Saturday, October 20, 2018

OSDFCon Trip Report

This past week I attended the 9th OSDFCon...not my 9th, as I haven't been able to make all of them.  In fact, I haven't been able to make it for a couple of years.  However, this return trip did not disappoint.  I've always really enjoyed the format of the conference, the layout, and more importantly, the people.  OSDFCon is well attended, with lots of great talks, and I always end up leaving there with much more than I showed up with.

Interestingly enough, one speaker could not make it at the last minute, and Brian simply shifted the room schedule a bit to better accommodate people.  He clearly understood the nature of the business we're in, and the absent presenter suffered no apparent consequences as a result.  This wasn't one of the lightning talks at the end of the day, this was one of the talks during the first half of the conference, where everyone was in the same room.  It was very gracious of Brian to simply roll with it and move on.

The Talks
Unfortunately, I didn't get a chance to attend all of the talks that I wanted to see.  At OSDFCon, by its very nature, you see people you haven't seen in a while, and want to catch up.  Or, as is very often the case, you see people you only know from online.  And then, of course, you meet people you know only from online because they decide to drop in, as a surprise.

However, I do like the format.  Talk times are much shorter, which not only falls in line with my attention span, but also gets the speakers to focus a bit more, which is really great, from the perspective of the listener, as well as the speaker.  I also like the lightning talks...short snippets of info that someone puts together quickly, very often focusing on the fact that they have only 5 mins, and therefore distilling it down, and boiling away the extra fluff.

My Talk
I feel my talk went pretty well, but then, there's always the bias of "it's my talk".  I was pleasantly surprised when I turned around just before kicking the talk off to find the room pretty packed, with people standing in the back.  I try to make things entertaining, and I don't want to put everything I'm going to say on the slides, mostly because it's not about me talking at the audience, as much as it's about us engaging.  As such, there's really no point in me providing my slide pack to those who couldn't attend the presentation, because the slides are just placeholders, and the real value of the presentation comes from the engagement.

In short, the purpose of my talk was that I wanted to let people know that if they're just downloading RegRipper and running the GUI, they aren't getting the full power out of the tool.  I added a command line switch to rip.exe earlier this year ("rip -uP") that will run through the plugins folder, and recreate all of the default profiles (software, sam, system, ntuser, usrclass, amcache, all) based on the "hive" field in the config headers of the plugin.

To-Do
Something that is a recurring theme of this conference is how to get folks new to the community to contribute and keep the community alive, as well as how to just get folks in the community to contribute.  Well, a couple of things came out of my talk that might be of interest to someone in the community.

One way to contribute is this...someone asked if there was a way to determine for which version of Windows a plugin was written.  There is a field in the %config header metadata that can be used for that purpose, but there's no overall list or table that identifies the Windows version for which a plugin was written.  For example, there are two plugins that extract information about user searches from the NTUSER.DAT hive, one for XP (acmru.pl) and one for Vista+ (wordwheelquery.pl).  There's really no point in running acmru.pl against an NTUSER.DAT from a Windows 7 system.

So, one project that someone might want to take on is to put together a table or spreadsheet that provides this list.  Just sayin'...and I'm sure that there are other ideas as to projects or things folks can do to contribute. 
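As an added illustration of the two points above (it is not RegRipper's own code, and the plugin sources below are constructed stand-ins modelled on the `%config` header a RegRipper plugin carries, with made-up `osmask`/`version` values), this Python script reads the `hive` field from each plugin header and groups the plugin names into the default profiles the way the post describes `rip -uP` doing, and it also emits the plugin/hive/osmask/version table that nobody has put together yet. The profile names are derived by normalising the hive string (an assumption), and `osmask` is reported as-is, not interpreted.

```python
import re

# Constructed plugin sources, modelled on the %config header of real RegRipper
# plugins (hive, osmask and version are real keys; values here are made up and
# plugin bodies are omitted).  broken.pl deliberately lacks a hive field.
SAMPLE_PLUGINS = {
    "acmru.pl": 'my %config = (hive => "NTUSER\\.DAT",\n'
                '              osmask => 22,\n'
                '              version => 20080324);',
    "wordwheelquery.pl": 'my %config = (hive => "NTUSER\\.DAT", osmask => 22,\n'
                         '              version => 20100330);',
    "samparse.pl": 'my %config = (hive => "SAM", osmask => 22, version => 20120722);',
    "winver.pl": 'my %config = (hive => "Software", osmask => 22, version => 20081210);',
    "broken.pl": 'my %config = (category => "user activity");',
}

CONFIG_RE = re.compile(r'%config\s*=\s*\((.*?)\);', re.S)
FIELD_RE = re.compile(r'(\w+)\s*=>\s*(?:"([^"]*)"|(\d+))')

def parse_config(source):
    """Return the %config hash of one plugin as a dict (quoted strings or ints)."""
    m = CONFIG_RE.search(source)
    if not m:
        return {}
    return {key: (int(num) if num else text)
            for key, text, num in FIELD_RE.findall(m.group(1))}

def build_profiles(plugins):
    """Group plugin names (minus .pl) by hive, as rip -uP rebuilds the profiles.
    Assumption: 'NTUSER\\.DAT' -> 'ntuser', 'SAM' -> 'sam', etc.; a comma-separated
    hive list puts the plugin into every listed profile."""
    profiles, skipped = {}, []
    for filename, source in plugins.items():
        name = filename[:-3] if filename.endswith(".pl") else filename
        cfg = parse_config(source)
        if "hive" not in cfg:
            skipped.append(name)          # no hive field: cannot be placed in a profile
            continue
        for raw in cfg["hive"].split(","):
            hive = raw.strip().replace("\\", "").lower()
            profiles.setdefault(hive[:-4] if hive.endswith(".dat") else hive, []).append(name)
    return {h: sorted(names) for h, names in profiles.items()}, sorted(skipped)

def version_table(plugins):
    """Rows of (plugin, hive, osmask, version) straight from the headers."""
    return [(f, c.get("hive"), c.get("osmask"), c.get("version"))
            for f, c in sorted((f, parse_config(s)) for f, s in plugins.items())]

if __name__ == "__main__":
    profiles, skipped = build_profiles(SAMPLE_PLUGINS)
    for profile, names in sorted(profiles.items()):
        print(profile + ": " + ", ".join(names))   # a real profile file lists one name per line
    print("no hive field:", skipped)
    for row in version_table(SAMPLE_PLUGINS):
        print(*row)
```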

For example, some talks I'd love to see are how folks (not the authors) use the various open source tools that are available in order to solve problems.  Actually, this could easily start out as a blog post, and then morph into a presentation...how did someone use an open source tool (or several tools) to solve a problem that they ran into?  This might make a great "thunder talk"...10 to 15 min talks at the next OSDFCon, where the speaker shares the issue, and then how they went about solving it.  Something like this has multiple benefits...it could illustrate the (or, a novel) use of the tool(s), as well as give DFIR folks who haven't spoken in front of a group before a chance to dip their toe in that pool.

Conversations
Like I said, a recurring theme of the conference is getting those in the community, even those new to the community, involved in keeping the community alive, in some capacity.  Jessica said something several times that struck home with me...that it's up to those of us who've been in the community for a while to lead the way, not by telling, but by doing.  Now, not everyone's going to be able to, or even want to, contribute in the same way.  For example, many folks may not feel that they can contribute by writing tools, which is fine.  But a way you can contribute is by using the tools and then sharing how you used them.  Another way to contribute is by writing reviews of books and papers; by "writing reviews", I don't mean a table of contents, but instead something more in-depth (books and papers usually already have a table of contents).

Shout Outz
Brian Carrier, Mari DeGrazia, Jessica Hyde, Jared Greenhill, Brooke Gottlieb, Mark McKinnon, Cory Altheide, Cem Gurkok, Thomas Millar, the entire Volatility crew, Ali Hadi, Yogesh Khatri, the PolySwarm folks...I tried to get everyone, and I apologize for anyone I may have missed!

Also, I have to give a huge THANK YOU to the Basis Tech folks who came out, the vendors who were there, and to the hotel staff for helping make this conference go off without a hitch.

Final Words
As always, OSDFCon is well-populated and well-attended.  There was a Slack channel established for the conference (albeit not by Brian or his team, but it was available), and the Twitter hashtag for the conference seems to have been pretty well-used.

To follow up on some of the above-mentioned conversations, many of us who've been around for a while (or more than just "a while") are also willing to do more than lead by doing.  Many of us are also willing to answer questions...so ask.  Some of us are also willing to mentor and help folks in a more direct and meaningful manner.  Never presented before, but feel like you might want to?  Some of us are willing to help in a way that goes beyond just sending an email or tweet of encouragement.  Just ask.

2 comments:

Unknown said...

Thank you very much for this blog post. It was eye opening. Regarding RegRipper - how can I tell what is the meaning of each OS mask? Is '64' = Vista? Does 22 mean it will run on Windows 10?

John Brown said...

Thanks for your contributions and all the new plugins! Was planning to go to OSDFCon this year and had a last minute conflict. I use RegRipper on Linux in SANS SIFT frequently but ran into some snafus trying to update. The problem is now solved and as a result, I created a tutorial on how to get SANS SIFT's version of RegRipper up to the new version. I have written some automation scripts also. Hope it is helpful!
https://medium.com/@stdout_