Difference between pages "Determining OS version from an evidence image" and "Upcoming events"

From Forensics Wiki

= Determining OS version from an evidence image =

One of the first steps an examiner will need to carry out once they have an evidence image is to log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.

==Windows==

===Windows 95/98/ME===

Establish the boot volume, verify that it is a FAT file system, and locate the hidden text file \MSDOS.SYS. Locate the [Options]WinVer parameter:

{| class="wikitable"
|-
! WinVer
! OS
|-
| 4.00.0950
| Windows 95
|-
| 4.00.1111
| Windows 95 OSR2
|-
| 4.03.1212
| Windows 95 OSR2.1
|-
| 4.03.1214
| Windows 95 OSR2.5
|-
| 4.10.1998
| Windows 98
|-
| 4.10.2222
| Windows 98 SE
|-
| 4.90.3000
| Windows ME
|}

Alternatively, establish WinDir ([Paths]WinDir in \MSDOS.SYS) and locate the %WINDIR%\SYSTEM.DAT registry file. Next, look up the registry key Software\Microsoft\Windows\CurrentVersion\ and its values Version and VersionNumber. (Backup copies of SYSTEM.DAT may be found in .CAB files in %WINDIR%\SYSBCKUP.)
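
An added example, not from the original wiki page: this Python parses MSDOS.SYS, maps [Options]WinVer to the release using the table above, and also returns [Paths]WinDir for the SYSTEM.DAT step. The function names and the sample file content are constructed for illustration.

```python
import re

# [Options]WinVer values and the release each one identifies, as in the table above.
WINVER_TO_OS = {"4.00.0950": "Windows 95", "4.00.1111": "Windows 95 OSR2",
                "4.03.1212": "Windows 95 OSR2.1", "4.03.1214": "Windows 95 OSR2.5",
                "4.10.1998": "Windows 98", "4.10.2222": "Windows 98 SE",
                "4.90.3000": "Windows ME"}


def parse_msdos_sys(data: bytes) -> dict:
    """Parse the INI-style MSDOS.SYS into {section: {key: value}} (names lower-cased)."""
    sections, current = {}, None
    for raw in data.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        # Skip blanks and the ';xxxx' padding/comment lines that keep the file >1024 bytes.
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def identify_win9x(data: bytes) -> dict:
    """Return WinVer, the release it maps to, and WinDir from an MSDOS.SYS image."""
    ini = parse_msdos_sys(data)
    winver = ini.get("options", {}).get("winver")
    return {
        "winver": winver,
        "os": WINVER_TO_OS.get(winver, "unknown (WinVer not in table)"),
        # [Paths]WinDir tells you where to find SYSTEM.DAT for the registry check.
        "windir": ini.get("paths", {}).get("windir"),
    }


# Constructed sample MSDOS.SYS (not copied from a real image).
SAMPLE_MSDOS_SYS = b"""[Paths]
WinDir=C:\\WINDOWS

[Options]
BootGUI=1
WinVer=4.10.2222
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
"""
```

A WinVer value that is not in the table is reported as unknown rather than guessed, so an unexpected value stands out in the examiner's notes.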

===Windows NT===

===Windows 2000/2003/XP/Vista===

Information about a running system can be displayed using the command `ver` (and `systeminfo` on some systems).

During a forensic examination, information regarding the version of Windows can be found in a number of places. For example, by default the Windows directory on Windows XP is "C:\Windows", whereas on Windows NT and 2000 it was "C:\Winnt". This is not definitive, however, because the directory name is easily changed during installation.

Determining the version of Windows from the Software registry hive file: navigate to the ''Microsoft\Windows NT\CurrentVersion'' key and examine the values beneath it, specifically ProductName, CSDVersion, ProductId (if available), BuildLab and, on Vista, BuildLabEx.

Determining the version of Windows from file version information: locate the file %WinDir%\system32\ntoskrnl.exe and review the file version information/strings from the resource section of the PE file. You can view this information with a hex editor, or extract it using a variety of means. There is a Perl module (Win32::File::VersionInfo) that will allow you to extract this information, and the Perl script [http://sourceforge.net/project/showfiles.php?group_id=164158&package_id=203967 kern.pl] illustrates a platform-independent means of examining the PE header and ultimately locating the file version information.

To tell Windows XP Professional from Home Edition, look for the %WinDir%\system32\prodspec.ini file; it contains information regarding the product type (either XP Pro or Home). Another way is to look at the Microsoft Product Code (MPC), the first 5 digits of the ''Product ID''. Some of these values:

{| class="wikitable" border="1"
|-
!Value (MPC)!!Version
|-
|55034 || Windows XP Professional English
|-
|55683 || Windows XP Professional Russian
|-
|55681 || Windows XP Home Edition Russian
|}
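
An added example (not the page's own code and not kern.pl): carving the VS_FIXEDFILEINFO block of a PE version resource, which is where the file and product version of ntoskrnl.exe are recorded, without walking the resource directory. The sample resource bytes and version numbers are constructed.

```python
import struct

VS_FFI_SIGNATURE = b"\xbd\x04\xef\xfe"            # 0xFEEF04BD, little-endian
VS_VERSION_INFO_KEY = "VS_VERSION_INFO".encode("utf-16-le")


def _version(ms: int, ls: int) -> str:
    """Join the two DWORDs of a VS_FIXEDFILEINFO version into major.minor.build.revision."""
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def carve_fixed_file_info(data: bytes) -> list:
    """Decode every VS_FIXEDFILEINFO block found in a PE image such as ntoskrnl.exe.

    Rather than walking the PE resource directory, this carves on the signature and
    checks that the UTF-16 'VS_VERSION_INFO' key precedes it (6-byte header, 32-byte
    key, 2 bytes of DWORD padding), so it also works on a kernel carved from free space.
    """
    hits, pos = [], data.find(VS_FFI_SIGNATURE)
    while pos != -1:
        if pos >= 34 and data[pos - 34:pos - 4] == VS_VERSION_INFO_KEY and len(data) >= pos + 52:
            f = struct.unpack_from("<13I", data, pos)   # 13 DWORDs, signature first
            hits.append({"offset": pos,
                         "file_version": _version(f[2], f[3]),
                         "product_version": _version(f[4], f[5]),
                         "file_os": f[8], "file_type": f[9]})
        pos = data.find(VS_FFI_SIGNATURE, pos + 1)
    return hits


def build_sample_version_resource(file_ver=(5, 1, 2600, 5512), prod_ver=(5, 1, 2600, 5512)) -> bytes:
    """Constructed VS_VERSIONINFO fragment (NOT bytes from a real ntoskrnl.exe)."""
    key = VS_VERSION_INFO_KEY + b"\x00\x00" + b"\x00\x00"      # szKey, NUL, padding
    ffi = struct.pack("<13I", 0xFEEF04BD, 0x00010000,
                      (file_ver[0] << 16) | file_ver[1], (file_ver[2] << 16) | file_ver[3],
                      (prod_ver[0] << 16) | prod_ver[1], (prod_ver[2] << 16) | prod_ver[3],
                      0x3F, 0, 0x00040004, 3, 0, 0, 0)           # VOS_NT_WINDOWS32, VFT_DRV
    header = struct.pack("<HHH", 6 + len(key) + len(ffi), len(ffi), 0)  # wLength, wValueLength, wType
    return b"MZ" + b"\x00" * 100 + header + key + ffi + b"\x00" * 16


if __name__ == "__main__":
    for hit in carve_fixed_file_info(build_sample_version_resource()):
        print(f"offset {hit['offset']}: file {hit['file_version']}, product {hit['product_version']}")
```

Run it against an exported ntoskrnl.exe by passing the file's bytes to carve_fixed_file_info; a file with no valid VS_VERSION_INFO key before the signature yields an empty list rather than a bogus version.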

==Unix/Linux==

Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However, this is of little use if you are performing dead analysis on a disk image.

===Linux===

A number of Linux distributions create a file in ''/etc'' to identify the release or version installed.

<pre>
/etc/issue
/etc/issue.net
</pre>

{| class="wikitable" border="1"
|-
!Distro!!Tag
|-
|Red Hat || /etc/redhat-release
|-
|Debian  || /etc/debian_version
|}

=== (Open) Solaris ===

===Free/Net/OpenBSD===

A first indicator of the presence of a BSD operating system is the partition table on an MBR-partitioned disk:

{| class="wikitable" border="1"
|-
!OS!!Partition type
|-
|FreeBSD || FreeBSD (0xA5)
|-
|OpenBSD || OpenBSD (0xA6)
|-
|NetBSD || NetBSD (0xA9)
|}

You can get the release and version of a BSD operating system from the kernel image, even with only a disk image.

{| class="wikitable" border="1"
|-
!OS!!Kernel path
|-
|FreeBSD || /boot/kernel/kernel
|-
|OpenBSD || /bsd
|-
|NetBSD || /netbsd
|}

You can use the <tt>strings</tt> and <tt>grep</tt> tools to find this information with <tt>strings kernel_path | grep os_name</tt> (e.g. <tt>strings /bsd | grep OpenBSD</tt>).
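
An added example covering the whole BSD procedure above (not code from the original page): check the MBR partition table for the BSD type bytes, then do the equivalent of strings kernel_path | grep os_name over the kernel image to pull the release banner. The MBR and kernel fragment are constructed samples.

```python
import re
import struct

# MBR partition type bytes of the BSDs and their kernel paths, from the tables above.
BSD_PARTITION_TYPES = {0xA5: "FreeBSD", 0xA6: "OpenBSD", 0xA9: "NetBSD"}
BSD_KERNEL_PATHS = {"FreeBSD": "/boot/kernel/kernel", "OpenBSD": "/bsd", "NetBSD": "/netbsd"}
BANNER_RE = re.compile(r"\b(FreeBSD|OpenBSD|NetBSD) (\d+\.\d+[\w.-]*)")


def bsd_partitions_from_mbr(mbr: bytes) -> list:
    """Return (index, os, start_lba, sectors) for each BSD entry in a 512-byte MBR."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 0x55AA boot signature")
    found = []
    for i in range(4):                      # four 16-byte entries start at offset 0x1BE
        entry = mbr[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        if entry[4] in BSD_PARTITION_TYPES:  # byte 4 of an entry is the partition type
            start_lba, sectors = struct.unpack_from("<II", entry, 8)
            found.append((i, BSD_PARTITION_TYPES[entry[4]], start_lba, sectors))
    return found


def strings(data: bytes, min_len: int = 4):
    """Minimal strings(1): yield printable-ASCII runs of at least min_len bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def bsd_release_from_kernel(kernel: bytes):
    """Like `strings kernel | grep os_name`, narrowed to the release banner string."""
    for s in strings(kernel):
        m = BANNER_RE.search(s)
        if m:
            return m.group(1), m.group(2)   # e.g. ("OpenBSD", "5.4")
    return None


# Constructed sample MBR with one OpenBSD (0xA6) slice at LBA 63; not from a real disk.
_entry = bytes([0x80, 1, 1, 0, 0xA6, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 2097089)
SAMPLE_MBR = b"\x00" * 0x1BE + _entry + b"\x00" * 48 + b"\x55\xaa"
# Constructed kernel fragment carrying a banner in the style of a real /bsd (version arbitrary).
SAMPLE_KERNEL = b"\x7fELF" + b"\x00" * 32 + b"OpenBSD 5.4 (GENERIC) #37: Tue Jul 30 15:24:05 MDT 2013\x00"

if __name__ == "__main__":
    for idx, name, lba, size in bsd_partitions_from_mbr(SAMPLE_MBR):
        print(f"entry {idx}: {name} at LBA {lba}, {size} sectors -> check {BSD_KERNEL_PATHS[name]}")
    print(bsd_release_from_kernel(SAMPLE_KERNEL))
```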

===AIX===

===HP/UX===

===Other===
* Plan9
* QNX RTOS
* OS2
* MacOS-X/IOS

[[Category:Howtos]]

= Upcoming events =
Revision as of 12:01, 17 December 2013

PLEASE READ BEFORE YOU EDIT THE LISTS BELOW
When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (e.g. Sep, NOT Sept. or September), use two-digit dates (e.g. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event (e.g. Jan 02-05, NOT Jan 02, 03, 04, 05).
Some events may be limited to Law Enforcement Only or to a specific audience. Such restrictions should be noted when known.

This is a BY DATE listing of upcoming events relevant to digital forensics. It is not an all-inclusive list, but includes most well-known activities. Some events may duplicate events on the generic conferences page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into three sections (described as follows):

  1. Calls For Papers - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)
  2. Conferences - Conferences relevant for Digital Forensics (Name, Date, Location, URL)
  3. Training Courses and Providers - Training


Calls For Papers

Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.

{| class="wikitable"
|-
! Title !! Due Date !! Notification Date !! Website
|-
| CyberPatterns 2014 || Jan 03, 2014 || Jan 17, 2014 || http://tech.brookes.ac.uk/CyberPatterns2014/CFPCyberpatterns2014.pdf
|-
| 12th International Conference on Applied Cryptography and Network Security || Jan 10, 2014 || Mar 14, 2014 || http://acns2014.epfl.ch/callpapers.php
|-
| 9th Annual Conference on Digital Forensics, Security and Law || Jan 15, 2014 || || http://www.digitalforensics-conference.org/callforpapers.htm
|-
| 2nd ACM Workshop on Information Hiding and Multimedia Security || Jan 17, 2014 || Mar 31, 2014 || http://www.ihmmsec.org/index.php/cfp
|-
| USENIX Annual Technical Conference || Jan 28, 2014 || Apr 07, 2014 || https://www.usenix.org/conference/atc14/call-for-papers
|-
| Audio Engineering Society (AES) Conference on Audio Forensics || Jan 31, 2014 || Mar 15, 2014 || http://www.aes.org/conferences/54/downloads/54thCallForContributions.pdf
|-
| DFRWS - USA 2014 || Feb 13, 2014 || Apr 07, 2014 || http://dfrws.org/2014/cfp.shtml
|}

See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']

Conferences

{| class="wikitable"
|-
! Title !! Date/Location !! Website
|-
| IFIP WG 11.9 International Conference on Digital Forensics || Jan 08-10<br>Vienna, Austria || http://www.ifip119.org/Conferences/
|-
| AAFS 66th Annual Scientific Meeting || Feb 17-22<br>Seattle, WA, USA || http://www.aafs.org/aafs-66th-annual-scientific-meeting
|-
| 21st Network & Distributed System Security Symposium || Feb 23-26<br>San Diego, CA, USA || http://www.internetsociety.org/events/ndss-symposium
|-
| Fourth ACM Conference on Data and Application Security and Privacy 2014 || Mar 03-05<br>San Antonio, TX, USA || http://www1.it.utsa.edu/codaspy/
|-
| 9th International Conference on Cyber Warfare and Security (ICCWS-2014) || Mar 24-25<br>West Lafayette, IN, USA || http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm
|-
| CyberPatterns 2014 || Apr 11<br>Oxford, United Kingdom || http://tech.brookes.ac.uk/CyberPatterns2014/
|-
| US Cyber Crime Conference 2014 || Apr 29-May 02<br>Leesburg, VA || http://www.usacybercrime.com/
|-
| DFRWS-Europe 2014 || May 07-09<br>Amsterdam, Netherlands || http://dfrws.org/2014eu/index.shtml
|-
| 8th International Conference on IT Security Incident Management & IT Forensics || May 12-14<br>Muenster, Germany || http://www1.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2014/
|-
| 2014 IEEE Symposium on Security and Privacy || May 16-23<br>Berkeley, CA, USA || http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=16517
|-
| 9th ADFSL Conference on Digital Forensics, Security and Law || May 28-29<br>Richmond, VA || http://www.digitalforensics-conference.org/
|-
| Techno-Security and Forensics Conference || Jun 01-04<br>Myrtle Beach, SC, USA || http://www.techsec.com/html/Security%20Conference%202014.html
|-
| Mobile Forensics World || Jun 01-04<br>Myrtle Beach, SC, USA || http://www.techsec.com/html/MFC-2014-Spring.html
|-
| 12th International Conference on Applied Cryptography and Network Security || Jun 10-13<br>Lausanne, Switzerland || http://acns2014.epfl.ch/
|-
| 2nd ACM Workshop on Information Hiding and Multimedia Security || Jun 11-13<br>Salzburg, Austria || http://www.ihmmsec.org/
|-
| 54th Conference on Audio Forensics || Jun 12-14<br>London, England || http://www.aes.org/conferences/54/
|-
| 2014 USENIX Annual Technical Conference || Jun 19-20<br>Philadelphia, PA, USA || https://www.usenix.org/conference/atc14
|-
| 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks || Jun 23-26<br>Atlanta, GA, USA || http://www.dsn.org/
|-
| Symposium On Usable Privacy and Security (SOUPS) 2014 || Jul 09-11<br>Menlo Park, CA, USA || http://cups.cs.cmu.edu/soups/2013/
|-
| Black Hat USA 2014 || Aug 02-07<br>Las Vegas, NV, USA || https://www.blackhat.com
|-
| DFRWS 2014 || Aug 03-06<br>Denver, CO, USA || http://dfrws.org/2014/index.shtml
|-
| RCFG GMU 2014 || Aug 04-08<br>Fairfax, VA, USA || http://www.rcfg.org/gmu/
|-
| 23rd USENIX Security Symposium || Aug 20-22<br>San Diego, CA, USA || https://www.usenix.org/conferences
|-
| 25th Annual Conference & Digital Multimedia Evidence Training Symposium || Oct 06-10<br>Coeur d’Alene, ID, USA || http://www.leva.org/annual-training-conference/
|}

See Also

* [[Training Courses and Providers]]

References

* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
* [http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]