Thursday, November 10, 2011

PFIC 2011

I just returned from PFIC 2011, and I thought I'd share my experiences.  First, let me echo the comments of a couple of the attendees that this is one of the best conferences to attend if you're in the DFIR field.

What I Liked
Meeting people.  I know what you're thinking..."you're an don't like people."  That isn't the case at all.  I really enjoyed meeting and engaging with a lot of folks at the conference...I won't name them all here, as many don't have an open online presence, and I want to respect their privacy.  Either way, it's always great to put a face to a name or online presence, and to meet new people, especially fellow practitioners.

The content.  I didn't get to attend many presentations (unfortunately), but those that I did get to attend were real eye-openers, in a number of ways.  I didn't get to sit in on anything the first day (travel, etc.), but on Tuesday, I attended Ryan's presentation on how hiding indications of activity leaves artifacts, and Amber's mobile devices presentation.  Ryan's presentation was interesting due to the content, but also due to the reactions of many of the attendees...I got the sense from looking around the room (even from my vantage point) that for some, Ryan's presentation was immediately useful...which is a plus in my book.

Amber's presentation was interesting to me, as I really haven't had an opportunity to this point to work with mobile devices.  Who knew that an old microwave oven (with the cord cut) was an acceptable storage facility for mobile devices?  As an electrical engineer, I know that a microwave oven is a Faraday cage, but like I said...I haven't had a chance to work with mobile devices.  Amber also brought up some very interesting points about clones, and even demonstrated how a device might look like an iPhone, but not actually be one, requiring careful observation and critical thinking.

Another great thing about the content of presentations is that there were enough presentations along a similar vein that you could refer back to someone else's presentation in order to add relevance to what you were talking about.  I referred to Ryan Washington's presentation several times, as well as to an earlier presentation regarding the NTFS file system.  In a lot of ways, this really worked well to tie several presentations together.

After-hours event.  I attended the PFIC After Dark even this year...The Spur bar had been shut down just for the event, and we had shuttle transportation between the hotel and bar.  It was a great time to meet up with folks you hadn't had a chance to talk to, or to just talk about things that you might not have had a chance to talk about before.  I greatly appreciated the opportunity to talk to a number of folks...even those who took the opportunity to buy me a Corona, which I greatly appreciated! 

My room.  I got in to the venue, and found that I had a complimentary upgrade to another room.  Wow!  The original room was awesome (or would have been), but then I got a room right by the slopes where they were creating snow for the upcoming ski season.  I really like how ski resorts get business in the off-season through conferences and other's a great use of facilities and brings a good deal of business to the local area.

What I'd Do Differently
This section is really a combination of what I'd do differently, as well as what I think, based on my experience, would make the event a better experience overall...

Adjust my travel.  I flew in on the Monday of the conference, got in, got cleaned up from my time in airports, grabbed a bite to eat, and then gave my first presentation.  Next year, I think I'd like to see about getting to the conference site a bit earlier, and maybe being able to participate in some more things.  For example, I was invited to speak on the panel that took place on Wed morning, but my flight out left about an hour before the panel started.

Encourage more tweeting.  Social media is a great way to get the word out about upcoming events, but I've also found that live tweeting during the event is also a great way to generate buzz and encourage participation.  I did a search this morning for "#PFIC" and turned up only 20 tweets, some in Spanish.  I know that Mike Murr wasn't at this

Contests.  In addition to the tweeting, Amber mentioned an idea for next year...a forensic challenge of some kind, complete with each team delivering their findings and being judged/graded.  I think that would encourage some great participation.  I think that these sorts of things attract attention to the blog.

Presentations.  One thing I saw and heard others talk about was the fact that there were several good presentations going on at the same time.  For example, I had wanted to attend Chad's presentation, but couldn't because I was presenting.  On Tues morning, there were two presentations on what appeared to be similar topics that I wanted to attend, and I chose to attend Ryan's. 

On the topic of presentations, as the "I" in the conference name stands for "innovation", I think next year would be a fantastic time to hear from the Carbon Black guys.

My Presentations
I gave two presentations this year...thanks again to Amber and Stephanie for allowing me to do so.  As the presentation materials don't really convey what was said in the presentation itself, I wanted to share some of my thinking in developing the presentations, as well as the gist of what was said...

Scanning for Low-hanging Fruit: This presentation centered on the forensic scanner I've been working on, both the concept (as in, why would you want to do this...) and the actual implementation (still very proof-of-concept at this point).  The presentation even included a demo, which actually worked pretty well. 

The idea of the presentation, which may not be apparent from the title, was that once we've found something that we've never seen before (either a new variant of something, or an entirely new thing...), that becomes low-hanging fruit that we can check for each time via automation.  The idea would then be to free the analyst to do analysis, rather than having the analyst spend time performing a lot of manual checks, and possibly forgetting some of them in the process.  As I mentioned, the demo went over very well, but there's still work to be done with respect to the overall project.  Up until now, I haven't had a great deal of opportunity to really develop this project, and I hope to change that in the future.

Introduction to Windows Forensics:  When developing this presentation, I really had to think about what constitutes an introduction to Windows forensics.  What I decided on...and this seemed to work really well, based on the reactions of the attendees...was to assume that most everyone in the presentation already understood the basics of forensic analysis, and we'd progress on to the forensic analysis of Windows systems.  The distinction at that point was that the introduction included some discussion of analysis concepts, and then went into discussing analysis of a Windows system, based on the premise that we'd be analyzing a complex system.  So we started out with some concepts, and went into discussing not just the forensic potential of various artifacts and sources (the Registry, Event Log, Prefetch files, etc.), but also the value of considering multiple sources together in order to develop context and a greater relative confidence in the data itself.

Overall, I think that this presentation went well, even though I went really fast (without any RedBull, I should mention...) and finished almost exactly on time.  I spoke to Stephanie after the presentation, and hope to come back next year and give a longer, hands-on version of this presentation.  I think a bootcamp or lab would be great, as I really want to convey the information in this presentation in a much more "use this right away" format.  Also, Windows Forensic Analysis 3/e is scheduled to be published early in 2012, and will provide a great foundation for the lab.

Slide Decks
I put the PDF versions of my presentations (in a zipped archive) up on Google can find them here.  I've also share the malware detection checklist I mentioned at the conference; keeping in mind that this is a living document, and I'd greatly appreciate feedback.

Links to Attendee's blogs:
Girl, Unallocated - It was great to put a face to a name, and hear how some folks name their blogs...
Journey into IR - It was great to finally meet Corey in person...
ForensicMethods - I'm looking forward to seeing Chad in Atlanta at DC3.


Girl, Unallocated said...

It was great to meet you and see you present... I learned a lot. +1 to the bootcamp idea - I think it would be a great resource.

Richard Steven Hack said...

Re the microwave oven as a Faraday cage - was that a MODIFIED oven? Because I just did some research on the Net and the consensus is that microwave ovens only block the frequency of the microwave and not others. Numerous people have dumped their cells into a microwave and called them and they answer fine.

In short, using a microwave oven as a Faraday cage to block cell phones (or using a cell phone to test microwave oven leakage) appears to be an old wives tale.

So was this oven modified in some way? And tested?

H. Carvey said...


All that was stated in the presentation was that the cord was cut on the microwave oven.

I'm an electrical engineer by training, but a complete newbie to mobile device forensics.

I'll have to try it. ;-)

Gregory Pendergast said...


Just getting around to reviewing your PFIC slides after asking about them. Good stuff there. I would've especially liked to see the Forensic Scanner demo.

As I imagine how I might use the scanner when it comes to fruition, I wonder whether it would be useful to have different "analysis profiles" that could be selected and customized. This would be something like what RegRipper allows with plugin lists. You could have distinct analysis profiles that ran checks specific to, say, malware diagnostics or user investigation.

Having said that, however, I'm not sure how many distinct analysis profiles one might want/need. It may be that there aren't enough distinct analysis objectives to make that idea worth implementing.

H. Carvey said...

George, useful to have different "analysis profiles" that could be selected and customized.

Exactly. Just like RegRipper, you'll have the ability to do this.

I'm not sure how many distinct analysis profiles one might want/need.

As with RegRipper, that's totally up to the analyst. For example, how many custom plugins or profiles have you developed for your own use?