

BSidesNOLA2019

Event details

Please read our new Code of Conduct.

When: October 26, 2019

Where: NEW VENUE FOR 2019! Hyatt Centric French Quarter New Orleans, 800 Iberville Street, New Orleans, Louisiana, 70112
Note: The venue is in the French Quarter.
Note: We do not have a room block this year given other events in the city.

Cost:
Pre-registration (ends Friday, October 25th @ 10 AM CDT): Until October 9th, tickets for full-time students are $10 and everyone else is $20. After October 9th, student tickets become $20 and everyone else is $30. Please pre-register on EventBrite BEFORE October 7th so that we can accurately place our shirt order: https://bsidesnola2019.eventbrite.com
On-site Registration: $30 cash-only at the door

CFP

The CFP has now closed. Thanks to all who submitted!

Sponsors

To request a sponsorship packet, please email bsidesnola [@] gmail.com.

Platinum Sponsors



Gold Sponsors



Silver Sponsors



Sponsors







Schedule (Track 1 / Track 2 / Track 3)

8:15 Registration / Check In
9:00 Opening Remarks
9:10 Keynote: David Cowen (@HECFBlog, https://www.hecfblog.com/)
10:00 Break
10:20
    Poking the Bear, Teasing out Apple's Secrets Through Dynamic Forensic Testing and Analysis (Sarah Edwards)
    AaaStronomically Profitable (Kirstie Failey)
    File-Centric Analysis through the Use of Recursive Scanning Frameworks (David Zawdie)
11:10 Break
11:20
    Binary Emulation for Threat Analysis and Hunting with Binee (Erika Noerenberg)
    LA cyber militia war stories (Joshua Tannehill)
12:10 Lunch
1:10
    Black Cats in Coal Mines: Basics of Data Collection and Enterprise Hunting (Brian Baskin)
    Threat modeling in the land down under (Shanna Daly)
    Blockchains and Smart Contract Security (Golden G. Richard III)
2:00 Break
2:10
    Building a distributed autonomous vehicle analysis platform (David Kovar)
    DCART: Decoupled Components for Automated Ransomware Testing (Mark Mager)
3:00 20 Minute Break
3:20
    The Art of Detection (Jay DiMartino)
    Chrome Nuts and Bolts: Chrome OS / Chromebook forensics (Jessica Hyde)
4:10 Break
4:20
    Broken Arrow (Will Baggett)
    Taking Lightgrep beyond bulk_extractor (Jon Stewart)
5:10 Closing Remarks

Presentations

AaaStronomically Profitable - Kirstie Failey - @gigs_security

A longtime favorite monetization scheme for hackers has recently jumped back into the public eye. Costing upwards of hundreds of thousands of dollars for ransom payments alone and affecting high-profile targets such as [select city_name from usa LIMIT 3], deployment of malware and Access as a Service intrusions have been on the rise. In this talk, Kirstie Failey will discuss typical TTPs seen in ransomware investigations and share common detections for security teams to detect early.

Binary Emulation for Threat Analysis and Hunting with Binee - Erika Noerenberg - @gutterchurl

In August of 2019, Carbon Black researchers Kyle Gwinnup and John Holowczak introduced and open-sourced a novel tool called Binee at DEF CON 27. Binee is a complete x86 binary emulation environment focusing on introspection of all IO operations. In this talk, I will briefly introduce Binee and demonstrate how static process emulation can assist with both malware analysis and hunting for Windows threats. I will also discuss how this capability can facilitate automation of analysis tasks, and preview future work currently in planning.

Black Cats in Coal Mines: Basics of Data Collection and Enterprise Hunting - Brian Baskin - @bbaskin

How can you find badness while potentially being surrounded by it? This presentation will focus on introducing frameworks for gathering data in your environment to allow for more detailed and unique threat hunting capabilities. Methods of analyzing basic data, when done at a large scale, could produce dramatic results for finding compromised machines in an organization.

Blockchains and Smart Contract Security - Golden G. Richard III - @nolaforensix

Blockchain technologies are arguably 80% hype, 20% promise. Bitcoin, Ethereum, and numerous other blockchain schemes promise decentralized currency as well as potential "solutions" to numerous other problems, including identity management, supply chain management, online gambling sites, breeding cute digital animals, and more. Smart contracts are a key component for expanding the scope of blockchain tech like Ethereum, but unfortunately we simply can't seem to be rid of vulnerabilities like integer overflows, internationalization issues, variable scoping issues, reentrancy problems, and race conditions. Given that code deployed for smart contract blockchain applications in systems like Ethereum is immutable, public, and potentially handles very large amounts of money, there's huge potential for mistakes and exploitation. The talk focuses on smart contracts written in Solidity (for Ethereum), but the general, overwhelming feeling of paranoia that the speaker aims to create is applicable to other systems.

Broken Arrow - Will Baggett - @iosforensic

I will discuss applying InfoSec principles and also forensic principles to assisting domestic abuse victims cutting the electronic cord to their abuser. The very same Internet of Things which are installed for convenience can form a gilded, velvet-lined cage with an Alexa or Siri voice. I will discuss applying the counterintelligence mindset to the domestic situation: what can be gathered, what sources and methods can be used against a person in their own house, and how to detect the threat. The talk will discuss the use of social media to detect physical surveillance, technical countermeasures for surveillance devices, lessons learned with forensics... and the ways to protect oneself against leaving data behind.

Building a distributed autonomous vehicle analysis platform - David Kovar - @dckovar

We started off writing a parser for drone log files. We now have $2M+ in DOD R&D funds and are building an analysis solution to support autonomous vehicle telemetry analysis. One application of the framework is UAV forensics. How'd we get here? Nearly everything we're doing is based on DFIR experience and lessons learned.

Chrome Nuts and Bolts: Chrome OS / Chromebook forensics - Jessica Hyde - @B1N2H3X

Chromebooks have been taking over the classroom and are an up-and-coming issue for forensic examiners. In this presentation we delve into our research into the forensics of Chrome OS and Chromebooks. We will share the artifacts that can be recovered from a Chromebook and determine the differences between data available from a Chromebook itself and data available from the Google Cloud.

DCART: Decoupled Components for Automated Ransomware Testing - Mark Mager - @magerbomb

Detonating ransomware is not difficult. However, detonating ransomware in a controlled, repeatable manner for the purposes of testing a behavioral detection framework can be an arduous task. System services, background processes, and other concurrent file system activity may lead to inconsistent true positive detections (e.g. varying levels of file / process activity or elapsed time until detection thresholds are met). The best method to avoid any variance between test runs is through decoupling the detonation and detection components and carrying out these tasks separately. In this talk, I will guide the audience through the design and development of a behavioral ransomware detonation and detection framework, demonstrate the framework and how it performs against well-known ransomware families, and detail a thorough automated testing methodology. I will also be releasing the project source code to the public on the day of the talk.

File-Centric Analysis through the Use of Recursive Scanning Frameworks - David Zawdie

This session will provide background regarding the needs for and requirements of file-centric analysis, demonstrate the effectiveness of several popular open source frameworks, and highlight opportunities for extending detection and response efforts. The discussion will include an overview of the frameworks, their approach for presenting a unified system for analysis, and details on how to actively participate in the respective open source projects through contributions that further extend capabilities via new modules and integrations. At the conclusion of this session, attendees will be able to:

    Define the intent, purpose and scope of file-centric analysis
    List and describe capabilities from several open source recursive scanning frameworks
    Determine potential opportunities to improve existing analysis workflows
    Identify opportunities to further extend the existing frameworks by contributing to open source projects

LA cyber militia war stories - Joshua Tannehill - @jayseetee

LA cyber militia war stories from the trenches. You play like you practice, and we practiced hard. These are the stories of our training and real-world events. Sanitized for public disclosure.

Poking the Bear, Teasing out Apple's Secrets Through Dynamic Forensic Testing and Analysis - Sarah Edwards - @iamevltwin

If I come across a useful piece of data on macOS or iOS, I do not just assume I know what it means, especially if my whole case depends on it. My experience with Apple data is that it is consistently inconsistent. They certainly do some questionable things. Testing is the only way to get that warm fuzzy feeling that the awesome piece of data you found truly means what you think it means. Yes, testing takes time. Yes, testing can be tedious. However, testing can make or break cases. This talk will go through my testing processes on Mac and iOS platforms to show that sometimes a quick test really is a quick test. A 30-second test may be well worth the investment in the long run. I will also show how more intensive testing can be implemented to tease out the strange oddities of native and 3rd-party data stored in various SQLite databases, using some of my APOLLO modules as examples.

The Art of Detection - Jay DiMartino

Ever inherited a security rule you were afraid to modify? Ever import a Yara rule only to have the alerts blow up in your face? Does your SIEM or security appliance keep you up at night with email alerts? The Art of Detection focuses on the methodology of writing and sharing accurate detections to make you a better detection author. Gain confidence in managing false positives, learn rule sharing best practices, tackle large monolithic detections, and write detections that feed other detections. Learn the importance of your intelligence test data, and whether your intelligence streams could be causing bias.

Taking Lightgrep beyond bulk_extractor - Jon Stewart - @codeslack

Bulk_extractor finds forensic artifacts fast and has earned its place in many investigators' toolboxes, but it could be better. This talk will demonstrate a new tool based on the Lightgrep search engine that provides fast performance like bulk_extractor, but with a more sophisticated understanding of the filesystem and friendlier output.

Threat modelling in the land down under - Shanna Daly - @Caccia7r1c3

Australia is (in)famous for its dangerous flora and fauna, most notably deadly spiders, snakes and jellyfish. We continually have to look at potential threats and assess our risk of basic things like venturing outside. This talk looks to help turn threat modelling exercises into something relatable, fun and educational. Too often security education is delivered in a dry format that is difficult for non-security folks to digest, so let's look at fun ways to turn that around!

Speakers

Brian Baskin - Technical Director, Threat Research - Carbon Black

Brian Baskin is a Technical Director of Threat Research with Carbon Black's Threat Analysis Unit with a specialty in digital forensics, incident response and malware analysis. Baskin was previously an intrusions analyst for the US Defense Cyber Crime Center and has studied and presented research on cyber threats for over 15 years. He has authored multiple security books and develops open source tools for more efficient malware analysis.

David Kovar - CEO - URSA Inc.

David Kovar has been doing DFIR for Guidance, EY, three e-discovery firms and himself for 15+ years. Five years ago he realized that drones would be an "interesting" source of digital evidence as well as posing a variety of risks to society. He created URSA Inc. and is working to fend off SkyNet.

David Zawdie

David is an analyst working in private industry focusing on defending organizations against malicious threats. With over 10 years of experience in information security and computer network defense, David is a passionate blue-team defender and strong advocate of open source software.

Erika Noerenberg - Principal Threat Researcher - Carbon Black

Erika Noerenberg is a Principal Threat Researcher with Carbon Black's Threat Analysis Unit, with over 15 years of experience in the security industry specializing in digital forensics, malware analysis, and software development. Previously, she worked as a malware analyst at LogRhythm Labs and as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusion investigations for the Department of Defense and FBI.

Golden G. Richard III - Louisiana State University

Golden G. Richard III is a cybersecurity researcher and teacher and a Fellow of the American Academy of Forensic Sciences. He has over 35 years of practical experience in computer systems and computer security and is a devoted advocate for applied cybersecurity education. He holds a TS/SCI security clearance and supports NSA's CAE-CO internship program, teaching memory forensics, vulnerability analysis, and other topics to cleared interns. He is currently Professor of Computer Science and Engineering and Associate Director for Cybersecurity at the Center for Computation and Technology (CCT) at LSU. His primary research interests are memory forensics, digital forensics, malware analysis, reverse engineering, and operating systems. Dr. Richard earned his B.S. in Computer Science from the University of New Orleans and M.S. and Ph.D. in Computer Science from The Ohio State University. His first floppy drive cost $600 and required financing; despite that, he's still very much alive.

Jay DiMartino - Head of Detections & Countermeasures - Fidelis

Jay DiMartino is a Threat Researcher for Fidelis Cybersecurity and Head of Detections & Countermeasures. He has been doing Malware Reverse Engineering for over nine years, writing Yara rules and regular expressions against files and network traffic.

Jessica Hyde - Director, Forensics - Magnet Forensics

Jessica Hyde is an experienced forensic examiner in both the commercial and government sectors. She holds an MS in Computer Forensics from George Mason University. She is currently the Director, Forensics at Magnet Forensics and an Adjunct Professor teaching Mobile Forensics in the graduate programs at both George Mason University and Champlain College. Her previous roles included performing forensic examinations as a Sr. Mobile Exploitation Analyst for Basis Technology, Senior at EY, and Senior Electrical Engineer at American Systems. Jessica is also a veteran of the United States Marine Corps.

Jon Stewart - Vice President - Aon Cyber Solutions/Stroz Friedberg

Jon Stewart is a Vice President of Solutions Development at Aon Cyber Solutions/Stroz Friedberg, where he leads a software development team specializing in DFIR tool development. Prior to his current position, he cofounded Lightbox Technologies and was a senior developer at Guidance Software.

Joshua Tannehill - Sr Manager, InfoSec - CenturyLink

Joshua Tannehill is a Senior Manager over CenturyLink's global Endpoint Security team and Internet Security Services team. He has worked in the IT & cybersecurity industry for the last 22 years. Josh holds an associate degree in Information Systems Technology from the Community College of the Air Force. Additionally, he has obtained many IT and InfoSec certifications over the years, including the CCNA, C|EH, and CISSP. Josh retired from the Louisiana Air "Force" National Guard last month after a 21-year career doing networking, network security, and cybersecurity policy and compliance. He is the founder of the NELASEC meetup, which provides a free monthly professional networking opportunity for the Monroe area and is his way to give back to the community and help mentor young upcoming and established professionals alike. Josh was also a speaker at the 2018 NOLACON cybersecurity conference in New Orleans, where he gave a talk titled "how to tell Cajun doctors they have bad (cybersecurity) hygiene and live". Finally, Josh was a 2015 winner of the NELA Young Professionals Top 20 under 40 award.

Kirstie Failey - Consultant - Mandiant

Kirstie Failey is a Consultant at Mandiant. She is a professional data wrangler and has spent countless hours responding to ransomware incidents and business email compromises.

Mark Mager - Senior Malware Researcher - EndGame

Throughout his career in software engineering and computer security, Mark has served in prominent technical leadership roles in the research and development of advanced computer network operations tools and has provided malware analysis and reverse engineering subject matter expertise to a diverse range of government and commercial clients in the Washington, D.C. metropolitan area.

Sarah Edwards - Mac Nerd - SANS Institute

Sarah is a senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter-intelligence, counter-narcotic, and counter-terrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at many industry conferences including Shmoocon, Bsides*, DEF CON and the SANS DFIR Summit. Sarah is the author of the SANS Mac Forensic Analysis Course, FOR518.

Shanna Daly - Cacciatrice - Caccia Cybersecurity

Shanna started working in information security by accident back in 2001 and has never turned back. Continuing that pattern of making it by accident, she managed to find her way into an IR team, and that's where her love of DFIR was born, and that's where she decided that she would stay and continue her passion for it. In 2019 she started her own DFIR company in Australia and continues to work in the field she loves.

Will Baggett - HTCI

Former Intelligence Community officer, current NATO SOF cyber trainer and volunteer of many BSides conferences. DefCon and BSidesLV 2019 speaker. Prior to public speaking, I was an IC SME for iOS and Mac forensics and now apply these skills to the private sector.

Volunteers

Please email bsidesnola [@] gmail.com if you would like to volunteer during the event.

Tags for flickr, twitter, blog, etc.

Please use the tag #BSidesNOLA for content related to this event.
