This article is a recap of some of the main highlights from the ICDF2C conference 2018, which took place in New Orleans, LA, USA from 10th to 12th September.
The program began on Monday 10th September with the usual welcome registration. The conference was held at Chateau LeMoyne in New Orleans’ French Quarter: a beautiful hotel complete with pool and resident terrapins!
Once attendees were registered we gathered in the conference room for the opening keynote address. Given by Dr. Deborah Frincke of the National Security Agency, it talked through some of the NSA’s techniques within the realm of digital forensics, and how cooperation works both within and between agencies in the USA and abroad. It was interesting to hear about the research and analysis conducted by such an important body, although of course there was a lot left unsaid.
An important point that came out of Dr. Frincke’s discussion was that it’s very easy to say intelligence agencies should share more, but if you have everybody sharing at all levels it ends up being too chaotic. It is therefore important to work out what counts as a ‘need to know’ and what is a ‘need to share’. This cycle needs to be constantly updated.
Following a coffee break, we reconvened for the next sessions, which were focused on data carving and hiding. I liked the way the sessions were grouped together, with two or three talks on the same topic following each other. It helped to keep things on track and meant that often the talks complemented each other really well.
We began with research on linear function detection approaches for memory carving, from Lorenz Liebler & Harald Baier of the University of Applied Sciences Darmstadt. This was followed by Thomas Göbel demonstrating fishy, a new framework for implementing filesystem-based data hiding techniques.
Monday afternoon was devoted to workshops by Riscure, which allowed attendees to get some hands-on experience.
The gala dinner at the nearby Royal Sonesta Hotel allowed attendees to network over dinner and continue discussing the topics that had been brought to light in the talks during the day.
Tuesday morning’s keynote was given by Golden G. Richard III, who talked about memory forensics and strongly recommended The Art of Memory Forensics by Case, Levy & Ligh for anyone who is looking for an in-depth walk through the topic. Richard highlighted the importance of memory forensics to the field as a whole, saying that ‘memory is the new hard drive’ and that anyone who isn’t yet au fait with memory forensics techniques is already falling behind.
Automation and machine learning were looked at as possible aids to forensic investigation, but while acknowledging their utility the speaker warned against leaning on them too heavily. It is important to remember that these are helpful tools, not catch-all solutions.
Following this session we saw two papers discussing Android forensics. The first, If I Had A Million Cryptos: Cryptowallet Application Analysis and A Trojan Proof-of-Concept, looked at the forensic analysis of cryptocurrency wallet applications; the second introduced AndroParse, a new Android feature extraction framework and dataset from a team at the University of New Haven.
New Haven’s Cyber Forensics Research & Education Group publish a lot of interesting research, which you can access here.
Following lunch, Atola Technology gave a presentation and brief demo on damaged drives and other challenges facing digital forensic investigators today. They showed how their TaskForce tool can help to image damaged drives and to handle cases where several drives need to be imaged at once.
The next three sessions followed on from this theme, looking at common challenges in digital forensics and how they might be addressed. Hassan Hadi Latheeth Al-Maksousy and Michele C. Weigle presented a paper on hybrid intrusion detection for worm attacks, and then Vikram Harichandran from MITRE took to the stage to introduce CASE, which is quickly gaining popularity among forensic investigators. CASE stands for Cyber-investigation Analysis Standard Expression and aims to create a shared ontology for practitioners; you can find out more here.
Andrew Case then discussed the rise of memory forensics and reiterated how important it is becoming, especially in the face of modern threats.
“If you’re working in incident response, but you’re not getting a memory sample and doing memory analysis, there’s really no point.” – Andrew Case
The Best Paper awards were given out in the early afternoon of the second day, and this time the award went to two winners: Lorenz Liebler & Harald Baier for their work on memory carving, and Trevor Haigh, Frank Breitinger & Ibrahim Baggili for their paper If I Had A Million Cryptos: Cryptowallet Application Analysis and A Trojan Proof of Concept.
Forensic readiness was the overarching topic of the final three sessions of the day. First, researchers from the University of Pretoria presented a readiness framework for ransomware intrusion; then Raquel Tabuyo-Benito, Hayretdin Bahsi and Pedro Peris-Lopez’s paper on the forensic analysis of an online game on the Steam platform was the subject of discussion. The day ended with Jieun Dokko from Texas Tech University demonstrating a digital forensic investigation and verification model for industrial espionage.
On the final day we spent some time talking about developments that would be of use to the digital forensics world. Ibrahim Baggili talked about the need for more conferences where people sit around on circular tables, talk about what’s happening in the industry and work through potential solutions. A lot of conferences focus either on vendor demonstrations or academic research, without necessarily taking into account important current developments and creating working groups that could go off and do some good in the field.
Other suggestions for improving digital forensics as a whole included changes to education, such as bringing more multidisciplinary strands into computer forensics courses, and making grants available for students who want to present at conferences but lack the funding to do so. You can read more suggestions from researchers at the University of New Haven here.
Multi-item passphrases were a hot topic of discussion on the last day of the conference, with Jaryn Shen from Nanjing University talking about public misconceptions of computer security and how they affect user privacy as well as digital forensic investigations. More than 10% of users select one of the top 100 passwords, making their accounts much less secure. But how do we make passwords easy for users to remember, yet hard for others to guess? This and other questions were discussed in the last session of the conference.
Next year’s ICDF2C conference will take place in Milan, Italy. Keep an eye on the website for more details – see you there!