CyberForensics Conference 2014 – Day 2

Day 2 was just as good as day one; here are the highlights:

  • Ethan Bayne presented on how to use GPUs to speed up carving and searching for files in a forensic image. Amazingly this has not been done yet, and the results he presented were spectacular as you can imagine! Essentially it’s just parallelising a search; and in a demo during the morning break he showed me he could search a 20GB image in 45 seconds – and this was just using his MacBook graphics card. It amazes me that Guidance or AccessData have not yet thought about this in their products.
  • An interesting and lively discussion followed Jim Fraser’s talk on the issues of modern police forensics. He (as a chemical/biological forensic expert) thought computer forensics was less rigorous and scientific than general forensics, which is very much based on the scientific method. The debate that followed was that digital forensics is still a relatively new field in the history of forensics, and perhaps it has yet to settle down into a more rigorous manner. However, due to the ever-changing nature of operating systems and applications, we’ll never have one method of doing anything. Blood and DNA don’t change; the data, software and hardware on a computer do.
  • James Sutherland gave a talk on leaking the AES keys handled by Intel CPUs’ AESKEYGENASSIST instruction to an attacker. AESKEYGENASSIST is an instruction which is used to access the on-board AES encryption engine. James showed a proof-of-concept backdoor where the FDIV instruction (completely unrelated to AESKEYGENASSIST) was modified so that, with specially crafted inputs, the AES key could be revealed. He then created a webpage with JavaScript that triggered the backdoor and revealed the key. He mentioned that the NSA have been known to use JavaScript for similar purposes, and they have been known to intercept servers to install backdoors.
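
The partitioning behind "it's just parallelising a search" in the carving talk above, as an added example that is not code from Ethan Bayne's talk or tool. It assumes a CPU thread pool standing in for GPU work items; the signature table, chunk size and sample image are constructed for illustration.

```python
from concurrent.futures import ThreadPoolExecutor

# Well-known file header signatures to search for (illustrative subset).
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def scan_chunk(image, start, end, signatures=SIGNATURES):
    """Return (offset, name) for every signature whose first byte is in [start, end)."""
    hits = []
    for name, magic in signatures.items():
        # Read len(magic) - 1 bytes past the chunk end so a signature that
        # straddles the boundary is found, and found by exactly one worker.
        window_end = min(len(image), end + len(magic) - 1)
        pos = image.find(magic, start, window_end)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1, window_end)
    return hits


def parallel_search(image, chunk_size=4096, workers=4, signatures=SIGNATURES):
    """Split the image into fixed-size chunks and scan them concurrently."""
    ranges = [(s, min(s + chunk_size, len(image)))
              for s in range(0, len(image), chunk_size)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        per_chunk = pool.map(
            lambda r: scan_chunk(image, r[0], r[1], signatures), ranges)
        return sorted(hit for chunk in per_chunk for hit in chunk)


def build_sample_image():
    """Constructed sample: zero filler with three planted headers."""
    img = bytearray(b"\x00" * 10000)
    img[100:103] = SIGNATURES["jpeg"]
    img[4094:4102] = SIGNATURES["png"]  # straddles the 4096-byte boundary
    img[8192:8197] = SIGNATURES["pdf"]  # starts exactly on a boundary
    return bytes(img)


if __name__ == "__main__":
    for offset, kind in parallel_search(build_sample_image()):
        print(f"{offset:>6}  {kind}")
```

The overlap in `scan_chunk` is the part that matters for forensic soundness: without it, a header split across two chunks is silently missed, and with a naive full overlap it is reported twice.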
