DoD 2006 - Days 2 & 3 Update

Day 2 - 01/09/2006: This was the second day in the Mac OS X forensics class. It was a smidgeon better than the first day. We went through an image of a system and learned about how applications store their configuration, how to read those files, tools to extract data from configs, caches and history files that are specific to certain apps. It was quite interesting to learn about it from a forensic perspective because it also helped me learn more about an OS that I use everyday. I can truly say that I understand X better and where to look if I ever have issues with it or need to cover my tracks. ;-)

The last portion of the class was spent cracking the passwords. It was surprisingly simple. {I just edited this as I started to talk about a tool we used in class but realized it might be a violation since it is an internal tool for "Official Use Only."}. The passwords were pretty easy to get to and crack. I was quite surprised, but remember, this was done on Panther. The instructor said that Tiger has made some changes making it trickier...but not impossible. He will be giving a presentation in the next day or two about Tiger and specific forensic challenges such as this.

Monday evening, the expo began with a large list of vendors and some tasty food. There was a gimmick to get attendees to visit booths by giving out a list of the vendors and requiring their signature from 25 of them so you could be entered into a raffle. I finished it after listening to quite a few pitches but did talk to some interesting people. The turnout of attendees and number of vendors was quite impressive, and I walked away with some pretty darn useful tools and swag. I even got added to a mailing list, portal and magazine subscription that I probably wouldn't have access to if I wasn't here.

Day 3 - 01/10/2006: Today was the official kickoff of the conference with the keynote and headliners. Jordan and I missed the keynote because we were working on the Cipher Hunt challenge which required us to find clues all over the large Innisbrook property and solve the cipher on each one to find the next clue. With a little social engineering and good decipering skills, we kicked some but and were most likely the first team to finish it (but there may have been _1_ before us). This was also the only day they are feeding us all day according to the schedule. There was a nice breakfast, lunch and dinner in a walk_around_and_choose_what_you_want_to_eat_from_the_many_food_tables format.

Det Randy Stone gave a brief presentation about the BTK case and an intro into the forensics that helped catch the killer. It was quite impressive. Johnny Long gave a very amusing presentation on how Hollywood has portrayed hacking. It was damn funny as he went through examples from Hackers, Net Force, Swordfish and more. We were asked to choose if the portrayal was L33T or LAME. Holy Crap! We were all laughing! David Marconi spoke next about Hollywood villians. It was written up as being a talk about the future of hacking in the movies but I didn't see any of that. He was talking about having multidimensional villians and showed too many movie of these types of villians. Oh well, not great.

The evening had food, tickets for free drinks and more vendor action. At 6:30pm, they raffled all kinds of cools vendor-donated prizes. Do you think I won anything? Heck No!! Jordan won the _last_ prize to be given out...a Symantec engraved 20gb iPod Photo. After that, we had the Floppy Disk Throw as the second part of the Cybercrime Conference Olympics as a followup to the Cipher Hunt. We did a great job but there was some crappy judging, crappy distance recording, contestants who should not be eligible and shady score changes at the end. We should have been 2nd but were "bumped" to 5th. Even with that pile of crap, we should still be in the Top 3 and win some kick-butt prizes thanks to our excellent Cipher Hunt work.

It was a LONG day so I will be crashing soon. Sleep will not be coming soon enough. There is so many cool presentations tomorrow. It starts with Johnny Long at 8:30 and keeps getting better after that. I will keep you updated.