by Mattia Epifani
The Techno Security and Forensics CA conference took place between 11th and 13th March at The Hilton Torrey Pines in La Jolla (San Diego). More than 200 attendees were present, coming from different fields like digital forensics, e-discovery, incident response and cybersecurity. Most of the attendees were from the U.S. but many people from Canada and Europe were also present.
Forensic Focus was present for the entire conference and documented it in real-time on Twitter. The conference had four different tracks (Forensics, Audit/Risk Management, Information Security and Investigation) and more than 75 talks took place there.
This article is a wrap-up of the conference highlighting some of the most interesting and innovative topics, with particular regard to the Forensics and Investigations tracks.
As a general consideration we saw a lot of development and interest in three fields:
- improving acquisition and analysis techniques for “traditional” devices like computers and mobile devices, both in the field and in the lab;
- studying emerging sources of evidence (in particular IoT devices, drones, vehicles, DVRs, and so on);
- developing techniques to acquire data from remote sources (email, cloud, etc.).
11th March 2019 – Day One
The first day started with a talk by Atola Technology on evidence acquisition: where it has been, where it is today, and recent breakthroughs.
In parallel, an interesting session on DVR forensics was run by DME Forensics: during the talk two real cases were discussed, one involving a Samsung DVR and the other involving a Q-See DVR.
Immediately after this a second session took place. We highlight in particular an in-depth presentation by Brian Hill, Oxygen Forensics, on deleted data from iOS and Android smartphones, illustrating possible ways to recover it from different sources (cloud or external media). Vico Marziale from Blackbag Technology gave a really interesting presentation on the forensic analysis of Windows 10 with particular highlights on the Windows Timeline Database, the Windows 10 Notification Center and the Background Activity Moderator (BAM).
On the investigation side, a talk by Angel Grant, RSA, discussed how to understand cultural aspects of hacking to improve cyber investigations: this is absolutely a field in which traditional investigators need to be trained more.
After the lunch break, a talk on mobile app analysis by James Eichbaum, MSAB, took place: the main topic was manual analysis of SQLite databases and application data in general, with particular highlights on embedded objects, encoding and encryption.
Another really interesting talk was held by Arman Gungor from Metaspike, on leveraging server metadata in forensic email investigations. The presentation illustrated in particular what types of email metadata are kept by servers, and how to retrieve and forensically preserve those metadata.
The last talk of the first day was one of the most innovative and enlightening of the entire conference. It was given by A.G. Speake from Berla Corporation, on the topic of vehicle system forensics. The session gave a complete overview of what data can be acquired from infotainment and telematics systems within the vehicle, with an in-depth discussion of the non-destructive methods to acquire and analyze it. Two interesting case studies were presented: an incident that took place in London in 2017; and a kidnapping and murder that took place in Kennewick, WA, in which data from a rental car were extracted and analyzed. For an overview of vehicle forensics we suggest taking a look at this YouTube video: although it is not fully up to date, it provides an interesting overview of the potential of vehicle forensics.
At the end of the day a happy hour took place in the show floor area, where the attendees had the chance to see some of the latest forensics hardware and software on the market.
12th March 2019 – Day Two
Day two had an early start at 8 a.m. with the keynote of the conference provided by Matthew Rosenquist, Intel Corporation. The talk was titled “The Verification of Truth: The Future of Digital Forensics and its Role in Cybersecurity”. During the talk he discussed how “digital forensics” will grow to mean the verification of truth and will play an ever-increasing role in understanding responsibility and controlling the dissemination of fear, uncertainty, and doubt through actuarial data. Rosenquist’s presentation is available on Slideshare.
In the morning, a talk by Ed Michael from Cellebrite illustrated advanced analysis techniques for mobile device evidence analysis. In particular some examples of manual analysis of applications through the use of SQL queries and Python scripts were provided. The talk was really practical and full of references and examples for the audience.
Then we attended a brilliant talk on bypassing multi-factor authentication by Jeff Ham and James Hovious from Mandiant. They presented an updated version of the topic they had discussed at the SANS EU DFIR Summit in Prague last October: slides from the SANS event are available here.
The last talk of the morning, one of the most technical of the event, was from Jason Hale on how to improve USB device forensics in Windows OS, and some of the latest findings to be analyzed in this constantly-changing set of artifacts. Jason is the creator and developer of USB Detective: a community version of the software can be requested on the website.
The first talk after lunch was by Jessica Hyde on handling IoT evidence. Jessica gave a great presentation illustrating the challenges of some of the most commonly found devices on the market, like Amazon Echo, Alexa and Fitbit, and how to extract data from them and from the related cloud accounts.
The last talk of the day was again on a really interesting emerging topic: the forensic analysis of drones. The presentation was given by Dave Rathbone from VTO Labs. The session illustrated the results of “The Drone Forensic Program” funded by the United States Department of Homeland Security. The project identified and defined the forensic best practices for the retrieval of data from consumer and professional level drones. The results of the research are publicly available here.
Day 2 ended with a cocktail reception in the amazing Parterre Gardens of the Hilton Hotel.
13th March 2019 – Day Three
Day 3 started with an early session on current trends in illegal dark web activity, with specific focus on the anatomy of a transaction and the role of cryptocurrencies. Then, an in-depth and technical presentation by Jason Roslewicz, SUMURI LLC, on “APFS Imaging” took place, addressing forensic imaging methods of APFS Macs.
The last talk of the morning was again by Jessica Hyde from Magnet Forensics, and it was about the iOS maturation from iOS 10 to iOS 12. Jessica provided a really detailed explanation of the improvements made by Apple to prevent access to the device and an overview of some of the most interesting artifacts available with a full file system image of an iOS device. A webinar on the same topic is available on Magnet Forensics’ website.
Lunch took place in the Hilton garden, with really tasty Mexican food!
Just after lunch was an interesting talk by Brian Hill from Oxygen Forensics, on geolocation data that can be extracted from mobile phones, drones and cloud accounts.
Also after lunch, Susteen gave a presentation on the latest developments in their DataPilot 10 mobile forensics device, developed for in-the-field acquisitions and recently introduced to the market. A review of this device was published on Forensic Focus in October 2018.
The last talk of the day was by Andrea Amico, an Italian researcher and founder of Privacy4Cars, a mobile application and SDK designed to help erase Personally Identifiable Information (PII) from modern vehicles. The app is available for free on both the Apple Store and Google Play, and it enables consumers and businesses to quickly delete data stored by modern vehicle infotainment systems. During the presentation Andrea illustrated the CarsBlues vulnerability, a Bluetooth-based attack that affects tens of millions of vehicles and was publicly disclosed in November 2018 by the company. A methodology to extract contacts and call logs from a vehicle through the Bluetooth connection was also illustrated. Some videos demonstrating this technique are available on Privacy4Cars’ YouTube channel.
The conference ended with some time for socializing at the Hilton pool. Overall it was a great event and provided a good opportunity to see where digital forensics is going now and in the future.