TC October, 2004

Day 1 04 October 2004
08:30 - 08:40 Introductions
08:40 - 10:10 Mark Dowd (ISS)
Professional Exploit Development Techniques/Practices;
Presentation, demonstration, discussion.
Coffee break  
10:40 - 11:40 Robert Hensing (Microsoft)
Rootkit detection on live systems and on-line incident response using a live response toolkit;
Presentation and discussion.
11:40 - 12:10 Klaus-Peter Kossakowski (PreSecure) and Don Stikvoort (Elsinore)
Extended services of the "Trusted Introducer" for CSIRTs in Europe, including statistics gathering, in-band and out-of-band alerting and a multi-protocol re-encrypting mail gateway;
Short presentation with open questions.
Lunch break  
13:30 - 14:00 Wietse Venema (IBM)
Journaling file system forensics;
Short presentation.
14:00 - 14:40 Michael H. Warfield (ISS)
Wireless Security - State of 802.11 (and variants) security profiles, developments, and practices;
Presentation and discussion.
14:40 - 15:10 Masato Terada (JPCERT/CC)
JVN - JP Vendor Status Notes; JPCERT activities of Vulnerability and Exploit DEF
15:10 - 15:40 The FIRST Steering Committee
Members ask the SC
Tea break  
16:25 - 17:00 Errol Weiss (SAIC)
World Wide ISAC
Presentation (discussion in the panel afterwards)
17:00 - 17:40 Panel discussion on the cooperation of ISACs and CSIRTs,
with an introduction by Peter Allor (ISS)

Panel members:

  • Chris Gibson (Citigroup);
  • Errol Weiss (SAIC);
  • Peter Allor (ISS).

ISS organises a short tour of the facility for those interested.


Day 2 05 October 2004
from 08:30am onwards HANDS-ON WORKSHOP

Coordinators: Wietse Venema and Jacomo Piccolini.


  • Robert Hensing (Microsoft)
  • Steve Romig (Ohio State University)
  • Brian Wolfinger and Thomas Akin (ISS)
  • Francisco Jesus Monserrat Coll (REDIRIS)

Below is a list of hands-on exercises and demos. Each exercise or demo will run once in the morning and once in the afternoon, and can accommodate about 8-10 students.
Analysis of binaries found on compromised systems
Francisco Jesus Monserrat Coll, REDIRIS.

Tips for finding malware binaries on different Unix systems, and how to perform a lightweight analysis of the assembly code to locate configuration files and other binaries without a full forensic analysis.

  • Format: Hands-on exercise.
  • Bring your own laptop and wired ethernet card.
  • Capacity: 6-8 students

MD5 and SHA-1 in Evidence Files and tool demonstration
Brian Wolfinger and Thomas Akin, ISS

A discussion of the collision issues in MD5, SHA-0 and SHA-1, their implications for the day-to-day work of forensic examiners and IT security professionals, and suggestions for avoiding pitfalls. Also includes an exercise with, and a demonstration of, an open source hashing tool written by Mr. Akin.

  • Format: Presentation, exercise and demonstration
  • Handouts: Students will receive a copy of the CDROM
  • Capacity: 8-10 students

Malware analysis
Steve Romig, Ohio State University

How to investigate malicious software with general tools like VMware, various web resources, a variety of common tools (such as tcpdump, ethereal, flow-tools and so on) and possibly disassemblers and debuggers. This is illustrated with a walk through an incident that occurred early in 2002, where some "unknown" malicious software was found on OSU systems.

  • Format: Hands-on. Students can use their own Linux laptop (Red Hat 8 or 9 with BIND, Apache, FTP and VMware) or one of the few laptops that Steve Romig arranges for.
  • Handouts: CDs with VMware images and config files.
  • Capacity: about 8 students

Introduction to Windows Online Forensics (WOLF)
Rob Hensing, Microsoft

This is a follow-up to Robert Hensing's TC presentation about rootkit detection on live systems and on-line incident response using a live response toolkit.

  • Format: Demonstration, possibly some hands-on opportunity.
  • Capacity: any number of students