The Digital Forensics Research Workshop (DFRWS) was back in virtual format for its USA edition, running Monday, July 11th through Thursday, July 14th. Six paper sessions on memory forensics, similarity hashing, application forensics, live and static system analysis, multimedia forensics, and miscellaneous topics covered the 13 papers accepted for presentation. In addition, two presentation sessions showcased six additional topics.
Want to volunteer to be a peer reviewer? The organizers encourage you to reach out here!
As always, the conference made plenty of room for social connection and fun via Monday night’s virtual pub quiz, Tuesday’s three simultaneous Birds of a Feather sessions, and Wednesday’s Digital Forensics Rodeo CTF. The Birds of a Feather sessions offered brainstorming around three topics:
- DFIR 4 Good: What Can We Do?
- What’s next? Advances & Challenges in Digital Forensics
- Taking Care of Yourself: Wellness in Digital Forensics
Crypto Harlem’s Matt Mitchell kicked off the event with “Digital Forensics Duty to Protect,” about the need for practitioners to use their skills to find the artifacts needed to effect justice and positive change in the world.
Unlike previous keynotes Mitchell has given, this talk focused on the weaponization of digital forensics. “Digital dictatorship” in particular involves the use of mercenary surveillance malware such as Pegasus and NetWire to allow governments to plant evidence on the devices of reporters, activists, and lawyers before using forensics to find “irrefutable” evidence of wrongdoing.
Hence, said Mitchell, the need both to verify information through open source and traditional digital forensics alike, and to encourage truly fair trials by making tools and methods available to non-law enforcement entities. Mitchell encouraged researchers’ involvement with organizations like Mnemonic, WITNESS, and the 5am Coalition in Ukraine, saying that every level of skill is always needed.
The conference’s second keynote came from Samuel Cava, of the FBI’s Multimedia Exploitation Unit which was created in response to the 2013 Boston Marathon bombing. By way of some of the FBI’s biggest cases – the Las Vegas shooting and January 6 among them – Cava spoke about how digital forensics research was integrated and applied to FBI investigations.
Owing to the pace, scale, and scope of massive critical incidents – each one, said Cava, getting bigger and harder to manage, including the risk of damage from deepfakes – there is a dual need:
First, practitioners themselves need open source intelligence (OSINT) type skills to piece together data from many sources, including images, geolocation, suspicious purchases, motor vehicle information, etc. in context of each piece’s collection and use.
Second, to manage all this is the need for automated tools to help investigators organize and track evidence, versus the use of pen and paper; to enable collaborative review with the ability to tag and annotate evidence, as well as organize around the review; and to build more exposable (declassified) systems for multiagency sharing and disclosure.
Cava solicited researchers to contribute to the Multimedia Processing Framework as well as the Triage Import Export Schema (TIES) at GitHub.
Papers and Presentations
Memory forensics was the topic of the first paper session.
In “Memory Analysis of .NET and .Net Core Applications” – winner of this year’s DFRWS-USA Best Paper Award – Andrew Case focused on the evolution of malware and the resulting effort to develop memory analysis capabilities for the “very powerful and widely abused” .NET Framework and its replacement, .NET Core. Case discussed new Volatility plugins that automatically and repeatably target key areas in these runtimes and report suspicious and/or malicious artifacts.
This talk was followed by the second paper session, which focused on similarity hashing – as opposed to cryptographic hashing, which detects only identical copies – across big data.
First, Thomas Göbel presented “FRASHER — A Framework for Automated Evaluation of Similarity Hashing.” FRASHER extends the nearly 10-year-old FRASH framework by modernizing it, enabling the evaluation of efficiency in terms of generation, comparison, and compression; sensitivity and robustness; and adversarial resilience.
“ssdeeper: Evaluating and Improving ssdeep” followed with a focus on the first and most common context-triggered piecewise hashing algorithm. Presenter Carlo Jakobs discussed the research team’s assessment of ssdeep, configurations ideally suited to ssdeep’s typical applications, and proposed improvements yielding more stable hash values, better runtime performance, and a better detection rate.
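To make the contrast drawn in this session concrete, the following Python block is a toy context-triggered piecewise hash written for this summary; it is not code from ssdeep, FRASHER, or either paper. The window-sum rolling hash, the fixed block size of 16, the one-character-per-piece encoding, and the Levenshtein-based score are simplified stand-ins for ssdeep's real choices (assumptions), and the three input buffers are constructed pseudo-random data. A single flipped byte changes the SHA-256 digest entirely but leaves the piecewise signature almost intact, while an unrelated buffer scores zero.

```python
import hashlib
import random

# Simplified stand-ins for ssdeep's parameters (assumptions, not ssdeep's real values).
BLOCK_SIZE = 16   # trigger roughly every 16 bytes; ssdeep derives this from input length
WINDOW = 7        # rolling-hash window length, as in ssdeep
COMMON_RUN = 7    # ssdeep refuses to score signatures sharing no 7-character run
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def ctph(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Context-triggered piecewise hash: cut `data` wherever a rolling hash over
    the last WINDOW bytes hits a trigger value, hash each piece, and emit one
    base64 character per piece. Cut points depend only on local content, so a
    change in one place does not shift the pieces that follow it."""
    sig, start, rolling = [], 0, 0
    for i, b in enumerate(data):
        rolling += b
        if i >= WINDOW:
            rolling -= data[i - WINDOW]             # window sum as a toy rolling hash
        if rolling % block_size == block_size - 1:  # context trigger
            piece = hashlib.sha256(data[start:i + 1]).digest()
            sig.append(ALPHABET[piece[0] % 64])
            start = i + 1
    if start < len(data):                           # trailing piece after the last trigger
        piece = hashlib.sha256(data[start:]).digest()
        sig.append(ALPHABET[piece[0] % 64])
    return f"{block_size}:{''.join(sig)}"


def _shares_run(a: str, b: str, n: int = COMMON_RUN) -> bool:
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def compare(sig_a: str, sig_b: str) -> int:
    """0..100 similarity; 0 when block sizes differ or no 7-character run is shared."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b or not _shares_run(body_a, body_b):
        return 0
    dist = _levenshtein(body_a, body_b)
    return round(100 * (1 - dist / max(len(body_a), len(body_b), 1)))


def _buf(seed: int, n: int = 4096) -> bytes:
    rng = random.Random(seed)                       # constructed, deterministic sample input
    return bytes(rng.getrandbits(8) for _ in range(n))


def demo() -> dict:
    original = _buf(1)
    modified = bytearray(original)
    modified[2048] ^= 0xFF                          # flip one byte in the middle
    modified = bytes(modified)
    unrelated = _buf(2)
    return {
        "sha256_unchanged": hashlib.sha256(original).digest() == hashlib.sha256(modified).digest(),
        "ctph_modified": compare(ctph(original), ctph(modified)),
        "ctph_unrelated": compare(ctph(original), ctph(unrelated)),
    }


if __name__ == "__main__":
    print(demo())
```

The shared-run gate is the detail worth noticing: without it, two unrelated signatures over a 64-symbol alphabet still get a small non-zero edit-distance score, which is exactly the kind of noise the evaluation frameworks in this session measure as false positives.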
The third paper session, offered on Tuesday, consisted of two papers that examined application forensics, specifically “alt tech” social networking and instant messaging.
In “Alt-Tech Social Forensics: Forensic Analysis of Alternative Social Networking Applications,” Hailey Johnson described an analysis of Android and iOS versions of Parler, MeWe, CloutHub, and similar apps. She also introduced the Alternative Social Networking Applications Analysis Tool (ASNAAT), which automatically aggregates forensically relevant data from a mobile device forensic image containing alt-tech social applications.
Then, Megan Davis described the “Forensic Investigation of Instant Messaging Services on Linux OS: Discord and Slack as Case Studies,” meant to close a gap in research on Discord and Slack apps on Linux operating systems. The research described a number of accessible artifacts stored in memory, which could be important, Davis said, owing to the pandemic-era trend of people organizing game nights and other activities via these two apps.
Three papers on Live and Static System Analysis featured in the conference’s fourth session, also on Tuesday.
First, Thanh Nguyen presented “Live System Call Trace Reconstruction on Linux,” a description of how his research team’s method non-intrusively enables the analysis of system calls performed by mature ransomware in real time on Linux-based systems.
Then, Stewart Sentanoe presented “KVMIveggur: Flexible, secure, and efficient support for self-service virtual machine introspection.” This architecture uses containers, virtual machines, and network remote access to isolate virtual machine introspection (VMI) in cloud environments, removing speed, functionality, and implementation obstacles in existing research prototypes.
Finally, in “LibDroid: Summarizing information flow of Android Native Libraries via Static Analysis,” Chen Shi described the LibDroid analysis framework designed to compute data flow and summarize taint propagation for Android native libraries, thus closing a gap in other Android static analysis tools by allowing users to identify app security issues such as the use of private user data or hidden functions.
Wednesday’s first paper session featured two papers that fell outside the other categories.
First, in “Digital Forensics-AI: on Explainability and Interpretability of Evidence Mining Techniques,” Abiodun Abdullahi Solanke presented a nontechnical perspective on artificial intelligence, law, and digital forensics strategies toward mitigating mistrust. Solanke covered explainability versus interpretability of closed-box AI models, proposing recommendations for interpretable AI-based digital forensics methods.
Then, Janine Schneider presented “Ambiguous File System Partitions,” which suggested that steganographic data hiding could be applied when two fully functional file systems coexist within a single file system partition. This research integrated “guest” file systems into the structures of a “host” file system in order to test how forensic tools handled the ambiguity. In addition, the research distinguished host from guest based on essential data at fixed positions.
The sixth and final paper session of the conference featured two talks on multimedia forensics. In “Deepfake Noise Investigation and Detection,” Tyanyi Wang proposed a deep neural network as the basis of a noise-based deepfake detection model. By visualizing deepfake forensic noise traces, the research team showed a visible distinction between synthesized faces and unmodified regions that statistical evaluation alone cannot provide.
Audio background noise was the topic of the following talk, “BlackFeather: A framework for Background Noise Forensics.” There, Qi Li discussed new methods of automatically extracting, separating, and classifying background noises in complex environments via software, thus offering potential new lead sources to investigators.
Following Monday’s and Tuesday’s paper sessions were the presentations: research of interest to the committee that has not (yet) been submitted for peer review.
On Monday, NIST’s Alex Nelson presented “Discovery of digital forensic dataset characteristics with CASE-Corpora.” This community index of available forensic reference and training datasets relies on the Cyber-investigation Analysis and Standard Expression (CASE) Ontology and the Unified Cyber Ontology (UCO) to describe datasets’ forensically relevant qualities: not only where to find data, but also why – in essence, to reconstruct data provenance.
Future plans include integrating CASE Corpora with the Computer Forensics Reference Dataset (CFREDs). Additionally, Nelson encouraged community members to join the CASE development community to help, as well as to download the datasets from GitHub to work with.
Then, Mitch Kajzer presented “Offline iOS Tracking and Remote Wiping” via the “always on” Apple Ultra Wideband (U1) chip, which relies on a short-range, low energy, wireless communications protocol to provide accurate spatial and directional data even when a device is powered off.
Calling the functionality “GPS at the scale of your living room,” Kajzer described the implications for evidence handling and chain of custody, notably whether the U1 chip can accept wipe commands.
On Tuesday, “A Distributed Digital Body Farm for Collecting Deleted File Decay Data” described a remote software agent, the DDBF, which collects content-free and privacy-preserving data about deleted file decay on an active computer system. In this talk, Omoche Cheche Agada described how to use the agent to collect deleted file decay data from geographically dispersed computers, at which point the data can be aggregated and analyzed for patterns of decay, and thus for whether file recovery is possible.
Following with another perspective on file decay was Dominique Calder with “Building and decaying a file corpus for sub-sector analysis,” which detailed the development of a scalable algorithm that can accurately infer the past presence of a file given arbitrary sectors. Built to address big-data triage and anti-forensic tampering, the research focuses on sector rather than file hashes to improve data correlation.
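As an added worked illustration of the sector-hash idea behind both file-decay talks (written for this summary; not code from the DDBF agent or from Calder's algorithm): hash every 512-byte sector of a known file, scan an image for those hashes, and report which file sectors still survive after some have been reused. The file, the image and the simulated decay are all constructed inside the block, and the filter that discards single-value sectors is an assumption standing in for a real common-block whitelist.

```python
import hashlib
import random

SECTOR = 512


def sectors(buf: bytes, size: int = SECTOR):
    return [buf[i:i + size] for i in range(0, len(buf), size)]


def is_low_information(sector: bytes) -> bool:
    # Null or single-byte sectors occur all over a disk, so a hit on one says
    # nothing about the file. Assumption: this one-value test stands in for a
    # proper common-block whitelist built from many unrelated images.
    return len(set(sector)) <= 1


def sector_hashes(file_bytes: bytes) -> set:
    """Hashes of the file's informative sectors; these are what we search for."""
    return {hashlib.sha256(s).hexdigest()
            for s in sectors(file_bytes) if not is_low_information(s)}


def scan_image(image: bytes, wanted: set) -> list:
    """Return (image sector index, hash) for every sector whose hash is wanted."""
    hits = []
    for idx, s in enumerate(sectors(image)):
        if is_low_information(s):
            continue
        h = hashlib.sha256(s).hexdigest()
        if h in wanted:
            hits.append((idx, h))
    return hits


def presence_estimate(image: bytes, file_bytes: bytes) -> dict:
    """How much of the file is still present, sector by sector, and where."""
    wanted = sector_hashes(file_bytes)
    hits = scan_image(image, wanted)
    surviving = {h for _, h in hits}          # count each file sector once
    return {
        "file_sectors": len(wanted),
        "surviving": len(surviving),
        "fraction": len(surviving) / len(wanted),
        "hit_sectors": [idx for idx, _ in hits],
    }


def _rand(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_scenario():
    """Constructed data: a 20-sector file (18 unique sectors plus 2 null ones)
    written into a 200-sector image, then partially overwritten to mimic decay."""
    rng = random.Random(7)
    file_data = _rand(rng, 18 * SECTOR) + bytes(2 * SECTOR)
    image = bytearray(_rand(rng, 200 * SECTOR))
    image[100 * SECTOR:110 * SECTOR] = bytes(10 * SECTOR)            # unrelated null sectors
    base = 40                                                          # file lands at sector 40
    image[base * SECTOR:base * SECTOR + len(file_data)] = file_data
    image[base * SECTOR:(base + 5) * SECTOR] = _rand(rng, 5 * SECTOR)  # first 5 sectors reused
    return bytes(image), file_data


if __name__ == "__main__":
    img, f = build_scenario()
    print(presence_estimate(img, f))
```

Two things the block makes visible that a whole-file hash cannot: the file is still attributable from 13 of its 18 informative sectors after the first five were reused, and the null sectors (both the file's own and the image's) must be excluded up front or they inflate every match count.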
The presentation sessions both days also offered “showcase” content from DFIR Review. Tuesday, veteran law enforcement officer and digital forensics analyst Scott Koenig presented “iOS Settings Display Auto-Lock & Require Passcode,” an extensive testing project he started to help out a fellow analyst. His short video reviewed device activity, plists of interest, and overall results. His research can be found here and here.
Wednesday’s showcase featured Geraldine Blay and Alexis Brignoni, whose “Peeking at User Notification Events in iOS 15” explored notification logs for artifacts that can show content even when it is no longer present in the phone. Parsing and reporting were covered as well.
Four workshops ranging from two to four hours were offered between Wednesday and Thursday.
On Wednesday, Forensic Focus attended the two-hour “CASEWorks!” by Eoghan Casey and Alex Nelson. Building on Nelson’s presentation about CASE-Corpora, this workshop focused on data mapping, validation, and customization, along with ontology development practices for better community collaboration and an example of how the Hansken project is implementing CASE.
Casey emphasized the need for data provenance in particular to show a full chain of custody. Currently, output can be incomplete or missing, impacting its interpretability and thus its effectiveness in decision-making.
Concurrently on Wednesday was the “Leveling Up with YARA!” workshop, designed to help attendees learn the syntax of YARA rules to assess their accuracy and start to write their own. Volexity’s Tom Lancaster led attendees through a series of layered exercises that laid a foundation for extensibility and future contributions.
Thursday featured two additional four-hour workshops. In “Performing Linux Forensic Analysis and Why You Should Care,” Ali Hadi and Mariam Khader encouraged attendees to consider both incident response and criminal investigation scenarios involving the Linux operating system. Fundamentals of the Linux OS and EXT4 file system; log analysis; and the search, identification and collection of crucial data were covered.
Concurrently, in “Velociraptor – Digging deeper,” Michael Cohen introduced the open source, scalable digital forensic and incident response tool designed to enhance visibility into endpoints and hunt for forensic artifacts across large networks in minutes. Attendees learned how to do this via the Velociraptor Query Language (VQL) on both dead and live systems, as well as common scenarios such as lateral movement detection and hunting Cobalt Strike beacons in memory.
Planning for DFRWS 2023 conferences is underway, with the DFRWS-EU call for papers open until October 10 and presentations, workshops, and posters also available for consideration. DFRWS-EU will be held in Bonn, Germany and virtually during the week of March 20.