Digital Forensic Science

[Webinar] DFIROnline: Memory Forensics with Volatility

For those of you interested in memory forensics with Volatility:

<div class="p1">Thursday, 17 January, 2013 - 20:00 EST (GMT - 5)</div><div class="p1">[EST 20:00] [GMT 01:00 +1 day] [KST/JST 10:00 +1 day] [AUS 11:00 +1 day]</div><div class="p1">
</div>
<div class="p2">A fun concise workshop about Volatility with a lot of hands on components. It should take around 60-80 minutes with questions. Michael Cohen, one of the Volatility developers, will be giving an extensive overview of memory forensics with Volatility.</div><div class="p1">
</div><div class="p1">For more information and instructions on how to join see the website: http://www.writeblocked.org/index.php/dfironline.html</div><div class="p1">
</div><div class="p1">No registration, email address or other personal information is required, just sign in as a guest with whatever name you want.</div>

Fifth International Conference on Digital Forensics and Cyber Crime - ICDF2C 2013

Fifth International Conference on Digital Forensics and Cyber Crime - ICDF2C 2013
25-27 September 2013
Moscow, Russia
http://www.d-forensics.org/2013

Submission deadline: 1st June 2013
Notification of Acceptance: 1st August 2013
Camera Ready: 1st September 2013
Conference Date: 24th and 26th October 2013

CALL FOR PAPERS
Keeping up with our international theme at ICDF2C, we are proud to announce this year that ICDF2C 2013 will run in parallel to InfoSecurity Russia 2013, the premiere information security industry event in Russia. In addition to maintaining its high academic standards, the 2013 conference participants will be able to attend both the InfoSecurity Russia event and ICDF2C and hear the latest developments in both research and industry. The conference provides a venue which offers chances for networking and high-quality training through expert speakers, state-of-the-art work from researchers all around the world, and tutorials on digital forensic techniques and methods of cyber crime investigation. This ICST conference is endorsed by EAI.

[Scope]
The Internet has made it easier to perpetrate crimes by providing criminals an avenue for launching attacks with relative anonymity. The increased complexity of the communication and networking infrastructure is making investigation of the cybercrimes difficult. Clues of illegal activities are often buried in large volumes of data that needs to be sifted through in order to detect crimes and collect evidence. The field of digital forensics and cybercrime investigation has become very important for law enforcement, national security, and information assurance. This is a multidisciplinary area that encompasses law, computer science, finance, telecommunications, data analytics, and policing. This conference brings together practitioners and researchers from diverse fields providing opportunities for business and intellectual engagement among attendees.

[Topics]
The following topics highlight the conference’s theme:

<ul><li>Business Applications of Digital Forensics</li><li>Cyber Crime Investigations</li><li>Digital Forensics Techniques and Tools</li><li>Digital Forensics Process & Procedures</li><li>Theoretical Foundations of Digital Forensics</li><li>Digital Forensics & Law</li><li>Mobile / Handheld Device & Multimedia Forensics</li><li>Digital Forensics Standardization & Accreditation</li><li>Cyber Criminal Psychology and Profiling</li><li>Cyber Culture & Cyber Terrorism</li><li>Information Warfare & Critical Infrastructure Protection</li></ul>
[Submission Cathergories]
Submissions can be made in a number of categories: Completed research papers, research-in-progress papers, industrial talks, panel and tutorial proposals, and round table discussions. Please follow the following guidelines in preparing your submission.

<ul><li>Completed Research Papers: No longer than 16 pages (including abstract, figures, tables and references).</li><li>Research in Progress Papers: No longer than 8 pages (including abstract, figures, tables and references). </li><li>Industrial Talk: Typically a 1,000 word description of the proposed talk. All talks must be vendor neutral.</li><li>Round Table Discussion: Typically a 1,000 word synopsis of the topic area.</li><li>Panel Proposals: Typically a 1,000 word description, identifying the panelists to be involved.</li><li>Tutorial Proposals: Typically a 1,000 word description of topic(s), potential speakers, program length, and potential audience. Also, include proposer resume(s).</li></ul>

Digital Forensic Research Workshop (DFRWS) 2013

CFP DFRWS 2013

Important dates:

<ul><li>Submission deadline: February 20, 2013 (any time zone). This is a firm deadline. </li><li>Author notification: April 9, 2013 </li><li>Final draft and speaker registration: April 30, 2013 </li><li>Conference dates: August 4-7, 2013 </li></ul>
Topics of Interest:

<ul><li>Memory analysis </li><li>Filesystem forensics </li><li>Incident response and live analysis </li><li>Network-based forensics Traffic analysis, traceback and attribution </li><li>Event reconstruction methods and tools</li><li>Application analysis </li><li>Embedded and mobile device forensics </li><li>Large-scale investigations </li><li>Digital evidence storage and preservation </li><li>Data mining </li><li>Data hiding and discovery </li><li>Data recovery and reconstruction </li><li>Multimedia analysis </li><li>Database forensics </li><li>Tool testing and development </li><li>Digital evidence and the law </li><li>Anti-forensics and anti-anti-forensics </li><li>Case studies and trend reports </li><li>Malware forensics </li><li>Data visualization in forensic analysis </li><li>Forensics in distributed and virtual environments </li><li>Interpersonal communications and social network analysis </li><li>Non-traditional approaches to forensic analysis </li></ul>

The above list is only suggestive. We welcome new, original ideas from people in academia, industry, government, and law enforcement who are interested in sharing their results, knowledge, and experience. Authors are encouraged to demonstrate the applicability of their work to practical issues. Questions about submission topics can be sent via email to: dfrws2013-papers dfrws org

Webinar: Pitfalls of Interpreting Forensic Artifacts in the Windows Registry

Forensic Focus Webinar concerning analysis and of the Windows Registry from UCD’s very own Jacky Fox titled: Pitfalls of Interpreting Forensic Artifacts in the Windows Registry. From ForensicFocus.com:
<blockquote>In our next webinar, Jacky Fox, student at UCD School of Computer Science and Informatics, presents the results of her dissertation on Windows Registry reporting - focusing on automating correlation and interpretation. After the webinar Jacky will be available in the Forensic Focus webinars forum to answer any questions. </blockquote><blockquote>Date: Thursday, November 1st 2012
Time: 12PM (midday) EDT US / 4PM GMT UK / 5PM CET Europe
Duration: 20 mins </blockquote><blockquote>There is no need to register for this webinar, simply visit http://www.forensicfocus.com/webinars at the above time (the webinar has been pre-recorded and will be archived for viewing later if you are unable to attend).</blockquote>I’ve worked with Jacky, and know her thesis well. It should very interesting for anyone who works with the Windows Registry.

Conference: SANS DFIR Summit 2013

SANS DFIR Summit 2013 - Call For Speakers - Now Open

<div class="summary" style="border: 0px; font-family: Arial, Helvetica, 'Nimbus Sans L', sans-serif; font-size: 13px; outline: 0px; padding: 0px; vertical-align: baseline;">
</div><div class="summary" style="border: 0px; font-family: Arial, Helvetica, 'Nimbus Sans L', sans-serif; font-size: 13px; outline: 0px; padding: 0px; vertical-align: baseline;">Dates:
Summit Dates: - July 9-10, 2013
Post-Summit Course Dates: July 11-16, 2013

Summit Venue:
Omni Hotel Downtown Austin
700 San Jacinto @ 8th Street
Austin, TX 78701
Phone: (512) 476-3700
Fax: (512) 397-4888
Omni Hotel

The 6th annual Forensics and Incident Response Summit will again be held in the live musical capital of the world, Austin, Texas. The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. The 2013 theme is currently in development as the digital forensics and incident response community is constantly evolving and our content promises to be cutting-edge and relevant to ensure you will be able to utilize the ideas presented when you return to your organization.</div><div class="summary" style="border: 0px; font-family: Arial, Helvetica, 'Nimbus Sans L', sans-serif; font-size: 13px; outline: 0px; padding: 0px; vertical-align: baseline;">
Call for Speakers - Now Open

The 6th annual Forensics and Incident Response Summit Call for Speakers is now open. If you are interested in presenting or participating on a panel we are looking for user-presented case studies with communicable lessons.
The Forensics Summit offers speakers opportunities for exposure and recognition as an industry leader. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.</div><div class="summary" style="border: 0px; font-family: Arial, Helvetica, 'Nimbus Sans L', sans-serif; font-size: 13px; outline: 0px; padding: 0px; vertical-align: baseline;">
Benefits of Speaking

Promotion of your speaking session and company recognition via the Forensic conference website and all printed materials
Visibility via the Forensic single-conference presentation email link for many months following the conference
Full conference badge to attend all Summit sessions
Private speaker lunch
*Speakers may also be recorded and made available via the Internet to a wider audience (at the discretion of SANS).

Submission Guidelines
</div><ul><li>Title</li><li>Author Name(s)</li><li>Author Title</li><li>Company</li><li>Speaker Contact Information: Address, phone number, email address</li><li>Biography</li><ul><li>Your biography should be approximately 160 words. You may include your current position, titles, areas of professional expertise, experience, awards, degrees, personal information, etc.</li></ul><li>Abstract</li><ul><li>The presentation abstract should outline your presentation and what attendees will learn. All content must be strictly educational. The presentation should be relevant to: Media Exploitation Analysts, Legal, Incident Response Teams, Security Operations and Law Enforcement professionals.</li></ul></ul>
Session/panel length: 60 minutes
Presentation: 50-55 minutes
Question & Answer: 5-10 minutes

Submit your submissions to [email protected] by January 18, 2013 with the subject “SANS DFIR Summit CFP 2013.”

Revisiting the Four Grand Challenges in Trustworthy Computing: Challenge 2

A while back we looked at Challenge 1 in the Four Grand Challenges in Trustworthy Computing from 2003. In my opinion, we have fallen quite short on Challenge 1, that is “eliminating epidemic attacks by 2014”. Today, we will look at Challenge 2.
<div class="separator" style="clear: both; text-align: center;"></div>
Challenge 2, is generally defined as “ensure[ing] that new, critical systems currently on the drawing board are immune from destructive attack”.

Challenge 2 looks at systems of critical importance that are currently being designed and implemented. Unlike Challenge 1, that focuses on systems that are already deployed, Challenge 2 focuses on security, reliability and trustability of systems that are (or were at that time) currently being developed.

The metric of success is based on the CIA model, focusing on systems that ensure:
<ul><li>Confidentiality</li><li>Integrity</li><li>Availability</li></ul>and is extended with:
<ul><li>“Auditability”</li><li>Global Accessibility</li></ul><div>The group identified a number of critical systems (Figure 1), and stated that “there is very little reason to believe that such systems, if developed under current technology, will be trustworthy”.</div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"></td></tr><tr><td class="tr-caption" style="text-align: center;">Figure 1. Critical systems and infrastructure identified by the CRA group in 2003.</td></tr></tbody></table><div>This statement comes almost five years after the U.S. Presidential Directive 63, which had a national goal stating:
<blockquote class="tr_bq">No later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation’s critical infrastructures from intentional acts that would significantly diminish the abilities of:
<ul><li>the Federal Government to perform essential national security missions and to ensure the general public health and safety;</li><li>state and local governments to maintain order and to deliver minimum essential public services.</li><li>the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services.</li></ul></blockquote>The Colloquium for Information Systems Security Education in 2008 again put critical systems, and specifically SCADA systems, as a priority area in need of organized research. There has been a growing amount of research into critical system defense, security and forensics, but the 2011 alleged hacking of an Illinois water system, as well as some infrastructures we have seen, lead me to believe that research is not being practically implemented.

From discussions with people dealing with critical infrastructure, there seems to be an attitude much like a home computer user. They know there is a risk, but in many cases don’t feel like there is a big enough risk to justify investing the amount of money necessary to update, secure and monitor their systems (even some physical systems). In the U.S., government regulation to that would allow the DHS to “enforce minimum cybersecurity standards on infrastructure computer systems that, if damaged, would lead to mass casualties or economic loss”. Regulation, however, was opposed.

I somewhat understand why some critical infrastructure providers may find it hard to justify large investment in cybersecurity. Last year, 198 cyber incidents were reported to DHS across all critical infrastructure sectors, most of which were reportedly spear-phishing attempts. Granted, many more attacks probably took place that were not discovered / reported, but with numbers like that, a director may be thinking that it is statistically unlikely that they would get hit.

For me, the takeaway is that critical systems are still not being designed with cybersecurity, and sometimes even physical security, in mind. Further, critical infrastructure providers have the same problems as any other business; their people - as well as technology - can be a security gap. Since critical infrastructure is a hot topic right now, I hope security and risk awareness increased, but I have yet to see any real changes implemented in many countries. Almost 10 years after the grand challenge was proposed, I would say that not only are we not designing systems that are “immune from destructive attack”, but we are still not designing critical systems with basic cybersecurity in mind.

</div>
Image: FreeDigitalPhotos.net