Wednesday, October 20, 2010

WACCI Digital Forensic Goodness: (We're Not Worthy! Edition)

From the WACCI 2010 conference, this YouTube video sums up my WACCI experience! I was fortunate enough to attend this conference this past week, just as MIRCon was going on. Fellow SANS blog author Gregory Pendergast attended MIRCon and delivered some awesome, fresh content on that conference on the SANS Digital Forensics blog. Also fellow SANS blog author Ken Pryor is delivering some "WACCI Fu" on the SANS Digital Forensics blog with some good details and recap of the conference. You can also follow some of the "public" tweets.
This blog entry is not going to be a conclusive summary, but rather sharing my perspective and a few experiences from last week.
First off, I had the opportunity to mingle and converse with Ovie Carroll, Mark McKinnon, Harlan CarveyRob Lee, Gary Kessler, Ken Pryor, and many other LEOs and forensic professionals in the community. It was good to finally put faces with a name and make new friends. A big thank you to Cindy Murphy (lethal forensicator), President of WACCI-West and others for putting on a great conference. As Cindy stated to me, "It ROCKED" and I could not agree more! If you attended this conference and did not come away excited, you are in the wrong profession! It was a refreshing week and the atmosphere @ WACCI was one of camaraderie (LE & private sector) and of learning and networking.
Ovie delivered a great keynote discussing "online recons", search signatures, data correlation, etc. What I took most from Ovie's keynote was the importance of a "phased approach and employing triage" versus traditional "deadbox" forensics. The size of hard drives and the data that hard drives can store is growing exponentially and forensic practitioners must begin employing data triage with cases. 
Directly following Ovie's keynote, Harlan Carvey delivered his keynote covering collaboration between the private sector and law enforcement. First, Harlan is a great public speaker and delivered a great keynote. Harlan went commando (no powerpoint) and lead a great discussion-style approach. Some of the issues brought up were in relationship to a vetting/screening process to establish credibility to the data and to the user/author. Checkout Harlan's blog for his WACCI experience and more information on collaboration among the digital forensics community.
Tuesday evening, I attended the WACCI Awards Banquet & Dinner and it was good to see some great LE forensic examiners and teams recognized.

*Wednesday:
Breakout I: Perl & Regular Expressions in Forensic Exams delivered by Fergus Toolan of the UCD School of Computer Science and Informatics. Fergus delivered a great breakout session and walked the group through writing a Perl script to use in our forensic examinations (Thank you Fergus).

Breakout II: Live RAM Analysis by Rick McQuown: Rick brought a lot of energy and shared some of his findings in the area of Live RAM Analysis. Checkout Rick's website (Enscript included).

Breakout III: Intellectual Property Theft Investigations- Stealing The Show- MPAA: A lof of great information on what the MPAA is doing to combat movie piracy. This was definitely a good takeaway.

*Thursday:
Keynote Speaker: Gary Kessler- Gary is a very good public speaker and educator. If you want to know file systems, Gary is your reference! In 2009, I was fortunate to be one of Gary's students through Champlain College's CCE bootcamp course. Gary's talk featured an array of information where he discussed the evolution of computers, information/data security, and the state of cyber warfare. It was a very informative and well received morning keynote.

Breakout IV: DFCP and DFCA Certifications and Why the Digital Forensic Certification Board Exists by Sam Guttman- From the sessions that I attended during WACCI, this one generated a lot of discussion. I really enjoyed Sam's presentation, which was geared towards obtaining feedback from practitioners in the community as to the DFCB process. There was support for what DFCB was trying to accomplish by leveling the playing field amongst examiners/analysts, but is DFCB the answer? One examiner felt IACIS will eventually be the standard with the CFCE certification opening up to those outside of the law enforcement community in the near future. Some were concerned about the DFCB creating a brand name and marketing itself to those in the forensics community. It will be interesting to follow the direction that DFCB proceeds in the near future. Deciding on what certification will be the standard for digital forensics is our responsibility. Now is the time to be involved and be an advocate for our profession!

Breakout V: Into The Shadows: Taking a Walk Through the Windows Volume Shadow Copy with Mark McKinnon (Shadow Warrior)- Shadow Warrior Mark McKinnon shed some interesting light on the VSC service and difference files. Wait for it...yes, there is a tool that Mark McKinnon and fellow Shadow Warrior Lee Whitfield will be releasing called, Shadow Analyzer or Shadow Analyser (depending on what side of the Atlantic you reside). Mark demonstrated Shadow Analyzer's (beta version) capabilities and what features are under development. Mark also demo'd Drive Prophet. In my opinion, Drive Prophet is a must in your digital forensic toolkit. Drive Prophet is a information collection tool that reports on critical areas of a machine, assisting the investigator/examiner on how to proceed with the digital evidence. Do you need to complete a full forensic examination? Are you on-scene and need to focus your investigation/exam on something else? Drive Prophet was designed to be a road-map for the investigator/examiner, outlining critical information important to your digital forensic examination.

Breakout VI: Incident Response: Stories from the Field- Mark Lachniet (GCFA Gold)- Mark captured everyone with his high-level of energy and delivered some great pointers/how to's to those in the front-lines of Incident Response. While I do not have an incident response background, Mark's talk was very interesting, informative, and made me thirsty for more knowledge in corporate incident response. Looking at it from the law enforcement perspective, I realized that corporate incident responders are the soliders on the front-lines defending their respective networks daily from internal and external attacks! This is an area that law enforcement really needs to grow in and educate responders/examiners/analysts. My advice to LE is to find out who your IR folks are within your respective communities and get to know these folks! If they've reached out to you....listen. If not, reach out to them! You will learn from them, which ties directly into sharing information, just as Harlan outlined in his keynote on Tuesday morning.

*Friday

Keynote Speaker: Brian Carrier

Just as WACCI kicked off with back to back keynotes by Ovie Carroll and Harlan Carvey, the final day was no different. Back to back keynotes by Brian Carrier and Rob Lee. I had the pleasure of meeting Brian Carrier just prior to his keynote and was totally pumped! Brian Carrier? What can I say... the guy lives in "Brian's bubble" and is genius! Brian's talk focused on Open Source Digital Forensics.
Some noteworthy items:
-The Sleuth Kit 3.2 should be out very soon. Some long terms goal of TSK are application-level open framework, registry analysis, internet history viewers, text extraction, etc.
-Autopsy 3.0 is in development with the first release by the end of the year.
-AFF4 coming soon and will be able to store multiple disk images in a single file!

Rob Lee's keynote was no different! If you have sat through one of Rob's SANS Forensics courses either in the classroom or via On-Demand, you know how much Rob has a passion for teaching and advocating for digital forensics! Rob is a great friend and it is always good to hear him speak. This time was no different! Rob's talk focused on Super Timeline Analysis! The key piece of information that I took away from Rob's talk was that we (the digital forensic community) have to move past what the forensic tool outputs (i.e. timestamp anomalies)! $STANDARD_INFORMATION vs $FILE_NAME

The afternoon breakouts were just prior to Closing Remarks for the conference. The two that I attended (see below) were both good talks.

Breakout VII: HDD Operation and Physical Recovery by Scott Holewinski of Gillware, Inc.
Scott discussed provided tips for handling failing hard drives and some insight to the future of hard drives, including pros v cons of solid-state hard drives.
Breakout VIII: An IP Address Leads to a Haystack: What to look for in a corporate environment by Jeremy Charles.
Applying what I took away from Mark Lachniet's breakout from Thursday with Jeremy Charles' talk, I now have a better understanding and respect for the daily challenges of the corporate incident responder/investigator.

Overall, WACCI was a fast-paced, full week of learning, networking, and sharing! I was able to make new friends and catch-up with old (or put a face with a name). I commend Lethal Forensicator Cindy Murphy and everyone @ WACCI that worked tirelessly to generate a top-notch conference! The "WACCI Buzz" seems to have spread. We seen a return of CyberSpeak (Ovie had the option of either delivering a podcast or retiring with Luby N. to drink martinis and give tango lessons). I guess that means CyberSpeak will be around! There also been an influx in people contributing (see the blogs, forensic mailing lists, etc.). David Kovar's AnalyzeMFT also has been getting updated (thank you David). I had the opportunity to catch up with two good friends, David Kovar and Ken Pryor, on Friday evening for dinner, while returning from the WACCI conference. It was good to see David again and discuss a lot of exciting things that are happening in the digital forensic oasis!

1 comment:

Ken Pryor said...

Great recap, Brad! WACCI was well worth attending and a tremendous value for the money. I enjoyed hanging with you all week and meeting so many people I previously only "knew" online.
KP