SANS DFIR Summit 2023 Recap

I've had a week to really reflect on the DFIR Summit that happened last week in Austin, TX and I'm still coming down off the high. After years of conflicts and virtually attending over the pandemic it was finally my time to make the trip in person.

The two days were jam-packed with awesome talks and plenty of opportunities to chat with other industry experts.


This year there were two keynote presentations, one for each day. Day 1 featured Chris Tarbell who recounted his journey through cyber investigations capping it off with speaking on his efforts in taking down Silk Road, the notorious dark web marketplace.

Day 2 featured a presentation from Matt Edmondson on how he uses OSINT to support his digital forensic investigations, including using AI to speed up analysis. I've honestly never thought of some of the methods he discussed, so I look forward to testing them out and adding to my workflows as needed.


One thing that the DFIR Summit never lacks is the quantity of technical talks. Here are a few that I enjoyed and got some excellent info from:

Zachary Mathis - Fast Forensics and Threat Hunting with Yamato Security Tools

Zachary showed using Hayabusa to quickly streamline Windows event log analysis as well as using Takajo to timeline. I've had some experience with Hayabusa but not Takajo so hopefully I get some time to play with it in the near future.

Sadie Gauthier & Brian Moran - 2 Meta 2 Oculus

With memes aplenty, they broke down what can be found via the iOS/Android apps for Oculus as well as some device artifacts. The scary part is the unsecured use of Remote Desktop apps via Oculus, which was a bit concerning.

Ryan Benson & Jon Brown - What Can DFIQ Do For You?

Google rolled out a new site called DFIQ (Digital Forensics Investigative Questions) where they are trying to take the same approaches to common scenarios. It's open source so others can contribute; I look forward to maybe adding to it.

Kevin Ripa - The Truth About USB "Serial Numbers" – Redux

Kevin did a webcast on his USB serial number findings at last year's summit, but this year he updated some things. It really makes me question how many people are reporting serials incorrectly for external drives depending on the enclosures and adapters that are used.

Phalgun Kulkarni & Julia Paluch - Windows Search Index: The Forensic Artifact You've Been Searching For

Phalgun and Julia went over the artifacts that Windows Search Index encapsulates as well as showing Aon's tool SIDR. I'm looking forward to playing with this tool more and seeing how I can add it to the arsenal for investigation usage.

Check out the visual summary of the DFIR Summit from Ashton Rodenhiser.


One of the biggest draws for me attending in-person is to get to see friends who I haven't seen in years and to also finally meet people that I've interacted with virtually but never actually met in person. It was amazing to share stories (and stickers and other swag) with friends new and old. I even got to break bread (and BBQ) with so many. And who am I to complain about free beer and tasty appetizers!

There were plenty of sights and sounds to take in as well around the city of Austin. The Spazmatics rocked the stage in the nerdiest way possible for the Day 1 afterparty.

4:Cast Awards

Lee Whitfield presented the Forensic 4:Cast Awards at the closure of the conference. The always interesting presentation this year involved Mjolnir and a nefarious member of Clippy's Anonymous gang. While I'm sad that xLEAPP lost out for Non-Commercial Tool of the Year, we did find some success. The Hitchhiker's Guide to DFIR won Book of the Year, of which I'm a proud co-author. Congrats to us all! Andrew Rathbun and I were in person to collect the awesome-looking award.

Overall, I had an absolute blast at my first in-person DFIR Summit, and I'm hoping it's not my last. Next year's summit will be in Salt Lake City, Utah from August 22-23rd. Maybe I'll see you there!