Last week I had the opportunity to attend the 2012 SANS Digital Forensics & Incident Response Summit. It was held in Austin, TX at the Omni Downtown Hotel for a second consecutive year. First thing I want to say is that this is my third consecutive DFIR Summit. I did not think they could top last year’s offering. Boy was I wrong, dead wrong.
The Summit started off with Cindy Murphy’s most excellent Day 1 Keynote (intentional Bill & Ted reference). She talked about how we sometimes need to step back from our examinations to see the big picture and how data without context is just data. She had a great quote from Helen Keller, “It is a terrible thing to see and not have vision”. It was a very inspirational presentation and has motivated me to reflect on who my “monks” are. If you haven’t had a chance to check it out yet, make sure you do (http://computer-forensics.sans.org/summit-archives/2012/6-blind-monks.pdf).
I have to say that I enjoyed all of the talks that I attended, but the ones that stood out for me were:
- Analysis & Correlation of Mac Logs (http://computer-forensics.sans.org/summit-archives/2012/analysis-and-correlation-of-macintosh-logs.pdf) and When Macs Get Hacked (http://computer-forensics.sans.org/summit-archives/2012/when-macs-get-hacked.pdf) by Sarah Edwards (@iamevltwin). I have had the chance to get my hands on a variety of Apple devices in the last year or so, but I learned a good deal of information from Sarah on additional artifacts that are available on those devices that could enhance future exams.
- Sniper Forensics v3 (Hunt) (http://computer-forensics.sans.org/summit-archives/2012/sniper-forensics-v3-hunt.pdf) by Chris Pogue (@cpbeefcake) is the third in a series of presentations (Part 1: http://blog.spiderlabs.com/2011/01/spiderlabs-blog-post-sniper-forensics-part-1.html and Part 2: http://blog.spiderlabs.com/2011/01/sniper-forensics-part-two-target-acquisition-in-part-one-of-the-sniper-forensics-post-we-discussed-the-history-of-forensic.html).
- Mac Memory Analysis with Volatility (http://computer-forensics.sans.org/summit-archives/2012/mac-memory-analysis-with-volatility.pdf) by Andrew Case (@attrc). What more can you say? Being able to analyze memory dumps from a Mac computer with Volatility. ’Nuff said.
- Nick Harbour’s Anti-Incident Response (http://computer-forensics.sans.org/summit-archives/2012/anti-incident-response.pdf) presentation was very informative on how attackers will attempt to keep IR folks from catching up to them.
- Tales from the TrueCrypt (http://computer-forensics.sans.org/summit-archives/2012/tales-from-the-crypt-truecrypt-analysis.pdf) with Hal Pomeranz (@hal_pomeranz). Hal shows us that we don’t have to freak out when we come across a container that is encrypted by TrueCrypt. There are plenty of artifacts that exist on the user’s unencrypted Operating System that point to a suspect’s knowledge & usage of TrueCrypt. This talk inspired me to do a little research of my own. Hopefully, if all goes well, I’ll have a presentation to give at next year’s Summit.
- Finally, Frank McClain (@littlemac042) had an excellent presentation titled “Exfiltration Forensics in the Age of the Cloud” (http://computer-forensics.sans.org/summit-archives/2012/exfiltration-forensics-in-the-age-of-the-cloud.pdf). Frank did a TON of research on artifacts left behind by cloud based applications. A big thanks to Frank for making his findings available via PDF (http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html) to the public.
As far as the SANS360 talks (http://computer-forensics.sans.org/summit-archives/2012/dfir-sans360-talks.pdf) went, I think they were all great. Six minutes each (roughly) and to the point.
The one thing I’d like to complain about is the fact that there were two tracks this year. The one thing I’d like to commend is that there were two tracks this year. Confused? Well, it stunk that I had to miss a few talks because I was attending others. That said, it was great because it gave the opportunity for more people to present. Good thing the slides are available online.
The only real complaint I’ve heard about the Summit was from the folks trying to follow along at home. Apparently, the live stream kept cutting in and out due to issues with the hotel’s network. Hopefully, that issue is squared away for next year and the remote viewers have smooth sailing.
I will echo what others who have reviewed the Summit have stated. The other best thing (aside from the presentations) was the chance to meet other DFIR Community members. There were a lot of new faces in attendance this year. It was great to meet people I’ve spoken with, helped, or received help from online. When it comes to the DFIR Community, I feel like I don’t have just colleagues, but that I am part of a family. I hope that our close-knit ways continue in the future.
The video presentation from the Closing Remarks (http://www.xtranormal.com/watch/13533924/closing-remarks) was epic!!!
I just want to thank Rob Lee & the staff from SANS that helped to put together and run such a great conference!!!