DFIR Prague Summit 2018

Angelo Hotel, Prague, 1st October 2018

#DFIRPrague

emea-summits@sans.org +44 203 384 3470 @sansemea @sansforensics

Monday 1st October 2018

08:00 - 08:45 Registration and Coffee

08:45 - 09:00 Welcome Remarks

09:00 - 09:30 Cutting the Wrong Wire: How a Clumsy Attacker Revealed a Global Cryptojacking Campaign

We have seen a massive spike in malicious crypto mining campaigns. This session consists of a walk-through of a remarkable incident caused by an eager and clumsy attacker who ended up revealing multiple cryptojacking campaigns targeting large organisations across the world in early 2018.

Renato Marinho - Chief Research Officer at Morphus Labs

09:30 - 10:00 BYOM - Build Your Own Methodology (in Mobile Forensics)

In recent years Mobile Forensics is becoming increasingly challenging because of the different and improved security mechanisms. This talk provides a methodology to determine if and what can be acquired from a specific device. We will illustrate a practical approach, with resources and tools that can be immediately applied.

Mattia Epifani - Digital Forensics Analyst at REALITY NET

10:00 - 10:30 Morning Break

10:30 - 11:00 Building a Digital Evidence Classification Model

One thing that we have never had as a discipline is a conceptual model which allows us to define various digital evidence categories, so that we can uniformly and consistently describe digital evidence. Attendees will learn to understand evidence classification in forensic science, the importance of being able to classify digital evidence, how the digital evidence classification model works and practical application of the digital evidence classification model.

Jason Jordaan - Principal Forensic Analyst at DFIR LABS

11:00 - 11:30 Project SIRF - Security Incident Response Framework

This session focuses on the outcomes of a project carried out by CERT Austria (CERT.at) and the Austrian Energy CERT (AEC), who are working on a portable Incident Response setup which includes hardware, tools/software, documentation and best practices needed to perform a decent response to an IT-Security incident.

Olaf Schwarz - Senior IT-Security Analyst at CERT Austria

11:30 - 12:00 Lessons from TheShadowBrokers One Year Later

After emerging in 2016, TheShadowBrokers made a name for themselves by leaking US Intelligence operational notes and exploits, then disappeared during summer 2017. What have we learned one year later? Are we entering a new era where kernel exploits and kernel-based fileless threats can be recycled by several threat actors and plunge the world into chaos again at any moment?

Matt Suiche - Managing Director at Comae

12:00 - 13:00 Lunch

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates.


13:00 - 13:30 The X Factor exFAT Talk

This talk will provide a primer on the exFAT filesystem, details of testing and results that show how different Operating Systems implement exFAT, and how different forensic tools interpret the filesystem. Learn to correctly interpret exFAT metadata as well as techniques to determine the source Operating System.

Adam Harrison - Principal Consultant at Verizon Threat Research Advisory Center

13:30 - 14:00 Automating the Routine Stuff

This presentation outlines a number of shortcomings in existing tools used to parse information from a disk, and demonstrates a script that uses a combination of existing tools and manual parsing to automatically produce some routinely required sections of a forensic report.

Kathryn Hedley - Director at Khyrenz Ltd

14:00 - 14:30 Comparative Forensic Examination of Three Prominent Ransomware Families

With the rise in Ransomware, it has become more important than ever to understand the interaction between the malware and the machine. In this talk the audience will learn to understand three ransomware families in terms of their static signatures, their interaction with the host which they are infecting, the residual data left within memory and the network aspect of this malware.

Veronica Schmitt - Partner at DFIR LABS

14:30 - 15:00 Statistical Methods for Triaging DFIR Investigations

The volume of content available in some investigations can be overwhelming, to the point that investigations are slowed and the size of the backlog increases. This presentation seeks to speed up the investigative process through the use of statistical sampling methods that can be applied to evidence collections, using the results to rank or prioritise evidence for review.

Ray Strubinger - Managing Consultant DFIR at VerSprite

15:00 - 15:30 Afternoon Break

15:30 - 16:00 Chrome Nuts and Bolts: ChromeOS/Chromebook forensics

Chromebooks have been taking over the classroom and are an up and coming issue for forensic examiners. This presentation will delve into our research into the forensics of the Chrome OS and Chromebooks, including the hardware and software perspectives of how to deal with a Chromebook in an investigation and provide practical techniques to help you with your analysis.

Jessica Hyde - Director of Forensics at Magnet Forensics

Jad Saliba - Founder and CTO at Magnet Forensics

16:00 - 16:30 1+1 is Not Always 2: Bypassing Multi-Factor Authentication

In the presentation, a Mandiant red team consultant will present techniques used in the field to bypass multi-factor authentication and a Mandiant incident response consultant will demonstrate ways to mitigate, detect, and investigate these same techniques.

Jeff Hamm - Technical Director at Mandiant

James Hovious - Senior Consultant at Mandiant

16:30 - 17:00 Closing Remarks

17:00 Networking Drinks and Reception
