In this article, I want to provide a concise summary of the (to me) most interesting talks of this year’s DFRWS EU (http://www.dfrws.org/2016eu/).
Eoghan Casey, one of the most famous pioneers in digital forensics, and David-Olivier Jaquet-Chiffelle, professor in police science at the University of Lausanne, gave a keynote that emphasized the need for fundamental theoretical research in the field of digital forensics, which I fully agree with, as this was exactly what I addressed in some of my former research.
Michael Cohen and Arkadiusz Socala received the best paper award for their work “Automatic Profile generation for live Linux Memory analysis”, which was indeed very interesting; the article is worth reading.
The talk by Joe Sylve, Vico Marziale and Golden Richard, “Pool Tag Quick Scanning for Windows Memory Analysis”, was about their implementation of psquickscan, which provides a very fast (compared to Volatility and Rekall psscan) scan for Windows (pre-10) process structures of running processes in RAM. It takes less than 1 second for a 16 GB RAM image and needs to read only a small portion of the entire data. However, it does not find all the data (such as processes from a previous boot) that the other mentioned implementations do.
While the implementation will not be made publicly available (but instead sold by blackbagtech.com), the method is described within the paper and can be implemented independently.
Johannes Bauer, Michael Gruhn and Felix Freiling presented their paper “Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory”, whose title refers to the famous paper by Halderman et al., “Lest We Remember: Cold Boot Attacks on Encryption Keys”.
While cold-boot attacks worked for DDR2 RAM, they have not been possible for DDR3 so far, as data in DDR3 is scrambled and not stored in clear text.
Bauer et al. managed to descramble DDR3 main memory using a known-plaintext attack (50 bytes of known plaintext needed), thereby re-enabling cold-boot attacks, at least to some degree, against current computers that use DDR3 RAM.
Still, due to the technical peculiarities of DDR3, single-bit flip errors occur with rather high probability and frequency compared to DDR2.
Alex Biedermann and Joëlle Vuille gave a very remarkable talk, “Digital evidence, ‘absence’ of data and ambiguous patterns of reasoning”, about how digital evidence findings are often used in favor of the prosecution in court proceedings, but disregarded as “neutral” if they do not fully falsify the prosecution’s hypothesis. The authors present a logical way of reasoning that rates evidence with a likelihood ratio for both hypotheses (prosecution and defense) and provides this ratio to the court alongside the evidence (e.g. stating whether it is more likely to find this evidence, or this absence of evidence, if the hypothesis of the prosecution or the hypothesis of the defense is true).
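To make the reasoning pattern concrete, here is an added example (not code from Biedermann and Vuille’s paper) that computes the likelihood ratio of a trace being present or absent under the two competing hypotheses and combines it with prior odds; all probabilities are constructed for illustration.

```python
"""Likelihood-ratio evaluation of digital evidence, including its absence.

Added example, not from the DFRWS paper. LR = P(E | Hp) / P(E | Hd), where
Hp is the prosecution hypothesis and Hd the defense hypothesis.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """Probability of observing a trace under each competing hypothesis."""
    description: str
    p_given_prosecution: float  # P(trace present | Hp)
    p_given_defense: float      # P(trace present | Hd)


def likelihood_ratio(finding: Finding, observed: bool) -> float:
    """LR of the observation 'trace present' (observed=True) or 'trace absent'.

    LR > 1 supports Hp, LR < 1 supports Hd, LR == 1 is genuinely neutral.
    Absence of an expected trace is not neutral: its LR is
    (1 - P(E|Hp)) / (1 - P(E|Hd)), which is < 1 when the trace is more
    likely under Hp than under Hd.
    """
    if observed:
        num, den = finding.p_given_prosecution, finding.p_given_defense
    else:
        num, den = 1.0 - finding.p_given_prosecution, 1.0 - finding.p_given_defense
    return float("inf") if den == 0.0 else num / den


def posterior_odds(prior_odds: float, *lrs: float) -> float:
    """Bayes' rule in odds form: posterior odds = prior odds * product of LRs.

    Multiplying LRs assumes the findings are conditionally independent given
    each hypothesis; the examiner has to justify that assumption per case.
    """
    odds = prior_odds
    for lr in lrs:
        odds *= lr
    return odds


# Constructed scenario: if the suspect downloaded the file on this machine (Hp),
# a browser history entry is expected in 90% of cases; if someone else did it
# from another machine with the same account (Hd), one appears here in 5%.
HISTORY_ENTRY = Finding("browser history entry for the file", 0.90, 0.05)

if __name__ == "__main__":
    print(f"present: LR = {likelihood_ratio(HISTORY_ENTRY, True):.2f}")
    print(f"absent:  LR = {likelihood_ratio(HISTORY_ENTRY, False):.3f}")
    print(f"1:1 prior, trace absent -> odds {posterior_odds(1.0, likelihood_ratio(HISTORY_ENTRY, False)):.3f}")
```

With the constructed numbers, a present entry yields LR 18 (supports the prosecution), while a missing entry yields LR of about 0.105, i.e. the absence favors the defense roughly 9.5 to 1 rather than being neutral.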
In their work “TLSkex: Harnessing virtual machine introspection for decrypting TLS communication”, Benjamin Taubmann, Christoph Frädrich, Dominik Dusold, and Hans P. Reiser monitor the network traffic of a virtual machine and, as soon as encrypted network traffic (especially HTTPS) is detected, apply virtual machine introspection to extract the cryptographic keys from main memory, feed them back to their monitoring tool, and decrypt the encrypted traffic live. This is a neat approach whenever the traffic of a system has to be analyzed, encryption is applied and there is access to the target system’s main memory (in their example via virtual machine introspection, but DMA access via FireWire or similar should work as well), which might be applicable especially in cloud / virtual server hosting environments.
I was glad to moderate the forensic rodeo on Wednesday evening together with Eoghan Casey. I originally created the case which was analyzed by the participants for the FAU Open Research Challenge, where the image can be downloaded and further information about the case is provided. Congratulations to the winning speaker & attendee team!
DFRWS EU 2016 Forensic Rodeo Team: Andreas Dewald, Eoghan Casey, A. Nonym