. NetHunter is free for other government agencies to use.
Mac, Beyond the GUI: Understanding Where to Look to Uncover System Artifacts: This was a pretty basic but reliable primer on where to find fun forensic artifacts on an OS X system. Sean McVey from the DC3 presented some of the storage conventions that OS X uses (e.g. /Library/ versus ~/Library/), and the kinds of data you’d expect to see in different OS X log files. It wasn’t as in-depth as I hoped, but was still well-thought-out.
Drive Prophet Triage Tool: Mark McKinnon develops this tool, which aims to perform an automated cursory review of a hard drive within 15 minutes. As drive space increases and the “basic” install of an operating system comprises more and more files, this is no small task. Mark demonstrated some of the newer features of the software, as well as discussed other ideas for features with the attendees. This tool is free for law enforcement personnel, and available for a fee to the rest of us. I could definitely see Drive Prophet run against all incoming data for a standardized, quick look at each drive.
The Color of A Forensicator’s Parachute: Professional Development and Retainment Panel: Rob Lee ran a panel of professionals in the DFIR/InfoSec business world, including law enforcement, startup, defense contractors, and more. Though as a consultant, I’m no longer managing a large group of people in this community, I really did appreciate the perspectives that the panel members brought to the discussion. It’s a great time to be in this industry, but that brings its own challenges as well.
Device Tracking with Geolocation Forensics: Geo is hot – every new web service or app has some kind of geotag feature. This leaves a wealth of forensic artifacts, and Chad Tilbury elegantly dissected a handful of the more interesting ones. I’ve been using EXIF tags since 1998, but the metadata commonly present in those fields is INSANE. Truly a forensicator’s dream. Chad expanded the value that kind of geolocation data can provide to wireless access points, web cookies, and more. In the case of the wireless access points, he demonstrated a geolocation on the hotel where the conference was held, using just three MAC addresses from the hotel’s guest wireless network. He used Harlan Carvey’s macl.pl to query the wigle.net database. Personally, I foresee location being the next big thing after supertimelining.
The Sleuth Kit and Autopsy 3: Dr. Brian Carrier from Basis Technologies presented the current state and immediate future for his most venerable Sleuth Kit (TSK) and the Autopsy frontend. There was a nice overlap with the work Basis did with Lightbox on their Hadoop solutions. I was most interested with the new focus on case-wide data and metadata management that will be in the new TSK release. The days of single-drive forensic examinations are numbered, and this kind of framework will help to manage the onslaught of data we’ll see in the coming years. I had a number of ideas on how to leverage these features and hope that I’ll have the time to experiment with them.