I had the geeky joy of attending the CTIN Forensics Conference held this year at Building 98 on the Microsoft campus. This was an incredible experience and I will do my best to convey some of the great talks that I attended as well as my take-aways from the conference.
If you are interested in learning more about CTIN, or for applying for membership, check out their site here: https://ctin.org/
Wednesday, May 22nd was the first day of the conference. After getting checked in I proceeded to the bigger of the two session rooms for the keynote.
Keynote: Partnerships in Forensics
This first session mainly focused on Microsoft’s involvement in security and privacy across the globe. The speaker, Kirk Arthur, spoke about both the Microsoft Digital Crimes Unit and a software project called PhotoDNA which has been helping law enforcement with child pornography cases. It was developed by both Microsoft and Dartmouth.
Advancements in Windows Hibernation and Crash Dump Forensics
This was a fantastic session done by Mark Spencer, the President of Arsenal Consulting. He explained the kinds of data that you can find in a hibernation file, as well as the fact that a destructive reinstall of Windows 10 (where you tell it not to preserve files, settings, etc.) does not in fact remove the hibernation file. Arsenal Consulting sells a product called Hibernation Recon that allows you to analyze hibernation files, including hibernation slack, in depth. We unfortunately ran out of time before we dug into crash dumps, so I am looking forward to getting a copy of the presentation so that I can see what I missed. If you are interested in Arsenal Consulting, you can find them here: https://www.arsenalexperts.com/. I would highly recommend checking out their blog.
Imaging and Analysis of iOS and Android phones
This session was presented by Jeff Whitney and started out with a timeline of when the first iPhones and Android phones came out. Different mobile forensics products were mentioned as well as common extraction methods for mobile device data. Jeff then spoke specifically about Android forensics and the challenges that he has run into, as well as iOS devices and the challenges that they present.
Matt Durrin knew what he was talking about with this session on banking trojans. The term is a bit of a misnomer as the trojans aren’t limited to financial systems, but they do share some common traits. He spoke about traits such as stealing passwords and data, hijacking accounts, stealing card numbers and controlling your computer remotely. He spoke about the common vector of infection – phishing emails – no surprise there! What I liked most about his presentation was all of the screenshots of various types of malware and dark web sites selling the malware.
Finding the Hidden Evidence on iOS
This session by Trey Amick was very interesting. He talked about the changes to iOS over the years and the challenges that those changes posed to digital forensics. He spoke about some of the newer changes as well such as the transition from HFS+ to APFS and the newer media formats. He also mentioned the KnowledgeC database and gave examples of the goldmine that is.
Having survived Wednesday, I came back for Thursday refreshed and ready to learn more.
This session was AMAZING! I walked in not sure how much I should care about SQLite and came out realizing that SQLite is used in so many products that it would be foolish not to learn more about it. Scott Tucker did a fantastic job explaining SQLite and had several screenshots from a book called SQLite Forensics. He recommended the book highly, as did several other presenters at the conference. A link to the book is below if you are interested. Be advised that there is no digital format available currently.
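Two of the sessions above point at the same thing, so here is one added example of mine (not from Scott Tucker’s or Trey Amick’s talks) that ties them together: a Python script that opens a KnowledgeC-style SQLite database read-only and pulls the /app/inFocus stream into a timeline. The database is a tiny stand-in I build on the fly with a handful of the real ZOBJECT column names and made-up rows; the one forensic detail worth knowing is that Core Data timestamps count seconds from 2001-01-01 UTC, not the Unix epoch, so treating them as Unix time puts every event 31 years off.

```python
"""Query a KnowledgeC-style SQLite database and convert its Core Data timestamps.

Added example. The schema below is a constructed subset of the real ZOBJECT table
(ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE); the rows are made up, not device data.
"""
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List

# Core Data (which KnowledgeC.db uses) stores dates as seconds since 2001-01-01 00:00:00 UTC.
COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def coredata_to_datetime(value: float) -> datetime:
    """Convert a Core Data timestamp (seconds since 2001-01-01 UTC) to an aware UTC datetime."""
    return COREDATA_EPOCH + timedelta(seconds=value)


def build_sample_knowledgec(path: str) -> None:
    """Write a constructed stand-in for KnowledgeC.db with a small subset of the real columns."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
        "ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL)"
    )
    rows = [  # constructed sample rows
        (1, "/app/inFocus", "com.apple.Safari", 580_000_000.0, 580_000_120.0),
        (2, "/app/inFocus", "com.apple.mail", 580_000_120.0, 580_000_300.5),
        (3, "/display/isBacklit", None, 579_999_000.0, 580_000_300.5),
    ]
    conn.executemany("INSERT INTO ZOBJECT VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    conn.close()


def open_readonly(path: str) -> sqlite3.Connection:
    """Open the working copy of the evidence read-only (URI mode) so nothing is ever written to it.
    Remember to copy the -wal and -shm files alongside the .db, or recent rows will be missing."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def app_focus_timeline(path: str) -> List[Dict]:
    """Return the /app/inFocus stream as a timeline with UTC timestamps and foreground durations."""
    conn = open_readonly(path)
    try:
        cur = conn.execute(
            "SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT "
            "WHERE ZSTREAMNAME = '/app/inFocus' ORDER BY ZSTARTDATE"
        )
        return [
            {
                "bundle_id": bundle,
                "start": coredata_to_datetime(start).isoformat(),
                "end": coredata_to_datetime(end).isoformat(),
                "seconds": round(end - start, 1),
            }
            for bundle, start, end in cur
        ]
    finally:
        conn.close()


def demo() -> List[Dict]:
    """Build the sample database in a temp directory and run the timeline query against it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = str(Path(tmp) / "KnowledgeC.db")
        build_sample_knowledgec(db)
        return app_focus_timeline(db)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running it prints the two foreground-app entries with their start and end in ISO 8601 UTC; the ZOBJECT table on a real Mac lives in knowledgeC.db under /private/var/db/CoreDuet/Knowledge/, and the same timestamp conversion applies to the other Core Data columns in it.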
Don’t Pull the Plug: A Practical Look at Memory Forensics
Good ol’ Volatility. I have a love/hate relationship with Volatility. On the one hand it’s a powerful tool for memory analysis…on the other hand you have to know the commands to work with it. Lucas Ceballos did a great job explaining why you should do memory analysis and discussed some of the more common commands and why you might want to run them. This was like Volatility 101 and I found it very helpful…may be time to start playing with it again. He also recommended a book called “The Art of Memory Forensics” which I have linked below.
This session presented by Colin Cree looked at how F-Response can be used to conduct a capture and to begin an investigation. His presentation included screenshots and a live demo. If you would like to learn more about F-Response, click here:
The Mock Hearing was a great addition to the conference. The mock trial started out with Sean Selin and Andrew Stokes from K&L Gates, and the Hon. Michael J. Trickey (Retired). The presentation they went over described the usual stages of a trial and some of the things to keep in mind when asked to be an expert witness. Next, CTIN president Allison Goodman volunteered to be an expert witness so we could all see how it was done. Volunteers were then called up so that they could experience what a trial might be like as well. This session was so useful…getting to see the types of questions that might be asked and to understand the different perspectives and tactics that were used in prosecution vs. defense.
High Stakes Evidence Tampering and the Failure of Digital Forensics
While there were a lot of incredible presenters and sessions, I have to admit this one was one of my favorites. Mark Spencer, from Arsenal Consulting came back and discussed some of the amazing work he (and his team) have done. He talked about cases where his team was able to identify that someone had indeed tampered with documents to make them appear older than they were…and he also discussed how digital forensics had failed a journalist and others employed at Odatv for quite a while until his team stepped in and found evidence to exonerate them. You can read about this case via the link below:
I think I enjoyed this one so much because it seemed surreal…like on the spy/espionage movies you watch all the while thinking this can’t happen…except it can and did happen.
By the last day of the conference, I was pretty worn out, but the last two days had been so amazing that I had to see what I would learn today.
Investigating Compromise and Breach
Troy Larson spoke about doing investigations in Azure. With cloud computing being the way of the future, I have found that there is surprisingly not a ton of data regarding forensics in the cloud. Mr. Larson covered the types of logs in Azure that can assist in your investigations, and discussed ways to get the storage from Azure VMs (IaaS) without directly impacting the virtual machine. He emphasized the use of PowerShell to aid in your forensics investigation, and suggested an order to the steps in your investigation based loosely on RFC 3227’s section entitled Order of Volatility. The order he suggested was to snapshot the VHD, collect the memory, collect the resource disk and then look at the various log files.
Web Site Forensics: Total Acquisition of a Website and Harvesting Chats, User Information, etc.
This session by Randall Karstetter focused on gathering data from websites and the challenges in doing so depending on how the site is hosted. He walked us through a case he had investigated and the steps that he performed in his analysis. The presentation was very interesting, though I would love to see what he would come up with to script some of the more manual work that he did.
The session on Geolocation Data was done by Brett Shavers. While I realized before the session that mobile devices often tag images with geolocation data, I didn’t realize that other devices, even Bluetooth can embed geolocation data. He spoke about viewing the EXIF data for images and the information that they can contain.
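Since Brett Shavers’ point was about what EXIF data can hold, here is an added example of my own (not from his session) that shows where the location actually sits: a small Python parser that walks the TIFF structure inside an Exif block, follows the GPSInfo pointer in IFD0 to the GPS sub-IFD, and turns the degrees/minutes/seconds rationals plus the N/S/E/W reference letters into signed decimal coordinates. It also builds a tiny Exif block by hand so it runs without any image on disk; the coordinates in it are made up, and the `tiff_from_jpeg` helper only does the simple “find the Exif marker” step rather than full JPEG segment parsing.

```python
"""Pull GPS coordinates out of an Exif (TIFF-structured) metadata block.

Added example. The sample Exif block is constructed by hand so this runs offline;
the coordinates in it are made up, not taken from a real photo.
"""
import struct
from typing import Dict, List, Optional, Tuple

GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD
# TIFF field types -> bytes per value (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def tiff_from_jpeg(jpeg: bytes) -> Optional[bytes]:
    """Locate the APP1 'Exif\\0\\0' marker in a JPEG and return the TIFF block that follows it.
    All IFD offsets are relative to that TIFF header, so slicing here keeps them valid."""
    idx = jpeg.find(b"Exif\x00\x00")
    return None if idx < 0 else jpeg[idx + 6:]


def read_ifd(data: bytes, offset: int, order: str) -> Dict[int, Tuple[int, int, bytes]]:
    """Return {tag: (field_type, count, raw_bytes)} for the IFD starting at offset.
    Values of four bytes or less sit inline in the 12-byte entry; larger ones are reached via a pointer."""
    (count,) = struct.unpack_from(order + "H", data, offset)
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, ftype, n = struct.unpack_from(order + "HHI", data, pos)
        size = TYPE_SIZES[ftype] * n
        if size <= 4:
            raw = data[pos + 8:pos + 8 + size]
        else:
            (ptr,) = struct.unpack_from(order + "I", data, pos + 8)
            raw = data[ptr:ptr + size]
        entries[tag] = (ftype, n, raw)
    return entries


def rationals(raw: bytes, order: str) -> List[float]:
    """Decode a run of RATIONAL values (numerator/denominator pairs of unsigned 32-bit ints)."""
    nums = struct.unpack(order + "II" * (len(raw) // 8), raw)
    return [n / d if d else 0.0 for n, d in zip(nums[::2], nums[1::2])]


def dms_to_decimal(dms: List[float], ref: str) -> float:
    """Degrees/minutes/seconds plus an N/S/E/W reference letter -> signed decimal degrees."""
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def exif_gps(data: bytes) -> Optional[Tuple[float, float]]:
    """Return (latitude, longitude) in decimal degrees, or None when the block has no GPS tags."""
    order = {b"II": "<", b"MM": ">"}[data[:2]]  # byte order mark: Intel or Motorola
    magic, ifd0 = struct.unpack_from(order + "HI", data, 2)
    if magic != 42:
        raise ValueError("not a TIFF/Exif header")
    gps_ptr = read_ifd(data, ifd0, order).get(GPS_IFD_POINTER)
    if gps_ptr is None:
        return None
    (gps_offset,) = struct.unpack(order + "I", gps_ptr[2])
    gps = read_ifd(data, gps_offset, order)
    if not all(tag in gps for tag in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
        return None
    lat_ref = gps[1][2].rstrip(b"\x00").decode("ascii")
    lon_ref = gps[3][2].rstrip(b"\x00").decode("ascii")
    lat = dms_to_decimal(rationals(gps[2][2], order), lat_ref)
    lon = dms_to_decimal(rationals(gps[4][2], order), lon_ref)
    return round(lat, 6), round(lon, 6)


def build_sample_exif() -> bytes:
    """Construct a minimal little-endian Exif block (made-up data, not from a real photo):
    IFD0 at offset 8 -> GPS IFD at 26 -> RATIONAL triples at 80 (latitude) and 104 (longitude)."""
    o = "<"
    header = b"II" + struct.pack(o + "HI", 42, 8)
    ifd0 = (struct.pack(o + "H", 1)
            + struct.pack(o + "HHII", GPS_IFD_POINTER, 4, 1, 26)
            + struct.pack(o + "I", 0))
    gps_entries = (struct.pack(o + "HHI", 1, 2, 2) + b"N\x00\x00\x00"      # GPSLatitudeRef
                   + struct.pack(o + "HHII", 2, 5, 3, 80)                   # GPSLatitude
                   + struct.pack(o + "HHI", 3, 2, 2) + b"W\x00\x00\x00"     # GPSLongitudeRef
                   + struct.pack(o + "HHII", 4, 5, 3, 104))                 # GPSLongitude
    gps_ifd = struct.pack(o + "H", 4) + gps_entries + struct.pack(o + "I", 0)
    lat = struct.pack(o + "6I", 47, 1, 38, 1, 24, 1)    # 47 deg 38' 24" N (made up)
    lon = struct.pack(o + "6I", 122, 1, 7, 1, 48, 1)    # 122 deg 7' 48" W (made up)
    return header + ifd0 + gps_ifd + lat + lon


if __name__ == "__main__":
    print(exif_gps(build_sample_exif()))  # (47.64, -122.13)
```

The parser handles both byte orders because cameras and phones differ on that, and it returns None rather than guessing when any of the four GPS tags is absent, which is the usual case for images that have passed through a service that strips metadata.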
Mac Hardware Triage and Acquisition
Pierson Clair spoke about how to get a good image from a system running Mac OS X/macOS. He went over different diagnostics screens and of course target disk mode. He spoke about the challenges of imaging Apple’s Fusion drives, and how to deal with drives that are set up with Boot Camp.
What’s New in Mac Forensic Artifacts
This session was also done by Pierson Clair, and was a great walk-through of the new artifacts that appeared in new versions of the Mac operating system, starting with Mac OS X 10.11 El Capitan all the way up to macOS 10.14 Mojave. I learned more about APFS and the T2 chip that comes on the newer Macs and I plan on digging into both of these more.
I am absolutely planning on digging into hibernation files. Most of the forensics training that I have had has historically focused on memory analysis and drive slack space. Not once has anyone really dug into what the hibernation file on a Windows PC actually is.
I want to learn more about SQLite and am planning on not only reading the SQLite Forensics book (it’s sitting next to me on my desk even as I type), but also digging into SQLite databases to get some hands-on experience.
Last but certainly not least, I plan on improving my skills with mobile forensics (hello Oxygen!) and MacOS forensics as well.
For any of my readers who went as well, what did you enjoy most?