IMF 2015
9th International Conference on
IT Security Incident Management & IT Forensics
May 18th - 20th, 2015
Magdeburg, Germany
http://www.imf-conference.org/
mailto:2015@imf-conference.org
Conference of SIG SIDAR
of the German Informatics
Society (GI).
Preliminary Conference Program - subject to change
Monday, May 18th, 2015
| Time | Presentation / Description | Speaker/Author/Session Chair |
|---|---|---|
| From 10:00 | Registration and Welcome Coffee | |
| 11:00 - 11:10 | Welcome | General Chair/Program Co-Chair Jana Dittmann Research Group Multimedia and Security, Department of Computer Science, Institute of Technical and Business Information Systems, Otto-von-Guericke-University of Magdeburg Program Co-Chair Holger Morgenstern Dean, Faculty of Computer Science, Albstadt-Sigmaringen University |
| 11:10 - 12:00 | Keynote: Challenges and opportunities in IT Forensics and forensic data science | Zeno Geradts Netherlands Forensic Institute and University of Amsterdam |
| 12:00 - 13:00 | Forensics Session Part 1 | Andreas Dewald |
| Windows NT pagefile.sys Virtual Memory Analysis |
Michael Gruhn |
|
| Recovery of SQLite Data using expired Indexes |
Felix Ramisch, Martin Rieger |
|
| 13:00 - 14:00 | Lunch Break | |
| 14:00 - 15:00 | Forensics Session Part 2 | Andreas Dewald |
| Improving the detection of encrypted data on storage devices |
Simon Thurner Marcel Grün Sven Schmitt Harald Baier |
|
| What is Essential in File System Forensic Analysis? |
Felix Freiling Michael Gruhn |
|
| 15:00 - 15:30 | Coffee Break | |
| 15:30 - 17:00 | Incidents and Forensics | Jens Nedon |
| Towards automated incident handling: How to select an appropriate response against a network-based attack? |
Sven Ossenbühl Jessica Steinberger Harald Baier |
|
| Mobile Payment Fraud: A practical view on the Technical Architecture and Starting Points for Forensic Analysis of new attack scenarios |
Christof Kier Gerald Madlmayr Alexander Nawratil Michael Schafferer Christian Schanes Thomas Grechenig |
|
| Characteristic Evidence, Counter Evidence and Reconstruction Problems in Forensic Computing |
Andreas Dewald |
|
| 17:00 - 18:00 | Incident Response and Pentesting Panel Discussion | Oliver Göbel (RUS-CERT, Universität Stuttgart) Detlef Günther (Volkswagen AG) Sebastian Nerz (SySS Gmbh) Volker Krummel (Wincor Nixdorf) Oliver Nyderle (T-Systems Multimedia Solutions GmbH) |
| 18:00 - 18:05 | Wrap up Day1 amd information for the evening event |
Jana Dittmann |
| 18:30 | Start social event: Dinner at the Haus des Handwerks, Gareisstraße 10, 39106 Magdeburg | |
Tuesday, May 19th, 2015
| Time | Presentation / Description | Speaker/Author/Session Chair |
|---|---|---|
| 09:00 - 10:00 | Special Session on Malware Analysis / Malware Forensics |
Tobias Hoppe Stefan Kiltz |
| Platform-Independent Malware Analysis Framework |
Ulf Lösche Maik Morgenstern Hendrik Pilz |
|
| Smart Home Definition and Security Threats |
Michael Schiefer |
|
| 10:00 - 11:00 | Special session on teaching forensics and incident management |
Christian Krätzer Volker Krummel |
| Supporting Forensic Design - a Course Profile to Teach Forensics |
Stefan Kiltz Jana Dittmann Claus Vielhauer |
|
| Conception of a Master Course for IT and Media Forensics Part II: Android Forensics |
Knut Bellin Reiner Creutzburg |
|
| 11:00 - 11:30 | Coffee Break | |
| 11:30 - 12:30 | Special session on digitized forensics part 1 |
Claus Vielhauer Mario Hildebrandt |
| Digitized Forensics Challenges: Crime Scene Traces - An Overview from the The DigiDak(+) Project |
Claus Vielhauer |
|
| DigiDak(+) Results: From Fingerprints, Locksmith, Firearm and Fibre Traces to challenges in the digital forensic analysis |
Jana Dittmann Robert Fischer |
|
| 12:30 - 13:30 | Lunch Break | |
| 13:30 - 15:00 | Special session on digitized forensics part 2 |
Claus Vielhauer Mario Hildebrandt |
| Invited Talk: Challenges from the signal processing domain |
Sabah Jassim, University of Buckingham, UK |
|
| Special Session Panel: Crime Scene Investigations - Achievements and Practical and Future Challenges |
Joanna Vella Laboratory of Molecular Genetics, University of Malta Sabah Jassim University of Buckingham Thomas Leich Metop GmbH Thomas Fries Fries Research and Technology GmbH Martin Schäler Databases and Software Engineering Otto von Guericke University Mageburg and other experts from the research field |
|
| Latent Fingerprint Aging from a Hyperspectral Perspective: First Qualitative Degradation Studies using UV/VIS Spectroscopy |
Ronny Merkel |
|
| 15:00 - 15:30 | Coffee Break | |
| 15:30 - 15:40 | Wrap up Day 2, Introduction Demonstrator and Center Tours |
Stefan Kiltz |
| 15:40 - 16:30 | DigiDak(+) Demonstrator tour AMSL - Group 1 DigiDak(+) Demonstrator tour AMSL - Group 2 |
Ronny Merkel Mario Hildebrandt |
| 15:40 - 16:30 | IKAM and AMSLator - Automotive Security Demo Tour |
Robert Altschaffel Sven Kuhlmann |
| 15:40 - 16:30 | Tour through the Otto von Guericke Center |
local tour guide |
Wednesday, May 20th, 2015 - WORKSHOP DAY
| Time | Presentation / Description | Organisation |
|---|---|---|
| 09:00 - 10:00 | MicroSystemation Workshop - Challenges of securing mobile devices, gettin the data phones do not want to share - Part 1 |
Martin Westman (Micro Systemation) |
| 10:00 - 10:30 | Coffee Break | |
| 10:30 - 11:30 | MicroSystemation Workshop - Challenges of securing mobile devices, gettin the data phones do not want to share - Part 2 |
Martin Westman (Micro Systemation) |
| 11:30 - 12:30 | Lunch Break | |
| 12:30 - 14:30 | Excerpt from SANS FOR508.2 - Memory Forensics in Incident Response with Volatility - Part 1 |
Manuel Schönthaler (SANS Institut) Matthias Fuchs (SANS Institut) Please download the material from the downloads section ahead of attending the workshop |
| 14:30 - 15:00 | Coffee Break | |
| 15:00 - 17:00 | Excerpt from SANS FOR508.2 - Memory Forensics in Incident Response with Volatility - Part 2 |
Manuel Schönthaler (SANS Institut) Matthias Fuchs (SANS Institut) Please download the material from the downloads section ahead of attending the workshop |
| 17:00 | Good Bye |
Holger Morgenstern |
Workshop Program
"Challenges of securing mobile devices, getting the data phone do not want to share" Martin Westman (MicroSystemation)
As the title implies, that we face harder and harder challenges of getting the data out of phones. The cat and mouse game we currently have in mobile forensics with using exploits and features in ways that apple, google and Microsoft have not intended for our use. As soon as a feature or exploit goes public, it gets patched or tweaked by the manufacturer and we have to find new ways. This is a constant forensics struggle and gets harder and harder.
The whatsapp part we will do a live demo and explain why we don't get any data out of android devices on a logical extraction anymore, but how you still can trick whatsapp to share chat data with us. After blown up in media, whatsapp have gone from no (or very little) efforts to obfuscate the personal chat data, to now be one of the most safest one among the widespread chat apps. So this will be a case study of the steps whatsapp have taken to protect its users personal data.
The "Lock features in android and how to bypass some of them" we will take a look on how to use different tools to access locked devices and see what can be done, and where we today have no suitable solutions. So using JTAG, ADB command and recovery images.
The last part "using python to visualize data from apps not supported by forensics tools" we will briefly look into the BIG challenges that lays ahead, supporting local popular apps that are not supported by the standard forensics tool. New apps pops up every day, and there is not possible for the forensics tools to keep up with app support on local level. Using python scripts to assist in supporting unsupported apps are crucial for solving the forensics challenges today and tomorrows on the app field.
"Excerpt from SANS FOR508.2 - Memory Forensics in Incident Response with Volatility" Mathias Fuchs (SANS)
Now a critical component of many incident response teams that detect advanced threats in their organization, memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware used by an APT group of attackers.Memory analysis traditionally was solely the domain of Windows internals experts, but the recent development of new tools makes it accessible today to anyone especially incident responders. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field.
This section will introduce volatility one of the best free tools available and give you a solid foundation in adding core and advanced memory forensic skills to your incident response and forensics capabilities.
Topics include: