Last week I had the opportunity to go to the SANS DFIR Summit in Austin, TX. I go to this event every year because a) the high quality of the speakers and the presentations, and b) the size of the conference makes it comfortable and intimate.
This year felt like the best year yet. Every session I attended was well presented and taught me something new. I don’t want to tire everyone with details of every presentation, so I’m just going to give you some of my personal highlights. David Kovar gave a great presentation on UAV (drone) forensics. This is an area that is going to rapidly expand and something that we’ll need to know about in the months and years to come.
Sara Newcomer’s presentation on OS X Quicklook artifacts was one of my favorite. I saw Sara present a few years ago at DC3 and knew she’d have something great to discuss, and she did. For some time we’ve struggled to get crucial information from Mac computers. I’ve often thought how nice it would be to have something like ShellBags for OS X systems. Finally we have it. In fact, I was back in the office on Thursday to find a Mac investigation waiting for me. I had an immediate need for the information in Sara’s presentation. I have no doubt that I’ll use this a great deal in the future.
Then there was Yogesh Khatri’s presentation. Windows 8, going forward, has a tremendous artifact that monitors and stores information about the usage of the computer. Want to know if someone downloaded a large amount of data from a network resource? Done. Want to know what software has been running and by who? Done. The Windows System Resource Usage Monitor (SRUM) stores all of this and more. I see great potential for this in my work in the coming years.
I could go on, but these were certainly the most relevant to the work I do on a regular basis. Thanks to everyone that took the time to conduct and share their research. This was an amazing couple of days and if you missed it, please try to make it next year.