
iOS forensics with OpenSource tools

Speaker: Andrey Belenko

This workshop is for attendees who want to become familiar with current state-of-the-art techniques in iOS forensics. The focus will be on data extraction and we will try to limit ourselves to open-source or freely available tools. Both jailbroken and non-jailbroken devices will be covered.

I will walk you through all required theoretical background and we will then run the hands-on exercises.
  • Introduction to digital forensics
  • Introduction to iOS security
  • How iOS data protection works
    • How the passcode works
  • Various acquisition methods, their pros and cons
    • Logical
    • Filesystem
    • Physical
    • NAND
  • Making sense of acquired data
  • iCloud Forensics

Requirements for the workshop participants:

  • 2-3 hours
  • Knowledge of the Russian language
  • It will help if you bring a laptop running OS X and an iOS device running anything prior to iOS 8

Computer forensic investigation of a {mobile} banking Trojan

Speaker: Boris Ivanov

The number of targeted attacks on banks and financial organizations continues to grow. One of the existing criminal groups is currently the most active: by now it has stolen more than 250 million rubles in total.
In this workshop, we will study the techniques used by the group and its malware kit in detail. We will also carry out a practical analysis of system logs, memory, and drives to practise computer forensics.

Workshop plan:

Part I. Theoretical. Intro to computer forensics.
 I.1 The basics of remote banking system fraud
 I.2 New fraud schemes
 I.3 Mobile fraud
 I.4 ATM malware
 I.5 Responding to incidents
Part II. Practical. Examining data media
 II.1 Collecting initial evidence
 II.2 Extracting data from the provided media
 II.3 Analyzing the discovered malware. Examining malware traces
 II.4 Reconstructing the timeline

Participants will get:
  • Prepared virtual workstation drive
  • RAM dump
  • Virtual Android phone image
  • Forensics software kit

Requirements for the workshop participants:
  • 2 hours
  • Knowledge of the Russian language
  • Basic knowledge of working with *nix systems
  • Laptop with pre-installed VMware Player 6.0.3
  • SIFT Workstation 3.0 VM

Using radare2 framework for reversing and debugging malware and firmware

Speakers: Anton Kochkov, Boris Ryutin

Radare2 is a complete framework dedicated to reverse engineering. Written in C, completely portable, and released under the LGPL, it is a tool of the trade for dealing with binaries, especially weird ones.

A lot of people use it for a wide range of purposes: binary exploitation, reversing of unusual CPU architectures, binary diffing, CTFs, emulation, and more.

But since it is a very complete tool without a GUI, it has a steep learning curve; hence this workshop.

Part 0. Intro to the radare world

Part I. Static analysis

Chapter 1. Malware

Chapter 2. Firmware

2.1. General MIPS router firmware unpacking

2.2. General ARM firmware analysis - bootloaders and Android executables

2.3. Mobile DSP firmware analysis

Part II. Debugging

Requirements for the workshop participants:

  • 4 hours
  • Knowledge of the English language
  • Attendees must have some basic knowledge of reversing and x86/x86_64 assembly. MIPS and ARM assembly would be a plus. A little Python, Lua, and JavaScript knowledge would be helpful too (for the scripting part). We'll provide a virtual machine in OVA format (and possibly in other formats too). If you have a Linux system, you'll be able to download and build radare2 from source, and we'll prepare a separate download for the examples, files, firmware images, etc.

Deriving cryptographic keys via power consumption

Speaker: Roman Korkikyan

Cryptography is often treated as a magic wand that protects an information system with a single stroke. Surprisingly, cryptographic algorithms can be attacked successfully. Cryptanalytic theory becomes simple once even a minimal amount of information about an algorithm's intermediate values becomes available to an attacker. Apart from implementation errors, this information can leak through the physical parameters of the device running the cipher, for example its power consumption. Power consumption allows breaking cryptographic algorithms implemented in hardware, such as FPGAs and ASICs, as well as software running on a processor. In my workshop I would like to demonstrate how this attack can be implemented in practice.

The workshop includes a demonstration of a data-acquisition platform that an attacker could assemble; an explanation of the attacks on the basis of a DES implementation (both code and data will be available before the workshop); and a practical assignment on the AES cipher (partial code and data will be available before the workshop). If any time remains, I can either answer your questions or discuss attacks against protected implementations.

Data analysis code will be provided for either of:

  • A virtual machine with all the required packages, data and sources
  • A host machine running either gcc or Visual Studio (see requirements)

Requirements for the workshop participants:

  • 3-4 hours
  • Knowledge of the Russian language
  • MANDATORY: computer
  • For Linux or Mac OS: gcc with OpenMP
  • For Windows: Visual Studio
  • For all machines: gnuplot and 5 GB of free disk space (for data)
  • Side channel attack knowledge would be a plus