SANS DFIR Europe Summit 2019Monday 30 September, Prague #DFIREurope

@SANSEMEA @SANSforensics #DFIREurope

Agenda We strive to present the most relevant, timely and valuable content. As a result, this

Agenda is subject to change. Please check back frequently for changes and updates.

Sunday, 29 September 2019

18:00 – 20:00

19:00 - 20:00

Pre-Summit Meet and Greet

This optional session offers the opportunity to meet and network with your fellow attendees as well the night before the Summit kicks off. We highly recommend you attend if possible.

Apple Watch forensics (Live Demo)

Apple Watch is one of the most popular wearable devices. Working in the Apple ecosystem, it holds a lot of valuable information, but how do you extract it from there? watchOS does not include any backup engine. Its data is included into iPhone (the watches are paired with) backup, and some is also synced with the iCloud (but mostly through the iPhone as well). If you do not have the paired iPhone itself, that's a problem: pairing with the other device will remove all the data. Still, there is a way to get at least some of the data directly from Apple Watch. In theory, even full file system acquisition is possible, but that would require jailbreaking while only a few experimental non-complete jailbreaks for older watchOS versions are available. Without the jailbreak, we can get only detailed device info (serial number and model), media files (pictures and music), list of applications installed, and some logs. Synced pictures are resized, but still keep EXIF data, so some location data is available as well. Much better than nothing! All you need is some special hardware and software.

Mattia Epifani, CEO, REALITY NET - System Solutions Snc

Francesco Picasso, CTO, REALITY NET - System Solutions Snc

Monday, 30 September 2019

08:00 – 09:00 Registration and Coffee

This is another great opportunity to meet, greet and interact with your peers so come down early.

09:00 – 09:10 Welcome and Introduction by Summit Chair

Jess Garcia, Founder and Technical lead of One eSecurity

09:10 – 10:00 Keynote

a) When Data Talks, b) The Beautiful Mind of a Timeline

How does one find the needle in the sea of haystacks that is our data? In this presentation we'll talk about how one can utilize Timesketch as a data exploration platform and as a method to experiment with data science techniques to both surface anomalies as well as reduce noise. We'll explore the benefits of thinking like a data scientist and will demonstrate this with examples of statistical analyzers in Timesketch.

Kristinn Gudjonsson, Member of the Detection & Response team, Google

Johan Berggren, Security Engineer, Google

@SANSEMEA @SANSforensics #DFIREurope

Monday, 30 September 2019

10:00 – 10:35 Memory Smearing: Myth or Reality?

Memory forensics techniques work on the assumption that the information inside a memory dump is consistent and the copy of the physical memory was obtained in an atomic operation. Unfortunately, this is seldom the case and since the content of the memory is changing very rapidly, the resulting memory dump may contain inconsistent data. While this problem is known, its consequences are unclear and often overlooked. Unfortunately, errors can be very subtle and can affect the results of an analysis in ways that are difficult to detect. In this presentation we show our research efforts to shed some lights on this matter. First of all we discuss several experiments we conducted to show that inconsistencies are very frequent and can negatively impact an analysis of user and kernel space memory. We then discuss modifications we made to popular memory forensic tools to minimize the effects of memory smear, both during the acquisition and the analysis of a memory dump. Finally we show how we built a graph-based model of kernel objects and how this graph can be used to detect inconsistencies in a more systematic way.

Fabio Pagani, PhD Student, Eurecom

10:35 - 11:05 Networking Break: Drinks and snacks will be served

11:05 – 11:40 Incident response in the cloud: foggy with a ray of sunshine

This presentation will consist of three key parts highlighting incident response challenges in the cloud, but also how we can purposely use what cloud providers offer us to improve our security operations. The first section will include some key examples of what went wrong during incident in cloud environments and listing some key challenges that we face as an incident response team to investigate security incidents in depth. A second section in the presentation describes the overview of critical logs that are required to do incident response, these logs and settings are mapped on the 2 main cloud providers Amazon AWS and Microsoft Azure. This session will allow you to understand which logs are there by default and which logs should be activated for incident response and forensic investigations. A 3rd section will introduce automated response, by explaining a use case were a system gets infected, server-less code will be executed to protect other systems and enable advanced analytics on the compromised system. This example is based on Microsoft Azure Security Center and app-logic to enforce actions in case a specific alert is triggered.

Jeroen Vandeleur, Director, NVISO

11:40 – 12:15 Slacking Off: Slack artefacts on Windows

Whitepapers and online information regarding Slack indicate that strong encryption is used for data in transit and on servers out in the ether. However, little is mentioned regarding how the data is stored on the device. This presentation outlines the format and content of a number of artefacts observed to date.

Kathryn Hedley, Director, Khyrenz Ltd

12:15 - 13:15 Networking Luncheon Lunch is served onsite to maximize interaction and networking among attendees.

@SANSEMEA @SANSforensics #DFIREurope

Monday, 30 September 2019

13:15 – 14:00 Lightning Talks

Tsurugi Linux project, the right DFIR tools in the "wrong time”...

Giovanni Rattaro, Senior Cyber Security Expert, Openminded

‘TuxResponse - Linux Incident Response Framework’

Hristiyan Lazarov, VP, Deutsche Bank

14:00 – 14.35 Handling BEC's in an Office 365 environment

This presentation discusses the challenges of a Business Email Compromise (BEC) and how to address those challenges from an incident responder’s perspective. Two major challenges identified from responding to a BEC are log acquisition and analysis. Log acquisition from an Office 365 environment is particularly challenging because of the sheer amount of logs stored and their export limits. This notion further complicates analysis of those logs. In order to address these challenges, we developed a PowerShell script that is open-sourced, and able to acquire and analyze Office 365 logs in a reliable manner. The analysis component of the tool, supports incident responders by providing additional insights into a threat actor’s tactics, techniques, and procedures. Furthermore, the new functionality of mailbox auditing that Microsoft has recently added is assessed as a complimentary tool for helping incident responders.

Joey Rentenaar, Incident Response Specialist, PWC

Curtis Hanson, Threat Intelligence Specialist, PWC

14:35 – 15:10 Managing Major incidents

Investigating large scale breaches can be demanding and challenging. Not only does it require a well-versed and top-notch investigators team but moreover an engagement lead that keeps the overview, communicates outcomes to stakeholders and plans the next steps. During an investigation, the engagement lead constantly receives data about the breach from investigators, the client and sometimes external entities like police or other officials. It is up to the engagement lead to organize, qualify and document the data in a usable fashion. Organizing the breach relevant data can be a daunting task. In the beginning, it is often not clear what the relevant information is and how it will be used in the future. Additionally, over time this task allocates more and more resources. For that reason we present a tool that acts as engagement management sheet and if used right delivers the capability to stay on top of a case. We use that tool in our investigations, and it supports us from the initial call, in every status meeting and to the point where we write our final report. In this talk, we argue about common pitfalls in breach investigation management and how to avoid them by using the free tool to record important case data and the investigative process that comes along with it. We will also give a little insight into our internal version of the tool that is more integrated with our systems and speeds up information handling even more. The tool is free and will remain free and the content is more focused on the processes and interaction between multiple investigators.

Mathias Fuchs, Head of Investigation & Intelligence, InfoGuard AG

Michael Kurth, Senior Analyst, Infoguard AG

@SANSEMEA @SANSforensics #DFIREurope

Monday, 30 September 2019

15:10 – 15:45 Performing Linux investigations at scale

Objective: To carry out an investigation and incident reporting for large Linux estates in an automated manner while aligning to professional reporting standards. The task may seem straightforward when you have a large Incident response team with infinite resources. However, with limited man-power, a more efficient approach is required. The talk describes an approach that involves triaging important artefacts across numerous endpoints, and then automatically generating a professional report of suspicious activity. The data extracted from the endpoints would also be aggregated into an ELK stack for analysts to conduct further investigation where needed. Attendees will learn which artefacts are of forensic importance on Linux, how to collect these artefacts using a bash script, and how to parse them into a professional report format using Latex.

John Rogers, Consultant: Investigations and Incident Response, MWR Infosecurity

Joanni Green, Senior Consultant: Investigations and Incident Response, MWR Infosecurity

15:45-16:05 Networking Break Drinks and snacks will be served

16:05 – 16:40 smbtimeline - An automated timeline for SMB Traffic

smbtimeline is, as the name already states, a tool to produce a timeline out of SMB traffic. Inspired by the manually work of putting together an investigative timeline from SMB traffic, its purpose is to provide a timeline from a given pcap file. Particularly as Incident Response is about to focus on the right amount of details at the right time, smbtimeline provides an overview about the SMB traffic and not showing every possible bit of information but still enriching packets with useful details. In order to archive this goal, smbtimeline arranges not only SMB commands, but also important commands taken from protocols which utilize SMB as transport medium, in an easy to handle .csv file. As of today, smbtimeline supports two output formats - the native smbtimeline .csv format and a log2timeline compatible csv output format. The latter enables analysts to merge the output into an existing timeline produced by log2timeline. As it is one of Olaf's private projects, it will be released open source and free to use for everybody around the SANS DFIR Europe Summit in Prague 2019.

Olaf Schwarz, Senior IT-Security Analyst, Austrian Energy CERT / CERT.at

16:40 – 17:15 The Unified Logging confession

How to know what an iDevice user was doing ? You can certainly extract data such as messages, events or media. But how to know that this user activated airplane mode? iOS is logging an enormous amount of data in Unified Logging System. Currently no forensic software parse this data and make sense out of it. During this talk we will demonstrate how to extract and parse the logs. We will also show how to extract valuable information and illustrate with real case examples. Every investigator will ask to get that information after attending this presentation.

Johann Polewczyk, Mac forensic expert, French Gendarmerie National Forensic Lab

Matthieu Regenery, Data extraction expert, French Gendarmerie National Forensic Lab

17:15 – 17:30 Closing Remarks by Summit Chair

Jess Garcia, Founder and Technical lead of One eSecurity

Social events and informal networking activities are hosted after the Summit.

@SANSEMEA @SANSforensics #DFIREurope

FOR508

Advanced Incident Response, Threat

Hunting, and Digital Forensics

Advanced Network Forensics: Threat

Hunting, Analysis, and Incident Response

FOR572

Windows Forensic Analysis

FOR500

Mac and iOS Forensic Analysis and Incident

Response

FOR518

FOR526

Advanced Memory Forensics & Threat

Detection

Smartphone Forensic Analysis

In-Depth

FOR585

Reverse-Engineering Malware: Malware Analysis Tools and

Techniques

FOR610

SANS DFIR EUROPE 2019S U M M I T & T R A I N I N G

3 0 S E P T - 6 O C T 2 0 1 9 , P R A G U E

SANS DFIR Europe Summit 2020

Register your name with the Summit team to confirm your place at next year’s Summit:

emea-summits@sans.org

@SANSEMEA @SANSforensics #DFIREurope