Case Leads: A Forensicator's take on BlackHat/DefCon/BSides
It's been a busy time in digital forensics and incident response (DFIR). Every summer, for over 20 years, infosec practitioners, forensicators and old-school hackers have gathered in Las Vegas. A mixture of very deep tech talks, trainings, and technology-oriented distractions "flood the zone" in Las Vegas. Close to 15-20,000 people were in Las Vegas this summer for what has now evolved into three separate conferences, all in the same week.
July 27th was the start of Black Hat at Caesars Palace in Las Vegas. The conference kicks off with training in the last weekend of the month, and finishes on Wednesday, July 31st and Thursday, August 1st, with lectures and technical demonstrations, called "Black Hat Briefings." This year, in the wake of the NSA/Snowden row, NSA Director General Keith Alexander gave the opening keynote. Black Hat was more corporate than ever, with more sponsor banners and sponsor-generated talks (disclosed by the organizers, and placed in a separate area, bravo!). Black Hat moves next year to the south end of the Las Vegas Strip, at the Mandalay Bay. Some have speculated that the larger vendor area was part of the motivation. A spokesperson for Black Hat stated simply, "We need more room."
Meanwhile, two and a half blocks east of Caesars Palace, at the Tuscany Hotel Casino, BSides Las Vegas was running during the same Wednesday and Thursday as Black Hat. BSides was a real gem this year. Great crowd, with many very smart and interesting speakers, lectures and labs. One of the more compelling DFIR talks of the week was a demonstration on defeating application whitelisting, and the digital forensic trail that this incident leaves behind. See Good Reads and Listens below for an interview with the co-presenter of that talk, Joe Kovacic.
Thursday, August 1st was the "soft launch" of DefCon 21, at the Rio Casino, just west of the Las Vegas Strip. Of note: DefCon held legal training on Thursday for non-legal professionals on the fundamentals of civil and criminal law. Always a help for forensicators. Sunday was the unofficial "forensicator block," with three lectures covering forensics, including an interesting talk on the recoverability of "disappearing" messages like SnapChat. Another DefCon talk relevant for incident response was Craig Young's talk on a critical authentication flaw in Google Apps/Gmail/Android. See Good Reads and Listens below for an interview with Craig Young.
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to kuyasamahbub@gmail.com.
Tools:
- Mr. John Ortiz developed and teaches a steganography course for the University of Texas at San Antonio (UTSA). Mr. Ortiz developed several steganographic programs for testing and analysis that were demonstrated at DefCon 21 in Las Vegas this year, during the unofficial forensicator block. You may email John: stego [insert at symbol here] satx.rr.com for details on how to obtain these free tools.
- Belkasoft Evidence Center 5.4 (Updated), Detects Forged Images, Analyzes Fragmented Memory Dumps and Extracts Destroyed SQLite Records
- BlackBag Technologies Announces BlackLight 2013 R2 Cross-platform Forensics Software Release
Good Reads and Listens:
- From The Ponemon Institute: Live Threat Intelligence Impact Report 2013
- NSA Director Gen. Alexander, in his keynote address on the opening day of Black Hat Briefings Las Vegas
- An interview with Craig Young, taped on the floor of DefCon 21, on his forensic research into a critical authentication flaw in Google Apps/Gmail/Android
- An interview with Joe Kovacic, taped on the floor of BSides LV, on his research into defeating application whitelisting, and the digital forensic trail that a breach might leave behind
- An interview with Richard Hickman, who wrote a paper based upon his digital forensic work on SnapChat. The "defeating" SnapChat session at the unofficial forensicator block at DefCon was standing room only. Related story in the news section below.
News:
- 'Snap Save,' a new iPhone app, lets users save SnapChats without alerting the sender
- Interesting metadata that could prove useful in investigations: Study: Cellular mobile devices emit a traceable metadata digital fingerprint beyond the SIM chip
- Forensicators help determine that it was malware that led to the collapse of a California financial escrow firm
- War on US Cloud Providers: How the US Government Killed a Texas-based Secure E-mail Company
- War on US Cloud Providers II: NSA scandal could cost the US cloud computing industry up to $35 billion over the next three years, a new report claims
- War on US Cloud Providers III: Germany's leading telecoms operator will channel email traffic exclusively through its domestic servers in response to public outrage over U.S. spy programs accessing citizens' private messages. But crypto experts blast the German e-mail providers' "secure data storage" claim