SANS Digital Forensics and Incident Response Blog

2010 Digital Forensics and Incident Response Summit - Final Agenda Released

"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that."

Matt Olney (SourceFire) said that when describing the Advanced Persistent Threat attacks earlier this year. He was not joking. The results over the past year clearly indicate that hacking groups are racking up success after success. Over 30 companies have been compromised by the Advanced Persistent Threat. Organized crime groups running botnets commit ACH fraud daily. Similar groups penetrate banks and merchants and steal credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholder reports.

The enemy is getting better and bolder, and their success rate is impressive. Are we?

We can do better. We need to field more sophisticated incident responders and forensic investigators. We need lethal forensicators who can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left in place during a compromise. You need to know what you are up against. You need to know what the seasoned experts in the field know. You need to stay ahead, constantly seeking new knowledge and experience.

The 2010 SANS What Works in Digital Forensics and Incident Response Summit, being held in Washington, DC on July 8 and 9, gives you access to the state of the art in computer forensic techniques. Top industry leaders, forensics and incident response professionals, and vendors will discuss the latest defenses and technologies in a series of highly interactive sessions focused on effective incident response and mitigation, forensic analysis, and recovery from data breach incidents.

Read Reviews of the Previous Year's Summit

Presentations from 2008 Digital Forensics and IR Summit:

Presentations from 2009 Digital Forensics and IR Summit:

This Summit gives you access to the state-of-the-art computer forensic techniques. Top industry leaders, forensics and incident response professionals, and vendors will discuss the latest defenses and technologies in a series of interactive sessions focused on effective incident response and mitigation, forensic analysis, malware analysis, and even network forensics.

Thu, July 8 2010

Time | Main Room | Deep Technical Breakout Room
6:30am - 8:00am: Breakfast
8:00am - 8:30am: Welcome and Introduction to the 2010 Digital Forensics and Incident Response Summit

  • Rob Lee — Summit Chair, Computer Forensic/IR Summits
8:30am - 9:30am: Keynote Address: to be announced
9:30am - 10:30am: Expert Briefing:

Malware Analysis in the age of APT

Today's malicious code poses immense challenges to the incident responder and reverse engineer. Gone are the days of monolithic, simplistic malware; instead today's malware developers create sophisticated and modular applications that pose significant challenges for the network defender. This new Advanced Persistent Threat has spurred significant advances in the state-of-the-art not only for the attacker but also for the defender and analyst. This presentation will reinforce the need for volatile memory acquisition during an incident response by fusing the results of memory analysis with traditional reverse engineering methods. We will embark on a one-hour journey from discovery to understanding on a live malicious code sample, integrating the latest advanced reverse engineering, volatile memory analysis, and behavioral analysis techniques.

  • Jason Garman - Chief Technology Officer, Kyrus Technology; Author of "Kerberos: The Definitive Guide"
Expert Briefing:

Registry and Timeline Analysis
The Windows Registry is rife with timestamped data that is invaluable to an analyst for a wide range of investigations. In this workshop, we will discuss the value of Registry analysis to support a number of examinations, and how information extracted from the Registry can be used to populate and clarify an analyst's timeline.

10:30am - 10:50am: Break
10:50am - 11:50am: Panel:

Reverse Engineering Malware Analysis Panel

Panelists will discuss the latest methods to detect and analyze malware, drawn from real cases. Malware developers are hired by the groups behind these attacks to infect your systems. In some cases, malware is compiled mere hours before being deployed on a specific system. These panelists have been analyzing malware in real cases involving the Advanced Persistent Threat, botnets, and organized crime. Come learn from the masters how to properly detect and analyze evil, and why it is crucial that every team employ a malware specialist to shore up its IT security staff.

Expert Briefing:

exFAT (Extended FAT) Filesystem: Revealed and Dissected

In January 2008 the SD Card Association, makers of the removable SD memory cards used in cameras, cell phones, and many other consumer electronics, announced a new SDXC specification for SD cards starting at 32GB and reaching a maximum capacity of 2TB. These memory cards will exclusively use a new Microsoft file system called exFAT, the extended FAT file system, which has been nicknamed by some as FAT64. Because this file system is patent pending and proprietary to Microsoft, implementation of the specification requires a license from Microsoft. Although this file system has been available on desktop systems since 2008 with Vista SP1, and on Windows XP since 2009, there is still very little open-source support available today, although some tools that can process this file system are beginning to surface. As of the end of 2009 the major commercial forensics tools do not support this file system. However, in early 2010, when the consumer devices that use this new technology come to market, there will be a wealth of potential digital evidence stored on removable media formatted with exFAT. This is not limited to SD cards, as USB flash drives and other removable media may also be formatted with exFAT. There is not much available about the internals of exFAT, and the purpose of this session is to show the forensics examiner what is under the "exFAT" hood.

11:50am - 1:00pm: Lunch
1:00pm - 2:00pm: Expert Briefing:

Analyzing Windows 7: Current Issues In Windows Forensics

This talk will provide a survey of the forensically noteworthy or interesting features new or different in Windows 7, compared with previous versions of Windows. Windows features to be discussed include BitLocker, file system changes, folder and registry virtualization, new registry hive files, hard and symbolic links, virtual hard drives, Libraries, Volume Shadow Copy, and Internet Explorer InPrivate Browsing. In addition, we will look at some preliminary ways to examine a number of the new artifacts in Windows 7.

  • Troy Larson — Senior Forensics Program Manager, Microsoft
Expert Briefing:

Network Payload Analysis for Advanced Persistent Threats

Modern attacks exhibit a trend of moving up the protocol stack. Additionally, the persistent nature of current intrusion sets is best addressed through an intelligence driven response. Both of these factors necessitate deeper network analysis and auditing for effective incident response. Increases in network visibility provide for quicker intrusion response times and more complete attack analysis.

Highly targeted attacks warrant highly customized network sensors systems. In some instances, off-the-shelf tools can be configured to provide valuable network forensics information. Many required capabilities are not fully supported by off-the-shelf solutions, requiring new paradigms and technologies. For example, tools that bridge the gap between traditional intrusion prevention systems and full packet capture systems provide significant value.

Examples of successes in facing sophisticated threats will be presented, including examples of use of off-the-shelf and in-house developed network payload analysis tools.

2:00pm - 3:00pm: Panel:

Next Generation Windows Forensics Panel

Panelists will discuss the challenges that an investigator now faces and some of the new discoveries in the recently released operating systems (Windows 7 and Windows Server 2008). Panelists will discuss what they see as the challenges of these new operating system environments. You can also ask them questions about potential threats and ways that criminals might exploit these systems for personal gain or sophisticated cyber attacks.

3:00pm - 3:20pm: Break
3:20pm - 4:20pm: Expert Briefing:

Breaking BitLocker: "Cryptanalysis" for Incident Responders, v20.10

A brute force attack against an AES-128 key would require checking each of the 340 undecillion (about 3.4 × 10^38, or 2^128) possible keys and would take some 13,000,000,000 years to complete. Since this is not possible, we must be able to circumvent this process to recover passwords and access encrypted data. Since time is rarely on our side, we must be able to work smarter and faster to recover encrypted data and complete our investigation.

This presentation will briefly cover the detailed knowledge required to perform cryptanalysis of complex cryptographic algorithms, protocols and ciphers. While encryption programs and ciphers are getting stronger and faster on current computer systems, there are still many successful methods to circumvent the encryption and recover the encrypted data. This presentation will highlight current attack methodologies against encryption programs (including BitLocker) and discuss techniques for building custom dictionary attacks that make more effective use of the time available.
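The point of the abstract above is that the attacker-side arithmetic (2^128 keys) is hopeless, so practical recovery targets the human-chosen secret instead. The following is an added example of building such a case-specific dictionary; it is not code from the presentation or from any BitLocker tool. The seed words, the years and the mangling rules are hypothetical choices made for illustration, and in a real case the seeds would be harvested from the subject's documents, mail, browser history and interviews.

```python
import math

# Added example: expand a handful of case-specific seed words into a candidate
# list using the transformations people actually apply to passwords. Nothing
# here is specific to BitLocker; the output feeds whatever recovery tool is in
# use. Seeds, years and rules are hypothetical.

LIGHT_LEET = str.maketrans("aAoO", "@@00")             # "P@ssw0rd" style
FULL_LEET = str.maketrans("aAeEiIoOsS", "@@331100$$")  # "P@$$w0rd" style


def base_forms(word: str) -> set:
    """Case variants an ordinary user is likely to type."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_forms(form: str) -> set:
    """The unmodified form plus two common character-substitution variants."""
    return {form, form.translate(LIGHT_LEET), form.translate(FULL_LEET)}


def suffixes(years) -> list:
    """Common appendages: punctuation, short digit runs, full and two-digit years."""
    out = ["", "!", "1", "123"]
    for y in years:
        out += [str(y), f"{y}!", str(y)[-2:]]
    return out


def mangle(seeds, years) -> set:
    """Expand seed words into a de-duplicated candidate set."""
    candidates = set()
    for seed in seeds:
        for form in base_forms(seed):
            for variant in leet_forms(form):
                for suffix in suffixes(years):
                    candidates.add(variant + suffix)
    return candidates


def keyspace_bits(n_candidates: int) -> float:
    """Entropy-equivalent of a candidate list, for comparison with a 128-bit key."""
    return math.log2(n_candidates)


# Constructed seeds: company name, pet name, a product name, and the obvious one.
SEEDS = ["acme", "rover", "widgetpro", "password"]
YEARS = [2008, 2009, 2010]


def build_case_dictionary() -> set:
    return mangle(SEEDS, YEARS)


if __name__ == "__main__":
    words = build_case_dictionary()
    print(f"{len(words)} candidates, about {keyspace_bits(len(words)):.1f} bits "
          f"versus 128 bits for the raw AES key")
    for sample in ("P@ssw0rd2010", "ACME2009!", "Rover10"):
        print(sample, "in dictionary:", sample in words)
```

Four seeds expand to a few hundred candidates, well under 10 bits of effective keyspace, which is the whole reason a targeted dictionary finishes in seconds where a key search never finishes. The rules are deliberately small so the output stays reviewable; a real list would add keyboard walks, word joins and a frequency ordering so the most likely candidates are tried first.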

Expert Briefing:

Fuzzy Hashing and Beyond

Computers are fantastic at finding identical pieces of data, but terrible at finding similar data. Part of the problem is first defining the term "similar" in any given context. This talk will explore what -similar- means for different contexts in computer forensics. We will then discuss fuzzy hashing, a method for identifying similar files using signatures similar to MD5 or SHA-256. Finally we'll discuss more specific methods for finding similar images and executables.

Speaker: Jesse Kornblum — Computer Forensics Research Guru, Kyrus Technology; Author of ssdeep, foremost, and many other well-known computer forensic tools. Jesse is the author of the security blog A Geek Raised By Wolves.
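The abstract above describes fuzzy hashing in one sentence; the following is an added example of the idea behind it, context-triggered piecewise hashing, written for this page and not taken from ssdeep or from the speaker. It is a simplification: ssdeep uses its own rolling hash, chooses the block size adaptively and emits two signatures, none of which is reproduced here. The sample data is constructed (seeded pseudo-random bytes) so the demo runs offline.

```python
import difflib
import hashlib
import random

# Added example: a minimal context-triggered piecewise hash (CTPH). Piece
# boundaries are chosen by the content of a small sliding window, not by
# file offset, so an insertion only disturbs the pieces around it and the
# rest of the signature lines up again. This is an illustration, not ssdeep.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7                 # bytes of context that decide where a piece ends
FNV_OFFSET = 0x811C9DC5    # FNV-1a 32-bit parameters for the per-piece hash
FNV_PRIME = 0x01000193


def window_hash(data: bytes, end: int) -> int:
    """Hash of the WINDOW bytes ending at index `end` (inclusive). It depends
    only on those bytes, so it re-synchronises a few bytes after any edit."""
    h = 0
    for b in data[max(0, end - WINDOW + 1):end + 1]:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


def fuzzy_hash(data: bytes, blocksize: int = 64) -> str:
    """Signature 'blocksize:chars', one base64 character per content-defined piece."""
    sig = []
    piece = FNV_OFFSET                      # FNV-1a state for the current piece
    for i, b in enumerate(data):
        piece = ((piece ^ b) * FNV_PRIME) & 0xFFFFFFFF
        # Trigger: about one position in `blocksize` closes a piece.
        if window_hash(data, i) % blocksize == blocksize - 1:
            sig.append(B64[piece & 63])
            piece = FNV_OFFSET
    if piece != FNV_OFFSET:                 # trailing partial piece
        sig.append(B64[piece & 63])
    return f"{blocksize}:{''.join(sig)}"


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score from an edit-distance style comparison of the piece strings.
    Only signatures built with the same block size are comparable."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    matcher = difflib.SequenceMatcher(None, body_a, body_b, autojunk=False)
    return round(100 * matcher.ratio())


def _sample(seed: int, n: int = 4000) -> bytes:
    # Constructed sample "file" contents, seeded so the run is reproducible.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def demo() -> dict:
    original = _sample(1)
    # The same file with a short insertion in the middle: the MD5 changes
    # completely, but only the pieces around the edit change in the signature.
    variant = original[:2000] + b"patched by attacker!" + original[2000:]
    unrelated = _sample(2)
    sig_o, sig_v, sig_u = (fuzzy_hash(x) for x in (original, variant, unrelated))
    return {
        "md5_same": hashlib.md5(original).hexdigest() == hashlib.md5(variant).hexdigest(),
        "variant_score": similarity(sig_o, sig_v),
        "unrelated_score": similarity(sig_o, sig_u),
        "signature": sig_o,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the edited copy scores in the 90s against the original while the unrelated data scores near the noise floor, which is the property a cryptographic hash cannot give you. The check a practitioner should keep in mind is that a high score is evidence of shared content, not of shared origin: packed or encrypted samples defeat this, which is why the talk goes on to format-specific methods for executables and images.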

4:20pm - 5:20pm: Solution Provider Panel: Hear about strengths and weaknesses of the leading tools, services, and solutions in a format that enables vendors to interact in interesting ways and users to ask the kinds of questions they have always wanted to ask (but never dared).

6:30pm - 7:30pm: SANS Forensic Challenge Winners Presentation

Winners of the 2010 Forensic Challenge "Ann's Aurora" will be announced and presented with their awards at this live, internet-broadcast event!

Prizes: two netbooks and free passes to the 2011 Forensics/IR Summit

7:30pm - 8:30pm: Live Forensic 4Cast Podcast

Forensic 4Cast is a popular computer forensics and computer crime podcast. Join Lee Whitfield for a session of the Forensic 4Cast podcast recorded live from the Forensic Summit 2010.

Friday, July 9 2010

Time | Main Room | Deep Technical Breakout Room
7:00am - 8:30am: Breakfast
8:30am - 9:30am: Keynote Address: Amit Yoran, CEO, NetWitness
9:30am - 10:30am: Expert Briefing:

Bringing a Knife to a Gun Fight: The Arsenal Required for Modern Forensic Combat!

One of the most time consuming yet important aspects of any forensic investigation is the analysis of forensic information not located on the compromised machine. For example, logs from compromised systems and ancillary devices, such as routers, firewalls, and intrusion detection systems, combined with network-level flow and packet analysis, help paint a picture of the compromise from start to finish. Reviewing that data by hand, however, could take days, weeks, or even months to stitch together a timeline of events.

This talk serves to highlight the current forensic capabilities of Enterprise Security Information Management (ESIM) products, such as Security Information and Event Management (SIEM) and Log Management systems, and how you can best leverage the collected data to aid in forensic exercises. The speaker will also highlight how ESIM products need to evolve to best serve the forensic and incident response community in the future.

Expert Briefing:

IOC: The Death of Filename and MD5 Hash Searching

The increase in threat-centric security has highlighted a limitation in the community's ability to share intelligence in an actionable, manageable, and extensible way. In addition, describing how to detect an incident has shifted from solely network-based intelligence to a hybrid of both network- and host-based content, changing the type of information we want to share. These new methods, technologies and threats have driven commercial organizations — in cooperation with MANDIANT — to design a new indicator language. Named IOC (Indicator of Compromise), the extensible format can describe all the elements associated with detecting an intrusion at rest and in motion. This presentation will describe the need for a new sharing mechanism and its role relative to existing indicator reporting frameworks. We will also discuss what an IOC is, how IOCs fit into the investigation process, and how to build an indicator to detect threats throughout an enterprise. Lastly, we'll cover currently available tools that support the IOC format.

  • Kris Harms — Principal Consultant, MANDIANT
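The title's claim, that a filename or hash search dies the moment the implant is renamed or rebuilt, is easy to show with a composite indicator. The following is an added example written for this page; it is not MANDIANT's IOC schema, tooling or data. The indicator format (nested dicts with "and"/"or" branches), the term names, and every host, hash, mutex, path and domain are constructed for illustration.

```python
# Added example: a minimal indicator-of-compromise language with AND/OR logic,
# evaluated over artefacts collected from hosts. Format, terms and all sample
# data are hypothetical; this is not MANDIANT's IOC schema.

# Host artefacts as a collection agent might report them: term -> observed values.
HOSTS = {
    "WS-0117": {   # the sample originally recovered during the investigation
        "file.name": ["svchosts.exe", "kernel32.dll"],
        "file.md5": ["3f2b9e0d7f9a8c1e4d5b6a7f8e9d0c1b", "9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d"],
        "process.mutex": ["Global\\UPD4-2010-LOCK"],
        "registry.run.value": ["C:\\Windows\\System32\\svchosts.exe -k netsvcs"],
        "network.dns": ["update.example.net"],
    },
    "WS-0342": {   # same implant, renamed and recompiled: name and hash differ
        "file.name": ["upd.exe", "kernel32.dll"],
        "file.md5": ["c71e0a9b4d2f8e6c1b3a5d7f9e0c2b4a", "9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d"],
        "process.mutex": ["Global\\UPD4-2010-LOCK"],
        "registry.run.value": ["C:\\Users\\Public\\upd.exe -k netsvcs"],
        "network.dns": ["update.example.net"],
    },
    "WS-0503": {   # clean host that happened to resolve the same domain
        "file.name": ["notepad.exe", "kernel32.dll"],
        "file.md5": ["0b2c4d6e8f0a1b3c5d7e9f0a2b4c6d8e", "9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d"],
        "process.mutex": ["Global\\MSCTF.Asm.MutexDefault1"],
        "registry.run.value": ["C:\\Program Files\\Vendor\\tray.exe"],
        "network.dns": ["update.example.net"],
    },
}

# Composite indicator: any ONE branch is enough to flag a host. The branches
# that combine weak but attacker-stable artefacts (mutex plus persistence
# command line, beacon domain plus command line) survive a rename or rebuild.
APT_IOC = {"or": [
    {"term": "file.md5", "is": "3f2b9e0d7f9a8c1e4d5b6a7f8e9d0c1b"},
    {"and": [
        {"term": "process.mutex", "is": "Global\\UPD4-2010-LOCK"},
        {"term": "registry.run.value", "contains": "-k netsvcs"},
    ]},
    {"and": [
        {"term": "network.dns", "is": "update.example.net"},
        {"term": "registry.run.value", "contains": "-k netsvcs"},
    ]},
]}


def matches(node: dict, host: dict) -> bool:
    """Recursively evaluate an indicator tree against one host's artefacts."""
    if "and" in node:
        return all(matches(child, host) for child in node["and"])
    if "or" in node:
        return any(matches(child, host) for child in node["or"])
    observed = host.get(node["term"], [])
    if "is" in node:
        return node["is"] in observed
    if "contains" in node:
        return any(node["contains"] in value for value in observed)
    raise ValueError(f"unsupported indicator node: {node}")


def legacy_sweep(hosts: dict, md5s: set, names: set) -> list:
    """The old way: flag a host if a known-bad hash or file name is present."""
    return sorted(h for h, art in hosts.items()
                  if md5s & set(art["file.md5"]) or names & set(art["file.name"]))


def ioc_sweep(hosts: dict, indicator: dict) -> list:
    """Flag every host whose artefacts satisfy the composite indicator."""
    return sorted(h for h, art in hosts.items() if matches(indicator, art))


if __name__ == "__main__":
    bad_md5 = {"3f2b9e0d7f9a8c1e4d5b6a7f8e9d0c1b"}
    print("filename/MD5 search:", legacy_sweep(HOSTS, bad_md5, {"svchosts.exe"}))
    print("composite IOC      :", ioc_sweep(HOSTS, APT_IOC))
```

The hash-and-name sweep finds only the host the sample came from; the composite indicator also finds the rebuilt copy, and the domain-only observation on the clean host is not enough on its own because the branch requires the persistence artefact as well. That last point is the one to check when writing indicators: every OR branch should need at least two independent artefacts, or it becomes a noisy single-term search with extra syntax.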

10:30am - 10:50am: Break
10:50am - 11:50am: Panel:

Network Forensics Panel

Panelists will tell you the challenges of properly collecting and analyzing network-based evidence, which is critical in investigations. Data collected from intrusion detection systems, firewalls, routers, proxies, and access points all end up telling unique stories that could be critical to solving your case. Learn the latest techniques that are utilized in reacting to real attacks these experts have responded to. This panel includes some of the best minds for the future of network forensics. Listen to what they have to say. Network Forensics: No Hard Drive? No Problem.

Expert Briefing:

Sniper Forensics — One Shot, One Kill

At one time, computer forensics consisted of pulling the plug, imaging everything in sight, and loading those images into a massive forensics program for "analysis". As computer hackers became more resourceful, the complexity of computer forensics increased exponentially. Add to that the growing size of data storage devices, and it becomes infeasible to even consider imaging tens or hundreds of terabytes, let alone loading those images into some forensic software. So what's the answer? How can incident responders hope to remain relevant in today's operating environment? With Sniper Forensics!

Live analysis tools and techniques have exploded onto the incident response scene in the last two years. By gathering and reviewing volatile data and RAM dumps, incident responders can use time-proven principles like Locard's Exchange Principle, Occam's Razor, and the Alexiou Principle to target only the systems, and the specific files, that are part of the breach. What used to take hours of analysis can now be done in minutes! What used to take weeks can now take days!

By using sound logic and data reduction based on forensic evidence extracted from Sniper Forensics, incident responders can introduce accuracy and efficiency into their case work at a level not available through any other means. This is truly the cutting edge of modern computer forensics, and not something to be taken lightly! Don't miss the opportunity to learn tips, tools, and hear real world examples of how Sniper Forensics is literally changing the landscape of modern forensics!

  • Chris Pogue — Senior Security Consultant, Trustwave; Author of "Unix and Linux Forensic Analysis"
11:50am - 1:00pm: Lunch
1:00pm - 2:00pm: Expert Briefing:

CIRT-level Response to Advanced Persistent Threat

What do you do when you've discovered or learned that your organization is an Advanced Persistent Threat (APT) victim? In this presentation, Richard Bejtlich will address this question from a CIRT-level perspective. He will share general approaches to dealing with adversaries who either maintain a regular presence in a victim network, or who repeatedly seek to reassert a presence in a victim network.

2:00pm - 3:00pm: Panel:

Advanced Persistent Threat Panel Discussion

Panelists will discuss the Advanced Persistent Threat. What is it? How do you combat it? What are the biggest challenges in dealing with it? These experts have all actively worked cases involving the Advanced Persistent Threat and have the knowledge and experience to tell you first-hand what they know and what you should do if APT actors infect your network.

3:00pm - 3:20pm: Break
3:20pm - 4:20pm: Expert Briefing:

Intelligence-driven Response for Combating the Advanced Persistent Threat

In response to increasingly sophisticated and advanced persistent threats, Lockheed Martin's CIRT has developed effective new intelligence-based techniques for computer network defense. In this discussion, attendees will learn the principles and application of intelligence-driven response used to defend the nation's next generation of military technologies against computer network exploitation and espionage. By leveraging knowledge of APT actors gained through analysis of both successful and failed attacks, network defenders can act preemptively to detect and prevent future attempts, even when adversaries shift tactics and employ 0-day exploits. Central to these techniques is an understanding of risk, the attack progression (or "kill chain"), courses of action in response, and the indicator lifecycle, all of which will be discussed in depth with examples inspired by real-life attacks. The key take-away for attendees will be an appreciation for the role of intelligence in network defense, and how to use these techniques effectively in defense against APT actors.

Expert Briefing:

Shadow Warriors

In the last few years the number of cases involving volume shadow copies has soared. Since the introduction of this technology in Windows desktop operating systems, forensic investigators have struggled to find a viable method for extracting meaningful data from these files. Current methods of analysis take a great deal of time and storage. As a result, these files often go neglected in digital investigations.

This briefing will discuss how to manually decompile volume shadow copies in order to retrieve key evidence. A new software tool will also be demonstrated that automates this process without the overheads that prove so costly for investigator and client alike.

4:20pm - 5:20pm: Vendor Panel:

What Works in Computer Forensics and Incident Response Solutions

Hear about strengths and weaknesses of the leading tools, services, and solutions in a format that enables vendors to interact in interesting ways and users to ask the kinds of questions they have always wanted to ask (but never dared).

5:20pm - 5:30pm: Closing — Digital Forensic and Incident Response Summit 2010


Posted May 25, 2010 at 2:43 AM | Permalink | Reply

Dave Hull

Augh! It's killing me that I don't think I can make it this year. Looks like a great line up, Rob. Well done.