The Open Source Digital Forensics Conference (OSDFCon) kicked off its second decade virtually and, thanks to sponsorships, free of charge. Usually hosted each October in Washington, D.C., OSDFCon this year drew 12,000 people from around the globe: a massive increase from the 400+ it has historically seen.
In his opening remarks, conference host Brian Carrier, CTO of Basis Technology, said the goal this year was to “keep it simple” with everyone in the same Zoom meeting, while still sharing knowledge and inspiring collaboration.
To that end, this year’s event featured only a single track in contrast to previous years, where three tracks — a track dedicated to Autopsy software, a digital forensics track, and an incident response track — were the norm. Workshops and Autopsy training, previously each single-day events bookending the conference, were also cut from the schedule.
Acknowledging that this could challenge OSDFCon’s traditionally collaborative spirit, Carrier encouraged participants to simultaneously join the conference’s Discord server. Channels were available for Q&A to help save time and keep the schedule on track, as well as allow participants to interact more directly with each other, the speakers, and sponsor representatives. Some of the speakers presented via video recording rather than live on Zoom, but remained in the Discord channel to answer questions live.
Discord was also the place to join and vote in MemeWars, where conference participants could use starter templates, or design their own homegrown OSDFCon-related memes to compete for a chance to win a grand prize pack.
Another feature we hadn’t seen at other conferences this year was an online store, where participants could purchase cups, shirts, stickers, and other swag commonly given out at the in-person conference.
In a presentation that featured plenty of his own memes, Brian Moran (BriMor Labs) presented “Putting Together the RDPieces” of the Remote Desktop Protocol (RDP) bitmap cache: a way to determine whether data has been accessed and/or exfiltrated when an attacker has cleaned the usual go-to artifacts, including event logs and recent registry data.
An update of his presentation from the Magnet Virtual Summit, Moran’s talk further broke down the bitmap cache: a set of screenshots taken by the system during an RDP session and written to disk on the originating endpoint. These screenshots can potentially — though not always — include useful information like domains, passwords, server names, etc.
Like a document run through a shredder, the screenshots are broken into chunks and written to disk. Also like a document run through a shredder, they can be reconstructed. The process is time-consuming and painstaking, though — up to 40 hours for potentially thousands of bitmaps.
That’s why Moran wrote RDPieces, an open source script available on GitHub, to extract the raw data and fit the bitmaps together like puzzle pieces. Doing this, he said, creates “slices” of information — hundreds, not thousands, of results to focus on — versus the entire (not necessarily relevant) picture.
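To make the "shredder" picture concrete, here is an added example (my code, not RDPieces or anything shown in the talk) that carves fixed-size tiles out of a cache blob and lays them on a contact sheet so an examiner can eyeball hundreds of fragments at once. The record layout it assumes (a 12-byte file header, then per tile two 8-byte keys, a 16-bit width and height, and 32-bit BGRA pixels) is modelled on public descriptions of the mstsc `Cache*.bin` files and is an assumption to verify against real samples; the input blob is constructed in the script.

```python
"""Carve RDP bitmap-cache style tiles out of a blob and stitch them into a
contact sheet.  Added example; not RDPieces or any tool from the talk.

ASSUMED record layout (verify against real Cache*.bin files before relying on it):
    12-byte file header (skipped, not interpreted here), then repeated records:
        8 bytes key1, 8 bytes key2, uint16 width, uint16 height,
        width*height*4 bytes of BGRA pixels
"""
import struct

HEADER_LEN = 12
TILE_HDR = struct.Struct("<8s8sHH")   # key1, key2, width, height (little-endian)


def parse_tiles(blob):
    """Return a list of (key, width, height, bgra_bytes) for each complete record.

    A truncated trailing record (the cache was mid-write, or the file was partly
    overwritten) ends carving instead of raising, so the good tiles survive.
    """
    off = HEADER_LEN
    tiles = []
    while off + TILE_HDR.size <= len(blob):
        key1, key2, w, h = TILE_HDR.unpack_from(blob, off)
        off += TILE_HDR.size
        need = w * h * 4
        if w == 0 or h == 0 or off + need > len(blob):
            break                       # corrupt or truncated record: stop here
        tiles.append((key1 + key2, w, h, blob[off:off + need]))
        off += need
    return tiles


def contact_sheet(tiles, cols, tile=64):
    """Place tiles left-to-right, top-to-bottom on a grid; return (w, h, rgb bytes).

    Tiles smaller than the cell (e.g. screen-edge tiles) are padded with black.
    """
    rows = -(-len(tiles) // cols)       # ceiling division
    width, height = cols * tile, rows * tile
    sheet = bytearray(width * height * 3)       # zero-filled: black background
    for idx, (_key, w, h, bgra) in enumerate(tiles):
        gx, gy = (idx % cols) * tile, (idx // cols) * tile
        for y in range(min(h, tile)):
            for x in range(min(w, tile)):
                src = (y * w + x) * 4
                b, g, r = bgra[src:src + 3]     # BGRA in the cache, RGB on the sheet
                dst = ((gy + y) * width + gx + x) * 3
                sheet[dst:dst + 3] = bytes((r, g, b))
    return width, height, bytes(sheet)


def write_ppm(path, width, height, rgb):
    """Write the sheet as binary PPM, which any image viewer opens without extra libraries."""
    with open(path, "wb") as f:
        f.write(b"P6\n%d %d\n255\n" % (width, height))
        f.write(rgb)


def make_tile(key, w, h, bgr):
    """Constructed sample record: one solid-colour tile (test data, not a real cache)."""
    b, g, r = bgr
    return TILE_HDR.pack(key, b"\0" * 8, w, h) + bytes((b, g, r, 0xFF)) * (w * h)


def build_sample_blob():
    """Constructed blob: three solid tiles followed by a record cut off mid-pixel-data."""
    blob = b"\0" * HEADER_LEN
    blob += make_tile(b"\x01" * 8, 64, 64, (0, 0, 255))      # red
    blob += make_tile(b"\x02" * 8, 64, 64, (0, 255, 0))      # green
    blob += make_tile(b"\x03" * 8, 64, 32, (255, 0, 0))      # blue, half height
    blob += make_tile(b"\x04" * 8, 64, 64, (0, 0, 0))[:100]  # truncated record
    return blob


if __name__ == "__main__":
    tiles = parse_tiles(build_sample_blob())
    w, h, rgb = contact_sheet(tiles, cols=2)
    write_ppm("contact_sheet.ppm", w, h, rgb)
    print("carved %d tiles -> %dx%d contact sheet" % (len(tiles), w, h))
```

Against a real cache you would swap `build_sample_blob()` for the file contents and raise `cols` so that thousands of tiles fit on a few sheets; the truncation check matters because a cache captured while the RDP client was still running routinely ends in a partial record.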
Later in the day, Champlain College graduate students Joseph McCormack and Austin Grupposo presented research they’ve been working on with Dr. Ali Hadi. “Linux Forensics for IoT: Hello World” was another installment of ongoing research. (Read more in Hadi’s own article.)
McCormack stressed that Linux forensics is a relatively new field that deserves additional attention. Lockdown and limited lab access made their research challenging, he said, but there’s much more to learn. Grupposo mentioned a few possibilities: investigating common Internet of Things (IoT) devices, creating an automated IoT forensics toolkit using open source tools, and making Linux file systems more accessible using common forensic tools.
On a similar note, Tanium’s Asif Matadar presented “Investigating Windows Subsystem for Linux (WSL) Endpoints.” Focusing on the architecture changes in WSL 2, which runs the Linux kernel in what he called a “lightweight utility virtual machine,” announced in May 2019, Matadar described the forensic artifacts an examiner might find on a compromised Windows 10 or Windows Server 2019 host. These artifacts are associated with threat techniques such as “living off the land” binaries (LOLBins), lateral movement, command and control, and exfiltration.
Presentations: Tool How-Tos
Jamie Levy, a senior researcher and one of the core developers at the Volatility Foundation, delivered “Overcoming Obstacles in Memory Forensics” via recording. In contrast to more “hardcore” Volatility material, Levy talked about common issues that memory forensics analysts encounter, along with the thought process involved in troubleshooting them.
Levy started with acquisition problems: outright failures, long acquisition windows, corrupt memory samples, interference from malware, and even system updates landing mid-capture. These can all produce “smeared” memory images, in which pages captured at different moments no longer describe one consistent state; buggy tools and incomplete acquisitions are typical causes.
Volatility 3 reduces some of these issues by replacing the manually selected machine profiles and vtypes of v2 with symbol tables, Levy said, but some circumstances still require manual overrides and other techniques.
She demonstrated how to do this in the command line and using the different open source scripts — and reminded listeners that memory acquisition is so complicated that open source tools alone may not solve some problems.
Kumarshankar Raychaudhuri joined OSDFCon from India, where he works at the LNJN National Institute of Criminology and Forensic Science as well as at the Ministry of Home Affairs, Government of India. His talk, “Detection and Tracking of Forged Digital Images on Social Media using Forensically,” focused on the open source tools Forensically and JPEGSnoop, which can be used on images extracted from either social media or a hard drive.
Raychaudhuri provided an overview of how a digital image is constructed and how it can be manipulated in such a way that the changes can’t be identified with the naked eye. Using an exemplar, a photo taken in Syria, he showed how EXIF metadata may be stripped for privacy, but location data, camera model, and similar fields sometimes remain.
However, because geotags and other metadata are likely to be stripped from images posted to social media, he said metadata analysis would be less relevant there. Other techniques would be more valuable in these cases: spotting cloned regions with magnification and clone detection, error level analysis, noise analysis, JPEG structure analysis, and string extraction.
Sarah Edwards (BlackBag Technologies and SANS) followed up this year’s numerous presentations about her tool, APOLLO, with a new first step: “Go for Launch: Getting Started with Practical APOLLO Analysis.”
Recapping the “pattern of life” concept and APOLLO’s foundation — a set of SQLite database queries she wrote for triage purposes — Edwards reminded the audience that APOLLO is the “Apple Pattern of Life Lazy Output’er” — meant to have a low bar to entry as a SQL dumper.
To that end, she demonstrated how to remove the noise of APOLLO’s roughly 400 specific queries across 250 modules to get to what’s needed. She gave an overview of v1.4 and said that an Apollo Diaries blog series is forthcoming.
Building on Edwards’ talk was Alexis Brignoni’s presentation, “Open Source Mobile Forensics using Python.” In his first time presenting at OSDFCon, Brignoni described how he used Python 3 to write his tool xLEAPP — the Android complement to APOLLO.
Brignoni stressed during his talk that the days of “push button forensics” would soon enough give way to a greater need for examiners to understand data structures and how to manipulate them better via coding and reverse engineering skills.
After demonstrating xLEAPP and showing different artifacts recovered in its user interface, Brignoni talked about his YouTube class for examiners, which has a discussion component on the DFIR Discord Server. Additionally, he said, he intends to offer more content in Spanish.
Coding was also encouraged in self-proclaimed “DFIR Nerd” Harlan Carvey’s talk, “Effectively Using RegRipper 3.0.” While RegRipper is written in Perl rather than Python, the point was the same: Carvey encouraged audience members to chip in to the project, if not by writing new plugins outright, then by testing them, providing sample data together with any requests, etc.
After briefly recapping what RegRipper is, a plugin-driven tool for extracting, translating and displaying both data and metadata from Registry hive files, and providing an update on what’s new in version 3.0, Carvey spoke about how to “bake” lessons from previous cases into ongoing investigations via plugins.
With more than 250 plugins in the RegRipper distribution, he said, using the tool effectively now requires an investigator to automate playbooks through profiles: curated lists of the specific plugins that are fit for purpose.
That can depend on an investigation’s goals, the operating system version being dealt with, the applications installed on a system (and their versions), and other factors. RegRipper isn’t a “complete” out of the box tool, but it’s designed to be customized.
Autopsy: What’s new, and plugin contest results
Three presentations offered more insights into Basis Technology’s open source digital forensics tool, Autopsy, delivered by Brian Carrier.
“Autopsy’s Year in Review” talked about Autopsy 4, which Carrier said is much different from “the Autopsy you may have seen 20 years ago on Linux/Mac.”
- New features in this version include support for APFS, XRY reports, and iLEAPP.
- New modules include Recent Activity; Central Source Repository; Interesting Items such as cloud storage, encryption, cryptocurrency, privacy programs; and drone and picture analyzers.
- New viewers are included for context, communications, timeline, image gallery, data source summary, and maps.
- Forthcoming is more support for mobile, triage, and more artifacts.
Online training is available for Autopsy, and Carrier additionally encouraged OSDFCon attendees to contribute to the project.
Carrier also delivered a presentation entitled “Using Past Data to Determine Relevance in Autopsy.” Focusing on the new File Discovery UI and the Central Repository that stores hashes from past cases, Carrier showed how the two in combination help examiners to deal with heavy data volumes by focusing on new, unique files.
One of OSDFCon’s highlights was the Autopsy module contest results. Because the conference drew so many attendees this year, the usual crowdsourced voting gave way to a 22-person committee, which reviewed the entries, provided feedback, and picked three winners from a field of 20 ahead of the event.
Videos of up to 2 minutes showcased the new modules, which consisted of three types: ingest, reporting, and data source processor modules. With cash prizes doubled this year, the three winners were:
- 3rd place and $500 went to Forensic Analysis for Mobile Apps
- 2nd place and $1000 went to AD1 Extractor, which Carrier said answers a long-standing request from people who acquire data with FTK Imager
- 1st place and $3000 went to a speech-to-text module for video analysis
OSDFCon wrapped up the presentations with a series of Lightning Talks:
- Jessica Hyde described Magnet Forensics’ Auxtera project. This is a way for forensic examiners to use their skills to help those in need. The project is still taking applications.
- Tijl Deneut offered offensive forensics on Windows 10.
- Florian Rudolf talked about the Secure and Forensic Container (SFC) that combines a SQLite database with a TAR container for archiving evidence and case data, backups, etc.
- Event sponsor PolySwarm showed its Autopsy plugin for uncovering malware infections.
Carrier concluded the conference with a statement that next year there will be a virtual dimension as well as a physical conference to maximize attendee interactions. Because this year’s single track meant accepting fewer talks, Basis Technology anticipates offering monthly webinars featuring the highly rated talks that didn’t make the OSDFCon cut. (OSDFCon crowdsources its lectures, allowing the community to vote for the presentations.) Joint webinars with sponsors will also be available.