This survey is to help choose the program for the 12th Annual Open Source Digital Forensics conference. More details are available at

The rating is numerical. Here is a guide:

+1: You'll sign up specifically to attend this talk.
0: You'll probably find this talk interesting.
-1: You'll likely end up checking e-mail during most of the talk, if you attend at all.

Title and abstracts are listed in random order, so make sure you read through all of them.

If you would like to be added to an email list to receive updates about OSDFCon,  please enter your email address on  Or if you prefer Twitter, follow @basistechnology.  We'll post updates to #OSDFCon.

* 1. Have you attended OSDFCon in the past?

* 2. Do you think you'll attend in person this year in Herndon, VA?

* 3. Incident Recorder

During an incident, things happen so fast that it's hard to keep track.

While there are many roles on an incident response team, the most labor-intensive, in the author's opinion, has to be the Incident Recorder. Being able to track an incident is also important if that incident has any legal ramifications.

As forensic investigators know, creating a timeline and capturing relevant information is important if you need to go back and report details. This is why I have created the first of many programs, called Incident Recorder. The presentation will cover the perceived common steps in an incident and how the open source tool can be used to help. This will be a short slide presentation followed by a demonstration of an automation tool for security incident recorders. It's still being developed, but it is publicly available now in beta from GitHub. Part of the presentation will also be feature requests for further development objectives. Incident Recorder will also be the first stand-alone module in the automation project for incident response.

* 4. Windows Event Log Trick-Shots in Rust!

Windows Event Logs never get old as a go-to evidence source, and I have some new trick-shots for you! Need to process an insane number of Event Logs quickly for large-scale searching? Not only will I show you how, I will show you how some other common tools stack up in comparison. Empty Event Log? Let me show you how you can recover records from empty pages. It's not always a lot, but sometimes it can make the difference! Additionally, I will show some other fancy evtx tricks using open source libraries and tools that can even assist you with things outside of evtx. Best of all, all the tools and libraries I show you are in Rust.

* 5. Autopsy Update 2021

With thousands of GitHub commits a year, there is a lot going on in Autopsy. This is the annual update on what's new and a brief overview for those who still think it's the same tool they saw 10 years ago.

We're going to cover big new features, like Web Domain-based interfaces, scoring, Solr 8 upgrade, and associating more data with its operating system account. We'll talk about new summary interfaces, integration of iLEAPP, aLEAPP, and Yara. And we'll touch on a bunch of other infrastructure changes, like UI performance and artifact pipelines.

* 6. ArTHIR – ATT&CK Remote Threat Hunting Incident Response Windows tool

ArTHIR is a modular framework that can be used remotely against one or many target systems to perform threat hunting, incident response, compromise assessments, configuration, containment, and any other activities you can conjure up utilizing built-in PowerShell (any version) and Windows Remote Management (WinRM).
This is an improvement on the well-known tool Kansa, but with more capabilities than just running PowerShell scripts. ArTHIR makes it easier to push and execute any binary remotely and retrieve the output!
One goal of ArTHIR is for you to map your threat hunting and incident response modules to the MITRE ATT&CK Framework. Map your modules to one or more Tactic and Technique IDs and fill in your MITRE ATT&CK Matrix with your capabilities and the gaps needing improvement.
Have an idea for a module? Have a utility you want to run remotely but no easy way to do it in volume? ArTHIR provides you this capability. An open source project hosted on GitHub, everyone is encouraged to contribute and build modules, share ideas, and request updates. There is even a Slack page to ask questions, share ideas, and collaborate.
Included in ArTHIR are all the original Kansa modules and several LOG-MD Free Edition modules. Also included is a template of some key items you will need to build your own PowerShell or utility modules.

* 7. Leaving No Stone Unturned

Most analysts know the value of including memory forensics in investigations. If you were given a memory sample, would you know where to start in your investigation? How could you get the most information relevant to your case? This talk will demonstrate the importance of including volatile memory in your investigations by covering several attack methodologies seen in the field, all while giving you analysis steps that you can use going forward.

* 8. Velociraptor - Dig Deeper

Velociraptor is fast becoming the standard DFIR tool for hunting at scale. Featuring a powerful query language called VQL that allows rapid adaptation to fluid DFIR intrusions, Velociraptor places unprecedented reach, flexibility and power in the hands of responders.

Unlike more traditional remote forensic tools which collect large amounts of raw data for offline processing, VQL allows defenders to perform analysis directly on the endpoint. This new approach allows defenders to collect only high value, tactical information to affect their response, and leverage current state of the art digital forensic analysis techniques into detection.

This talk will provide some examples of Velociraptor's use in typical DFIR scenarios, such as compromise assessment, widespread remediation and rapid response. Specifically, we examine the process of going from a detection idea, to writing the VQL to detect it, and then hunting a large network (10k+ hosts) to identify the compromised hosts in minutes. Finally, we illustrate how these custom detections can be elevated to real-time monitoring rules (also implemented in VQL) to allow the endpoint to autonomously detect future compromises even while being offline!

* 9. Log Parser as a Forensic Tool

Log Parser is a Windows tool which can be incorporated into open source tools to work as a fast, lightweight tool to collect operating system data, registry data, and log files, and to quickly parse log files and registry data.

Along with tools from the Sleuth Kit, such as hfind, it can be a full featured, open source incident response tool.

* 10. Meet the New Kid on the Leapp Block: cLeapp

Last year, iLeapp and aLeapp were introduced as open-source projects for investigators to quickly gain information about iPhone and Android mobile devices. With global Chromebook sales exceeding 30 million in 2020, cLeapp is being introduced to allow investigators to analyze and report data from a Chromebook acquisition. cLeapp is an open-source project that utilizes Python, like aLeapp and iLeapp. During this presentation, cLeapp's features will be explained, along with how it can help with your investigation and what the future of the tool looks like.

* 11. Where Have UAL Been?

This presentation will review aspects of Microsoft's User Access Logs (UAL) found on Windows Servers. The discussion will involve authentication information recorded in these logs as well as how long the records are maintained, IP/MAC address information recorded for authentications, count of authentications recorded each day, categories of authentications, among other details. We'll explore how these logs can be used as well as the parsing tool that Brian Moran created.

* 12. Chrome Wasn't Built In a Day

Chromebooks present a forensic challenge as they become more prevalent. Analysis of Chromebooks has also matured. This talk builds on initial research and discusses acquisition challenges and capabilities, a deeper analysis of what Google stores in the cloud, and a comparison of the types of data that can be recovered from different sources associated with Chromebooks. This talk serves as an update of knowledge on Chromebook forensics since the initial OSDFCon talk in 2018.

* 13. Autopsy Scoring: Finding the Relevant Data With Analysis Results

A big theme with the Basis Technology team has been bubbling up the relevant data in Autopsy. This year, the backend databases of Cyber Triage and Autopsy were combined, and the scoring features of Cyber Triage are now in Autopsy. We're going to talk about how this helps you focus on relevant data faster.

In this talk, we'll talk about analysis results, conclusions, scores, and combining individual scores to make an aggregate score such as "Notable" or "Likely Notable". We'll talk about how modules can create scores and how examiners see them. We'll cover some other example modules and their use of scores. Scoring is an important capability when making sure examiners see the most relevant data first and we're excited to share how we're doing this.

* 14. SEPparser - Forensic Analysis of Symantec Endpoint Protection

Endpoint protection systems and anti-virus software collect a wealth of information. Furthermore, endpoint security systems will only report limited information. The information presented is not always clear on what was detected and lacks important details for response. Unfortunately, querying and extracting similar information is not possible from forensic images. This presentation focuses on Symantec Endpoint Protection (SEP). The research will highlight the difference between the information that could be queried from the Symantec Endpoint Protection client and what we could extract once we understand how to locate and read the logs of the endpoint. The research will include coverage of corner cases where unmanaged endpoints have not reported logs back to the Symantec Endpoint Protection Management (SEPM) server yet. The presentation will also investigate artifacts such as VBN (quarantine) files and ccSubSDK (submission) data. At the end of this presentation, the audience will learn not only how to extract the data that was quarantined, but also other information that Symantec does not make available and that could aid your investigations. Finally, this aims to encourage others to start investigating other antivirus software and the secrets they can hold, with the presumption that such research could be used in their forensic investigations and shared with the community.

* 15. Surveyor: The Swiss Army Knife for EDR

A supply chain attack on SolarWinds and exploitation of Exchange zero-days have been two of the biggest security stories in recent memory. In both cases, public and private sector organizations published hundreds of IoCs, leaving individual security teams to sort out whether they were affected and to what extent.

This presents a complicated, two-part problem. To determine if your company was affected, you have to collect long lists of indicators from multiple, disparate sources—and then you have to search for these IoCs across your environment.

Surveyor is an open source tool that solves both problems. It interacts with EDR tools and includes definition files that consist of signatures, processes, and other indicators. The tool and definitions together empower security teams to take inventory of software usage and validate threats across their environment. When the SolarWinds and Exchange IoCs dropped, we created definitions files that vastly expedited the process to determine impact.

Those are just two use-cases for Surveyor. We originally created it to streamline the way that Red Canary’s incident handlers queried Carbon Black environments to baseline normal and abnormal activity. Since then, we’ve made it open source, added new definitions files, and expanded it to support Microsoft Defender for Endpoint.

In this talk you’ll learn what Surveyor is, how your security team can use it to sort out what’s normal and what isn’t, and how you can become a contributor!

* 16. friTap - Decrypting TLS traffic on the fly

In recent years, obtaining decrypted network traffic for forensic purposes and analysis has become a more and more challenging task, both for forensic researchers as well as law enforcement agencies. Current techniques such as SSL pinning may render established analysis approaches like MitM proxies useless and prevent investigators and researchers from getting insights into encrypted traffic - even with full access to the device. In many cases, the time-consuming process of reverse engineering the application of interest remained the only option to obtain the keys for decrypting the network traffic, which lays the foundation for further protocol research and tool development.

In this talk, we present friTap, a methodical approach to intercept the generation of the encryption keys used by TLS for the purpose of decrypting the entire traffic an application sends.
friTap is an open source framework built on top of FRIDA and is able to decrypt TLS traffic on all major operating systems, including different CPU architectures.
Our approach enables researchers in network forensics to analyze widely used proprietary network protocols in advance in order to gain insight into their structure, identify existing artifacts and finally develop methods and tools to aid future forensic analyses. To support this process, friTap provides an easy-to-use approach for researchers to create the decrypted test data needed.

* 17. Two Faces to the Same Linux: GUI Environments

Last time, we looked at Linux servers and how to investigate them. This time, we flipped the coin, and it's Linux again, but this time it's Linux desktops. There are other GUI environments available for the Linux operating system, but the two most prevalent are GNOME and KDE. This talk will demonstrate how to investigate user activity in each of these GUI environments, as well as what artifacts are accessible and where to find them. Eventually, a comparison between the two will be called for.

* 18. Digital Media Forensics Toolkit

The unprecedented growth of technology in the past few decades has led to massive flooding of the market with media forgery tools like Photoshop and GIMP. These tampered media sources have contributed to other major problems like fake news and even cyberbullying. Furthermore, advancements in deep learning (AI) have led to even more severe problems known as Deepfakes and Generative Adversarial Network (GAN) generated images and videos, which are even harder to detect and investigate in case of a legal breach. This paper aims to address this challenge by implementing two novel deep learning models that can be used conjointly with some static models to provide complete protection against almost all types of image and video forgeries, including Deepfakes, GAN-generated forged media, and photoshopped media (splicing, copy-and-move forgeries). For Deepfake detection, this paper implements a time-distributed CNN-LSTM neural network, and for GAN-generated media detection, this research proposes a fine-tuned DenseNet model as the base convolutional neural network. The statistical models include generation of images by masking the original image through various algorithms like Error Level Analysis, Laplace transforms, variance masking, a pixel density algorithm, and a custom EXIF-data parser. Compared with existing strategies, the evaluation results demonstrate that the novel solution can serve as a one-stop tool for forensic investigators.

* 19. Demystifying Cryptocurrency Investigations

I love the concept of blockchain, so I want to present a talk on blockchain (cryptocurrency) investigation. It will be like going from 0 to 0.3, where a person who does not know anything about cryptocurrency will be able to understand what it is, how it works, and how LEA can investigate a case. All the tools used for the investigation will be open source.

* 20. Forensic Acquisition of Websites, Webpages and Online Services with Open Source Tools

Acquiring and preserving digital evidence from hard drives, smartphones or pendrives is pretty straightforward by now. The new challenge is getting to freeze online evidence: websites, webpages, cloud, tweets, social profiles or whatever is found on the Internet. There are a few tools and services around, both commercial and free; some are good for webpages and others for websites, and some can be adapted to different scenarios, but there's no standard or comprehensive solution.

During this talk we'll try to build a custom solution to forensically acquire online evidence and metadata based on open source tools such as Firefox, wget, curl, ffmpeg, tcpdump, mitmproxy, opentimestamps and some other OSS tools which together can make web browsing and whole-site downloading forensically sound by means of an open and verifiable process, certification hash, digital signature and blockchain timestamp.

Furthermore, such an environment can be expanded to perform forensic download and acquisition of network traffic, web apps, locally installed software, Android apps, firewall logs, Google Earth or Maps, Web Archive, audio and video streaming, file transfer/upload, FTP and SFTP, P2P & Torrent, email, cloud, VPS and even Tor onion hidden services. With little to no effort, expert witnesses can also perform forensic acquisition of WhatsApp and Telegram chats, groups or channels: whatever can be displayed in a browser or accessed via the command line can be forensically acquired.

* 21. I know what your AD did last summer..!

We are used to talking about and examining how they got in and what they took out, but not as much about how they moved laterally, reconned for assets and entities internally, achieved persistence and escalated privileges. Active Directory is running ~95% of the world's organizations' identity management and access control. AD security has come a long way in three decades, with new attacks and creative attack paths found constantly, including evasive 'game over' moves such as a forged offline TGT, aka "golden ticket". Take a dive into multiple "mini research" projects derived from dozens of hands-on AD forensics incidents, hunting for clues in an enterprise without AD logs (wiped), with open source tools. We will also share advice for both Red and Blue teams on how to beat each other :)

* 22. Digital Forensics Tools and Data Hiding Techniques

A lot of cybercriminals always find creative ways to perform cybercrime, like industrial espionage, transmitting viruses, etc. The aim of this research was to find out whether forensics tools are able to detect data which is hidden, for example via steganography, hidden data in NTFS data streams, etc. The aim is to see how effective our forensics tools are when faced with such scenarios.

* 23. Parsing Outlook Mailboxes in Python using PyPff

On my first IR case I was presented with an Outlook mailbox file. Not knowing what to do, I tried to parse the file using freeware tools on Windows; however, they tried to execute the malware that was contained within.
Looking for a solution, I turned to PyPff, the Python bindings for LibPff written by Joachim Metz. Using this library I was able to carve out the content that I needed in a safe and forensically sound manner.
In this presentation I will demonstrate this parsing script, as well as show how you can create your own. The resulting tool can be used to analyse a large number of mailboxes in an automated fashion, as well as to export key events to indexing software such as ElasticSearch, allowing analysts to easily search large datasets for malicious activity.

* 24. ForensicOps - automating forensic workflows using EDR and GitLab

EDR is an open-source command line application and collection of connectors that automate cross-application e-discovery and forensic workflows. GitLab is an open-source DevOps platform. Together they can be used to streamline and automate repetitive tasks and workflows, such as case setup and data ingestion, allowing users to spend more time on analysis. This talk will provide an overview of how to set up a workflow using EDR and then automate it using GitLab's pipelines.

* 25. Artificial Intelligence and Big Data techniques applied to digital forensic analysis of big amounts of documents

Digital forensic analysis faces the challenge of dealing with an increasing amount of data: hundreds of thousands of documents on servers, millions of emails, tons of digital messages or continuous activity logs. Classical analysis techniques require significant resources in the form of qualified analyst professionals and many hours of document review, and common open source digital forensic tools and frameworks are not ready for scalable and agile scenarios. We propose the application of machine learning and deep learning techniques to digital forensics on open source scalable infrastructures in order to face these new challenges. Methods of unsupervised classification of digital documents have been explored for the analysis of email boxes. Machine learning algorithms for unsupervised classification like K-Means or Latent Dirichlet Allocation allow topics to be automatically associated with each document, also allowing an analyst to know if the results of a blind keyword search contain relevant or personal content. Typical Big Data and open source technologies like distributed nodes of SparkML and MongoDB have been used to ensure the scalability of the system. Finally, a methodology for the analysis of big amounts of documents and communications is proposed and tested with the public Enron email database.

* 26. A Golden Ticket to the Cloud

In a post-pandemic world, more and more organizations are moving to the cloud. Due to this rapid migration, FireEye/Mandiant has also observed an influx of cloud-based breaches that we have been requested to investigate and respond to.

Late last year, the SolarWinds breach introduced another novel method of gaining access to a cloud environment bypassing Federation Services in a technique dubbed the Golden SAML attack. Hope is not lost, though, because even if the federation certificates are compromised, these unauthorized logins are still detectable, as long as authentication logs are correlated between the federation and the cloud environment. By abstracting the attack technique to its core components, we can engineer detection events relevant to multiple providers and environments.

The presenters will also provide a case study of this novel attack technique (Golden SAML) and demonstrate high-fidelity detection approaches to assist Security Operations in defending against adversaries. We will be discussing multiple open-source tools an organization can utilize to improve their understanding of their cloud environments and provide the possibility to identify misconfigurations.

* 27. Best Practices of Utilizing Threat Intel to Pin Down Ransomware

Armed with actionable intelligence, this talk will focus on taking pieces of intel such as a file hash or network indicators to paint a full picture of a ransomware attack using open source enrichment tools. The end result is an understanding of the different technical components controlled by threat actor groups that engage in a double extortion ransomware attack. The main purpose of understanding the big picture is to enable security and risk professionals to identify, detect and respond to a ransomware attack.

* 28. Building a Malware Analysis Library

This talk will cover how to leverage the CARO malware naming convention and Jupyter notebooks to create a hierarchical library of easily referenced malware analysis notebooks. Couple this with Binder for containerized analysis sandboxing and you have a lexicon of prebaked analysis techniques that you can spin up, use, and discard until the next time you need to dig into something.

* 29. Rapidly Finding People and Relationships From 19+ Million Media Files

In this talk, we will discuss how we processed thousands of hours of open source media and made interesting discoveries about some of the individuals who participated in the Capitol Hill riot. The discoveries were made using our media triage system that combines the use of open source software and machine learning components built by Pixel Forensics. This talk will contain a discussion of our media triage system and the discoveries made during our Capitol Hill media collection processing effort.