Workshop poster

Introduction

Learn how to use CinCan tools at our hands-on workshop!

CinCan is a project helping analysts install and run their DFIR tools. In this workshop we will:

  • Demonstrate running containerized tools with our automation tool cincan-command.
  • Let you perform DFIR exercises with chat support (4 different tasks in 4 hours).
  • Wrap up the session with solution speedruns by CinCan project staff.

General info

The workshop will take place in Whereby meeting rooms, with a separate room for each task. Our project members will answer your questions and guide you through the analysis. Each room uses different analysis tools, but our cincan command line tool acts as the interface to all of them.

After the workshop, you can fill in a short survey about the tasks, where you also have the opportunity to give us feedback about the CinCan project. Participate in the survey here: CinCan Virtual Workshop Survey.

Prerequisites

  • Python 3.6
  • Docker 18.09
  • cincan-command

We recommend running Ubuntu 18.04 or later. Apart from the base Ubuntu system, you need Docker installed (easiest: install the Ubuntu docker.io package) and Python 3.6+.

Install cincan-command with the respective instructions for your environment.

NOTE: New work-in-progress documentation for installing the tool is available here.

Optional: You can also get a head start by pulling and running the tools from our DockerHub with cincan run cincan/[tool] and trying them out.
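The prerequisites above are easy to get slightly wrong (an Ubuntu docker.io package can be older than 18.09, and plain string comparison sorts "18.9" after "18.10"). The following POSIX sh script is an added example, not part of the workshop page or of cincan-command: it parses the output of python3 --version and docker --version and compares the versions field by field against the minimums the page states. The only assumptions are that python3 and docker are on PATH and print their version in the usual "Python X.Y.Z" / "Docker version X.Y.Z, build ..." form.

```shell
#!/bin/sh
# Added example (not from the CinCan workshop page): check that the local
# Python and Docker meet the workshop minimums before installing cincan-command.
# Minimum versions are the ones the page lists; tool names on PATH are assumed.

MIN_PYTHON="3.6"
MIN_DOCKER="18.09"

# version_ge A B: succeed when dotted version A is >= B. Fields are compared
# numerically one at a time, so 18.10 > 18.9 and 3.6.9 >= 3.6; a missing
# trailing field counts as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# extract_version TEXT: print the first dotted number in TEXT, e.g.
# "Docker version 20.10.7, build f0df350" -> 20.10.7. Prints nothing if
# TEXT contains no digits, so callers can detect unparseable output.
extract_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1)
    printf '%s\n' "${v%.}"
}

# check_tool NAME MIN VERSION_TEXT: report and return 0 when the version found
# in VERSION_TEXT is at least MIN, 1 otherwise.
check_tool() {
    name="$1"; min="$2"; have=$(extract_version "$3")
    if [ -z "$have" ]; then
        echo "$name: version not parseable from: $3"
        return 1
    fi
    if version_ge "$have" "$min"; then
        echo "$name $have: OK (>= $min)"
        return 0
    fi
    echo "$name $have: too old (need >= $min)"
    return 1
}

# Live checks against the tools actually installed on this machine.
overall=0
if command -v python3 >/dev/null 2>&1; then
    check_tool "Python" "$MIN_PYTHON" "$(python3 --version 2>&1)" || overall=1
else
    echo "Python: python3 not found on PATH"; overall=1
fi
if command -v docker >/dev/null 2>&1; then
    check_tool "Docker" "$MIN_DOCKER" "$(docker --version 2>&1)" || overall=1
else
    echo "Docker: docker not found on PATH"; overall=1
fi
[ "$overall" -eq 0 ] && echo "Prerequisites met; install cincan-command next." \
    || echo "Fix the items above before installing cincan-command."
```

Run it once before the workshop; if both lines say OK, the page's own cincan run cincan/[tool] command is the next step. The script does not check that your user can talk to the Docker daemon (docker.io on Ubuntu requires membership of the docker group or sudo), so a permission error from docker --version shows up as "version not parseable" and is worth fixing at the same time.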

Workshop tasks

APK malware -- Start at 8:30

Link to the task

A shady site has served this shady APK as a drive-by download. It is believed to be ransomware for Android phones that encrypts files on the victim's phone; figure out some key facts about the ransomware.

Tools you can use in this task include:

  • apktool - APK reverse engineering
  • dex2jar - Android dex tools
  • jd-cmd - Java Decompiler
  • fernflower - Java decompiler
  • cfr - Java decompiler

Join WhereBy room for support

Memory dump -- Start at 8:30

Link to the task

This task is a bit like a CTF challenge, as there is a backstory behind the memory dump. We are going to take a look at it with Volatility and extract some pertinent artifacts.

Tools used:

  • Volatility - memory analysis
  • Some common Linux utilities

Join WhereBy room for support

Memory dump pt.2 -- Start at 9:30

Link to the task

You can participate in this part even if you don't want to do the memory analysis part. We will give you a sample file.

This part is based on analysing a certain Word document that was extracted from the memory dump. You can continue the analysis with these tools:

  • oledump - document analysis
  • oletools - suite of document analysis tools
  • ilspy - .NET assembly decompilation
  • radare2 - reverse engineering binaries
  • ghidra-decompiler - General machine-code decompilation
  • openssl and some common Linux utilities

Join WhereBy room for support

Phishing emails -- Start at 8:30

Link to the task

Your organization has received some emails that might be malicious. You need to analyze and figure out which are malicious and which are not.

Some of the tools you can use in this task:

  • scrape-website - scrape contents of URLs and screenshot the results
  • headless-thunderbird - screenshot .eml files with Thunderbird
  • oledump - document analysis
  • oletools - suite of document analysis tools
  • ilspy - .NET assembly decompilation

Join WhereBy room for support