DFIR in a Land Down Under
(A summary of DFRWS-APAC 2024, with apologies to Men At Work)
The 4th DFRWS APAC conference was held in Australia, in Brisbane, Queensland, from October 22-24, 2024, and Hexordia was there to present a hands-on workshop, attend the conference, and experience a bit of the antipodal island continent. Below are some highlights.
Old school, steam-punk era Robo-Roo. The photon cannon is strictly for defensive purposes only. As long as their eyes aren’t glowing red, they’re relatively safe.
♫ Where Research Grows, and It's No Wonder ♫
DFRWS (www.dfrws.org) has been a venue for bringing researchers and practitioners together and showcasing the newest research and development work in Digital Forensics and Incident Response for almost 25 years (next year is the anniversary). This is the fourth year for the Asia Pacific (APAC) conference version, with the first year being virtual only because of COVID-19 travel restrictions. Jessica Hyde presented a 1/2-day workshop on Third-Party App Analysis Methodologies. This hands-on workshop let attendees dig into how to approach analyzing unknown and undocumented applications found on smartphones. With millions of apps out there and “only” thousands of them documented, examiners and responders will likely encounter programs they have never seen where no documentation exists.
Around 25 people attended the workshop in person, with more attending virtually. DFRWS had two satellite sites at universities in India and one for Hong Kong law enforcement. The workshop was very well received, with a mix of traditional instructional and hands-on exercises coupled with Jessica's energy, knowledge, and experience.
We will now be retiring this training course after having presented this workshop at all three DFRWS conferences in 2024 (Brisbane, Baton Rouge, and Zaragoza). But fear not: we will be creating a new course in 2025 with revised content covering third party mobile applications.
The Workshop Room at Cloudland
Jessica discussing the principles behind how to analyze an unknown application.
♫ Can't You Feel, Can't You Feel The Sunbur[n] ♫
As for the main program, Michael Cohen gave a forward looking keynote titled "Digital Forensics is dead! Long live Digital Forensics!" in which he talked about how the pressures between security (i.e., DF/IR) and privacy (read: encryption) will make continue to make it
more difficult to do digital forensics the same as we have been doing it for years. But the field has always been changing and 20 or 30 years ago, our tools were more primitive (strings and grep) and not as much was documented. In certain situations, "forensic readiness" will be the key--configuring systems to provide certain information. This will start with businesses that care, but eventually spread to businesses that care about staying in business, and beyond.
The second day's keynote was from Darren Hopkins presenting his experiences having worked in DFIR in Australia for the last 30 years, starting as a niche area in law enforcement and growing into a multidisciplinary field. He also talked about the ransomware ecosystem, and how typically the weak link is the human that clicks on the suspicious link in a suspicious email. (It can also be argued that software that makes it too easy to execute untrusted, third party code from an unknown source with conflicting identity data might also be a contributing factor.) These are the same humans that don't have time to make a backup of the data on their now-compromised systems, and want to negotiate on the price with the perpetrators who are happy to wait and delete more of their data. Apparently Australian companies have a reputation for paying the ransom and therefore are desirable targets.
The papers and presentations covered a variety of topics, including using LLMs to generate background activity in synthetic data (for testing, education, and training); Deepfake detection; looking at what EnCase L01 and AFF4-L logical image formats provide and what is missing; using LLMs to analyze text to profile authors; using PCAPs of SMB data to reconstruct a file system; how Apple Health Data has changed over the years; what data can be found on old
Nintendo 3DS systems; the accuracy (or inaccuracy) of GPS tags on smartphone photos, and more! As always, the abstracts and full papers are available on the DFRWS web site (https://dfrws.org/apac-2024-program).
In addition, there was a panel session with Jessica, Parag Rughani of the National Forensic Sciences University (NFSU), and Adam Firman of MSAB, chaired by Matthew Sorell on the new UN CyberCrime Convention, and how it will affect DF and what they think it got wrong, got right, or is at least a start. Given that every country in the UN has to more or less agree or provide their take on every point in the document, it's self-limiting by definition. The biggest consensus in the document involved crimes against children.
Jessica makes an important point during the Panel Session.
Other activities included an outing to the Wharf District on Brisbane River, at the so-called Felons Brewery, a brewery/restaurant that spanned about two city blocks along the riverside, which went under the Story Bridge that connects Fortitude Valley (where the conference was) to Kangaroo Point (I am not making up that name; also the Story behind the bridge was John Douglas Story, a well known local public servant). The second night's activities was the Forensic Rodeo at BrewDog, where teams on site and around the world competed in solving the mystery of "Operation Pumpkin Scone" which involved a stolen recipe and evidence in the form of a database of Apple health data. Jimmy Three Pockets, a team from Germany, continued their winning streak at DFRWS rodeos and took first place.
An informal planning session afterwards was held at the 4th floor rooftop bar of Cloudland, where the event was held. Because it was a public space, small groups of people got together, but there was also circulation, giving people an opportunity to chat with other attendees and organizers. While feedback on the conference sounded positive, a few people had mentioned that they heard of the conference by chance word of mouth, just a week or two prior. Getting the message out about next year will need to be a priority.
♫ You Better Use Sunscreen For Cover ♫
For those of us not local to the continent, region, or hemisphere, a trip to Australia includes a bit of mandatory tourism. And being outside in the afternoon hours typically meant the UV Index was around 11 (“extreme”), so local sunscreen was a necessity.