This year’s CEIC conference provided a series of excellent presentations and labs that spoke to cutting edge research in the computer forensic field. The presentations I attended included APT analysis, PList Analysis, and Social Media Analysis. In addition to the scheduled presentations, vendors and speakers shared experiences and methods for analysis and research in forensics.
APT stands for Advanced Persistent Threat, and this presentation discussed the multiple perspectives required for rapid triage and analysis of digital security. The presenters discussed their contribution to analysis and how, using advance methods, they are able to assist their team members and provide additional details for analysis. As an example, the memory sample can be analyzed to look for strange process activity and network connections. This data can then be handed to the team member who is examining the hard drive to identify the executable in question, as well as the member handling network traffic analysis to look at the connections. Each aspect of analysis discussed focused on which team members could be assisted as a result of the reverse engineering team that is the common end goal of APT analysis.
Apple OSX machines have become increasingly popular and the industry is seeing a push toward effective analysis of the operating system artifacts on these systems. SANS recently created a new course to focus on OSX analysis. The PList Analysis presentation focused on the PList files found on OSX machines. PList stands for Property Lists, which act as configuration files for OSX and are commonly formatted as XML or binary files. This presentation revealed an EnCase EnScript that will process all PList files within a case. These configuration files can contain elements of user data, making them vital to an investigation.
The Social Media Analysis presentation discussed artifacts associated with platforms such as Skype, Facebook, and Snapchat. The presentation went beyond using a tool to gather the data and discussed how certain tools find this data in database and log files. With Skype, information can be acquired from several database files that contain contact information along with the messages sent between users. Facebook chat no longer caches the messages in the web cache as it used to, therefore data is only found in the pagefile or hiberfil.sys. The data is more difficult to gather and is not as structured as it was previously. The presentation also discussed artifacts left by Snapchat and how the images are not always deleted as users are led to believe. Champlain College students have also conducted research on Snapchat and discovered that the image content is not as temporary as the application suggests. Overall, this presentation emphasized the amount of data still available after an event occurs on a social media platform.
CEIC was an excellent experience, and thanks to Guidance Software, many students were able to attend from Champlain College. This assistance from Guidance and Champlain allows students to enter the industry with a current understanding of the technologies available and challenges faced within the Computer Forensics field. I would like to extend my thanks to those who presented in and outside of sessions, sharing experience and methodologies to help the industry grow as a whole.
Chapin Bryce
Senior Champlain College