Thursday, January 12, 2006

DoD - Day 5 Update

Day 5 - 01/12/2006: Today may have been the least exciting day so far. I expected more from several of the presentations I attended. There were several cool people that I met and hung out with which makes up for the mediocre day. It started out with an early breakfast where I sat with some of the Air Force OSI guys, a Marine JAG fellow and a Naval Post Graduate School sysadmin. Very cool people.

The first presentation must have been specifically for law enforcement folks since it wasn't overly technical. Nothing wrong with that, but the title of "Hacking and Forensic Analysis of an iPod" made me expect more. The presentation briefly went over the partition structure of iPods, the directory structure, "hiding" files on it, and how to boot Linux from an iPod. I know many others in the class got lots from it so I won't knock it. It just wasn't technical enough for me.

My second choice was a presentation by a lawyer from the JTF-GNO about the rights of system administrators to provide info to law enforcement and what info can be given. It was definitely interesting and raised a few questions I have for the university environment. Not much more that I can say about this one. I do need to review the slides as he did not go over all of them. Great information and excellent speaker.

The third presentation was by Thane Erickson, who taught part of the Mac OS X forensics class I was in earlier. He focused specifically on Tiger things that were different and/or not covered in the previous class, which was mainly on Panther. I learned about the difference in how passwords are hashed between Panther and Tiger, how to crack them, details about Spotlight and its associated command-line tools, and Dashboard Widgets with their associated forensic value. Excellent stuff. Thane is a good presenter and knows his stuff well. If you ever see him, make sure you tell him that LSU SUCKS!!!

Next, I went to a talk titled, "Daubert Digital Forensics." Since I am not LE, this presentation was just something I thought I might learn more about. I did take a few notes but did not find it overly interesting. Right now, I bet you are thinking, "Duh, it is legal stuff. Of course, it isn't interesting." Well, you have a point, but one day, it might be something I have to adhere to...but not yet.

After lunch with the FDLE boys, I thought "Digital Crime Scene Reconstruction" would be good with Fred Cohen. Hmmm...other people enjoyed it more than I did. His talk did a good job of validating the Daubert talk but his constant joking and goofiness turned me off. During the presentation, I ended up designing a future hacking challenge network layout for UF where I will set it up and challenge all L33T hackers at UF to penetrate. It should be fun.

My next choice was another bust. How did I keep choosing crappy presentations? It was Johnny Long presenting "Death by a 1000 Cuts." How could it be lame? Have you read "Stealing the Network: How to Own an Identity"? If yes, then don't go to this presentation. It is a rehash of one of the chapters and not very exciting. I am really disappointed that I chose it over Kevin Mandia's "Windows Malware Analysis" presentation. Johnny did get done 15 minutes early, so I was able to catch the last bit of Kevin's presentation, which pissed me off even more that I chose the wrong one. I think going to Kevin's "Identity Theft" presentation tomorrow will make up for it.

Finally, I caught the last hour of Bill Harback's "Examining the Windows Registry." It was FULL of Windows registry information. Holy Crap! Bill went through so much in that hour, I would have had registry coming out of my ears if I had been there for both hours. Afterwards, he gave us updated copies of his presentation along with a free version of a registry tool that was recently purchased by a decently well-known forensic tool company.

That's it for Thursday. The presentations I chose to attend certainly did not turn out as I hoped. Tomorrow will be better, especially since Jordan and I will be getting awards for kicking @$$ in the DoD Cybercrime Olympics. Now, I think I am going to drive over to Wing House or Hooters and work on an article for Secure Enterprise magazine that is due next week.

1 comment:

Anonymous said...

John!!! I discovered your post while researching the free version of Windows Registry Editor. I understand that you have version 1.5.2... the last free version??? May I get a copy from you, sir?

Thanks!
Barry

bconner@huntsvilletx.gov