Bsides workshops

6 December, Friday

Note that all three workshop tracks run simultaneously.

CHOOSE WISELY.

WORKSHOPS SUMMARY

Track 1:

  • [Morning – AM] Elastic Security Analyst Workshop.
  • [Afternoon – PM] Better open-source investigations with Ubikron.

Track 2:

  • [Full-day] Binary Instrumentation with Frida.

Track 3:

  • [Full-day] You Can’t Hide in Memory: The Importance of Memory Forensics.

Track outline

ELASTIC SECURITY ANALYST WORKSHOP

[8:30 – 12:30: Presented by: Roberto Arico]

The Elastic Security Analyst Workshop aims to provide participants with common daily workflows and analyses that a security analyst would leverage.

Requirements:

– A laptop with a modern browser.

– An understanding of endpoint and network fundamentals is recommended.

– Experience working in an IT or security operations role, such as in SOC or incident response, is strongly preferred but not a hard requirement. 

– Good vibes and a willingness to have fun with other like-minded people.

BETTER OPEN-SOURCE INVESTIGATIONS WITH UBIKRON

[13:00 – 18:00: Presented by: Roelof Temmingh]

Learn how to conduct open source intelligence (OSINT) investigations and research with concrete examples using the Ubikron system.

Ubikron is a new tool, so no feelings of FUD if you didn’t recognize the name.

Also, it has AI – for reals. AI + OSINT, c’mon – what more could you want in life?

Requirements:

– Laptop with Chromium-based browser

Key takeaways:

– Data classification – learn how people leak information

– Methodology to profile individuals or companies (farm vs explore)

– Learn which services and sources work well and which are kak

– Pivot points in investigations – types and values

– Avoiding common mistakes in investigations & how to deal with roadblocks

– How to use Ubikron and OSINT-Tool in online research (biased much)

BINARY INSTRUMENTATION WITH FRIDA

[8:30 – 16:00: Presented by: Leon Jacobs & Isak van der Walt]

This full-day workshop gives attendees the skills necessary to perform binary instrumentation using Frida.

Making changes to software when you have source code is usually simple. Get a test environment up, make the change, compile and test. Best case, you make a Pull Request to include your feature/bug fix!

However, what happens when you *don’t* have access to source code, or building a target is not simple?

How do you add features? How do you change logic?

Workshop Content

– Lab environment setup and familiarisation.

– Frida introduction – components of Frida.

– Connecting to targets for instrumentation.

– Frida operating modes (i.e., frida-server, gadget mode)

– Getting to know frida-tools like frida-ls, frida-trace etc.

– Writing your own instrumentation logic in JavaScript.

– Instrumenting binary programs (various languages) with and without symbols.

Requirements:

– Laptop with Wi-Fi adapter.

– Modern browser.

– SSH client.

YOU CAN’T HIDE IN MEMORY: THE IMPORTANCE OF MEMORY FORENSICS

[8:30 – 16:00: Presented by: Jason Jordaan]

RAM is crucial in all computer systems, and literally everything that happens on a computer system must pass through RAM. RAM is thus a crucial source of digital evidence, especially when dealing with compromised systems.

Malware faces a paradox: it wants to hide, but it has to run to be useful, and it is in the process of running that it becomes detectable in memory. As a result, any type of investigation into a possible system compromise should consider memory forensics.

This workshop will explore the nature of RAM and its importance in a forensic investigation. It will look at the various methods and techniques that can be used to obtain a forensic image of RAM, and finally look at how RAM can actually be examined and forensic analysis performed on it. We will be doing this using the tool MemProcFS, which has fundamentally changed the way that we do memory forensics.

Requirements:

– Each attendee to bring own laptop.
