Workshop

Workshop on Windows Forensics and Investigations

ISFS hosted the first ISFS Beijing Workshop in Windows Forensics on Mar 1-2, 2012 at the Institute of High Energy Physics (IHEP), Chinese Academy of Sciences (CAS). Over 50 digital forensics practitioners attended the workshop, and more than 30 of them submitted applications to become affiliate members of ISFS. The workshop was organized by Sprite Guo (ISFS China Liaison Officer) and his team together with Prof. Xu of IHEP, CAS, and was conducted by Ricci Ieong and Frankie Li, assisted by Virchow and Kan.

Date : 1 - 2 Mar 2012
Venue : Beijing, China

Malware Forensics Workshop (APT - Final Session)

Date : 28 October, 2011 (Friday)

Time : 7:00 pm - 10:00 pm

Venue : Room 1305, 13/F, Fortress Tower, 250 King's Road, North Point, Hong Kong (Exit B, Fortress Hill MTR Station)

Equipment required : Participants are required:
(1) to bring a laptop with VMware Workstation, VMware Player or VMware Fusion installed
(2) to have 10-15 GB of free hard disk space for holding all the virtual machines

Outline : The workshop is the final session of our APT* malware workshop series. Having analyzed the dropper and successfully injected the malicious DLL into an explorer.exe process running under the debugger, we shall perform code analysis on the injected code and try to identify the encryption key used for its HTTP traffic. Time permitting, we shall also perform code analysis on three further downloaded Trojan-spy samples.

*APT was defined by MANDIANT as a group of sophisticated, determined and coordinated attackers that have been systematically compromising a specific target or entity's networks for a prolonged period.

Who Should Attend :
- Members of ISFS
- Law enforcement
- Individuals responsible for incident response or forensic investigation, and Windows system administrators
- Security professionals
- Participants are expected to have a good understanding of Windows systems and networking concepts
- Some programming knowledge (variables, loops and function calls) or some exposure to assembly concepts is preferable

Suggested readings and online materials before the workshop :
http://www.princeton.edu/~yctwo/files/readings/M-Trends.pdf
http://www.mandiant.com/services/advanced_persistent_threat/


Malware Forensics Workshop (APT - Part 3)

Date : 14 October, 2011 (Friday)

Time : 7:00 pm - 10:00 pm

Venue : Room 907, Stanhope House, 734 King's Road, Quarry Bay (near Quarry Bay MTR Station)

Equipment required : Participants are required:
(1) to bring a laptop with VMware Workstation, VMware Player or VMware Fusion installed
(2) to have 10-15 GB of free hard disk space for holding all the virtual machines

Outline : The workshop is the third of our APT* malware workshop series. Having reviewed the PE structure and studied some basic reverse engineering techniques, we shall proceed to detailed code analysis using OllyDbg and IDA Pro. Participants will be guided in using these tools to identify the key functions of the malware. Time permitting, we shall manually unpack the dropped malicious DLL and inject it into a second copy of the Windows Explorer process for further study.

*APT was defined by MANDIANT as a group of sophisticated, determined and coordinated attackers that have been systematically compromising a specific target or entity's networks for a prolonged period.

Who Should Attend :
- Members of ISFS
- Law enforcement
- Individuals responsible for incident response or forensic investigation, and Windows system administrators
- Security professionals
- Participants are expected to have a good understanding of Windows systems and networking concepts
- Some programming knowledge (variables, loops and function calls) or some exposure to assembly concepts is preferable

Suggested readings and online materials before the workshop :
http://www.princeton.edu/~yctwo/files/readings/M-Trends.pdf
http://www.mandiant.com/services/advanced_persistent_threat/


Malware Forensics Workshop (APT - Part 2)

Date : 9 September 2011 (Friday)

Time : 7:00 pm - 10:00 pm

Venue : Room 907, Stanhope House, 734 King's Road, Quarry Bay (near Quarry Bay MTR Station)

Equipment required : Participants are required:
(1) to bring a laptop with VMware Workstation, VMware Player or VMware Fusion installed
(2) to have 10-15 GB of free hard disk space for holding all the virtual machines

Outline : The workshop is the second of our APT* malware workshop series. Before we go into detailed code analysis, this time we are going to study some basics of reverse engineering. First, we go over the PE file structure, discuss the logic of packing and unpacking, and cover some basic topics of assembly language. Second, we shall demonstrate how to use the analysis tools OllyDbg and IDA Pro. Participants will be given the chance to try the tools with hands-on guides. Detailed code analysis will be performed in the next workshops.

*APT was defined by MANDIANT as a group of sophisticated, determined and coordinated attackers that have been systematically compromising a specific target or entity's networks for a prolonged period.

Suggested readings and online materials before the workshop :
http://www.princeton.edu/~yctwo/files/readings/M-Trends.pdf
http://www.mandiant.com/services/advanced_persistent_threat/


Malware Forensics Workshop (APT - Part 1)

Date : 5 August 2011 (Friday)

Time : 7:00 pm - 10:00 pm

Venue : Room 1307, 13/F, Fortress Tower, 250 King's Road, North Point (Exit B, Fortress Hill MTR Station)

Equipment required : Participants are required:
(1) to bring a laptop with VMware Workstation, VMware Player or VMware Fusion installed
(2) to have 10-15 GB of free hard disk space for holding all the virtual machines

Outline : The workshop is an extension of our previous ZeuS malware workshop. Before we go into detailed code analysis of the ZeuS malware, this time we are going to study a simpler malware sample that we believe belongs to the category of an Advanced Persistent Threat (APT). APT was defined by MANDIANT as a group of sophisticated, determined and coordinated attackers that have been systematically compromising a specific target or entity's networks for a prolonged period. We shall demonstrate how to perform dynamic analysis and explore deeper usage of tools such as Process Explorer, Process Monitor, Autoruns, Regshot, CaptureBAT, Handlediff, PEiD, Bintext, Winobj, FileInsight, Stud_PE and more. Participants will be given the chance to try the tools on the APT malware with hands-on guides. Detailed code analysis will be performed in later workshops.

Suggested readings and online materials before the workshop :
http://www.princeton.edu/~yctwo/files/readings/M-Trends.pdf
http://www.mandiant.com/services/advanced_persistent_threat/


CISC : Second Annual Workshop on Internet Security and Digital Forensics

Date : 31 Aug 2009 (Mon)

Time : 2:20 pm - 5:00 pm
Venue : Room K223, 2/F, Knowles Building, The University of Hong Kong, Pokfulam Road, Hong Kong



Workshop on Digital Photo Analysis: Digital Photo editing

Date : 23 May 2009 (Sat)

Time : 9:30 am - 1:30 pm
Venue : Room LG103 (.NET Lab), Lower Ground Floor, Chow Yei Ching Bldg, HKU, Pokfulam Road, HK Island

Invited Speaker : Mr Calvin Yeung - a real photo-writer
Description : Last year, ISFS organized a photo forensics seminar. This year, we would like to organize a series of digital photo analysis workshops, the first of which is this digital photo editing workshop. We have invited Mr Calvin Yeung, a real photo-writer. If you look at his blogs and art works, you will notice his poems and artistic digital photos. He is also a frequent speaker on photo editing and photography skills.

http://hk.myblog.yahoo.com/calvin_yeung_hk/article?mid=597
http://hk.myblog.yahoo.com/calvin_yeung_hk/article?mid=527
http://hk.myblog.yahoo.com/calvin_yeung_hk/article?mid=480
http://hk.myblog.yahoo.com/calvin_yeung_hk/article?mid=308
http://www.saltstudio.net/photo_e05_21.htm
http://www.saltstudio.net/photo_a081_12.htm
http://www.saltstudio.net/photo_a20_34.htm
Tentative Agenda :
1. Introduction
- What is digital image retouching, alteration and creation
- A glance at photo editing software
- Some reflections on photo editing ethics

2. Basic operation
- Zooming and panning
- Layer concepts - layer transparency
- Selection skills

3. Cropping

4. Level optimizing

5. Dodging & darkening

6. Color enhancing
- Overall image color enhancing
- Color enhancing part of an image

7. Cloning/Stamp

8. Softening effect

9. Final exercise and Q & A


Malware Investigation: From Infection to Removal (Some tips on handling PRC malware)

Date : 21 February 2009 (Sat)

Time : 9:30 am - 12:30 pm
Venue : Room 607, United Centre, 95 Queensway Road, Hong Kong
Agenda : We try to answer some questions, such as:
(a) Are we infected?
(b) How do we locate this malware?
(c) How is it started?
(d) How do we identify it?
(e) Malware removal guide.

During the lab session, after a live removal demo, we shall work with some malware samples downloaded from PRC networks, followed by a mini hands-on removal contest in a VM environment.