On June 6th and 7th, in the sweltering heat and humidity, I had the pleasure of attending at the 2014 SANS Digital Forensics and Incident Response Summit, held annually in Austin, Texas. Not only did I attend, but I was honored to be included on a panel discussing how to write a digital forensics book – as I’ve written a few security books in the past – as well as a 360 talk where the speaker is challenged to present a talk within a 6 minute time limit (i.e. 360 seconds).
The panel, moderated by Computer Forensics and Digital Investigation with EnCase Forensic (McGraw-Hill) author Suzanne Widup went very well. The panel comprised of (from left to right in the accompanying picture):
- David Cowen, Author of Hacking Exposed: Computer Forensics, Anti Hacker Toolkit 3rd Edition, and The Computer Forensics Infosec Pro Guide, (McGraw-Hill),
- Joseph Shaw, Author of Unified Communications Forensics, (Syngress),
- Heather Mahalik, Co-author of Practical Mobile Forensics, (Packt Publishing),
- Me (Andrew Hay),
- Eric Zimmerman, X-Ways Forensics Practitioner’s Guide, (Syngress), and
- Warren Kruse, Author of Computer Forensics: Incident Response Essentials, (Addison Wesley)
The general consensus, know what you’re getting into, plan your time accordingly, have emotional and familial support.
I also had the opportunity to sit through a number of other sessions during the conference as well, including:
- Don’t Let Your Tools Make You Look Bad – Troy Larson, Principal Network Security Analyst, Microsoft Corp
- Reverse Engineering Mac Malware – Sarah Edwards, Senior Digital Forensic Investigator at Harris Corporation
- Mach-O Binary Data Analysis – David Dorsey, Lead Security Researcher, Click Security
- Supersize Your Internet Timeline with Google Analytic Artifacts – Mari DeGrazia, Senior Security Consultant, RISK Team – Verizon
- Excel at Forensics – Anthony Gawron, Manager, KPMG LLP & David Nides, Manager, KPMG LLP
- Peeling the Application Like an Onion – Lee Reiber, Vice President of Mobile Forensic Solutions, AccessData
- The Forensic 4cast Awards – Lee Whitfield, Director of Forensics, Digital Discovery (Note: I didn’t win anything….again.)
- Closing the Door on Web Shells – Anuj Soni, Lead Associate, Booz Allen Hamilton
- Incident Response Patterns: The “Now What?” to the DBIR and VCDB – Kyle Maxwell, Senior Researcher, Verisign & Kevin Thompson, Senior Researcher, Verizon
(Note: I’ll update this post with the links to the slides and/or videos as they are made available)
In my opinion, the best talk that I had the pleasure to sit through was Mari DeGrazia’s Supersize Your Internet Timeline with Google Analytic Artifacts presentation. In it, Mari discussed how to use a number of different browser cookies on a client machine to decipher a timeline of events for an individual’s browsing history.
A fantastic example of its applicability is during an investigation, where an individual claims that a website was visited in error and only one time. The cookies will show you an individual’s frequency of visits, the last visit, and a number of other details that can be used to refute one’s testimony. Her blog can be found at az4n6.blogspot.com and her tools to ease the cookie-related investigations can be found at http://az4n6.blogspot.com/p/downloads.html.
A close second favorite was the Excel at Forensics talk by Anthony Gawron & David Nides, both from KPMG. In it, the presenters walked through various use cases for using pivot tables, VLOOKUP functions, and other useful (but easily forgotten if not used every day) commands.
A final hat tip goes to the Incident Response Patterns: The “Now What?” to the DBIR and VCDB talk by Kyle Maxwell & Kevin Thompson of Verisign and Verizon, respectively. The content was solid but the interaction between the two presenters was what made the talk great. I had a feeling it was going to be good when Kevin began reciting lyrics from old Busta Rhymes songs and it continued into the presentation with what could only be called an interpreitive dance to Kyle’s portions of the slides (see below).
— DFIR_Gecko (@SuzanneWidup) June 10, 2014
Presenting a 360 session was, as warned, a little intense. If you’re used to preparing slides for a 30 or 50 minute talk you have to completely change your mindset. Since I wanted to present a “visual” talk I had slides…lots of slides…21 slides in fact. I had to skip over a couple of non-key points but I ended only 5 seconds over my time limit – which I think is acceptable.
I’m really looking forward to next year where I plan on once again submitting a full standalone presentation. I met new friends, caught up with old ones, and had some interesting technical discussions about security, forensics, and DNS.
Thanks for reading!