Summit talks will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response. All talks should be technical and specific and provide actionable takeaways.
The DFIR Summit offers speakers the opportunity to present their latest tools, findings, and methodologies to their DFIR industry peers. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.
We are looking for proposed presentations on topics including, but not limited to:
Case studies in Digital Forensics, Incident Response, or Media Exploitation that solve a unique problem
New forensic or analysis tools and techniques
Discussions of new artifacts related to Cloud, Smartphones, Windows, and Mac platforms, malware reverse engineering, or network communications
Improving the status quo of the DFIR industry by sharing novel approaches
Challenges to existing assumptions and methodologies that might change the industry
New analytic techniques that can extract and analyze data more rapidly and/or at a larger scale
Benefits of Speaking
Promotion of your speaking session and company recognition via the DFIR Summit website and all printed material
Visibility via the DFIR post-Summit on the SANS DFIR Website
Full conference badge to attend all Summit sessions
Speakers can bring 1 additional attendee for free to attend the summit
Private speakers-only networking lunches
Speakers-only networking reception on the evening before Summit
Diversity of thought is critical to any organization’s success, and SANS Summits encourage participation by everyone regardless of age, culture, ethnicity, sexual orientation, or gender identification. Whatever your background, whoever you are, we encourage you to respond to a CFP. We welcome people who are newer to the field or who have not yet done any public speaking, and we can provide mentoring and guidance to help you develop an impactful presentation.
Most talks will be 35 minutes of content + 5 minutes of Q&A. However, we are always interested in exploring new formats, especially for interactive learning.
The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!
To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:
1. Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):
· Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or
· Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.
· The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.
· The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.
· All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective of how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it, have a sneak peek, check out some of the past DFIR Summit talks.
Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:
3. All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future article post.
4. Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.
5. Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.
6. Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.
7. Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!
8. Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!
9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted). Voting will close at the end of the day on May 25, 2018.
10. Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.
11. Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!
As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.
The Summit will be held on June 7-8, and the training courses run from June 9-14.
MELTDOWN SPECTRE VULNERABILITIES
Unless you’ve been living under a rock for the last 24 hours, you’ve heard about the Meltdown and Spectre vulnerabilities. I did a webcast with SANS about these vulnerabilities, how they work, and some thoughts on mitigation. I highly recommend that you watch the webcast and/or download the slides to understand more of the technical details. In this blog post, I would like to leave the technology behind and talk about action plans. Our goal is to keep this hyperbole free and just talk about actionable steps to take moving forward. Action talks, hyperbole walks.
To that end, I introduce you to the “six step action plan for dealing with Meltdown and Spectre.”
Step up your monitoring plan
Reconsider cohabitation of data with different protection requirements
Review your change management procedures
Examine procurement and refresh intervals
Evaluate the security of your hosted applications
Have an executive communications plan
Step 1: Step up your monitoring plan
Meltdown allows attackers to elevate privileges on unpatched systems. This means that attackers who have a toehold in your network can elevate to a privileged user account on a system. From there, they could install backdoors and rootkits or take other anti-forensic measures. But at the end of the day, the vulnerability doesn’t exfiltrate data from your network or encrypt your data, delete your backups, or extort a ransom. Vulnerabilities like Meltdown will enable attackers, but they are only a means to an end. Solid monitoring practices will catch attackers whether they use an 0-day or a misconfiguration to compromise your systems. As a wise man once told me, “if you can’t find an attacker who exploits you with an 0-day, you need to be worried about more than 0-days.”
Simply put, monitor like your network is already compromised. Keeping attackers out is so 1990. Today, we assume compromise and architect our monitoring systems to detect badness. The #1 goal of any monitoring program in 2018 must be to minimize attacker dwell time in the network.
Step 2. Reconsider cohabitation of data with different protection requirements
Don’t assume OS controls are sufficient to separate data with different protection requirements. The Spectre paper introduces a number of other possible avenues for exploitation. The smart money says that at least some of those will be exploited eventually. Even if other exploitable CPU vulnerabilities are not discovered (unlikely since this was already an area of active research before these vulnerabilities), future OS privilege escalation vulnerabilities are a near certainty.
Reconsider your architecture and examine how effective your security is if an attacker (or insider) with unprivileged access can elevate to a privileged account. In particular, I worry about those systems that give a large number of semi-trusted insiders shell access to a system. Research hospitals are notorious for this. Other organizations with Linux mail servers have configured the servers so that everyone with an email address has a shell account. Obviously this is far from ideal, but when combined with a privilege escalation vulnerability the results can be catastrophic.
Take some time to determine if your security models collapse when a privilege escalation vulnerability becomes public. At Rendition, we’re still running into systems that we can exploit with DirtyCOW – Meltdown isn’t going away any time soon. While you’re thinking about your security model, ask how you would detect illicit use of a privileged account (see step #1).
Step 3. Review your change management procedures
Every time there’s a “big one” people worry about getting patches out. But this month Microsoft is patching several critical vulnerabilities. Some of these might be easier to exploit than Meltdown. When thinking about patches, measure your response time. We advise clients to keep three metrics/goals in mind:
Normal patch Tuesday
Patch Tuesday with “active exploit in the wild”
“Out of cycle” patch
How you handle regular patches probably says more about your organization than how you handle out of cycle patches. But considering all three events (and having different targets for response) is wise.
Because of performance impacts, Meltdown definitely should be patched in a test environment first. Antivirus software has reportedly caused problems (BSOD) with the Windows patches for Spectre and Meltdown as well. This shows a definite example where “throw caution to the wind and patch now” is not advisable. Think about your test cycles for patches and figure out how long is “long enough” to test (both for performance and stability) in your test environment before pushing patches to production.
Step 4. Examine procurement and refresh intervals
There is little doubt that future processors (yet to be released) will handle some functions more securely than today’s models. If you’re currently on a 5 year IT refresh cycle, should you compress that cycle? It’s probably early to tell for hardware, but there are a number of older operating systems that will never receive patches. You definitely need to re-evaluate whether leaving those unpatchable systems in place is wise. Just because you performed a risk assessment in the past, you don’t get a pass on this. You have new information today that likely wasn’t available when you completed your last risk assessment. Make sure your choices still make sense in light of Meltdown and Spectre.
When budgeting for any IT refresh, don’t forget about the costs to secure that newly deployed hardware. Every time a server is rebuilt, an application is installed, etc. there is some error/misconfiguration rate (hopefully small, often very large). Some of these misconfigurations are critical in nature and can be remotely exploited. Ensure that you budget for security review and penetration testing of newly deployed/redeployed assets. Once the assets are in production, ensure that they are monitored to detect anything that configuration review may have missed (see step #1).
Step 5. Evaluate the security of your hosted applications
You can delegate control, but you can’t delegate responsibility. Particularly when it comes to hosted applications, cloud servers, and Platform as a Service (PaaS), ask some hard questions of your infrastructure providers. Sure your patching plan is awesome and went off without a hitch (see step #3). What about your PaaS provider? How about your IaaS (Infrastructure as a Service) provider? Ask your infrastructure provider:
Did they know about the embargoed vulnerability?
If so, what did they do to address the issue ahead of patches being available?
Have they patched now?
If not, when will they be fully patched?
What steps are they taking to look for active exploitation of Meltdown? *
* #5 is sort of a trick question, but see what they tell you…
Putting an application, server, or database in the cloud doesn’t make it “someone else’s problem.” It’s still your problem, it’s just off-prem. At Rendition, we’ve put out quite a few calls today to MSPs we work with. Some of them have been awesome – they’ve got an action plan to finish patching quickly and monitoring for all assets. One called us last night for advice, another called us this morning. Others responded with “Melt-what?” leading us to wonder what was going on there. Not all hosting providers are created equal. Even if you evaluated your hosting provider for security before you trusted them with your data, now is a great time to reassess your happiness with how they are handling your security. It is your security after all…
Step 6. Have an executive communications plan
When any new vulnerability of this magnitude is disclosed, you will inevitably field questions from management about the scope and the impact. That’s just a fact of life. You need to be ready to communicate with management. To that end, in the early hours of any of these events there’s a lot of misinformation out there. Other sources of information aren’t wrong, they’re just not on point. Diving into the register-specific implementations of a given attack won’t help explain the business impact to an executive.
Spend some time today and select some sources you’ll turn to for information the next time this happens (this won’t be the last time). I’m obviously biased towards SANS, but I wouldn’t be there if they didn’t do great work cutting through the FUD (fear uncertainty and doubt) when it matters. The webcast today was written by me, but reviewed by other (some less technical) experts to make sure that it was useful to a broad audience. My #1 goal was to deliver actionable information you could use to educate a wide range of audiences. I think I hit that mark. I’ve seen other information sources today that missed that mark completely. Some were overly technical, others were completely lacking in actionable information.
Once you evaluate your data sources for the next “big one,” walk through a couple of exercises with smaller vulnerabilities/issues to draft communications to executives and senior leadership. Don’t learn how to “communicate effectively” under the pressure of a “big one.” Your experience will likely be anything but “effective.”
Take some time today to consider your security requirements. It’s a new year and we certainly have new challenges to go with it. Even if you feel like you dodged this bullet, spend some time today thinking about how your organization will handle the next “big one.” I think we all know it’s not a matter of “if” but a matter of “when and how bad.”
Of course, if I don’t tell you to consider Rendition for your cyber security needs, my marketing guy is going to slap me silly tomorrow. So Dave, rest easy my friend. I’ve got it covered.
The WannaCry ransomware worm is unprecedented for two reasons. First, it’s a ransomware worm. Second, it appears to be using a recently patched exploit that was stolen from NSA to propagate. Jake Williams’ firm, Rendition Infosec, has been tracking the use of this exploit since it was publicly released and completed another Internet-wide scan for this threat. The webcast walks you through what we know so far about the malware, the leaked exploits, mitigation strategies, and predictions for future impact.
SANS Institute Internet Storm Center: http://dfir.to/2r4dxMK
Microsoft released information on what can be done to protect against #WannaCry, which includes deploying MS17-010 if not already done (March patch release), updating Windows Defender (updated 12 May 2017), and disabling SMBv1 if it is not in use. Microsoft has provided a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.
Why change the course number? FOR500/FOR408 is an intermediate-level Windows forensics course that skips over the introductory material of digital forensics. This class does not include basic digital forensic analysis concepts. FOR500/FOR408 focuses entirely on in-depth, tool-agnostic analysis of the Windows operating system and artifacts. The course has been at the intermediate skill level since 2013 and a course number change to the 5 level reflects this content more accurately. The course is vigorously updated each year. The change in the course number was timed to coincide with the regularly scheduled update of the course in the Spring of 2017. SANS courses are updated as frequently as possible as part of our efforts to keep teaching material hyper-current and relevant for leading-edge problem solving.
What is the difference between FOR500 and FOR508? FOR500 focuses on deep-dive forensic analysis of Windows operating systems and artifact locations. FOR508 teaches students how to conduct enterprise incident response and threat hunting. Its focus is on intrusion response and forensics. Each course complements the other and both should be taken to create a full operational and analytical capability.
Which course should I take first, FOR500 or FOR508?
It is recommended that FOR500/FOR408 be taken prior to FOR508 so that students obtain a firm understanding of operating system and artifact locations on Windows systems as well as demonstrable, hands-on skills in Windows forensics. However, FOR500 is not a formal prerequisite for FOR508, so the classes could be taken in any order.
How does the change in the course number affect GIAC certification?
Any current GCFE certifications will not change in any way. Any student taking FOR500/FOR408 will be taking the same exam. Additionally, DoDD 8570, DoDD 8140, and ANSI/ISO/IEC 17024 accreditation status remains unchanged.
How will the course number change affect alumni?
Anyone who wishes to retake the FOR500/FOR408 course using the alumni discount may do so if they have taken FOR408 in the past.
If you have any additional questions regarding this change, please email us at FOR500@sans.org
The technical basics of the case are that the FBI is trying to compel Apple Inc. to help create a new capability, installed on the suspect’s iPhone, with the following degraded security mechanisms:
Allow the FBI to submit passcode “electronically via the physical device port”
Will not wipe underlying data after 10 incorrect passcode attempts
Will not cause any delays after incorrect passcode attempts
Here is what we know about the device in question so far. From court documentation we know it is an Apple iPhone 5C, model A1532, running iOS 9, with serial number FFMNQ3MTG2DJ and IMEI 358820052301412. Using the serial number and IMEI, we can garner some additional information that’s crucial to answering the technical questions by using the free website imei.info and other resources. This particular model of iPhone contains an A6 chip. The provider is Verizon and the data capacity could be either 16 or 32 GB. The device is locked with a user-generated, numeric passcode.
Whether or not we’re able to break the passcode on an iPhone depends a great deal on what version of iOS is installed on the device, as well as what version of hardware is involved. The combination of these two factors can mean the difference between being able to break the passcode without Apple’s assistance or having to rely on Apple for help.
For many years, mobile forensic analysts had it easy. With iOS devices using the A4 chip (iPhone 4, iPad) and older (running iOS 7 or older) we were able to make physical images handily. A physical image is the closest thing we get to a bit by bit forensic image of the entire device. These are sometimes referred to as “the good ole days” by those of us doing mobile forensics. A physical image was considered ideal, because it gave us access to all the data stored on the phone. As time has moved forward, it has gotten more and more difficult to pull complete physical images from mobile devices of all varieties. More often, we’re able to obtain forensic backups or logical extractions of portions of the data from mobile devices.
Starting with the Apple A5 chip (iPhone 4S, iPad 2) and any iOS version, we can still acquire a physical and/or logical image, but we will need the passcode as well as jailbreak software, or a device that’s been previously jailbroken by the user.
The San Bernardino iPhone central to this discussion contains the A6 chip (found in the iPhone 5, iPhone 5C) and based on court documentation from the case, some version of iOS 9 is installed on the device. For this particular device, we would still need the passcode and jailbreak software to get a physical dump or just the passcode to get a logical extraction or forensic backup of the file system.
These “it depends” scenarios get complicated, and sometimes a great reference document is needed to keep track of it all. Devon Ackerman, Special Agent/Forensic Examiner provided the great spreadsheet shown in the below images to us, and has given permission to share it.
Why can’t the FBI dump the iPhone like a hard drive?
iOS devices offer increased levels of encryption with each new release. The Apple A5 (and newer) chips offer the greatest amount of encryption and are the most difficult Apple devices so far to access when locked. These iOS devices are encrypted with 256-bit AES encryption at the hardware level. The encryption key is stored between the flash memory and system area on the iOS device. This area is referred to as “effaceable storage.” Hardware-level encryption is important because resulting extractions will only allow viewing of the file system and metadata, while leaving file contents unreadable due to encryption. Using the passcode to unlock the device prior to acquisition allows decryption of the data and renders it usable.
The iPhone 4S, which debuted the A5 chip, featured beefed up security which decreased the number of commands available in the boot loader, and consequently made it more difficult to physically acquire the device. The A6, A7, and A8 chips have followed suit and have become increasingly secure with each new chip release. The iPhone 4 has a bootrom exploit (24kpwn) which is used by commercial mobile forensic tools and non-commercial methods to physically access the device and bypass a lock. In the A5, A6, and A7 chips this exploit has been patched. This patch occurred well before the release of the iPhone 6 and the A8 chip.
Additionally, most logical files stored on the user partition of the disk are protected by a per-file encryption called Data Protection. This means that if we were able to get a dump of the data from the phone via chip-off or JTAG techniques (either of which could be destructive to the device) the contents of the files would still be encrypted. The following screenshot shows a physical image from a device with Data Protection. The file system is readable, however the file contents are encrypted.
iPhone Physical Image – Note the file system structure and associated metadata:
As far as we are aware, it is not possible at this time to extract the iPhone hardware keys along with a brute force of the passcode to decrypt the file contents.
What about those auto-magical password cracking tools I see on CSI Cyber?
Just because you see actor-investigators, actor-analysts, and actor-technicians quickly and effortlessly solve all the nearly-impossible tech problems presented to them in the span of an hour long episode does not necessarily mean things ever work that way in real life. Remember, these shows are largely fiction with a few juicy tidbits of truth thrown in here and there for good measure. Brute force password cracking on TV rarely fails, and is usually successful just barely in the nick of suspense filled time.
Three (real) and popular commercially available password cracking solutions for iPhone are described below:
1. One of the auto-password guessing tools is called the IP-BOX. The IP-BOX is a black box that originates from the phone unlocking, hacking, and repair market and can be used to defeat simple 4-digit passcodes on iOS devices running versions of iOS through iOS 8.1.2. Following testing and validation, this box has been used by law enforcement (with valid legal authority) quite effectively to unlock iPhones for evidentiary purposes, until the exploits being leveraged by the device were patched by Apple. Again, from the court documentation available, the San Bernardino iPhone is likely running some version of iOS 9, thus the IP-BOX would not be effective.
2. Cellebrite’s Advanced Investigative Services (CAIS) offers an iPhone unlocking service using tools and processes that are proprietary and publicly unknown. We are aware of a number of great success stories related to use of Cellebrite’s services to unlock iPhones in criminal cases. Use of this service requires an agency to provide the physical device to Cellebrite in hopes of getting the device and passcode in return. This service is advertised to only work on the iPhone 4S (or newer) devices running iOS 8.0 to 8.4.1. The service also states that the “device wipe” functionality is bypassed. Cellebrite also has a user lock recovery tool for use on iOS and Android devices that relies on brute force attacks. This tool is only effective with iOS devices running versions of iOS 7.
3. Secure View’s svStrike is similar to the IP-BOX, but with added capabilities including the ability to brute force up to a 6-digit passcode (versus 4-digit). The documentation does not state whether the “device wipe” functionality can be bypassed.
You have the suspect’s thumb, could the FBI just use Touch ID on the Apple iPhone?
If only. Unfortunately, the iPhone we’re talking about here was an iPhone 5c, and Touch ID was introduced with the more fully featured iPhone 5s.
Ironic, isn’t it? One less security feature to attempt to exploit actually means this particular iPhone is more secure.
Assuming an alternate universe, where the suspect had a Touch ID capable model of iPhone and Touch ID was enabled by the suspect, there would have been a very limited time window during which his hands could have been used to attempt to unlock the phone. Let’s face it though – there was a whole lot going on in those first few hours of terror. Mass casualties and injured people, a large crime scene, stretched resources and buckets of adrenaline. Search warrants were being written and executed. The existence of this particular iPhone likely was not yet even known, let alone who it belonged to. To quarterback after the fact and say that the cops should have matched the dead terrorist’s thumb to this particular iPhone in the midst of the chaos is asking people who are already heroes to have been comic book superheroes.
Here are the technical limitations they would have faced: According to Apple’s security documentation, to use Touch ID users must set up their device to require entry of a passcode to unlock it. When a recognized enrolled fingerprint is scanned via Touch ID, the device unlocks without asking for the device passcode. The passcode can be used instead of a fingerprint, and the passcode is still required when the device is restarted, when the device has not been unlocked for more than 48 hours, when the device has received a remote lock command, after five unsuccessful attempts to match a fingerprint, or when setting up or enrolling new fingerprints with Touch ID.
In this case, because of the iPhone 5C hardware, Touch ID wasn’t even an option. Therefore we face the following passcode options: 1) A four digit simple passcode. This is the most common passcode for pre-iOS 9 devices. 2) A six digit PIN, introduced with iOS 9. More digits means more difficulty and more time for a brute force attack. 3) A complex passcode. Complex alphanumeric passcodes can also be used on iOS devices, making our brute force attempts even more difficult. Most forensic tools can crack simple passcodes if the iOS version is supported. At best, complex passcodes can be bypassed if the iOS device can enter DFU mode (not damaged) and the device is supported for physical acquisition, which is not the case with this iPhone.
Oh, so it’s just an Apple iPhone PIN code, why can’t the FBI just brute force it now?
Brute force can be attempted and may work using the tools discussed above.
However, should the user have their iPhone enabled to wipe after 10 failed attempts, the data on the device could be wiped and rendered useless within minutes of running the brute force attack. This is the risk we aim to avoid, at all costs.
While iOS devices used to warn the user of an impending wipe of the device following too many failed passcode entry attempts, this is not the case anymore. Based upon data found in iCloud backups and information provided by the employer-owner of the phone, investigators in the San Bernardino case have reason to believe that the Erase Data function was turned on. A blind brute-forcing attempt to break the passcode in this case would not have been wise.
Could the Apple iPhone iCloud backups be of help to the FBI?
Yes. If the device has iCloud backups enabled then the backup files can be recovered. In this case, the last iCloud backup file that was recovered and examined by the FBI was dated October 19, 2015, which is over a month before the attacks occurred. iCloud backup files contain user data as specified through their specific iPhone settings including email, contacts, calendars, photos, and Apple keychain data. iCloud backups are only performed when the device is connected to a WiFi network and plugged in. As long as the settings are turned on and maintained, iCloud backups would occur regularly when connected to a WiFi network. Any changes to the configuration of the iCloud backup settings require the user’s iCloud password and the correct password to be entered into the iPhone. If the password to the user’s iCloud account changes, the device user would need to enter the new password into the device before the device could successfully back up their data to iCloud.
The iCloud password was remotely reset by the owner of the device, San Bernardino County, hours after the attack, eliminating the possibility of an automatic backup if the device connected with a known WiFi network. Also, a Mobile Device Management (MDM) solution should be considered for any government or corporate owned phones used by employees. MDM solutions would help prevent locking out the organization from the phone that they own and could secure the data for eventual examination.
I heard Apple has helped out the FBI before, why is this different?
Previously, when presented with search warrants compelling their assistance, Apple has provided law enforcement agencies with the extracted contents of older iPhone devices running iOS 7 or older. They did this by running a specialized RAM disk on the devices to bypass the passcode to obtain the data. As of iOS 8 Apple has stated that this process is no longer an option due to how the encryption process has changed. From Apple’s “Legal Process Guidelines”:
“For all devices running iOS 8.0 and later versions, Apple will not perform iOS data extractions as data extraction tools are no longer effective. The files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”
I hear Apple holds the key, can you explain?
One ring key to rule them all! When an iOS device boots it verifies the Boot ROM code against the Apple Root CA public key; this is the first step in the secure boot chain. This ensures that iOS devices will only boot with Apple provided iOS software. If another version of the iOS software was created (either by Apple or other 3rd parties) the device would still be required to verify the Boot ROM against the Apple Root CA public key to successfully load. Only Apple has a copy of their private key and this is a critical reason why the government cannot simply write their own version of iOS.
One of the critical security mechanisms for distributable software is this verification process. If a private key is lost or stolen, hackers could write backdoors, espionage software, or other malicious capabilities into software that the device would automatically trust and load.
Ok, I get it. This is hard. Can they get the data from anywhere else? I heard the FBI has other cellphone evidence from the Apple iPhone. Surely this can be used? (…and don’t call me Shirley!)
Some data related to use of the iPhone 5c likely exists in other locations, including the suspect’s iCloud account, the hard drive of any computers the iPhone was backed up to, the carrier, and potentially other cloud based accounts related to apps in use on the phone. Also, conversations have at least two sides, and anyone the suspect was communicating with could have relevant information stored within their phones as well.
According to the court filing, two other cell phones were examined in this case. Both of those phones were found “destroyed” and “discarded” in a dumpster behind the residence. These phones may contain information useful to the investigation, or which could potentially lead to the passcode for the iPhone 5c. Many times, “destroyed” phones can be repaired to get to relevant evidence, many times passcodes are more easily recovered from different mobile devices, and many times passcodes are reused between devices. Time will tell.
If the FBI can get to the Apple iPhone data, what else can they find?
If the FBI can get to the data, a plethora of information may be accessible. The iPhone most likely contains recent conversations, call logs, Internet searches, chats, application usage, locational data and much more. Our smartphones are the most personal devices we own and contain information that provides deep insight into our lifestyle.
Merely getting to the data is sometimes just the first challenge. If we are able to successfully dump the phone after obtaining or bypassing a passcode, data stored by the apps themselves is often encrypted. This scenario is increasingly common, as app developers work to make user data more secure and are implementing data-at-rest security features like encrypted databases, or encrypted content within databases. For example, Threema is a commonly used secure communications app that is used world-wide. The data associated with the application is all encrypted when data is dumped from the iPhone. If the user relied upon third-party applications like Threema to chat, it’s likely the FBI would be faced with an additional hurdle – encryption that Apple cannot help with.
Can Apple even do what the FBI is asking for?
From what we know about iPhones, the A6 chip, and iOS 9, the answer is: Probably. Apple may be the only ones who currently can. Which is not to say someone else outside Apple and the FBI won’t come up with a creative solution to this problem. Our bets aren’t on McAfee’s social engineering attack though. Dan Guido from Trail of Bits describes this in a bit more technical detail, and Jonathan Zdziarski also agrees that Apple would be technically able to comply with the order given the hardware and iOS version involved.
This is interesting, may I have more information?
We have found the articles below well written and useful for learning more about this topic.
Heather Mahalik is leading the forensic effort as a Principal Forensic Scientist and Team Lead for Oceans Edge, Inc. and has extensive experience in digital forensics which began in 2003. She is currently a senior instructor for the SANS Institute and is the course lead for FOR585: Advanced Smartphone Forensics.
Sarah Edwards is a senior digital forensic analyst who has worked with various federal law enforcement agencies. Her research and analytical interests include Mac forensics, mobile device forensics, digital profiling, and malware reverse engineering. Sarah is the lead author for FOR518: Mac Forensics.
** Above Joe Friday “Just the FAQs” – Photo by Brian Moran @brianjmoran
David Cowen is teaching our Windows Forensics Course in SANS Minneapolis in July 2015. Sign up now to take this course with David. We interviewed David so you can get to know him a bit better — he is one of the best in the industry. A leader. An astonishing analyst and visionary. He is our current DFIR Hero.
1. Who are you? What is your homepage?
I’m David Cowen. I think most people know me from www.hecfblog.com but I also maintain www.gettriforce.com for our software, www.learndfir.com for the books and my company site www.g-cpartners.com
3. Tell us how you became interested in IR or Forensics.
I was a pen tester in the 90s and I thought that was probably the coolest job I would ever have. Then in 1999 I got a call from a physical company I had a relationship with about a rogue ex-CTO who they suspected was keylogging the other executives. I took on the job, got my first copy of Encase and thanks to our suspect’s own bad decisions solved the case. After that I was hooked and found something even better than pen testing where people really cared about the results of my work and I made a difference.
4. What gives you the most satisfaction while working on a case?
When I get to see that moment of comprehension in my client’s face when they finally understand what we were able to prove happened. Every case is different because the people who perform the actions we investigate are different so finding out what makes them special and helping someone else understand that so they can use it keeps me going. Well that and finding new artifacts!
5. What forensic techniques do you find the most useful?
All of them I think is the right answer. If I was to promote one thing that people are not doing, it’s testing. Testing their assumptions, tools and theories to make sure that the artifacts they are relying on are repeatable and re-creatable.
6. What is your forensic tool of choice and why?
You know I have to say Triforce ANJP. File System Journal forensic analysis is something I do in every case now to understand at a lower level exactly what happened in the past on a system.
7. What area of forensics or incident response needs to be understood by every new investigator?
File system journaling forensics I think is something everyone needs to start looking at. Otherwise validating assumptions and findings before presenting them.
8. What area of digital forensics or incident response is the most exciting development over the past few years?
I have to say File system journaling forensics as it’s been my main area of research over the last 3 years. Otherwise artifacts like shellbags, shimcache and the rise of memory forensics have been a huge boon for everyone.
9. Why is teaching computer forensics to new students important? Why do you like doing it?
You will never fully understand and master a topic until you have to teach it to someone else. Every time I teach for SANS and talk to the students I walk away with new questions, ideas and theories to test that make me a better examiner.
Beyond that I love watching students grow in their knowledge and ability through each day of the class. They come out much more confident and prepared for the world when they leave us.
10. How long have you been instructing or teaching individuals in computer forensics?
I’ve been teaching computer forensic classes since 2001 with the local HTCIA, classes at conventions, private classes for industry as well as teaching a graduate course in forensics once. Teaching is something I enjoy doing and SANS makes it fun.
11. What is your favorite part of the SANS FOR408: Windows Forensics class?
I think for me it’s the day 6 challenge. After being bombarded with information and artifacts for 5 days you really get a feeling for how well you did as an instructor when the students begin getting excited by using what they learned the last 5 days.
12. How did you get involved in SANS? What makes SANS unique?
I reached out to SANS about developing training around my file system journaling forensics research. Given the opportunity to not only help develop new content for SANS but to also teach was too good of an opportunity to say no to.
The thing that makes SANS different from all of the other courses I’ve taught is the level of quality and effort demanded from everything you do. The slides, notes, labs, instruction, everything has to be the best and I enjoy meeting the challenge.
13. What do you do in your free time when not working on computer forensics?
I like to be a Dad to my kids and of course master the art of Texas BBQ.
David’s Full Bio:
David Cowen is a Partner at G-C Partners, LLC, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He has been working in digital forensics and incident response since 1999 and has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.
David has authored three series of books on digital forensics; Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David’s research enables examiners to go back in time to find previously unknown artifacts and system interactions.
David speaks about digital forensics and file system journaling forensics at DFI and Infosec conferences across the United States. He has taught digital forensics both as a SANS instructor and as a graduate instructor at Southern Methodist University.
David is a Certified Information Systems Security Professional (CISSP) and a GIAC Certified Forensic Examiner. He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. He started in 1996 as a penetration tester and has kept up his information security knowledge by acting as the Red Team captain for the National Collegiate Cyber Defense Competition for the last nine years.
David is the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award winning Hacking Exposed Computer Forensics Blog. The blog (www.hecfblog.com) contains some 448 articles on digital forensics. David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the year. The Forensic 4cast award winners are nominated by their peers and voted on by the greater DFIR community.
When David is not researching, writing, testifying, or teaching about digital forensics he spends time with his family and working on mastering Texas BBQ.
SANS’ annual dedicated Digital Forensics and Incident Response (DFIR) Summit & Training event returns for 13 days of intensive training and excellent networking opportunities.
The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response.
Call for Speakers- Now Open
DFIR Europe Summit Call for Speakers is now open. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.
The DFIR Europe Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.
Submit your submissions to email@example.com by 5 pm BST on 1 June, 2015 with the subject “SANS DFIR Europe Summit.”
Benefits of Speaking
Promotion of your speaking session and company recognition via the DFIR Summit website and all printed materials
Visibility via the DFIR post-Summit on the SANS DFIR Website
Full conference badge to attend all Summit sessions
Speakers can bring 1 additional attendee for free to attend the summit
*Presentations may also be recorded and made available via the Internet to a wider audience (at the discretion of SANS).
Title of Proposed Talk
The presentation abstract should outline your presentation and what attendees will All content must be strictly educational. The presentation should be relevant to: Digital Forensics Examiners, Media Exploitation Analysts, Legal, Incident Response Teams, Security Operations and Law Enforcement professionals.
2015-03-04 UPDATE: I’ve added some thought process/methodology to the answers inline below.
Thanks to everyone that submitted or just played along with the SANS DFIR Network Forensic Challenge! We had over 3,000 evidence downloads, and more than 500 submissions! Per the rules, the winner must have answered four of the six questions correctly. Then, by random selection among those submissions, the winner was selected.
We’re excited to announce that Henry van Jaarsveld is the winner for this challenge! Congratulations, and we hope you enjoy your SANS OnDemand Course. Great work, Henry!
Thanks for all the submissions and interest in this challenge. If you enjoyed the questions – no matter how many questions you answered – you should check out FOR572: Advanced Network Forensics and Analysis. The class is available via OnDemand, as well as the following live and virtual SANS events:
More live and virtual/remote events are being added all the time, so keep checking the course page for additional offerings.
The challenge answers are listed below:
At what time (UTC, including year) did the portscanning activity from IP address 18.104.22.168 start?
Answer: Aug 29 2013 13:58:55 UTC
Portscanning activity is typically characterized by connection attempts to a range of ports. This is often rapid and originates from the same IP address. Some scanning utilities may or may not use the same source port or a small cluster of source ports. In this case, the following command gets you started:
However, we’ve asked for the time in UTC, which is the only recommended time zone to use for forensic reporting. To find the offset, examine the same “messages” file further. This isn’t often an explicitly logged value, so context is necessary. The following line shows the syslog time (system local time) and a corresponding UTC value. Therefore, it is reasonable to state that the system’s time zone is UTC-4 during the time the file was created.
Aug 29 07:07:40 gw kernel: rtc_cmos rtc_cmos: setting system clock to 2013-08-29 11:07:08 UTC (1377774428)
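The offset derivation described above, as an added Python example that is not part of the original write-up. It parses the quoted rtc_cmos line, cross-checks the UTC string against the epoch value, and rounds the difference to a 15-minute boundary because the syslog stamp is written some seconds after the RTC is read. The function names are hypothetical, and the local stamp "Aug 29 09:58:55" used in the demo is back-computed from the stated answer and the UTC-4 offset rather than quoted from the evidence.

```python
import re
from datetime import datetime, timedelta, timezone

# Line quoted in the write-up: the syslog prefix is local time, the kernel text is UTC.
RTC_LINE = ("Aug 29 07:07:40 gw kernel: rtc_cmos rtc_cmos: setting system clock to "
            "2013-08-29 11:07:08 UTC (1377774428)")

RTC_RE = re.compile(
    r"^(?P<local>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"setting system clock to (?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC "
    r"\((?P<epoch>\d+)\)"
)


def derive_offset(line):
    """Return (year, UTC offset) implied by an rtc_cmos clock-setting line."""
    m = RTC_RE.match(line)
    if m is None:
        raise ValueError("not an rtc_cmos clock-setting line")
    utc = datetime.strptime(m["utc"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    # The kernel logs the same instant twice; refuse to continue if they disagree.
    if int(utc.timestamp()) != int(m["epoch"]):
        raise ValueError("UTC string and epoch value disagree")
    # Classic syslog stamps carry no year, so borrow it from the UTC value.
    # Assumption: the line was not logged across a New Year boundary.
    local = datetime.strptime(f"{utc.year} {m['local']}", "%Y %b %d %H:%M:%S")
    skew = (local - utc.replace(tzinfo=None)).total_seconds()
    # The two stamps differ by boot latency (32 s here); real zone offsets
    # are multiples of 15 minutes, so snap to the nearest one.
    quarter = 15 * 60
    return utc.year, timedelta(seconds=round(skew / quarter) * quarter)


def syslog_to_utc(stamp, year, offset):
    """Convert a year-less local syslog stamp to an aware UTC datetime."""
    local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return (local - offset).replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    year, offset = derive_offset(RTC_LINE)
    print("system offset from UTC:", offset)
    # Back-computed local stamp (see lead-in), not a line from the evidence.
    print(syslog_to_utc("Aug 29 09:58:55", year, offset).isoformat())
```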
What IP addresses were used by the system claiming the MAC Address 00:1f:f3:5a:77:9b?
-n: suppress DNS lookups
-r nitroba.pcap: file to read
-T fields: use “fields” output format
-e ip.src: output just the “ip.src” field, as defined by the Wireshark/tshark parsers
-Y 'eth.src == 00:1f:f3:5a:77:9b and ip': display filter to limit results to the MAC address of interest and IP traffic, which would be the only traffic to include IP addresses
| sort | uniq: bash shell utilities to narrow results to only unique values
What IP (source and destination) and TCP ports (source and destination) are used to transfer the “scenery-backgrounds-6.0.0-1.el6.noarch.rpm” file?
Answer: 22.214.171.124 and 192.168.75.29, 30472 and 51851
Again, the tshark utility is your friend. This is a multiple-stage process. First, get the frame number containing the desired request. This command returns frame number 5846.
-n: suppress DNS lookups
-r ftp-example.pcap: file to read
-Y 'ftp.request.arg == "scenery-backgrounds-6.0.0-1.el6.noarch.rpm"': display filter to limit results to just FTP commands that included the argument of interest
-T fields: use “fields” output format
-e frame.number: Get the frame number containing the desired request
Next, find the immediately preceding “Passive Mode” response.
-n: suppress DNS lookups
-r ftp-example.pcap: file to read
-Y 'ftp.response.code == 227 && frame.number < 5846': Display filter to limit results to just FTP response codes of “227” (Entering Passive Mode) and prior to the frame number containing the request of interest
-T fields: use “fields” output format
-e frame.number -e ftp.passive.ip -e ftp.passive.port: Get the values from the fields of interest
| tail -n 1: Just return the last result from the list
Finally, get IPs and ports from both ends of the data transfer.
-n: suppress DNS lookups
-r ftp-example.pcap: file to read
-Y 'ip.addr == 126.96.36.199 && tcp.port == 30472': Display filter to isolate TCP connection according to IP and port determined above
-T fields: use “fields” output format
-e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport: Get the values from the fields of interest
| sort | uniq: Only display unique lines
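The first two stages of the procedure above, as an added Python example (not the challenge author's code): find the request carrying the filename, walk back to the nearest preceding 227 reply, and decode its (h1,h2,h3,h4,p1,p2) tuple into the data-channel endpoint, where port = p1*256 + p2. The control-channel transcript is constructed for illustration; the server address is from a documentation range and the RETR verb is an assumption, while the filename, frame 5846 and port 30472 come from the write-up.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed control-channel excerpt: (frame number, sender, line).
# Several transfers share one control session, each with its own PASV exchange.
CONTROL = [
    (5790, "client", "PASV"),
    (5792, "server", "227 Entering Passive Mode (198,51,100,20,203,11)"),
    (5794, "client", "LIST"),
    (5840, "client", "PASV"),
    (5843, "server", "227 Entering Passive Mode (198,51,100,20,119,8)"),
    (5846, "client", "RETR scenery-backgrounds-6.0.0-1.el6.noarch.rpm"),
    (5990, "client", "PASV"),
    (5992, "server", "227 Entering Passive Mode (198,51,100,20,150,44)"),
]


def parse_227(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # every element is a single octet
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def data_channel_for(control, filename):
    """Return (frame, ip, port) of the 227 reply that governs `filename`.

    `control` must be ordered by frame number. Like the ftp.request.arg
    filter, the match is on the argument, whatever the command verb is.
    """
    request_frame = None
    for frame, sender, line in control:
        parts = line.split(" ", 1)
        if sender == "client" and len(parts) == 2 and parts[1] == filename:
            request_frame = frame
            break
    if request_frame is None:
        return None

    endpoint = None
    for frame, sender, line in control:
        if frame >= request_frame:
            break
        if sender == "server":
            parsed = parse_227(line)
            if parsed is not None:
                # Keep overwriting: only the last 227 before the request applies.
                endpoint = (frame,) + parsed
    return endpoint


if __name__ == "__main__":
    print(data_channel_for(CONTROL, "scenery-backgrounds-6.0.0-1.el6.noarch.rpm"))
```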
How many IP addresses attempted to connect to destination IP address 188.8.131.52 on the default SSH port?
A connection attempt may or may not be successful, so we can simply limit our search to the high-level filtering provided by nfdump. You could use grep against the text file as well.
There are 55 total connections:
$ nfdump -q -O tstart -r nfcapd.201405230000 -o 'fmt:%sa' 'dst ip 184.108.40.206 and dst port 22' | wc -l
-q: “quiet” output, which suppresses summary header/footer information
-O tstart: order output by “start time” of each record
-r nfcapd.201405230000: input file to read
-o 'fmt:%sa': only display the source IP address for each record
'dst ip 220.127.116.11 and dst port 22': limit flows to those destined for the IP address of interest on the default SSH port. You might also limit by TCP protocol by adding “and proto tcp”
| wc -l: count the results
There were 49 unique IPs in this data set:
$ nfdump -q -O tstart -r nfcapd.201405230000 -o 'fmt:%sa' 'dst ip 18.104.22.168 and dst port 22' | sort | uniq | wc -l
This is the identical command to that above, but uses the following shell command chain
| sort | uniq | wc -l: Count only unique lines from the nfdump command’s output
What is the byte size for the file named “Researched Sub-Atomic Particles.xlsx”?
Answer: 13,625 bytes
To find the portion(s) of the input pcap that involve the filename of interest, use the “smb.file” field to find the TCP streams of interest.
This file is very feasible to open in Wireshark, as it’s a mere 18MB.
After opening the file, you must explore the SMB session – which is not at all a simple process. In the input file generated above, the message we’re interested in is the Trans2 Response message containing Standard File Info for the file of interest. This occurs in frame 749 (frame.time = Apr 5, 2012 14:21:50.574112000). By spelunking the available fields, you’ll find the “End of File” value, which is 13,625. This represents the number of bytes in the file. Note that the Wireshark status bar tells us that Wireshark knows this field by the name “smb.end_of_file”, which could be used to scale this process out via the tshark utility.
The traffic in this Snort IDS pcap log contains traffic that is suspected to be a malware beaconing. Identify the substring and offset for a common substring that would support a unique Indicator Of Compromise for this activity.
Answer: ULQENP2 at offset 4 (bytes 5-11 of the TCP data segment, zero-based)
There are a number of ways to approach this. The goal is to identify commonalities among the individual sessions, even though we are not (yet) sure what the bytes mean.
This evidence file is small enough to load into Wireshark, then visually explore the content – despite Wireshark not knowing the content is anything other than generic “Data”.
After visually inspecting these fields in the traffic the IDS logged, you should see that bytes 4-10 (zero-based, of course) seem consistent. This can be confirmed with the following display filter:
data.data[4-10] == 55:4c:51:45:4e:50:32
After applying this filter, you can quickly see that 100% of the packets in the IDS log file match. Expanding the filter one byte before or after this substring range results in a <100% match. Barring any additional knowledge of the custom protocol used for these communications, this substring and offset would be a good indicator of compromise.
BONUS! Identify the meaning of the bytes that precede the substring above.
Answer: UNIX Timestamp
There is no magic solution here – just trial and error combined with experience. The UNIX timestamp (number of seconds after Jan 1, 1970 at 00:00:00 UTC) fits into four bytes. Those with a keen eye for timestamps will see that after converting any given four byte sequence to a big-endian integer, then converting that to a timestamp, the Wireshark/tshark “frame.time” field value corresponds almost perfectly in every case. For example:
0x4fe6c278 == 1340523128
$ date -u -d @1340523128
Sun Jun 24 07:32:08 UTC 2012
Corresponding frame.time: Jun 24, 2012 07:32:08.273277000
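The visual comparison and the timestamp check from the last two answers, as an added Python example that is not part of the original write-up: it finds every run of offsets where all payloads agree, renders the longest run as the data.data display filter, and decodes the four leading bytes as a big-endian UNIX timestamp. The three payloads are constructed for illustration; only the ULQENP2 substring, its offset and the 0x4fe6c278 value come from the write-up, and the function names are hypothetical.

```python
import struct
from datetime import datetime, timezone


def _sample(ts, tail):
    """Build a constructed beacon: 4-byte timestamp, marker, variable tail."""
    return struct.pack(">I", ts) + b"ULQENP2" + tail


# Constructed payloads (not bytes from the challenge pcap).
SAMPLES = [
    _sample(0x4FE6C278, b"\x01\x9a\x33"),
    _sample(0x4FE6C2B4, b"\x7f\x10"),
    _sample(0x4FE6C3A1, b"\xc4\x55\x02\x08"),
]


def common_runs(payloads, min_len=2):
    """Return [(offset, bytes)] for each run of offsets where all payloads agree."""
    if not payloads:
        return []
    limit = min(len(p) for p in payloads)  # compare only the shared prefix length
    runs, start = [], None
    for i in range(limit + 1):
        same = i < limit and all(p[i] == payloads[0][i] for p in payloads)
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:
                runs.append((start, payloads[0][start:i]))
            start = None
    return runs


def best_indicator(payloads):
    """Pick the longest common run; short runs are weak indicators."""
    runs = common_runs(payloads)
    return max(runs, key=lambda r: len(r[1])) if runs else None


def display_filter(offset, run):
    """Render a run as a Wireshark display filter on the generic data field."""
    hexbytes = ":".join(f"{b:02x}" for b in run)
    return f"data.data[{offset}-{offset + len(run) - 1}] == {hexbytes}"


def leading_timestamp(payload):
    """Interpret the first four bytes as a big-endian UNIX timestamp (UTC)."""
    (secs,) = struct.unpack(">I", payload[:4])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


if __name__ == "__main__":
    # The two high timestamp bytes also repeat in a short capture, but they
    # change as time passes, so they are reported and then ignored.
    for offset, run in common_runs(SAMPLES):
        print(offset, run)
    offset, run = best_indicator(SAMPLES)
    print(display_filter(offset, run))
    print(leading_timestamp(SAMPLES[0]).isoformat())
```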
Join us at DFIR Monterey 2015 – a Reverse Engineering Digital Forensics and Incident Response Education (REDFIRE) Event.
This unique Digital Forensics and Incident Response (DFIR) event brings our most popular forensics courses, instructors, and bonus seminars together in one place to offer one of SANS most comprehensive DFIR training experiences. This is a must-attend event for you and your team as our leading experts focus on building the DFIR skills that will take you to that next level.
The objective of the DFIR Monterey 2015 challenge is simple: Download the network forensics dataset and attempt to answer the 6 questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. The contest ends on February 3, 2015 and we will announce the winner by February 9, 2015. Good luck!
Win a free DFIR OnDemand course by downloading the network forensic dataset and answering the following questions.
SANS OnDemand is the world’s leading comprehensive online training for information security professionals. OnDemand offers more than 25 SANS courses whenever and wherever you want from your computer (Windows, Mac, and Linux), iPad or Android tablet. OnDemand allows you to learn at your own pace, spend extra time on complex principles, reinforce concepts with quizzes, and repeat lab exercises – all of which increases your retention of the course material.
Your course enrollment gives you printed course books, CD/DVDs/USBs/Toolkits for hands-on exercises (as applicable), four months of online access to our OnDemand e-learning platform featuring a top SANS instructor presenting the material, quizzes, and synchronized video demonstrations/interactive labs (as applicable).
Entry: Each participant may respond only once for the challenge. Contest begins on Monday, December 1, 2014 and ends Tuesday, February 3rd 2015. Responses must be submitted by 9pm EST on February 3rd.
Prize: Each person that correctly answers at least 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. SANS will choose only one winner, the seat is transferable to another in the same organization/company and does not include a certification attempt. The winner will be chosen by February 9th, 2015 and will be notified by email.
Questions regarding the challenge? Please send to DFIR-Challenge “at” sans.org. (DFIR-Challenge@sans.org )