Open Source Digital Forensics

Your function signature here please.

UB4.132
Jeffrey Rongen
Software reverse engineering is a very useful tool in digital forensics. Not only can it tell us a lot about the inner workings of the software of interest, it can also lead us to quirks and even vulnerabilities that are not visible in the source (e.g. compiler quirks). With enough effort it even turns proprietary implementations into open source; what's not to like?

Of course, with a technique this powerful, there will always be downsides. Reverse engineering large binaries can be a monumental task. Where a few kB of storage seem tiny, a few kB of code can be huge if you have to reverse it all. A secondary problem is that all this work is quite hard to reuse in the future. Binary code can differ, even with the same source, purely based on compiler options. SRE tools change, making your scripts obsolete. Decompilers change, making your signatures obsolete, and so on.

We present an open-source machine learning model, server and Ghidra plugin for creating function signatures from aarch64 assembly. These function signatures can be stored and compared to a database of known functions, so you can easily reuse all the blood, sweat and tears you put into reversing that library that has since been updated twice.

All code is of course open source and available at https://github.com/NetherlandsForensicInstitute/asmtransformers
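To make the signature-database idea concrete, here is an added example (not code from the talk or from the asmtransformers project, which uses a learned transformer embedding rather than the hand-written normalization below). It canonicalizes aarch64 disassembly so that register renaming, relocation and label changes between builds do not alter the signature, then matches a query function against a small in-memory database of known functions by cosine similarity. The assembly snippets, function names and library names are constructed for illustration.

```python
"""Toy compiler-tolerant function signatures for aarch64 disassembly (added example)."""
import re
from collections import Counter
from math import sqrt

REG = re.compile(r"(?:[xwbhsdqv](?:[12]?\d|3[01])|sp|lr|fp|[xw]zr)")
IMM = re.compile(r"#-?(?:0x[0-9a-f]+|\d+)")
NUM = re.compile(r"0x[0-9a-f]+|\d+")
SYM = re.compile(r"[a-z_.$][\w.$]*")
OPERAND_KEYWORDS = {"lsl", "lsr", "asr", "ror", "uxtw", "sxtw", "uxtx", "sxtx"}

def normalize(asm: str) -> list[str]:
    """One canonical string per instruction: registers -> REG, immediates -> IMM,
    addresses/labels -> LOC, so a rebuild at another address still yields the same list."""
    out = []
    for line in asm.lower().splitlines():
        line = re.sub(r"^\s*[\w.$]+:", "", line.split("//")[0]).strip()  # drop labels, comments
        if not line:
            continue
        mnemonic, *ops = re.findall(r"[\w.$#-]+|[\[\]!]", line)
        canon = [mnemonic]
        for tok in ops:
            if REG.fullmatch(tok): canon.append("REG")
            elif IMM.fullmatch(tok): canon.append("IMM")
            elif tok in OPERAND_KEYWORDS or tok in {"[", "]", "!"}: canon.append(tok)
            elif NUM.fullmatch(tok) or SYM.fullmatch(tok): canon.append("LOC")
            else: canon.append(tok)
        out.append(" ".join(canon))
    return out

def signature(asm: str) -> Counter:
    """Bag of canonical instructions plus adjacent pairs, so instruction order matters."""
    ins = normalize(asm)
    return Counter(ins) + Counter(zip(ins, ins[1:]))

def similarity(a: Counter, b: Counter) -> float:
    """Cosine similarity between two signatures (1.0 = identical canonical form)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    return dot / (sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values())) or 1)

def best_match(asm: str, db: dict[str, str]) -> tuple[str, float]:
    """Name and score of the database entry closest to the query function."""
    sig = signature(asm)
    return max(((n, similarity(sig, signature(k))) for n, k in db.items()), key=lambda t: t[1])

# Constructed "known functions" database: a strlen-style loop and an unrelated CRC step.
KNOWN_DB = {
    "my_strlen@libfoo-1.0": "mov x1, x0\nloop_1000:\nldrb w2, [x1], #1\ncbnz w2, loop_1000\n"
                             "sub x0, x1, x0\nsub x0, x0, #1\nret",
    "crc_update@libfoo-1.0": "eor w0, w0, w1\nlsr w0, w0, #8\nldr w2, [x3, x0, lsl #2]\n"
                              "eor w0, w0, w2\nret",
}
# Constructed query: the same strlen loop from a later build, relocated and re-registered.
QUERY_ASM = "mov x8, x0\n0x4a10:\nldrb w9, [x8], #1\ncbnz w9, 0x4a10\nsub x0, x8, x0\nsub x0, x0, #1\nret"

if __name__ == "__main__":
    print(best_match(QUERY_ASM, KNOWN_DB))  # ('my_strlen@libfoo-1.0', 1.0)
```

The real plugin replaces the hand-written normalization with a learned embedding, but the workflow is the same: compute a signature once, store it, and look up every later build against the database.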

Additional information

Live stream: https://live.fosdem.org/watch/ub4132
Type: devroom
Language: English
