Digital forensics is being used more and more as computers become increasingly prevalent in our lives. In this talk, Jonathan will walk us through a basic forensic process and discuss some of the complications. Jonathan will highlight some key forensics principles that you can follow without specialist software, allowing you to implement them as part of your own incident response process.
Risk Analysis and RFC 1149 (IP on Avian Carriers)Alison Hawke
In QA we look for risk and run constant calculations about what we should focus on next. Using the IETF's specification for RFC 1149, (aka "A Standard for the Transmission of IP Datagrams on Avian Carriers," dated 1 April 1990) I'll go over how to identify the risks in a system and where to focus your attention first as a tester. I'll hit highlights of stuff that commonly goes wrong and give you some tools to find out where your risks are.
Please read RFC 1149 beforehand (takes less than 5 minutes):
https://tools.ietf.org/html/rfc1149
This is the slide deck I gave when presenting at FSU's AITP Meeting. The goal was to give a high level description of what Pen Testing/Red Teaming is and what the job entails.
ASA Trial Workshop Slides for Archives NZ [2016-09-28]Ross Spencer
A dry-run of content I wanted to present to an Australian Society of Archivists workshop 21 October 2016.
This trial run was at Archives New Zealand on 28 September 2016.
Hit by a Cyberattack: lesson learned. When you get hacked, how did it happen and what do you do? Rough side notes of a presentation for IFE, 8 december 2015.
This presentation was given to a group of SFS students at GW. It's designed to be semi-case study driven on the problems I've encountered on assessments and how programming can help solve them.
This is the slide deck that I used when presenting at FSU's Cyber Security Club. This presentation was supposed to give a description of what Red Teaming, Pen Testing, and other roles do.
Risk Analysis and RFC 1149 (IP on Avian Carriers)Alison Hawke
In QA we look for risk and run constant calculations about what we should focus on next. Using the IETF's specification for RFC 1149, (aka "A Standard for the Transmission of IP Datagrams on Avian Carriers," dated 1 April 1990) I'll go over how to identify the risks in a system and where to focus your attention first as a tester. I'll hit highlights of stuff that commonly goes wrong and give you some tools to find out where your risks are.
Please read RFC 1149 beforehand (takes less than 5 minutes):
https://tools.ietf.org/html/rfc1149
This is the slide deck I gave when presenting at FSU's AITP Meeting. The goal was to give a high level description of what Pen Testing/Red Teaming is and what the job entails.
ASA Trial Workshop Slides for Archives NZ [2016-09-28]Ross Spencer
A dry-run of content I wanted to present to an Australian Society of Archivists workshop 21 October 2016.
This trial run was at Archives New Zealand on 28 September 2016.
Hit by a Cyberattack: lesson learned. When you get hacked, how did it happen and what do you do? Rough side notes of a presentation for IFE, 8 december 2015.
This presentation was given to a group of SFS students at GW. It's designed to be semi-case study driven on the problems I've encountered on assessments and how programming can help solve them.
This is the slide deck that I used when presenting at FSU's Cyber Security Club. This presentation was supposed to give a description of what Red Teaming, Pen Testing, and other roles do.
Computer Security For Activists & Everyone (Oct 2018)Kit O'Connell
In an age of mass surveillance and increasingly commonplace hacking, protecting yourself online can feel overwhelming. This class is designed to help people get a handle on their devices, including computers and smartphones.
Topics include "threat modeling," which helps you understand what steps to take when. Also: concrete solutions for encrypted messaging, secure email, and protecting your passwords & data. Plus some simple protest tips.
This class is designed for experienced activists, newcomers, and anyone who wants to be safer online.
As much as 75% of the adult population has some fear of public speaking and even more simply have poor presentation skills. What does this mean?
You can’t promote or get credit for your ideas.
You miss out on the visibility and exposure of presenting at conferences.
You (statistically) will earn less and be promoted less than colleagues with better public speaking skills.
But don’t panic! You *can* learn in this fun, fast-paced workshop.
In this session, attendee’s will learn:
The 3 Ps (Planning, Preparing, Performing).
How to figure out the parameters of a presentation (audience, etc.).
How to focus your topic and limit your ideas.
How to build logical structure.
How to use hooks, anecdotes, and segues.
How to work with the audience.
Tips and tricks of rehearsing.
Understanding and implementing website securityDrew Gorton
Knowing security best practices only gets a team so far. They have to implement them too. This session will cover the security risks that a web development team faces and the underlying reasons why risks can go unaddressed. Ultimately, there are no excuses for leaving your web projects exposed to known vulnerabilities. This session will cover common security concerns for Drupal and the root problems a team needs to solve in order to mitigate these risks.
We will cover:
Three layers of web security, from the perspective of Drupal: Platform-level (e.g. Linux), Application-level (e.g. Drupal), and Organizational-level (e.g. procedures)
Familiarity with your hosting platform’s security-related practices.
Overview of common vulnerabilities in web applications (XSS, CSRF, HTTP vs HTTPS, etc.)
Understanding how security concerns are handled for core and contrib.
Clarifying support responsibilities and procedures so that security fixes are applied quickly.
Attendees who build and/or manage Drupal sites will gain the most from the session. Attendees will leave with a complete picture of website security and concrete recommendations for how to improve the security of the sites they manage. It will cover recommendations for Drupal 7 and Drupal 8.
Many of the topics that will be covered are in my Understanding and Implementing Website Security blog post series at https://pantheon.io/blog/understanding-and-implementing-website-security-part-1-you-are-target
State of the art in Natural Language Processing (March 2019)Liad Magen
2018 was the year of NLP, with many new advances such as ULMFiT, GPT, ELMo and BERT. But as these all come from the industry, are these advances in the 'right' direction? How does it compare to the academy advances? And where next? these topics (and more) are discussed in this presentation.
In today's charged atmosphere, activists (and anyone who is politically active) are targeted for surveillance, hacking, and even threats to their safety from police, the government, hackers, even white surpemacists.
This introductory class explains the basics of computer security and offer tips on protecting your privacy online. We talked about using encryption to communicate with your friends and comrades, how to select passwords and use a password manager, the basics of Virtual Private Networks, and other introductory topics.
A talk about how to conduct usability research without a massive budget or it being a huge undertaking. Case Studies about past experiences in guerrilla UX as well as the "patent-pending" $1000 UX Lab.
Talk originally prepared for ProductTank Madison 2018-03-14.
See https://tinyurl.com/guerrilla-ux for slides, transitions, etc.
Embracing Culture, Sharing, and Systems from Employee 1.
Reference Article: https://rickmanelius.com/article/employee-1-and-beyond-system-set-checklist
Presented at the Boulder DevOps Presentation Meetup on 11/2019
Hampir tidak ada privasi lagi ketika berbicara perkembangan teknologi. Semua sosial media meminta foto serta data-data pribadi Anda. Pun data yang ada diperangkat Anda, tidak luput dari pencurian oleh orang yang tidak berhak.
Presentasi ini memberikan wawasan bagaimana upaya perlindungan data pribadi Anda di era digital saat ini.
No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...Alex Cachia
Vertical Slice Architecture helps us build maintainable applications by separating concerns around features rather than technical responsibilities allowing us to add features without modifying existing code.
Computer Security For Activists & Everyone (Oct 2018)Kit O'Connell
In an age of mass surveillance and increasingly commonplace hacking, protecting yourself online can feel overwhelming. This class is designed to help people get a handle on their devices, including computers and smartphones.
Topics include "threat modeling," which helps you understand what steps to take when. Also: concrete solutions for encrypted messaging, secure email, and protecting your passwords & data. Plus some simple protest tips.
This class is designed for experienced activists, newcomers, and anyone who wants to be safer online.
As much as 75% of the adult population has some fear of public speaking and even more simply have poor presentation skills. What does this mean?
You can’t promote or get credit for your ideas.
You miss out on the visibility and exposure of presenting at conferences.
You (statistically) will earn less and be promoted less than colleagues with better public speaking skills.
But don’t panic! You *can* learn in this fun, fast-paced workshop.
In this session, attendee’s will learn:
The 3 Ps (Planning, Preparing, Performing).
How to figure out the parameters of a presentation (audience, etc.).
How to focus your topic and limit your ideas.
How to build logical structure.
How to use hooks, anecdotes, and segues.
How to work with the audience.
Tips and tricks of rehearsing.
Understanding and implementing website securityDrew Gorton
Knowing security best practices only gets a team so far. They have to implement them too. This session will cover the security risks that a web development team faces and the underlying reasons why risks can go unaddressed. Ultimately, there are no excuses for leaving your web projects exposed to known vulnerabilities. This session will cover common security concerns for Drupal and the root problems a team needs to solve in order to mitigate these risks.
We will cover:
Three layers of web security, from the perspective of Drupal: Platform-level (e.g. Linux), Application-level (e.g. Drupal), and Organizational-level (e.g. procedures)
Familiarity with your hosting platform’s security-related practices.
Overview of common vulnerabilities in web applications (XSS, CSRF, HTTP vs HTTPS, etc.)
Understanding how security concerns are handled for core and contrib.
Clarifying support responsibilities and procedures so that security fixes are applied quickly.
Attendees who build and/or manage Drupal sites will gain the most from the session. Attendees will leave with a complete picture of website security and concrete recommendations for how to improve the security of the sites they manage. It will cover recommendations for Drupal 7 and Drupal 8.
Many of the topics that will be covered are in my Understanding and Implementing Website Security blog post series at https://pantheon.io/blog/understanding-and-implementing-website-security-part-1-you-are-target
State of the art in Natural Language Processing (March 2019)Liad Magen
2018 was the year of NLP, with many new advances such as ULMFiT, GPT, ELMo and BERT. But as these all come from the industry, are these advances in the 'right' direction? How does it compare to the academy advances? And where next? these topics (and more) are discussed in this presentation.
In today's charged atmosphere, activists (and anyone who is politically active) are targeted for surveillance, hacking, and even threats to their safety from police, the government, hackers, even white surpemacists.
This introductory class explains the basics of computer security and offer tips on protecting your privacy online. We talked about using encryption to communicate with your friends and comrades, how to select passwords and use a password manager, the basics of Virtual Private Networks, and other introductory topics.
A talk about how to conduct usability research without a massive budget or it being a huge undertaking. Case Studies about past experiences in guerrilla UX as well as the "patent-pending" $1000 UX Lab.
Talk originally prepared for ProductTank Madison 2018-03-14.
See https://tinyurl.com/guerrilla-ux for slides, transitions, etc.
Embracing Culture, Sharing, and Systems from Employee 1.
Reference Article: https://rickmanelius.com/article/employee-1-and-beyond-system-set-checklist
Presented at the Boulder DevOps Presentation Meetup on 11/2019
Hampir tidak ada privasi lagi ketika berbicara perkembangan teknologi. Semua sosial media meminta foto serta data-data pribadi Anda. Pun data yang ada diperangkat Anda, tidak luput dari pencurian oleh orang yang tidak berhak.
Presentasi ini memberikan wawasan bagaimana upaya perlindungan data pribadi Anda di era digital saat ini.
No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...Alex Cachia
Vertical Slice Architecture helps us build maintainable applications by separating concerns around features rather than technical responsibilities allowing us to add features without modifying existing code.
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonAlex Cachia
In this talk Glenn will walk you through the OWASP top 10 published towards the end of 2021 to explain what's hot and what's hotter. He will give a brief description of each weakness and explain how these they are exploited and, more importantly, what you can do to mitigate against attackers exploiting them in your code
If you think open source is not for you, think again by Jane ChakravortyAlex Cachia
Years ago open source was considered unsuitable for the mainstream. We had Windows, didn’t we? Times have changed, we all use open source these days, but often don’t know it. So, let’s take a closer look at open source.
Chaos Engineering – why we should all practice breaking things on purpose by ...Alex Cachia
What can we learn from fire fighters to make the systems we come to depend upon become more robust and resilient? In this talk, I will introduce what Chaos Engineering is and why it is important and share some real case studies of how people like Netflix and Amazon are applying these techniques to create more resilient systems for the benefit of their customers.
Treating your career path and training like leveling up in games by Raymond C...Alex Cachia
Treating your career path and training like leveling up in games
We will take a look at how you can actively plan your career through learning specific skills. Picking a moon-shot job and working out the path to get there. Then how to start taking practical steps to get started
There are many ways to secure software. In this talk, I will explain some of the different techniques used to prevent introducing security vulnerabilities into your software, using threat modelling, automated testing and dependency validation.
Data Preparation and the Importance of How Machines Learn by Rebecca VickeryAlex Cachia
Machine learning is the ability of a machine to perform a task without being explicitly programmed. In this talk, I will cover how to manipulate data into a state that a machine can understand and make accurate predictions, and introduce a Python library that makes this easier.
Why Rust? by Edd Barrett (codeHarbour December 2019)Alex Cachia
For longer than I have existed, memory errors have plagued systems programming. Although many such errors are benign, sadly many end up being security vulnerabilities, or worse, exploits. In this talk, I will discuss how a security exploit is born, and how the Rust
programming language tries to prevent them.
Issue with tracking? Fail that build! by Steve Coppin-Smith (codeHarbour Nove...Alex Cachia
The analytics strategy must be a primary citizen of the software delivery process in a data driven business! This talk will include a live demo of extending the Nightwatch automated testing framework to uncover and resolve issues in tracking code that would have otherwise hit production.
Hack your voicemail with Javascript by Chris Willmott (codeHarbour October 2019)Alex Cachia
You're a developer, so you probably have working knowledge of Javascript. Its 2019, but people still leave you voicemails, pff. In this short practical talk, I'll show you how to hack and upgrade ANY mobile voicemail to do almost anything you want with the Twilio platform.
Developing for Africa by Jonathan Haddock (codeHarbour October 2019)Alex Cachia
There are always challenges developing an app to scale and these are compounded when set in an African context. African Pastors Fellowship’s eVitabu project, launched in March 2018, provides an Android app pastors can use to access multimedia teaching resources.
Revving up with Reinforcement Learning by Ricardo SueirasAlex Cachia
In this session I will share my journey that started with me taking my children discarded toys and trying to get them to drive themselves, to a fully autonomous driving model car.
Blockchain For Your Business by Kenneth Cox (codeHarbour July 2019)Alex Cachia
Blockchain is an emerging technology that has captured the attention of the financial experts, the media and the technical enthusiasts. In this talk we take a look at the technology; how it works, why you should consider it for your business and how it's given life to cryptocurrencies.
Seeking Simplicity by Phil Nash (codeHarbour June 2019)Alex Cachia
What is simplicity and why do we value it so much? How does it relate to complexity? When is complexity good and when is it bad? How does simplicity differ from ease? As we examine these questions we'll find that the situation is not quite as simple (!) as it might first appear. In the course of the discussion we'll come up with a mental model for framing problems that we can apply to many things - but we'll particularly look at how we can apply it to our designs and code. We'll also look at how some programming languages help us more than others in our drive towards simplicity.
Sharing Data is Caring Data by Mark Terry (codeHarbour June 2019)Alex Cachia
Considerations for creating, storing and trusting a unified business approach to data in a distributed environment. In order to prevent disjointed and competing views of business facts.
Managing technical debt by Chris Willmott (codeHarbour April 2019)Alex Cachia
Managing technical debt by Chris Willmott
With the talk primarily aimed at those in technical roles, I'll be providing a number of practical methods to use when managing technical debt. About half the talk will be things we can do as developers to quickly identify then reduce the impact of technical debt, and half will be around how to explain technical debt to non-technical stakeholders.
Hosted by Alex Cachia, codeHarbour provides an opportunity for discussion and a platform for digital presenters to get their technological ideas out there to the people who need to hear it.
Telephone Systems and Voice over IP by Bob Eager (codeHarbour April 2019)Alex Cachia
Telephone Systems and Voice over IP by Bob Eager
The speaker will talk about his experiences with a gradually evolving SOHO telephone system, starting with a single POTS (landline), through ISDN, to the current VoIP solution, and the eventual removal of the original telephones. The majority of the talk will concern the use of the open source Asterisk platform to provide numerous facilities (including one or two quite unusual ones) in a large, rambling house used also as an office for part of the time. This will include an introduction to VoIP for beginners. Costs and savings will also be considered. There will be time for questions and discussion.
Hosted by Alex Cachia, codeHarbour provides an opportunity for discussion and a platform for digital presenters to get their technological ideas out there to the people who need to hear it.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
2. Show and tell -
digital forensics and
giving evidence
Jonathan Haddock
March 2020
3. About me
● I’ve worked in IT for over 15 years
● Now the Deputy Senior Information Security
Officer for three local authorities
● Have run penetration testing courses with the
YPISG
● Trained in forensics, penetration testing and
incident response
https://keybase.io/joncojonathan
@joncojonathan
https://uk.linkedin.com/in/jonathanhaddock
4. What is digital forensics?
● Process of looking at computer systems and
files to determine what activity took place
○ Can also be about recovery
● Increasingly important for incident response
● Not like it's shown in the movies!
○ You can't decrypt part of a drive like that
● Isn't “wet” forensics - we're in the digital realm
● Needs translation and explanation
5. Why translation?
● Logs can be really hard to read (or just plain
horrible!)
This just means someone accessed a file on a site, and
got redirected (resource permanently moved)...
188.65.57.4 - - [09/Oct/2018:20:32:40 +0000] "GET
/RSS/blogfeed.xml?blogID=1 HTTP/1.1" 301 185
"http://example.org/RSS/blogfeed.xml?blogID=1"
"SimplePie/1.2 (Feed Parser; http://simplepie.org; Allow
like Gecko) Build/20090627192103"
6. What digital forensics isn't
● Not an instant indicator of blame
○ Also not your fault
● (Often) Unable to conclusively tie actions to a
human being
○ Unless there's a camera pointing at the user
and the screen, you can't know for certain
who did what
● Not as easy as it used to be thanks to encryption
7. Forensic process
● Obtain the assets
○ Files, disk images or physical media, phones
● Calculate the asset’s hash
● Take an image of the asset
● Calculate hashes
● Make a copy
● Check its hash
● Perform analysis
8. Chain of custody
● First entry:
Assets received by you from provider
● Shows who had access, so possibility of
tampering reduced
● If the asset moves, is copied or shown to
someone else, note in the log
● Protects you
9. Taking hashes
● A hash is a mathematically calculated
signature for a file
○ da39a3ee5e6b4b0d3255bfef95601890afd80709
● md5, sha1, sha2
● Note tool version in your report
○ sha1sum (GNU coreutils) 8.29
● The sum will change as soon as the file
contents is edited
10. Taking an image
● Not just a photograph!
● A block by block copy of a disk
○ Tools like dd or ftkimager
○ Not a copy of the files on the disk
● Means we can leave the original untouched
● Beware of Windows - it’s not forensically safe
○ Use a write blocker
12. Make a copy of the image
● Immediately after the original is received or the
disk image created
○ Making disk images takes time, you don’t
want to do it again
● Check the hash
● Move the original to protected storage
● We’ll work on a copy
● You may have to provide a copy
13. Forensic tools
● Tools like Encase or Forensic Tool Kit (FTK) are
expensive - around $3,000 each
● The Sleuth Kit is open source
○ Has a graphical front end - Autopsy
● PhotoRec (free) can recover files
● But sometimes you just have to use your
everyday applications
14.
15. Analysing the evidence
● Pick the relevant tool
○ Cost
○ Task
● Stick to the specification
○ If looking for files or events in one date range,
don’t get distracted by others
● Try to avoid changing the copy - avoids
confusion
● Take notes / keep a journal
16. Writing reports and statements
● Take information from your journal / notes
● Write for the audience - probably not too
technical
○ Internal or external?
● Appendix:
○ List of hashes
○ Maybe chain of custody
● Also need-to-know
17. Why “need to know”?
● We have a duty of care to everyone involved in
the case
○ Prosecution
○ The accused
● Leaked details can still ruin someone’s life
○ Newspapers often publish details before
court judgments
● UK law: innocent until proven guilty
19. Attending court
● You’re not allowed in before giving your evidence
● Expect to sit around a lot
○ Courtroom might be triple booked
● Look at your questioner
● Answer to the Magistrates
○ Watch their pens - don’t talk too fast
● Make sure your phone is off!
20. Be clear, explain
● Magistrates are lay people
● Your job is to explain what the evidence means
● You might be allowed a copy of your statement
○ Can’t be annotated
● If you don’t understand the question, get it
repeated or rephrased
21. Don’t make stuff up!
● You either found it in the evidence, or you didn’t
● If you don’t know, say you don’t know
○ If you can’t remember, say that too
● Answers should clarify or explain your
statement
○ You’re not creating new information, just
explaining what’s already presented
22. Cross examination
● The opposition barrister may want to ask
questions
● Their aim is to help their client, don’t feel attacked
○ Consider their questions as just other questions
● You may be asked for clarification to your earlier
answers
● Alternatively, there may be entirely new questions
● The first barrister may ask additional questions
23. Assumption trap
● “Is it fair to assume that…”
● Beware - is it fair to assume anything in criminal
proceedings?
● Ultimately we’re not there to speculate
● Can be a way to use your expertise to cause you to
lend support to a tenuous idea
24. Reporters
● There’s likely to be reporters somewhere
○ Courtroom (public gallery)
○ Waiting area (public space)
○ Just outside
○ May be in disguise
● Don’t be afraid to say “no comment”
● They can be pushy
27. Interested in security? Try a podcast
Smashing Security
Humorous run down of security news
for the week. With Graham Cluley
(@gcluley) and Carole Theriault
(@caroletheriault).
www.smashingsecurity.com
Security Now
A semi-technical dive into recent
security news and vulnerabilities.
Hosted by Leo Laporte and Steve
Gibson (@sggrc).
www.twit.tv/sn
28. The slides that follow were not presented at codeHarbour due to
time, but give you the rest of the story.
I also blogged about this at
https://blog.jonsdocs.org.uk/2018/11/12/show-and-tell-digital-
forensics-and-giving-evidence/
29. Hash example
● Simple text file, says “hello”
f572d396fae9206628714fb2ce00f72e94f2258f
● Text file edited to say “hell0”
40dfb682064a88af16ddb3faa2d3b5f0e6a82ee3
● A minor change has completely changed the
hash
30. Validate your tools
● As tools receive updates their output can
change
● Have a known sample
● After an upgrade, confirm the tool still gives
known results
○ If file spoons.jpg was found before, it still
should be, and be identical
● New versions may add new features, more
results
31. Keeping track
● I always keep a journal
○ Details of assignment
○ Findings (each artefact has a hash)
○ Screenshots
○ Thoughts
○ Chain of custody
● Journal should be shared on a need-to-know
basis
This presentation was originally written after some forensics work I did for the Information Commissioner’s Office (ICO). I started that work in 2017 and ended up in court giving evidence in 2018.
Please note that while there are a number of products linked to in this presentation, I’m not on commission for them nor do I have any investment in them. It is up to the reader to determine if a product meets their needs.
The YPISG is a BCS specialist group - Young Professionals’ Information Security Group.
Every role helps with security, whether that‘s on the service desk or as a developer. I‘ve worked across a number of roles, starting in service desk / desktop support, and each has benefited from experience gained in the others.
If you want to get into IT security, I recommend you specialise in an area you find interesting but make sure you keep your hand in other areas too so you have a broad skill set and knowledge. This will allow you to have informed discussions with different teams, in a way they (and you) can understand.
I also blog about cyber security, development, IT, and occasionally local history at https://blog.jonsdocs.org.uk.
Digital forensics ranges from the simple recovery of photos from a wiped SD card to a full investigation into the actions undertaken on a computer system.
There’s an increased need for forensics awareness for incident response: determining how / where a cyber security incident (e.g. a malware infection or breach) occurred will allow you or others to contain the issue and prevent it happening again.
In the movies there’s often a race against time to crack into the enemy’s encrypted hard disk - note you can’t usually break part of the key. Similarly, we can’t enhance photos from poor pixelated imagery to HD level quality!
As this isn’t “wet forensics” there’s no DNA here, but we do have a number of dvantages as I’ll cover later.
Part of the forensic analyst’s job is to translate what they’ve found into something that can be understood. Logs in particular can be horrible to review and a judge / magistrate / HR manager is unlikely to understand the raw evidence you find.
This is an excerpt from a Nginx web server log. It’s fairly unintelligible unless you know what you’re looking at (Source IP, Date / time, HTTP method, Path, HTTP status code, URL, User agent, to name a few of the fields). Clearly we can’t just present the logs to someone, we need to explain them.
Because this isn’t “wet forensics” it’s virtually impossible to concretely say “this particular human being performed this particular action” - you’d need a camera looking at the keyboard, mouse, monitor and user in order to do that. You can, and I’d suggest should, state in your report that your evidence identifies a user account or device, not a human being. Digital forensic evidence can act as part of the overall evidence bundle, but shouldn’t be used on its own to convict someone.
When performing an investigation you might find yourself thinking “I’m going to cost this person their job, my report is quite damning”. This is a dangerous mindset that’s easy to fall in to. What you need to remember is that you aren’t going to cause someone to lose their job / go to jail, their actions have lead to this point (if they’re guilty). It’s important to be objective at all times and record your findings. Explain them but don’t attach your own interpretation to them - that isn’t your job as the analyst.
Don’t forget we’re not creating evidence, we’re only reporting what’s there.
Encryption has made investigation significantly harder, but it is good for privacy - a moral dilemma.
If presented with files or pre-made images, it’s wise to enquire about their provenance. How were they made, by whom, when? Is there a reason for not being provided the physical media / device?
We calculate a hash of the asset as this will describe the absolute original (this was originally omitted from the presentation, added during question time, and has been added here for completeness). Hashing is covered later in this presentation.
By taking an image of the asset we have a file we can perform our analysis on, protecting the original from changes. This is a great advantage over “wet forensics”. Consider the example of this room - with all of us having come to the event, any “wet forensic” evidence that was already in here has been damaged or destroyed by our presence. In digital forensics we can always refer to the original image, so our environment, so to speak, can always be pristine.
Every time the file moves we calculate the hash again, just to make sure the copy is valid.
This document underpins all our work, and helps protect us / the case from allegations of tampering. As the log shows who could access the evidence it’s possible to determine everyone that could have made changes or provided an interpretation.
By taking or calculating a hash you determine a fingerprint for a file or device. As shown on the next slide, any change will produce a change to the hash.
After each file copy we calculate the hash of the copy to prove the files are the same.
Collisions are unlikely but can happen for MD5 and SHA1. A collision is when two different inputs provide the same hash. I used MD5 and SHA1 during my investigation as finding two different inputs that provide the same hash for both algorithms seems infeasible, especially when you consider the input would still have to be relevant to the case.
The difference between taking a copy of the files on physical media and making a bit by bit copy is the former only shows the current state of affairs. When a file is deleted, the file system (NTFS, EXT4, FAT32 etc.) simply marks it in the table as no longer being present. Space is also returned to the operating system so a new file could be placed where the old one was - but really the file is still there. In a bit by bit copy of the media we have a copy of the whole file system, not just the present files, so we can recover deleted files through a process known as data carving.
Microsoft Windows automatically mounts (makes available for use) disks and in doing so places a marker on the file system, thus changing the original media. Linux doesn’t (always) do this, but in either case can be instructed to mount media read only (mount -o ro). If doing forensics on Windows it’s important to use a write blocker (like the USB one, pictured) which intercepts and discards any instructions to write to the file system.
As mentioned previously, this is about protecting the original. After we’ve taken our image of the original asset it should be locked away, and noted in the chain of custody as such, with all work performed on a copy of the image.
Why on a copy? Images can take a long time to produce, and you don’t want to repeat that exercise (especially given a lot of forensics is performed in environments where cost is very much a factor, and time is money).
You may be asked to provide a copy to expert witnesses or the opposition, so they can perform their own analysis.
It’s unlikely you’ll have FTK (https://accessdata.com/products-services/forensic-toolkit-ftk) or Encase (https://www.guidancesoftware.com/) to hand, as they’re used by law enforcement or consultancies that undertake forensic work regularly. They are powerful tools, but for casual or irregular use perhaps a poor investment.
The Sleuth Kit (http://www.sleuthkit.org/) and Autopsy (http://www.sleuthkit.org/autopsy/) are free and becoming increasingly powerful. Initially Autopsy was a web based front end but as you’ll see in the screenshot later on it’s changed to be an application now. Autopsy supports a number of features, including the ability to look at at browser histories.
Photorec by CG Security (https://www.cgsecurity.org/wiki/PhotoRec) is another free tool that started out as a data carver to recover photos, but now supports recovery of multiple file formats.
In my case I was dealing with PST file exports from a Microsoft Exchange server. Microsoft Outlook was my tool of choice as it’s designed to work with these files, although I still followed forensic practice.
A screenshot of Autopsy, from its website.
We can see it’s managed to pull information from the browser (cookies, history etc.) and Autopsy has categorised files for easier analysis.
It’s very easy to get distracted by your findings. In my case, I was reviewing a mailbox that contained thousands of emails, the vast majority of which were of no relevance to the investigation I was undertaking. I had no need, or right, to review those emails. To avoid distraction, stick to the brief: if you’re looking for changes in a certain time frame, restrict yourself to it. You may find items relating to the same topic outside the time range, but they’re outside of scope.
Avoid making changes wherever possible, even down to rotating pictures or renaming files in the image as changes can lead to confusion: did I do that, or was the file already like that? While we have the option of referring to a pristine copy, it’s not desirable to have to keep looking at fresh copies as this takes time.
Each item we extract from the image (called an artefact), in my case emails, should have a hash calculated and this should be noted.
Your report or statement has to be accurate, that’s the most important thing. Don’t make stuff up, do your best to avoid errors, and don’t be ambiguous. I read my statements through several times before I signed them (in my case, every single page needed my signature).
It may be appropriate to include your chain of custody, dependant on your audience.
The level of technical detail needs to be appropriate. Don’t go into extensive detail on why data carving works - the reader isn’t likely to need that information. Instead, adopt a style that allows you to remain brief and factual. You shouldn’t be making any assumptions in your report - the facts will speak for themselves.
Refer to your journal for details to include in the report.
For me, the intended audience was barristers and eventually magistrates in court.
You’ll note in the press that quite often there are full page spreads and photographs devoted to “Joe Bloggs, 37, arrested for abuse of…” and similar. This is dangerous as it immediately biases the public and can actually destroy lives. I knew a teacher in my secondary school who was falsely accused (the accuser made up the allegation) - details were spread of the accusation and the teacher had to leave the area, eventually leaving teaching. Their life was destroyed due to a lack of “need to know”.
UK law says an individual is innocent until proven guilty, but leaking details can mean the public have already made up their mind regardless of the trial outcome.
Be fair to the accused, keep your findings to yourself.
I was at a magistrates’ court, meaning I was presenting evidence to three people that were acting like judges. They don’t have a legal background, instead taking advice from a legal advisor.
My biggest worry was that I’d be discredited by the defence, like you see in the movies. My second biggest worry was that I had no idea what to expect in terms of questions. The barrister on your side (prosecution in my case) isn’t allowed to tell you the questions in advance as that’s known as “coaching a witness”. Initially I wasn’t allowed my statement for reference either, although the magistrates approved for me to receive this once I’d started giving evidence.
Strangely, I wasn’t requested to provide any ID on arrival at court. I suspect this is because on first entering the witness box you’re asked to swear an oath to tell the truth, and then state your full name. Lying under oath is committing perjury and has legal ramifications.
The magistrates may be taking notes - if so, watch their pens. Don’t talk too fast as if you’re too quick they won’t be able to make notes (or will stop listening in order to do so).
Incidentally, you address the group of magistrates as “your worships”.
In my case my technical evidence was not disputed, my attendance at court was to explain what it meant in a manner non-technical folk could understand. I could refer to my statement but importantly this wasn’t annotated, so any dates I needed to confirm I had to find at the time.
To be fair to the defendant, I made sure to explain my investigation couldn’t pinpoint a particular human being. In the UK we have the concept of being innocent until proven guilty and given my job as a witness is to assist justice, and present the truth, it was only fair to highlight that.
Remember - you’re not on trial, but the court is interested to hear what you have to say. That said, if you make something up, or lie, you are committing an offence. As you’re discussing your statement you don’t necessarily need to worry about recalling details you’ve left out although you may be asked to explain part of the process.
You either found something that answers the question, or you didn’t. You’re not in court to create new information.
Cross examination worried me but wasn’t a big deal. The questions were, literally, just other questions. Some questions I was asked were clearly intentionally ambiguous, so I ensured my answers were clear and precise.
After cross examination the magistrates asked me further questions. Treat them exactly the same: with respect.
I’d been warned about assumption questions by my employer’s legal team - be careful as this type of question can cause you to back yourself into a corner by making you think on your feet.
The important thing is that it’s assumption.
I was asked “is it fair to assume that because X happened on this date, that it’s the reason for Y”. I started looking at the dates, which matched, before realising this was an assumption trap. I pointed out that it wasn’t fair to assume anything in legal proceedings, as I had to be fair to the defendant and thus had to comment on my evidence.
I have no problem with the free press, so long as they’re being honourable and accurate. During my time at court there were some reporters in the waiting area (they sat behind me), in the public gallery and outside. The one outside was in disguise (holding an unlit cigarette, I assumed he was going to ask me for a light).
Don’t be afraid to say “no comment”. As the magistrates pointed out to me before I left the courtroom, I wasn’t to talk about the case to anyone outside (hence I’ve not gone into details here).
If representing your employer they may have their own policy on speaking to the media.
Smashing Security is the less technical of the two, with episodes lasting around 45 minutes. Most episodes there’s also a guest.
Security Now episodes tend to last around two hours.
Example showing the SHA1 hash for a text file containing the text “hello”, and how it changes completely following the edit.
When a tool receives an update it’s possible that it will behave differently. To determine this it’s important to run tests against a known sample. Getting more information is not a problem, as the product may have simply added new features. No longer finding information would be a problem, and should be addressed through the vendor’s support channels.
Your journal is not what you present as your evidence, it’s simply your working document. I record thoughts and to-do lists in mine, along with keeping a log of my chain of custody. Some forensic software allows you to record your notes in it, providing you a journal facility. If there were multiple researchers then the chain of custody would need to be a separate document.
How you structure your journal is up to you - whatever works best. When working on a forensic investigation my journal contains details of who authorised the investigation, a copy of the specification and many tables of data along with screenshots of assets. Conversely, when I’m performing a penetration test (ethical hacking) my journal looks different and includes spider diagrams. There are some common elements between the two, but I change based on my task.
Do whatever works best for you (if that’s pen and paper that’s fine, and I do that too, but remember to keep the physical copies secured).