Keynote Presentation

 

Offense at Scale

Chris Rohlf - Senior Manager, Penetration Testing - Yahoo

 

Bio

Chris Rohlf runs the penetration testing team at Yahoo in NYC. He focuses on vulnerability discovery, reverse engineering, and exploit development. Chris has over thirteen years of experience in various security roles including developer, researcher and consultant. Before Yahoo he was the founder of Leaf Security Research, a small highly specialized security consultancy. Chris has discovered and published many security vulnerabilities affecting web browsers, operating systems and more. He has previously spoken at industry conferences including Black Hat.

 

Research Presentations

 

Catch more honey's when you're fly (Honeypots) - Ian Ahl and James Huber - @tekdefense 

 

Honeypots, while common knowledge to most security professional are often underused and under-appreciated. Many researchers and organizations avoid their use entirely. This talk will focus on how to build, maintain, and utilize various honeypot techniques as a method of gaining intelligence, and as an early warning system for both researchers and organizations. Additionally, tips, techniques, and real world examples on how to make honeypots more effective will be shared.

 

CryptoWall File Recovery and Analysis - Wyatt Roersma - @wyattroersma

 

I will cover the history of Ransomware all the way up to the latest versions in the wild today. I will walk through the light RE I did on CryptoWall 1.0 that exposed a major design flaw using the windows built in DeleteFile function to delete files from the system. I will go into my proof of concept showing how to recover files after the 1.0 infection. I was the first researcher to uncover this flaw and release it to the public. 

 

After this in depth malware analysis I will cover some of the latest updates to CryptoWall 2.0 and 3.0. I will also cover some of the phish emails and exploit kits that are common with Crypto variants. With the little time left I will walkthrough various solutions that can help prevent this nightmare.

 

Deconstructing the Catalog - Kenneth Johnson - @Patories

 

This talk will focus on the deconstructing the FileHistory Catalog that has been introduced in Windows 8 and still present in Windows 10. I will look at other artifacts that are important on the Host systems before diving into teaching the attendees how to understand the FileHistory Catalog that shows what files were present and backed up by the system. 

 

Examiners will be able to identify when a specific file was first identified in a Directory/Library that is part of the backup, as well as identify when it was removed/deleted from those same Directories. This allows Examiners to prove the presence of a file and how long it was being backed up by the system. 

 

I will showcase my tool that allows examiners to quickly produce a XLS report with the important information regarding these files. 

 

Digital Investigation and the Trojan Defense, Revisited - Golden Richard - @nolaforensix

 

Over the past 15 years, digital forensics has been radically transformed by the introduction of new tools and techniques that support very detailed investigation of a wide variety of digital crime scenes, spanning unauthorized data exfiltration, fraud, employee misconduct, kidnapping, child pornography, and murder. Modern digital forensics tools can be used to deeply examine not only computer systems, but smartphones, voice recorders, printers, cars, and much more.  A common defense used by those accused of wrongdoing in crimes involving digital evidence is the so-called Trojan defense, which essentially means "I didn't do that--a computer virus did it."  This defense has traditionally been quickly dismissed by investigators after a cursory examination of digital devices for the presence of malware.  Often, this sweep for malware consists of simply running an antivirus program, noting a negative result, and using this as a basis for proceeding with the charge of wrongdoing.  In all likelihood, this process was historically fairly accurate, because it was pretty unlikely that a virus did "do it".  Now, in the face of increasingly sophisticated cyber attacks and malware infections, it's frequently very possible that someone or something (e.g., malware) other than the "obvious" party may be guilty.  The solution to unraveling the accuracy of Trojan defenses and pointing the finger of blame in the right direction is increased technical sophistication for investigators. This talk surveys a number of recent high tech cyber attacks and discusses the implications for surety in digital

investigations while simultaneously underlining the importance of combatting cyber attackers with their own weapon: deep technical knowledge.

 

Forensic analysis of sUAS aka drones - David Kovar - @dckovar

 

Small Unmanned Aerial Systems (sUAS) aka “drones” are all the rage – they are invading your privacy, they are delivering your packages (and illegal drugs), they are even landing on the White House lawn. Where have they been? Where are they going? Who launched them? Let’s find out.

 

sUAS – emphasis on the final ‘S’ – are complex systems. The aerial platform alone often consists of a radio link, an autopilot, a photography sub-system, a GPS, and multiple other sensors. Each one of these components might contain a wealth of pieces to the answer to the above questions. Add in the ground control stations, the radio controller, and the video downlink system and you have a very complex computing environment running a variety of commercial, closed source, open source, and home brew software.

 

And yes, there is already malware specifically targeting drones.

 

During this presentation, we will walk through all of the components of a representative drone and discuss the forensic process and potential artifacts of each component, along with a presentation of the overall story told by the individual components.

 

File System Journaling Forensics - David Cowen - @HECFBlog

 

Journaled file systems have been a part of modern file systems for years but the science of computer forensics has only been  approaching them mainly as a method of recovering deleted files. In this talk we will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. We will demonstrate tools for NTFS and EXT3/4 that allow us to:

 

• Recover data hidden or destroyed by anti-forensics

• Recover previously unrecoverable artifacts

•Trace all file system movements and actions of malware

• The possibility of entirely new analysis techniques

 

This will be followed with practical examples showing how to use file system journaling forensics to answer questions we couldn't answer before. 

 

Embedding IR into the DNA of the Business - Sean Mason - @SeanAMason

 

We live in a new normal, where prevention has failed us time and again. Much like we have law enforcement to Detect & Respond to criminal behavior, a business’ only real protection is hiring their own enforcement to police their network by practicing Continuous Detection & Response. Getting away from the failed notion that an Incident Response plan is enough, the required people, processes, tools, measurements, and more will all be discussed in detail, drawing on experience and best practices at some of the largest and most complex organizations in the world.

 

Graphical Malware Actuation with PANDA and Volatility - Brendan Dolan-Gavitt - @moyix

 

A large portion of malware today has some graphical component: fake antivirus, adware, and trojaned file downloaders all require some user interaction before revealing their malicious behavior. In this talk, I will discuss my work to bring Volatility's ability to peer into the graphics subsystem of the Windows kernel to bear on the problem by integrating it into the PANDA-based Malrec sandbox. By combining the power of both tools, we can gain greater insight into malicious software and get a more realistic picture of its goals and behavior. 

 

Lessons Learned: Security at an Open Source Startup - Chris Sandulow and Andreas Nilsson - @joshuafalken

 

Everyone is aware that the sooner you apply ‘security’ to any project, the cheaper and more effective it will be. But how does this apply to a new company? What about its fast changing product? Where do you start and how do you balance a startup’s needs and culture while improving security?

 

The talk will discuss MongoDB's approach to both secure open source product development, and securing the organization. In conjunction with the talk, several internal tools created to help small teams audit and reduce risk, will be open sourced and released. We will discuss many topics, including what best practices to focus on early, AWS and GitHub security, MongoDB security product development, war stories and some lessons learned. 

 

MongoDB Inc. develops and ships an open-source NoSQL document database.

 

Memory Forensics for IR – Leveraging Volatility to Hunt Advanced Actors - Jared Greenhill - @jared703

 

This talk highlights the criticality of memory analysis in today’s IR intrusion space. This talk will give a background on IR related memory analysis and present a technical discussion on responding to advanced actor activity. Finally, a case study will be presented on how memory analysis broke open an extremely large intrusion and a subsequent Incident Response effort in the non-profit space. 

 

Product Security and DevOps - Michael Murray - @mmurray

 

The speed of product development has increased massively in the past 10 years. At the same time our formal secure development and SDL methodologies have fallen behind. This forces product developers to choose between rapid release times and security. We will examine the problems and present some solutions for moving security in to the DevOps lifecycle to ensure that we get fast AND secure.

 

Speed Kills: Rapid Visualizations for Determing Lateral Propagation - Paul Jaramillo - @DFIR_Janitor

 

During a typical investigation, its common to place priority on determining how and adversary is moving around in an environment. The earlier on you know this, the easier it is to track movement and plan for remediation. While TTPs can run the gambit of very basic to extremely crafty, a quick win can often be to analyze 5 common methods: Service & Privilege Account Abuse, RDP Connections, Remote Process Execution, Backdoor Ports, and Scheduled Tasks. By leveraging some of the newer graphing options available in Splunk 6.x, you can more quickly scope your incident and reduce your mean time to remediation.

 

The New World Order - Cris Neckar - @cneckar

 

The landscape of the security industry is shifting faster than ever before. With the advent of vulnerability rewards programs, advancements in attack detection and forensic analysis, and a churning arms race in exploit mitigation technologies and techniques, it has become increasingly difficult to keep up, let alone cut through the hype to make strategic decisions on where to focus limited resources. In this talk we will discuss the history of adversarial digital security, new approaches being pioneered by leading industry players, and outline strategies that can be stolen from industry leaders to keep your head above water.

 

Ubiquity Forensics - Your iCloud and You - Sarah Edwards - @iamevltwin

 

Ubiquity or "Everything, Everywhere” - Apple uses this term describe iCloud related items and its availability across all devices. iCloud enables us to have our data synced with every Mac, iPhone, iPad, PC as well as accessible with your handy web browser. You can access your email, documents, contacts, browsing history, notes, keychains, photos, and more all with just a click of the mouse or a tap of the finger - on any device, all synced within seconds.

Much of this data gets cached on your devices, this presentation will explore the forensic artifacts related to this cached data. Where is the data stored; how to look at it; how is it synced; and what other sensitive information can be found that you may not have known existed!

 

Update: What “Reasonable Security” Looks Like in 2015 and Beyond - David Stampley

 

Attempts to define rules for “reasonable security” take the form of new litigation, enforcement actions, legislation, and standards. Meanwhile, supervisors and managers tasked with implementing the rules find themselves with limited authority and job security. This session includes: (a) a fast-paced update on legal developments and trends that affect information security; (b) a rundown of pointers and pitfalls when talking about the rules; and (c) time for questions, collective crying in the wilderness, or brainstorming ways to hack out of the box that keeps information security professionals from having a say in what the rules look like.

 

What Your (Encrypted) iPhone Backup Says About You - Hal Pomeranz - @hal_pomeranz

 

Think your data is hidden because you ticked the "Encrypt Backup" checkbox in iTunes?  While the data files themselves may be encrypted, an enormous amount of metadata is available to anybody who can browse your iDevice backup directory.  Unencrypted data includes:

 

-- Device name and installed OS version

-- Device identifiers (serial number, phone numbers, IMEI numbers, etc)

-- Lists of installed applications

-- File and directory paths with full timestamp information

 

Live demos will show where to find and how to extract this data, and we will discuss some plausible scenarios for how the information might come back to haunt you.

 

Speaker Bios

 

Ian Ahl - Prinicpal Incident Response Consultant - FireEye

 

Ian Ahl (@TekDefense) is a Principal Incident Response Consultant with FireEye/Mandiant.  Ian has been in the IT industry for over 10 years, focusing on various aspects of security for the majority of that time. Ian holds a M.S. degree in Information Technology. Additionally he writes article and produces video tutorials on Information Security topics at http://www.TekDefense.com.

 

David Cowen - Partner - G-C Partners, LLC

 

 

Mr. Cowen has more than sixteen years of experience in the areas of integration, architecture, assessment, programming, forensic analysis and investigation. He currently holds the Certified Information Systems Security Professional certification from (ISC)2. He has been trained in proper forensics practices by the High Tech Crime Investigators Association, ASR Data and Guidance Software, and SANS, amongst others. He is an active contributor within the computer forensics community where he frequently presents and trains on various forensic topics. He has managed, created, and worked with multiple forensics/litigation support teams and associated procedures. His experience spans a variety of environments ranging from high security military installations to large/small private sector companies. He is the author of Infosec Pro Guide to Computer Forensics, Hacking Exposed: Computer Forensics (1st and 2nd edition) and the Anti Hacker Toolkit 3rd edition all by McGraw Hill.

 

Mr. Cowen has testified in a number of cases over the years with two of the highlights featured in Verdict Search being Exel Transportation Services Inc., a Delaware Corporation v. Total Transportation Services, LLC, a Delaware Corporation d/b/a Worldwide Total Transportation Services GP, LLC; Total Transportation Services, LP, a Delaware Limited Partnership d/b/a Worldwide Total Transportation Services, LP; Michael Joseph Musacchio, an Individual; and John Michael Kelly, an Individual, No. 3-06-cv-0593-R leading to a $10 million dollar settlement and Orix Capital Markets LLC v. Super Future Equities Inc., Keon Michael Arjmandi, Schumann Rafizadeh, Cyrus Rafizadeh and Houman Thomas Arjmandi, No. 3:06-cv-00271-B leading to a $12.5 million dollar verdict.

 

Brendan Dolan-Gavitt - Postdoctoral Researcher - Columbia University

 

Brendan Dolan-Gavitt is a postdoctoral researcher at Columbia University working on making reverse engineering automated and available to everyone. Prior to joining Columbia he did a PhD at Georgia Tech under Wenke Lee, working on virtual machine introspection, memory forensics, and reverse engineering. He will be joining the faculty at the NYU Polytechnic School of Engineering as an assistant professor in CS this fall.

 

Sarah Edwards - Digital Forensics Analyst - SANS/Parsons Corporation

 

 

Sarah is an senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter‐intelligence, counter-narcotic, and counter‐terrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at many industry conferences including; Shmoocon, CEIC, Bsides*, Defcon and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. Sarah is the author of the new SANS Mac Forensic Analysis Course - FOR518.

 

Jared Greenhill - Senior Practice Consultant, IR - RSA

 

 

Jared Greenhill  is currently an incident responder for RSA's IR practice where he performs a multitude of DFIR tasks including network and host based forensics, memory analysis and reverse engineering of malware. Prior to joining RSA, Jared was a forensic analyst for US-CERT’s Digital Media Analytics team where he performed malware analysis and provided digital forensic support. 

 

Jared holds a MS in Computer Forensics from George Mason University and has several security related certifications.

 

Jim Huber - Consulting Security Engineer - Fortinet

 

Jim Huber is a Consulting Security Engineer with Fortinet. Jim has also been in the IT industry for over 10 years where he was focused mostly on network operations and security particularly in military deployed environments. Jim holds an M.S. degree in Information Technology and is currently working on his D.Sc in Information Systems and Communication. Jim is a contributor to blogs and topics on the http://www.TekDefense.com site.

 

Paul Jaramillo - Principal Consultant - CrowdStrike

 

Paul is currently a consultant for CrowdStrike in Saint Louis. His area of passion are incident response, threat intelligence, and digital forensics. He has previously worked for the DoE, a large telco, a large manufacturer, and a Fortune 10 conglomerate. Some career highlights include breaking into a 2-factored VPN as a pen tester, successfully investigating an insider threat case across the globe as a forensics examiner, and hunting & ejecting nation state adversaries from corporate and government networks. Paul is also a proud husband and father of 2 kids, as well as a huge college football fan.

 

Kenneth Johnson - KPMG

 

 

Kenneth has been speaking since 2012 on various new artifacts identified in Windows 8 and has continued to provide usable information regarding their importance. He is currently with KPMG Forensic Technology team with an emphasis on Incident Response, Digital Evidence Recovery and Threat Intelligence integration. 

 

David Kovar

 

David Kovar is a senior manager in Ernst & Young’s Advisory Center of Excellence developing and offering operational services in the digital forensics and incident response space. He’s also been an entrepreneur, ediscovery consultant, software engineer, search and rescue incident command, executive protection agent, and lethal forensicator. He’s collected images in China, rescued wayward Americans in Australia, and fenced with APT actors from all over the world. Oh, and he flies sailplanes, fixed wings, helicopters, and drones…..

 

Sean Mason - VP, Incident Response & Customer Success - Resolution1 Security

 

 

Sean Mason is the Vice President of Incident Response & Customer Success for Resolution1 Security. After serving his commitment to the US Air Force, Sean has spent his career with Fortune 500 companies (GE, Monsanto, Harris & CSC) where he has worked in a variety of IT & industry verticals, including software development, auditing, information security, Defense, Aviation, Finance, Energy, Biotechnology, and Healthcare. Sean served as the Defense Industrial Base (DIB) representative for Harris from 2009-2011 and also notable is that Sean was the Director of Incident Response for GE for a number of years. Sean also serves as a Subject Matter Expert for ISC2, helping to design credentials’ common body of knowledge and exam questions as well as sitting on the ISC2 Application Security Advisory Council (ASAC).

 

Michael Murray - Director - Secure Product Development - GE Healthcare

 

 

Michael Murray is the Director of Secure Product Development at GE Healthcare, responsible for providing architecture and security assessment services to support GE Healthcare’s engineering teams in building secure products.  A career information security professional, Michael has taken leadership roles in organizations ranging from small consulting firms to Fortune 100 companies.  Before joining GE, Michael was co-founder and managing partner of MAD Security / The Hacker Academy.   He holds a BA in Philosophy from the University of Toronto.

 

Cris Neckar - Co-Founder - Divergent Security

 

Cris Neckar is the Co-founder and a Principal of Divergent Security. He was one of the original members of Google's Chrome Security Team, and a Professor of Application Security Assessment and Exploit Development at DePaul University. With over 10 years of experience in vulnerability research, some of Cris' public disclosures include critical, remotely exploitable vulnerabilities in the Microsoft Windows kernel, Microsoft Internet Explorer, Google Chrome, and Apple Safari.

 

Andreas Nilsson - MongoDB

 

 

Andreas Nilsson leads the Security Development Team for the MongoDB database. Prior to MongoDB, Andreas was a Security Architect at NASDAQ OMX in Stockholm. Prior to NASDAQ OMX, Andreas worked with full disk encryption at Check Point software.

 

Hal Pomeranz - Principal - Deer Run Associates

 

 

Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the US and Europe and global corporations.

 

Hal is a SANS Faculty Fellow and a respected author and speaker at industry gatherings worldwide. Hal is a regular contributor to the SANS Computer Forensics blog and co-author of the Command Line Kung Fu blog.

 

Golden Richard - Research Professor - University of New Orleans

 

Golden G. Richard III is a digital forensics and and computer security expert and a Fellow of the American Academy of Forensic Sciences, with over 35 years of practical experience in computer systems and computer security. He is Professor of Computer Science, University Research Professor, and Director of the Greater New Orleans Center for Information Assurance (GNOCIA) at the University of New Orleans, where he has taught and conducted research for the past 20 years. His research interests mirror his teaching interests: digital forensics, reverse engineering, offensive computing, operating systems internals, and malware analysis. Dr. Richard is also a member of the United States Secret Service Electronic Crime Taskforce, the Editorial Board of the Journal of Digital Investigation, and the Editorial Board of the International Journal of Digital Crime and Forensics (IJDCF).  He

is a founding member and chairman of the non-profit that runs the Digital Forensics Research Workshop (DFRWS), the premiere venue for publishing digital forensics research. He earned his Ph.D. from The Ohio State University.

 

Wyatt Roersma - Target

 

 

Senior Security Engineer. I love DFIR, most of all memory forensics and volatility ;) I research Malware for fun and Dev for volatility. 

 

Chris Sandulow - MongoDB

 

Chris Sandulow works on enterprise security at MongoDB. Prior to MongoDB, Chris was a Security Architect at NASDAQ OMX in New York. Prior to NASDAQ, Chris worked on the National Incident Response Team (NIRT) for the Federal Reserve System.

 

David Stampley - Partner - KamberLaw

 

Dave Stampley, CIPP, is a partner at KamberLaw in New York, where he litigates information-technology-related class actions and provides compliance consulting services. In his prior roles that include regulatory enforcer (New York Attorney General’s Office), privacy officer (a Fortune1000 B2B technology provider), and consultant (Neohapsis), he has specialized in data privacy and security compliance for over 15 years. He started his legal career as an Assistant District Attorney in the Manhattan D.A.’s Office.