Digital Forensics and Incident Response Summit (a.k.a Wastin’ Time and Money in Austin with Rob, His Ego, and His Homies)

I know there has been a love fest of blog posts and tweets in the past couple of weeks discussing the 2012 DFIR Summit, so I wanted to offer an opposing and “unbiased” perspective.  As I have stated in previous posts, I’ve gotten to the point where I have lost all interest in suffering through these types of events but, in this instance, I wanted to show support for Andrew and Joe. Thus, for the sake of the Volatility Community I was willing to endure instructor “try-outs” and the DFIR “circle back pat”…. which I think is celebrating how the industry is miserably struggling to keep up with advanced adversaries? (No?). The only advantage was that I have seen variations of most of these presentations numerous times, so I could focus my attention on getting actual work done.  In this post, I will share a few of my observations: the positives, the negatives, and the strange.


  1.   While I’m once again probably biased, I felt Andrew Case and Joe Sylve both gave outstanding presentations.  Andrew discussed his research into Mac memory analysis and Joe discussed memory analysis of Android devices.  There are a number of components that made their presentations stand out.  First, it was obvious that both speakers possess deep technical backgrounds in computer science and operating system internals, which is unfortunately hard to find these days in the forensics and incident response communities. Despite their technical expertise, they are also both strong practitioners and were able to present the material in an approachable manner.  Second, both speakers transitioned their innovative research into open source contributions that other aspiring researchers could build upon and other practitioners can immediately use.  Finally, they gave the audience a unique opportunity to learn from and ask questions of the actual developers.  Developers often have an amazing perspective that can only be ascertained after having invested the time to actually understand the data and write the tools. This is why it is important that the community continue to Support Open Source Forensics Developers (SOSFD).   After experiencing the Summit, as speakers, I would be surprised to see them present there again.
  2. Mr. Nick Harbour gave one of the more entertaining talks of the event.  Granted, he seemed a little bitter since he didn’t have access to his original presentation data. Many of you may remember Nick from his days at Mandiant, where he led up their malware analysis team. Nick is part of a massive talent drain (Hi Wendy!) that has been fleeing Mandiant in recent months. Nick’s presentation discussed a number of “anti*” techniques that can make dealing with advanced threats challenging. He also spent a lot of time discussing the challenges associated with large-scale remediation. My favorite part of the presentation was when he told a story about a company that had paid for a year of IR services but Mandiant was unable to get the targeted adversary out.  He conceded that the only reason the adversary left was because there was nothing left to steal! (..So much for finding evil and solving crimes.).  He concluded with the following paraphrased quote: “Since I’m no longer an employee, I guess I can say it. We FAILED!”  You will have to watch the video for yourself to fully appreciate the candor in his presentation. Everything that glitters (or has marketing videos and glossy reports) ain’t always gold!
  3. On another positive note, I finally had the pleasure of meeting Mr. Kristinn Gudjonsson, the actual developer of log2timeline. Kristinn is a very nice and intelligent open source developer! Previously, my only contact with the log2timeline project had been listening to Rob’s humble claims “That is a SANS started project. (Time, money, resources, code… AND the idea behind the entire project was my own personal idea that I had been pushing for years openly to the community and never capitalized on it.)…. But the idea, the concept, and the start of it were all my idea.” I always thought that those claims tried to diminish the contribution of the actual developer, and I’m glad to publicly confirm that Kristinn is a lot more talented than just Rob’s code monkey.  Shoutz to Kristinn! We can’t wait to see the Python version!
  4. I was also pleasantly surprised to see that the summit had finally abandoned the question note cards.  In previous years, all participants with questions were required to submit those questions on note cards that were collected at the end of the presentation.  Those note cards were then reviewed by Rob and he would decide which questions would be asked of the speakers.  As I mentioned back in 2009, this killed any notion of open dialogue and definitely biased the types of questions that would actually be asked.  I’m glad to see that the yellow question cards have been abandoned.
  5. Finally, I do want to acknowledge Carol, her team, and the rest of the supporting Summit staff. They do an outstanding job given the resource constraints they are under. If you happen to attend any of the other Summits in the future, please take a moment and thank the supporting staff for their hard work.


  1. The Summit continues to take what I consider to be an exploitive stance towards its conference speakers, which has a direct impact on the quality of the content.  As it has been stated on numerous occasions, the Summit believes that it is doing the speakers a favor by blessing them with the opportunity to present to its audience (Hmmm..an audience of ~150 people with ~20% being conference speakers).  As a result, it does not cover any travel expenses for its speakers. In my opinion, this is just one of the reasons that the event is having a tough time attracting interesting content. Most modern conferences understand that a major draw of a conference is the presentations and speakers.  As an example, Black Hat covers your flight, your hotel room, and even pays their speakers a stipend. They realize that a major thing that draws people to the event is the speakers and content, not the hosting organization. Heh…Vegas may also play a part!
  2.  It was also unfortunate that the Summit had some “technical difficulties” associated with its live streaming. From what I understand, there were a number of people who were watching the event over the Internet, who were very disappointed.  While there were a number of claims that this was associated with the poor networking at the hotel, a Summit insider speculated that the “technical difficulties” were probably related to the fact that the Summit was unwilling to pay for an actual USTREAM account. Instead, they were trying to take advantage of the free version (seems like a reoccurring trend…).  Take a moment and consider what an actual account costs in relation to what the attendees are paying to attend the Summit.
  3. The final negative is the fact that the Summit is hosted in Austin during the middle of the summer.  Given the current economic conditions, I know a lot of people do not have large travel budgets, which impacts both attendees and speakers.  While Austin is a great city with a burgeoning infosec community, it is also unbearably hot during this time of year. Granted, we did eat at some great restaurants and I had one of the coolest drivers (Curley Culp)! I’ve also heard that next year is going to overlap with Black Hat…Good luck with that!


  • I also wanted to mention one last observation, which I found rather strange.  As I previously mentioned, I didn’t want to spend a lot of time at the summit, so I decided to fly in late Monday evening.  It just so happened that I was sharing a flight with Mr. Harlan Carvey, so we decided to share a shuttle back to the hotel. Upon arrival at the conference hotel, I was notified that I had a special message from the banquet organizer, Angela.  I was instructed that I was supposed to call her immediately upon my arrival.  It seems that Angela was concerned that I was flying in late and wanted to make sure I didn’t have any travel issues.  Imagine that, the hotel’s banquet organizer wanted to make sure I, a mere conference attendee, had made it safely to the event.  Was it strange that the keynote speaker for the conference, who was traveling with me, did not have such a note?  So the real question is…whom was Angela supposed to notify of my arrival?

In conclusion, my opinion of the Summit has obviously not changed but having the opportunity to see both Andrew’s and Joe’s presentations made the trip worth it.  If you are a presenter and you want your presentation to have the broadest impact, I would suggest striving for a venue like Black Hat.  If you are an attendee hoping to network, I would suggest saving your money for Black Hat and organizing a meet-up or trying an intimate setting like DFRWS. If you care about open source forensics tools, I would suggest Brian’s Open Source Digital Forensics Conference.  If you care about cutting-edge memory forensics and analysis, you should attend our Open Memory Forensics Workshop (OMFW).  If you want to spend a lot of money to hang with Rob and people that are trying to teach for Rob, the Summit is definitely the place for you! Granted, what do I know…. I spend all my time focusing on “just the memory forensics niche” while others put open source tools on a virtual machine that “is challenging FTK and other commercial products and is routinely listed as the 3rd most popular forensic tool” (Stand in awe before the glory!).  As with the Summit, does the true value come from the platform or the content that is delivered from that platform?  The only thing that can save the community is the community itself. SOSFD!

