2011 brought DFRWS back to New Orleans from Monday, Aug 1 to Aug 3.  Preceding DFRWS on Sunday, July 31, 2011, was the 2nd Open Memory Forensics Workshop sponsored by Volatility. In addition to 2 keynotes, DFRWS also had 14 presentations based on peer reviewed papers.  The 2011 conference was held in cooperation with the Association for Computing Machinery (ACM) and its Special Interest Group on Security, Audit and Control (SIGSAC).

The Best Paper Award went to “Forensic Carving of Network Packets and Associated Data Structures” by Robert Beverly, Simson Garfinkel and Greg Cardwell.

The 2011 Forensics Challenge was on Android devices. Given the variety and impending ubiquity of Android devices along with the wide range of crimes that can involve these systems as a source of evidence, the DFRWS has created two scenarios for the forensics challenge in 2011. The data included flash-memory storage of two Android mobile devices for reconstruction and analysis of evidence.

The winning submission was from Ivo Pooters, Steffen Moorrees & Pascal Arends of Fox-IT in the Netherlands. This submission developed Python utilities for extracting information from the Android data in both scenarios. For Scenario 1, data structures were carved from the dd image. For Scenario 2, the YAFFS2 file system was mounted in Linux and information was extracted from files and databases on the system. The report provided a great overall synthesis of evidence and application to the overall scenario, including an analysis of malware installed on one device. The analysis culminated with an impressive visual reconstruction of evidence.

Conference Location:

Westin New Orleans Canal Place
New Orleans, LA, US

August 1, 2011 to August 3, 2011

Keynotes

Analyzing Adobe vulnerabilities: A technical and organizational perspective

Sebastian Porst

Bio: Sebastian Porst has been a binary file reverse engineer for more than ten years. After getting his Masters degree in Computer Science, he joined the German reverse engineering startup Zynamics where he was the lead developer of the three popular reverse engineering tools BinNavi, BinCrowd, and PDF Dissector. PDF Dissector was successfully marketed to companies and government agencies around the world and quickly became the most powerful PDF malware analysis tool on the market.

Drawing on his experience with analyzing malware and security vulnerabilities in Adobe products, Sebastian was then hired by Microsoft and Adobe to become the primary vulnerability researcher for Adobe products on the Microsoft Active Protections Program (MAPP), a program that aims to supply program partners with advance notification about vulnerabilities before Patch Tuesdays. In addition to his paid work, Sebastian is the lead developer of a collection of open source tools for Flash malware and vulnerability analysis and he has been speaking about reverse engineering at IT security conferences around the world since 2008.

Abstract: Adobe products like Adobe Reader or Adobe Flash have been the biggest targets of malicious attacks in the last few years. As a result of this, Adobe has begun to implement significant measures to improve the security of their products and many independent security researchers are now focusing on Adobe. I have experience working on both sides of the fence, first working independently on analyzing Adobe software and later working directly with Adobe on their vulnerability assessment. Using Flash as an example, I will describe the low-level details of vulnerability research and file format analysis by describing a real-life example of a Flash vulnerability that was exploited by malware in the wild and what is necessary to figure out what the bug was in Flash Player. Then, I will wrap it up by describing how this ties back to the processes Adobe put into place to work with external security researchers and partners, for example through the Microsoft MAPP program.

Challenges and Opportunities for Digital Forensics in the Cloud

Christopher Day | Senior Vice President, Terremark Worldwide, Inc.

Bio: Christopher Day joined Terremark Worldwide, Inc. in December 2005 as Senior Vice President, Secure Information Services. He is responsible for global information security services provided to Terremark customers both in the commercial and government sectors. Prior to Terremark, Mr. Day was Vice President for SteelCloud, a publicly traded network security product and services firm headquartered in Herndon, Virginia. Mr. Day was responsible for directing SteelCloud's investments in advanced technology as well as leading the design and development of SteelCloud's proprietary security systems.

With over fourteen years in the information security industry and working with Fortune 1000 companies and financial services firms in the United States, Latin America, Europe, the Middle East, Asia and Africa, Mr. Day has led numerous consulting projects in the areas of security audit, vulnerability assessment, computer forensics, and secure systems design. Christopher has also been involved with various security incidents dealing with system intrusions, theft of intellectual property, harassment, and fraud including serving as a testifying expert witness.

Mr. Day regularly lectures on computer forensics, incident response, intrusion detection/prevention, and wireless technology security. Christopher is a contributing author for the books Going Mobile: Building the Real-Time Enterprise with Mobile Applications that Work and Computer And Information Security Handbook. Mr. Day has been awarded two patents in the areas of Intrusion Detection (#7017186) and Wireless Network Security (#7020476), respectively, and has two others pending.

Abstract: This presentation will discuss the issues involved with acquiring digital evidence from virtualization systems such as VMware and Xen-based systems, as well as so-called cloud computing platforms that rely on these technologies to provide organizations and users with highly-scalable and distributed computing capabilities. Attendees will learn how virtualization systems work and the particular challenges they pose to the forensic investigator. In addition, attendees will learn about the most common types of cloud computing platforms and how each introduces additional challenges for the investigator above and beyond those presented by virtualization technologies. The discussion will provide practitioners a primer for these increasingly common but, to some, still mysterious, technologies and platforms that they will likely be asked to perform forensic acquisitions and investigations on in the near future. This presentation will also present some practical techniques and procedures practitioners can utilize in their work with these systems.

Committees

Organizing Committee

Conference Chair

Vassil Roussev, PhD (University of New Orleans)

Conference Vice Chair

Matthew Geiger (CERT)

Technical Program Chair

Florian Buchholz, PhD (James Madison University)

Technical Program Vice Chair

Brian Levine, PhD (University of Massachusetts)

Local Arrangements

Golden Richard, PhD (University of New Orleans)

Proceedings

Wietse Venema, PhD (IBM)

Keynote

Frank Adelstein, PhD (ATC-NY)

Publicity

Dave Baker (MITRE)

Advertising / Sponsorship

Daryl Pfeif (Digital Forensics Solutions)

Registration

Andreas Schuster (Deutsche Telekom AG)

Finances

Rick Smith (ATC-NY)

Challenge

Eoghan Casey (cmdLabs)

Demo / Posters

Golden Richard, PhD (University of New Orleans)

Workshops

Eoghan Casey (cmdLabs), Frank Adelstein, PhD (ATC-NY)

Outreach Coordinator

Tim Vidas (Carnegie Mellon)

Web

Brian Carrier, PhD (Basis Technology)

Technical Program Committee

Frank Adelstein (ATC-NY)
Cory Altheide (Google)
David Baker (MITRE)
Nicole Beebe (University of Texas at San Antonio)
Matt Bishop (UC Davis)
Florian Buchholz (James Madison University)
Brian Carrier (Basis Technology)
Harlan Carvey (Terremark)
Heather Dussault (SUNY Institute of Technology)
Jim Early (State University of New York at Oswego)
Jon Evans (QinetiQ)
Dario Forte (DFlabs)
Simson Garfinkel (Naval Postgraduate School)
Matthew Geiger (CERT)
Pavel Gladyshev (University College Dublin)
Grant Gottfried (MITRE)
Yong Guan (Iowa State University)
Gaurav Gupta (IIIT-Delhi)
Sundararaman Jeyaraman (Purdue University)
Ping Ji (John Jay Criminal Justice/CUNY)
Xuxian Jiang (North Carolina State University)
Rob Joyce (ATC-NY)
Erin Kenneally (University of California San Diego)
Jesse Kornblum (Kyrus)
Brent Lagesse (Oak Ridge National Laboratory)
Brian Levine (University of Massachusetts)
Marc Liberatore (Univ. of Massachusetts Amherst)
Michael Losavio (University of Louisville)
James Lyle (NIST)
Nasir Memon (Polytechnic University)
Timothy Morgan (Virtual Security Research LLC)
Gilbert Peterson (Air Force Institute of Technology)
Wei Ren (China University of Geosciences)
Golden Richard (University of New Orleans)
Marcus Rogers (Purdue University)
Steve Romig (Ohio State University)
Vassil Roussev (University of New Orleans)
Nicolas Ruff (EADS-IW)
Bradley Schatz (Schatz Forensic Pty. Ltd)
Andreas Schuster (Deutsche Telekom AG)
Clay Shields (Georgetown University)
Philip Turner (QinetiQ)
Wietse Venema (IBM Research)
Svein Willassen (Norwegian University of Science and Technology)

Sponsors

Sponsors help DFRWS to produce quality events and foster community.

Information about sponsorship opportunities is available at: http://www.dfrws.org/sponsorship-opportunities

WetStone

WetStone software solutions support investigators and analysts engaged in cyber-crime investigations, digital forensics, and incident response activities.


Access Data

Need to mitigate risk or ensure compliance? AccessData offers targeted, forensically sound collection, preservation, hold, processing and data assessment tools.


CERT

CERT is the home of the CERT Coordination Center and located at Carnegie Mellon University's Software Engineering Institute. It studies internet security vulnerabilities, researches long-term changes in networked systems, and develops information and training to help improve security.
