BSidesNOLA2019

Event details

Please read our new Code of Conduct

When: October 26, 2019

Where: NEW VENUE FOR 2019!
Hyatt Centric French Quarter New Orleans
800 Iberville Street
New Orleans, Louisiana, 70112

Note: The venue is in the French Quarter
Note: We do not have a room block this year given other events in the city

Cost:

Pre-registration (ends Friday, October 25th @ 10 AM CDT)
Until October 9th, tickets for full-time students are $10 and everyone else is $20.
After October 9th, student tickets become $20 and everyone else is $30.
Please pre-register on EventBrite BEFORE October 7th so that we can accurately place our shirt order: https://bsidesnola2019.eventbrite.com

On-site Registration
$30 cash-only at the door

CFP

The CFP has now closed. Thanks to all who submitted!

Sponsors

To request a sponsorship packet, please email bsidesnola [@] gmail.com.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

Sponsors

Schedule

Three parallel tracks (Track 1, Track 2, Track 3); the talks listed under a single time slot run at the same time.

 8:15  Registration / Check In
 9:00  Opening Remarks
 9:10  Keynote - David Cowen - @HECFBlog - https://www.hecfblog.com/
10:00  Break
10:20  Poking the Bear, Teasing out Apple’s Secrets Through Dynamic Forensic Testing and Analysis - Sarah Edwards
       AaaStronomically Profitable - Kirstie Failey
       File-Centric Analysis through the Use of Recursive Scanning Frameworks - David Zawdie
11:10  Break
11:20  Binary Emulation for Threat Analysis and Hunting with Binee - Erika Noerenberg
       LA cyber militia war stories - Joshua Tannehill
12:10  Lunch
 1:10  Black Cats in Coal Mines: Basics of Data Collection and Enterprise Hunting - Brian Baskin
       Threat modeling in the land down under - Shanna Daly
       Blockchains and Smart Contract Security - Golden G. Richard III
 2:00  Break
 2:10  Building a distributed autonomous vehicle analysis platform - David Kovar
       DCART: Decoupled Components for Automated Ransomware Testing - Mark Mager
 3:00  20 Minute Break
 3:20  The Art of Detection - Jay DiMartino
       Chrome Nuts and Bolts: Chrome OS / Chromebook forensics - Jessica Hyde
 4:10  Break
 4:20  Broken Arrow - Will Baggett
       Taking Lightgrep beyond bulk_extractor - Jon Stewart
 5:10  Closing Remarks


Presentations

AaaStronomically Profitable - Kirstie Failey - @gigs_security

A longtime favorite monetization scheme for hackers has recently jumped back into the public eye. Costing upwards of hundreds of thousands of dollars for ransom payments alone and affecting high profile targets such as [select city_name from usa LIMIT 3], deployment of malware and Access as a Service intrusions have been on the rise. In this talk, Kirstie Failey will discuss typical TTPs seen in ransomware investigations and share common detections for security teams to detect early.

Binary Emulation for Threat Analysis and Hunting with Binee - Erika Noerenberg - @gutterchurl

In August of 2019, Carbon Black researchers Kyle Gwinnup and John Holowczak introduced and open-sourced a novel tool called Binee at DEF CON 27. Binee is a complete x86 binary emulation environment focusing on introspection of all IO operations. In this talk, I will briefly introduce Binee and demonstrate how static process emulation can assist with both malware analysis and hunting for Windows threats. I will also discuss how this capability can facilitate automation of analysis tasks, and preview future work currently in planning.

Black Cats in Coal Mines: Basics of Data Collection and Enterprise Hunting - Brian Baskin - @bbaskin

How can you find badness while potentially being surrounded by it? This presentation will focus on introducing frameworks for gathering data in your environment to allow for more detailed and unique threat hunting capabilities. Methods of analyzing basic data, when done in a large scale, could produce dramatic results for finding compromised machines in an organization.

Blockchains and Smart Contract Security - Golden G. Richard III - @nolaforensix

Blockchain technologies are arguably 80% hype, 20% promise. Bitcoin, Ethereum, and numerous other blockchain schemes promise decentralized currency as well as potential "solutions" to numerous other problems, including identity management, supply chain management, online gambling sites, breeding cute digital animals, and more. Smart contracts are a key component for expanding the scope of blockchain tech like Ethereum, but unfortunately we simply can't seem to be rid of vulnerabilities like integer overflows, internationalization issues, variable scoping issues, reentrancy problems, and race conditions. Given that code deployed for smart contract blockchain applications in systems like Ethereum is immutable, public, and potentially handles very large amounts of money, there's huge potential for mistakes and exploitation. The talk focuses on smart contracts written in Solidity (for Ethereum), but the general, overwhelming feeling of paranoia that the speaker aims to create is applicable to other systems.

Broken Arrow - Will Baggett - @iosforensic

I will discuss applying InfoSec principles and also forensic principles to assisting domestic abuse victims cutting the electronic cord to their abuser. The very same Internet of Things which are installed for convenience can form a gilded, velvet lined cage with an Alexa or Siri voice. I will discuss applying the counterintelligence mindset to the domestic situation: what can be gathered, what sources and methods can be used against a person in their own house and how to detect the threat. The talk will discuss the use of social media to detect physical surveillance, technical countermeasures for surveillance devices, lessons learned with forensics... and the ways to protect oneself against leaving data behind.

Building a distributed autonomous vehicle analysis platform - David Kovar - @dckovar

We started off writing a parser for drone log files. We now have $2M+ in DOD R&D funds and are building an analysis solution to support autonomous vehicle telemetry analysis. One application of the framework is UAV forensics. How'd we get here? Nearly everything we're doing is based on DFIR experience and lessons learned.

Chrome Nuts and Bolts: Chrome OS / Chromebook forensics - Jessica Hyde - @B1N2H3X

Chromebooks have been taking over the classroom and are an up and coming issue for forensic examiners. In this presentation we delve into our research into the forensics of Chrome OS and Chromebooks. We will share the artifacts that can be recovered from a Chromebook and determine the differences between data available from a Chromebook itself and data available from the Google Cloud.

DCART: Decoupled Components for Automated Ransomware Testing - Mark Mager - @magerbomb

Detonating ransomware is not difficult. However, detonating ransomware in a controlled, repeatable manner for the purposes of testing a behavioral detection framework can be an arduous task. System services, background processes, and other concurrent file system activity may lead to inconsistent true positive detections (e.g. varying level of file / process activity or elapsed time until detection thresholds are met). The best method to avoid any variance between test runs is through decoupling the detonation and detection components and carrying out these tasks separately. In this talk, I will guide the audience through the design and development of a behavioral ransomware detonation and detection framework, demonstrate the framework and how it performs against well-known ransomware families, and detail a thorough automated testing methodology. I will also be releasing the project source code to the public on the day of the talk.

File-Centric Analysis through the Use of Recursive Scanning Frameworks - David Zawdie

This session will provide background regarding the needs for and requirements of file-centric analysis, demonstrate the effectiveness of several popular open source frameworks, and highlight opportunities for extending detection and response efforts. The discussion will include an overview of the frameworks, their approach for presenting a unified system for analysis, and details on how to actively participate in the respective open source projects through contributions that further extend capabilities via new modules and integrations.

At the conclusion of this session, attendees will be able to:

  • Define the intent, purpose and scope of file-centric analysis
  • List and describe capabilities from several open source recursive scanning frameworks
  • Determine potential opportunities to improve existing analysis workflows
  • Identify opportunities to further extend the existing frameworks by contributing to open source projects

LA cyber militia war stories - Joshua Tannehill - @jayseetee

LA cyber militia war stories from the trenches. You play like you practice and we practiced hard. These are the stories of our training and real world events. Sanitized for public disclosure.

Poking the Bear, Teasing out Apple’s Secrets Through Dynamic Forensic Testing and Analysis - Sarah Edwards - @iamevltwin

If I come across a useful piece of data on macOS or iOS I do not just assume I know what it means - especially if my whole case depends on it. My experience with Apple data is that it is consistently inconsistent. They certainly do some questionable things. Testing is the only way to get that warm fuzzy feeling that the awesome piece of data you found truly means what you think it means. Yes, testing takes time. Yes, testing can be tedious. However, testing can make or break cases. This talk will go through my testing processes on Mac and iOS platforms to show that sometimes a quick test really is a quick test. A 30 second test may be well worth the investment in the long run. I will also show how more intensive testing can be implemented to tease out the strange oddities of native and 3rd party data stored in various SQLite databases using some of my APOLLO modules as examples.

The Art of Detection - Jay DiMartino

Ever inherited a security rule you were afraid to modify? Ever import a Yara rule only to have the alerts blow up in your face? Does your SIEM or security appliance keep you up at night with email alerts? The Art of Detection focuses on the methodology of writing and sharing accurate detections to make you a better detection author. Gain confidence in managing false positives, learn rule sharing best practices, tackle large monolithic detections, and write detections that feed other detections. Learn the importance of your intelligence test data, and if your intelligence streams could be causing bias.

Taking Lightgrep beyond bulk_extractor - Jon Stewart - @codeslack

Bulk_extractor finds forensics artifacts fast and has earned its place in many investigators’ toolboxes, but it could be better. This talk will demonstrate a new tool based on the Lightgrep search engine that provides fast performance like bulk_extractor, but with a more sophisticated understanding of the filesystem and friendlier output.

Threat modelling in the land down under - Shanna Daly - @Caccia7r1c3

Australia is (in)famous for its dangerous flora and fauna, most notably deadly spiders, snakes and jellyfish. We continually have to look at potential threats and assess our risk of basic things like venturing outside. This talk looks to help turn threat modelling exercises into something relatable, fun and educational. Too often security education is delivered in a dry format that is difficult for non security folks to digest, so let’s look at fun ways to turn that around!

Speakers

Brian Baskin - Technical Director, Threat Research - Carbon Black

Brian Baskin is a Technical Director of Threat Research with Carbon Black’s Threat Analysis Unit with a specialty in digital forensics, incident response and malware analysis. Baskin was previously an intrusions analyst for the US Defense Cyber Crime Center and has studied and presented research on cyber threats for over 15 years. He has authored multiple security books and develops open source tools for more efficient malware analysis.

David Kovar - CEO - URSA Inc.

David Kovar has been doing DFIR for Guidance, EY, three e-discovery firms and himself for 15+ years. Five years ago he realized that drones would be an "interesting" source of digital evidence as well as posing a variety of risks to society. He created URSA Inc. and is working to fend off SkyNet.

David Zawdie

David is an analyst working in private industry focusing on defending organizations against malicious threats. With over 10 years experience in information security and computer network defense, David is a passionate blue-team defender and strong advocate of open source software.

Erika Noerenberg - Principal Threat Researcher - Carbon Black

Erika Noerenberg is a Principal Threat Researcher with Carbon Black’s Threat Analysis Unit, with over 15 years of experience in the security industry specializing in digital forensics, malware analysis, and software development. Previously, she worked as a malware analyst at LogRhythm Labs and as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusions investigations for the Department of Defense and FBI.

Golden G. Richard III - Louisiana State University

Golden G. Richard III is a cybersecurity researcher and teacher and a Fellow of the American Academy of Forensic Sciences. He has over 35 years of practical experience in computer systems and computer security and is a devoted advocate for applied cybersecurity education. He holds a TS/SCI security clearance and supports NSA's CAE-CO internship program, teaching memory forensics, vulnerability analysis, and other topics to cleared interns. He is currently Professor of Computer Science and Engineering and Associate Director for Cybersecurity at the Center for Computation and Technology (CCT) at LSU. His primary research interests are memory forensics, digital forensics, malware analysis, reverse engineering, and operating systems. Dr. Richard earned his B.S. in Computer Science from the University of New Orleans and M.S. and Ph.D. in Computer Science from The Ohio State University. His first floppy drive cost $600 and required financing; despite that, he's still very much alive.

Jay DiMartino - Head of Detections & Countermeasures - Fidelis

Jay DiMartino is a Threat Researcher for Fidelis Cybersecurity and Head of Detections & Countermeasures. He has been doing Malware Reverse Engineering for over nine years, writing yara rules and regular expressions against files and network traffic.

Jessica Hyde - Director, Forensics - Magnet Forensics

Jessica Hyde is an experienced forensic examiner in both the commercial and government sectors. She holds an MS in Computer Forensics from George Mason University. She is currently the Director, Forensics at Magnet Forensics and an Adjunct Professor teaching Mobile Forensics in the graduate programs at both George Mason University and Champlain College. Her previous roles included performing forensic examinations as a Sr. Mobile Exploitation Analyst for Basis Technology, Senior at EY, and Senior Electrical Engineer at American Systems. Jessica is also a veteran of the United States Marine Corps.

Jon Stewart - Vice President - Aon Cyber Solutions/Stroz Friedberg

Jon Stewart is a Vice President of Solutions Development at Aon Cyber Solutions/Stroz Friedberg, where he leads a software development team specializing in DFIR tool development. Prior to his current position, he cofounded Lightbox Technologies and was a senior developer at Guidance Software.

Joshua Tannehill - Sr Manager, InfoSec - CenturyLink

Joshua Tannehill is a Senior Manager over CenturyLink’s global Endpoint Security team and Internet Security Services team. He has worked in the IT & cybersecurity industry for the last 22 years. Josh holds an associate degree in Information Systems Technology from the Community College of the Air Force. Additionally, he has obtained many IT and InfoSec certifications over the years to include the CCNA, C|EH, and CISSP. Josh retired from the Louisiana Air “Force” National Guard last month after a 21-year career doing networking, network security, and cybersecurity policy and compliance. He is the founder of the NELASEC meetup that provides a free monthly professional networking opportunity for the Monroe area and is his way to give back to the community and help mentor young upcoming and established professionals alike. Josh was also a speaker at the 2018 NOLACON cybersecurity conference in New Orleans where he gave a talk titled, “how to tell Cajun doctors they have bad (cybersecurity) hygiene and live”. Finally, Josh was a 2015 winner of the NELA Young Professionals Top 20 under 40 award.

Kirstie Failey - Consultant - Mandiant

Kirstie Failey is a Consultant at Mandiant. She is a professional data wrangler and has spent countless hours responding to ransomware incidents, and business email compromises.

Mark Mager - Senior Malware Researcher - EndGame

Throughout his career in software engineering and computer security, Mark has served in prominent technical leadership roles in the research and development of advanced computer network operations tools and has provided malware analysis and reverse engineering subject matter expertise to a diverse range of government and commercial clients in the Washington, D.C. metropolitan area.

Sarah Edwards - Mac Nerd - SANS Institute

Sarah is a senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter-intelligence, counter-narcotic, and counter-terrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at many industry conferences including Shmoocon, Bsides*, DEF CON and the SANS DFIR Summit. Sarah is the author of the SANS Mac Forensic Analysis Course - FOR518.

Shanna Daly - Cacciatrice - Caccia Cybersecurity

Shanna started working in information security by accident back in 2001 and has never turned back. Continuing that pattern of making it by accident she managed to find her way into an IR team and that’s where her love of DFIR was born, and that’s where she decided that she would stay and continue her passion for it. In 2019 she started her own DFIR company in Australia and continues to work in the field she loves.

Will Baggett - HTCI

Former Intelligence Community officer, current NATO SOF cyber trainer and volunteer of many BSides conferences. DefCon and BSidesLV 2019 speaker. Prior to public speaking, I was an IC SME for iOS and Mac forensics and now apply these skills to the private sector.

Volunteers

Please email bsidesnola [@] gmail.com if you would like to volunteer during the event.

Tags for flickr, twitter, blog, etc.

Please use the tag #BSidesNOLA for content related to this event