Presentations

 

Download PDF versions of previous talks presented at Forensic Summits and events.

 

 

How do you know it Works as Intended?
April 2022

Why you should validate your tools, when to validate and how to validate, with a walk-through example and a comparison of some common file carving tools.

PDF file hashes:
MD5: c1498cd5d0041d25bd4c7bacc2144704
SHA-1: 4cc7a5b462265e2948ddbf73ebc498300a8212ab
SHA-256: 72aba44c06b47da20750b10b172244dc54d9ff911fe6ee2fba8a08aa9f4807a7
MUS2022_khedley_How_do_you_know_it_works[...]
Adobe Acrobat document [1.0 MB]

Pining for Data - PinePhone forensic analysis
May 2021

The PinePhone is one of the first true Linux-based smartphone projects to have released mobile devices, available to the general public, with a smartphone-specific variant of Linux pre-flashed onto the device. These devices can be used out of the box, or can be re-flashed with other Linux variants. Available devices are still very much in the development phase, which brings the added fun of the occasional device or application crash, and some hardware not being supported at all by some Linux variants. However, there is the prospect of such devices becoming more common in the future. It's fun to see what data may be stored on a device, where it is stored, and how we can acquire it, in order to work out how it may be useful to a digital forensic investigation if one of these devices were seized.

Pining for data - PinePhone forensics - [...]
Adobe Acrobat document [6.3 MB]

The Importance of Validation
February 2019

We rely on many tools to do our day jobs and tell us what's going on in our systems and networks, but are they giving us the right information and how would we know whether they were or not? Validation of tools is often one of those tasks that ends up being forgotten or omitted due to lack of time or resources. Is it really important? Spoiler alert... yes!
SANS_atnight_feb2019_importance_of_valid[...]
Adobe Acrobat document [5.1 MB]

System Profiler - Automating the Routine Stuff
October 2018

This presentation outlines a number of shortcomings in existing tools used to parse information from a disk, and demonstrates a script that uses a combination of existing tools and manual parsing to automatically produce some routinely required sections of a forensic report.
DFIR_prague_2018_sysprofiler_presentatio[...]
Adobe Acrobat document [2.8 MB]
© Khyrenz 2022