Skip to main content

European DFIR Summit 2018 Review

On Monday October 1st, I attended the European edition of the SANS DFIR Summit in Prague. Normally I try to attend this in Austin, however this year I couldn't make it so attended this one later in the year instead. I took a couple days PTO just to spend some time seeing the sights and it was cool getting to take time visiting the historical sights, instead of my typical shut in routine. If you have time, I would highly recommend this and definitely book a night time river cruise. Also worth noting, the new Spiderman movie was filming last week which was kinda cool.

Image may contain: sky, cloud and outdoor

A few other recommendations I would make, would be to stay closer to the city center and take the subway daily. This has the added benefit of staying at a nicer, more western hotel (eg Marriott, Hilton), but also being near the old town square. I'm staying at the Angelo Hotel, but the training is actually split between two hotels and I don't get the benefit of being able to quickly jet up the elevator to my room on breaks if I need to.

This year SANS decided to make the talks shorter and limit the ability to ask questions. I totally get why they are doing this, to compact in more presentations, however it wouldn't be my choice. Not only is 30 minutes per talk a little too short, having to leave and miss a talk to ask the speaker questions isn't optimal.

Jess Garcia (@j3ssgarcia) kicked off the event and did a great job throughout introducing the speakers and also covering logistics.

Renato Marinho (@renato_marinho) gave a very relevant talk on Cryptoacking. He discussed how he is seeing cyber criminals operate in groups and sharing the burden of mining, but also the rewards when one of the hashes is matched. He reconstructed a recent campaign leveraging XMRig and Monero that targeted vulnerable Weblogic servers. He runs a honeypot as a part of his research and confirmed to me, he still hasn't seen attackers elevating privileges to patch servers and keep them all to themselves. Instead other attackers jump on the resource often leading to detection.

Mattia Epifani (@mattiaep) gave a talk that was very timely and relevant to my situation. It was on building your own mobile forensic methodology. His practical approach broke things up into 4 sections (needs, knowledge, workflow, and methodology). He referenced the site,, which can provide great information on a phone, while being passive. He believes android's latest release, Oreo, makes recovery of deleted files impossible. He discussed a possible method of leveraging an AppleTV, which has no password protection, to collect iCloud information that is shared from a phone, table, or other mac device. Mattia also referenced, which will tell you if a particular device is supported by forensic tools. Then he walked through about 10 cases where he did not have the PIN code, but was still able to gain access and do analysis. This was likely my favorite talk of the conference.

Jason Jordaan, pronounced Jor-Dawn (@DFS_Jason) covered the need for an evidence classification model. And really who can argue with that, we all use different terms, different approaches, and there is a complete dearth of standards. He prefers to break of evidence into filesystem, OS, App, and User-created, which makes perfect sense. He also incorporated network evidence, but interesting not log evidence. The reason being, is that on the source device its actually OS or Application evidence. Since often as a responder you won't get access to the source device of all log data in your case, I'm not sure this makes a ton of sense (e.g. vpn, badge, camera, etc). He also mentioned the Case/UCO project or Cyber-investigation Analysis Standard Expression & Unified Cyber Ontology.

Olaf Schwarz (@b00010111) presented on his Project SIRF, which aims to help the part time incident responder. He talked about the GDPR's requirements for data deletion which is "reasonable deletion" of data, not advanced, multi-pass, military grade device destruction into dust. The first attempt at doing this was to delete the encryption key, but this failed because the master key was still available. He determined that actually zeroing out the data was 5x faster than re-encrypting with a new throw away key. He also brought up Mattermost, which I had not heard of, as being something that is gaining traction by IR teams. In his jump kit, he chose a Lenovo P320 tiny over a Skull Canyon and MSI Nightblade. He stated the NUC doesn't have as good of tech specs and MSI is too heavy. He also chose ESXi for virtualization due to VirtualBox not allowing free commercial use.

Matt Suiche (@msuiche) of DumpIt fame, gave an update to his previous talk on ShadowBrokers. He walked the attendees through a timeline of activities, which include direct correspondence with them. This included mention of a blog post alleging the NSA compromised the SWIFT network. He also talked about the pending Swift 7.2 upgrade (November 2018), which is requiring banks to upgrade not just software, but hardware. But sadly, doesn't include OS hardening requirements. There was also some talk about the exponential growth of offensive-oriented commercial cyber companies.

Adam Harrison (@harrisonamj) did a talk on the ExFAT filesystem. He recommended updating the Fuse driver in SIFT to get a more accurate timestamp granularity. FTK imager lite gives incorrect timestamps, whereas FTK 4.1 is accurate. Like many of us, he is a fan of Xways, as it will tell you if the time is either local or UTC. He mentioned Scott Pancoast's Xways template.

Kathryn Hedley from Khyrenz gave a talk on her efforts to create a Windows triage script. She found that Xways doesn't parse USBStor correctly. Her script will add the timezone to USB activity as a separate field. It also gives time in UTC when the USB device was inserted into the system. Her script ( can also make use of a local repo to do analysis offline. Since there are a lot of triage tools out there that are mutli-platform, I'm not sure this will expand, but the process of creating your own triage tool is definitely worthwhile.

Veronica Schmitt (@Po1Zon_P1x13) gave a review of 3 prominent ransomware families (Locky, Cerber, and Maktub). This is in fact her thesis for university. She talked about her extensive approach to analysis, which went beyond just the classic static and dynamic analysis. She is using the term "DNA", which I think HBGary used, to track similarities in malware of the same family (eg. Code re-use). She also covered some of the common anti-forensics techniques used by malware authors, such as GetLocalTime to wait longer than the typical sandbox.

Ray Strubinger gave a talk titled "Statistical Methods for Triaging DFIR Investigations". His primary use case was having to review tens of thousands of images and the need for sampling to complete the task. While the math he presented was sound, this just wasn't a use case that I typically engage in. I tend to zero in on time slices of interest and evidence of execution versus reviewing large lists of files manually. I think eDiscovery professionals are the likely target audience.

Jessica Hyde (@B1N2H3X) and Jad Saliba (@JadAtMagnet) gave a great talk on Chromebook and ChromeOS forensics. I really wish this would have been a workshop. They mentioned that Google Chrome Enterprise is only $50/client, which is likely why many cheap/fast orgs are gravitating this way. They also talked about LevelDB or LDB which is common in ChromeOS and based on NoSQL. They did present some pretty compelling differences between what is available on the local Chromebook vs what you can pull from the cloud api via Google Takeout.

Jeff Hamm (@hammjd) and James Hovious (@JamesHovious) gave what was my second favorite talk of the day on bypassing MFA controls. My only complaint was there was no time for questions at the end. They talked about some engagements where they have obtained seed files out of email. Often searching for .stdid files can yield good results. They also talked about leveraging a keylogger to capture the PIN code for a MFA token. And then there was the hilarious story about the webcam for an MSSP being pointed at a MFA token and being shared out publicly. This talk may have sparked me to spend time again on getting current on offensive techniques again. While I did red work in the past, its been awhile so this might be a fun learning goal.

Overall this was a pretty solid event with very knowledgeable speakers. It's definitely nowhere near as big as the US version, but I did enjoy the smaller crowd. I would recommend they go to multitrack and 45m talks with questions to meet the needs of more attendees.


Popular posts from this blog

FIRST Conference 2018 - Review (Kuala Lumpur Edition)

As apart of my new job, my employer is seeking to gain FIRST membership later this year. To support that goal, I was asked to attend the 30th FIRST Conference in Kuala Lumpur. For the travel weary, this is not a trip to take lightly. For me it was 3 flights and 28 hours total of travel just to arrive. I do have to say, the conference venue, the Shangri-La hotel is absolutely fabulous. Very nice, clean, and ultra courteous staff. The swag bag I was given at registration was also very nice, including 3 shirts, challenge coin, notebook, mini first aid kit, and a pretty decent backpack. I also have to say the lunch options for the conference are vastly superior to anything I have ever experienced. SANS and Blackhat could learn a few things. For a 5 day conference, you get a much greater value here.

If you are interested in jumping straight the slides you can visit here.
OpeningThe conference was kicked off on Day 1 by Thomas Schreck (@shrekts) who gave out some interesting attendance statis…

Hacking Exposed Notes

Hacking Exposed Notes

Footprinting – profiling an organization Internet, Intranet, Remote Access, and Extranet presence to determine security posture and netblocks

Website Pilfering – grabbing source code to analyze offline

Unix – Wget

Win – Teleport Pro

Search Engines – tools for searching multiple engines, IRC, email, etc at once

Win – FerretPRO($)

Web – DogPile

Registered Networks – internet whois searches

Current Registrars

Unix – Whois, Xwhois

Unix - $ whois “acme.” (list possible domains)

Unix - $ whois “HANDLE JS1234” (list POC info)

Unix - $ whois “” (list email info)

Web – US

Web – International

Web – US Military

Web – US Gov

DNS Interogati…