1
00:00:00,000 --> 00:00:02,250
BENJAMIN CAUDILL: Welcome to DEF CON

2
00:00:02,250 --> 00:00:05,751
to "Offensive Forensics: CSI for Bad Guys."

3
00:00:12,542 --> 00:00:15,918
I am if you can read, Benjamin Caudill.

4
00:00:16,459 --> 00:00:24,542
I want to get this talk started off with how this concept came about.

5
00:00:24,542 --> 00:00:28,709
I was doing a pen test several years ago when I was a junior assessor

6
00:00:28,709 --> 00:00:32,626
to a financial institution in a case a while back where

7
00:00:32,626 --> 00:00:37,584
during the information gathering phase we have determined that it was

8
00:00:37,584 --> 00:00:41,876
a decentralized structure to a centralized one, which means

9
00:00:41,876 --> 00:00:45,334
they have database base service now.

10
00:00:47,501 --> 00:00:52,834
We had discovered enumerated a lot of information and found out a lot

11
00:00:52,834 --> 00:00:57,501
of data assessors had a local copies of the entire PI database

12
00:00:57,501 --> 00:00:59,999
on the local system.

13
00:01:00,125 --> 00:01:01,542
What can go wrong, right?

14
00:01:05,542 --> 00:01:09,209
Naturally this was the target and managed to get access

15
00:01:09,209 --> 00:01:11,209
to the systems.

16
00:01:11,709 --> 00:01:16,999
We needed one of these PI databases to be golden.

17
00:01:16,999 --> 00:01:20,542
That was the whole objective here, went over one system after another,

18
00:01:20,542 --> 00:01:24,334
after another, hours and hours of searching, days and weeks even,

19
00:01:24,334 --> 00:01:26,999
and couldn't find anything.

20
00:01:26,999 --> 00:01:29,459
Not a single Soc number on any of these systems.

21
00:01:29,918 --> 00:01:32,792
So we kind of wrapped things up and had

22
00:01:32,792 --> 00:01:37,292
the post talk discussion with the manager there.

23
00:01:37,292 --> 00:01:39,751
Where it came out that he had previously sent an email

24
00:01:39,751 --> 00:01:41,999
out to the system saying if you have any

25
00:01:41,999 --> 00:01:45,999
of these databases still laying around, make sure you one, delete them

26
00:01:45,999 --> 00:01:48,834
and two, empty the recycle bin.

27
00:01:48,959 --> 00:01:49,999
(Laughter).

28
00:01:50,083 --> 00:01:51,542
Yeah, nice.

29
00:01:51,999 --> 00:01:55,459
So kind of just having finished up the pen test and so forth,

30
00:01:55,459 --> 00:01:58,375
between my partner and I, we became this guy

31
00:01:58,375 --> 00:02:01,999
as we realized that if we would have looked at the MFT

32
00:02:01,999 --> 00:02:05,083
and grabbed a disk image of the system and done

33
00:02:05,083 --> 00:02:08,792
a forensic analysis of these systems that we would have

34
00:02:08,792 --> 00:02:13,083
compromised, we would have had millions of Social Security numbers

35
00:02:13,083 --> 00:02:16,334
on any one of these given systems.

36
00:02:16,667 --> 00:02:17,667
So close.

37
00:02:18,999 --> 00:02:23,334
So this kind of concept really led to the the concept I'm kind

38
00:02:23,334 --> 00:02:26,999
of talking about today, offensive forensics and this

39
00:02:26,999 --> 00:02:30,918
is really where I realized that if I would have taken

40
00:02:30,918 --> 00:02:35,250
a more forensics based approach to the post exploitation phase,

41
00:02:35,250 --> 00:02:39,250
we would have had a lot much more success.

42
00:02:39,292 --> 00:02:41,999
So, again, this is not really a talk so much

43
00:02:41,999 --> 00:02:45,876
about the forensic side of things and it's about forensics in a new

44
00:02:45,876 --> 00:02:48,083
and unconventional way.

45
00:02:49,999 --> 00:02:52,918
So, again, I'm Benjamin Caudill, principal consultant

46
00:02:52,918 --> 00:02:55,083
with Rhino Security Labs.

47
00:03:01,999 --> 00:03:04,959
I have been with aerospace and defense industry,

48
00:03:04,959 --> 00:03:09,834
I mentioned finance a little bit, been doing consulting recently.

49
00:03:09,834 --> 00:03:11,209
Kind of normal stuff.

50
00:03:11,375 --> 00:03:12,999
About eight years in IT.

51
00:03:12,999 --> 00:03:15,751
So I'm a well versed narrative.

52
00:03:15,959 --> 00:03:18,876
And a number of certifications but we are at DEF CON,

53
00:03:18,876 --> 00:03:21,584
and who really cares about that.

54
00:03:21,792 --> 00:03:26,083
AUDIENCE MEMBER: Woo hoo!

55
00:03:26,083 --> 00:03:28,999
BENJAMIN CAUDILL: Someone started drinking early.

56
00:03:28,999 --> 00:03:29,999
We will start with the traditional forensics

57
00:03:29,999 --> 00:03:32,999
a little bit about the background on that and what that means

58
00:03:32,999 --> 00:03:35,999
and kind of how this ties into everything.

59
00:03:35,999 --> 00:03:39,083
I will jump into the offensive side and offensive forensics, introduction

60
00:03:39,083 --> 00:03:40,999
of that and the basics and everything

61
00:03:40,999 --> 00:03:44,667
and then I will do a deep dive into really the technical details here,

62
00:03:44,667 --> 00:03:47,375
looking at the memory forensics and the potential and

63
00:03:47,375 --> 00:03:50,999
the problem we have with that, disk and registry.

64
00:03:53,999 --> 00:03:59,334
All of these are Windows based and then towards the end,

65
00:03:59,334 --> 00:04:05,999
releasing a new metasploit module, and some quick usage and hopefully

66
00:04:05,999 --> 00:04:07,626
a demo.

67
00:04:07,999 --> 00:04:10,959
So the traditional kind of digital forensics is essentially

68
00:04:10,959 --> 00:04:15,959
the recovery and investigation of information found in digital devices.

69
00:04:15,959 --> 00:04:17,417
Pretty simple concept.

70
00:04:17,417 --> 00:04:21,209
This is a useful idea for pen testers as we are essentially trying

71
00:04:21,209 --> 00:04:25,501
to get digital information from these systems.

72
00:04:25,584 --> 00:04:31,292
This kind of is is applicable to us, not only explicitly sensitive information,

73
00:04:31,292 --> 00:04:35,292
Social Security numbers, passwords and things like that

74
00:04:35,292 --> 00:04:40,334
but also implicitly sensitive, things like a calendar, a contact list

75
00:04:40,334 --> 00:04:42,999
of the entire company.

76
00:04:42,999 --> 00:04:46,459
These are things that we can utilize towards social engineering,

77
00:04:46,459 --> 00:04:50,999
towards password cracking, a lot of other attack avenues that wouldn't be

78
00:04:50,999 --> 00:04:56,667
necessarily on a technical front, but can still certainly be very useful.

79
00:04:56,999 --> 00:05:00,083
So, again, kind of a lot of the traditional forensic tools

80
00:05:00,083 --> 00:05:03,999
and really concepts are really for investigations, whether that's civil,

81
00:05:03,999 --> 00:05:07,584
corporate, criminal, whatever the case may be.

82
00:05:07,584 --> 00:05:08,667
The objective for forensics essentially

83
00:05:08,667 --> 00:05:11,626
is to solve a crime, loosely speaking.

84
00:05:11,876 --> 00:05:16,334
So, again, as a result of this, there's very few forensic tools that are

85
00:05:16,334 --> 00:05:19,626
applicable to pen testers directly.

86
00:05:20,292 --> 00:05:25,999
So kind of on a more direct front then, offensive forensics, is the use

87
00:05:25,999 --> 00:05:31,584
of forensics for technical purposes, again, improve social engineering,

88
00:05:31,584 --> 00:05:35,918
more efficient password cracking and being able to get

89
00:05:35,918 --> 00:05:42,209
a better dictionary list, by, grabbing a contact list is very useful.

90
00:05:42,751 --> 00:05:46,083
And, again, kind of going back to what I said earlier, this

91
00:05:46,083 --> 00:05:49,542
is really useful in a traditional exploitation situation,

92
00:05:49,542 --> 00:05:52,999
where those kind of typical steps post exploitation steps

93
00:05:52,999 --> 00:05:56,876
are really insufficient to get to the next level, moving laterally

94
00:05:56,876 --> 00:06:00,209
or getting passwords and things like that.

95
00:06:00,459 --> 00:06:03,250
And pen testing has a time limit.

96
00:06:03,250 --> 00:06:07,292
You can't spend all day, even if you do have access, and waiting

97
00:06:07,292 --> 00:06:13,792
for the user or the multiple users to go to a particular forum or web page.

98
00:06:14,125 --> 00:06:16,542
It's much more easy, much more efficient to kind

99
00:06:16,542 --> 00:06:20,083
of do some of this forensic analysis and grab previous files,

100
00:06:20,083 --> 00:06:23,751
like browser files, for example and grab those and use those

101
00:06:23,751 --> 00:06:26,083
as a basis for your next steps rather than

102
00:06:26,083 --> 00:06:28,751
the key logging out route.

103
00:06:30,209 --> 00:06:32,876
The offensive with the traditional forensics,

104
00:06:32,876 --> 00:06:36,459
the objective is to gain access to sensitive additional sensitive

105
00:06:36,459 --> 00:06:40,667
information, again, whether that's explicit or implicit.

106
00:06:42,667 --> 00:06:44,999
So, again, the forensic comparison here,

107
00:06:44,999 --> 00:06:50,167
traditional forensics and offensive forensics have different processes.

108
00:06:51,834 --> 00:06:56,083
Traditional forensic, the process is grab the memory, pull the plug

109
00:06:56,083 --> 00:07:00,709
and do disk forensic and get a lot of the file that you couldn't access

110
00:07:00,709 --> 00:07:05,167
when it was live because they are being used by the OS.

111
00:07:05,167 --> 00:07:07,751
I use the example here of hyrofill.sys.

112
00:07:11,999 --> 00:07:14,999
A live analysis for offensive forensics.

113
00:07:20,501 --> 00:07:24,999
We have the benefit of not having to worry about the legal side of things.

114
00:07:24,999 --> 00:07:28,083
We don't have to worry about chain of custody, potential loss

115
00:07:28,083 --> 00:07:31,751
or modification of evidence and really the legal analysis

116
00:07:31,751 --> 00:07:35,792
but we also have the disadvantage of a lot of permissions issues

117
00:07:35,792 --> 00:07:39,999
in Windows or whatever your OS is prevents you from accessing a lot

118
00:07:39,999 --> 00:07:44,167
of those core OS files that we would want to access.

119
00:07:44,167 --> 00:07:45,918
So, again, there's a little bit of a difference, some

120
00:07:45,918 --> 00:07:49,667
of those files are less useful than they would be otherwise.

121
00:07:49,751 --> 00:07:53,167
On the dead analysis, again, it's assumed you have physical access

122
00:07:53,167 --> 00:07:57,083
to the box when you are doing a traditional forensic analysis of things,

123
00:07:57,083 --> 00:08:01,083
which we can also kind of presume is the case with the offensive forensics

124
00:08:01,083 --> 00:08:03,292
but it's not as common.

125
00:08:03,626 --> 00:08:07,667
In addition to that, also we lose the potential kind of user interaction

126
00:08:07,667 --> 00:08:11,250
or live memory exploitation of having the user actually be

127
00:08:11,250 --> 00:08:13,999
on the system at that time.

128
00:08:13,999 --> 00:08:16,250
If you happen to be typing in your password

129
00:08:16,250 --> 00:08:19,999
at the same time I'm grabbing a memory dump, I win.

130
00:08:21,876 --> 00:08:24,918
So kind of, again, for the offensive forensic side,

131
00:08:24,918 --> 00:08:28,667
when we are actually doing a pen test, more often than not, this

132
00:08:28,667 --> 00:08:32,792
will be a remote attack or a live analysis scenario.

133
00:08:32,792 --> 00:08:35,083
So I will kind of focus on the live analysis situations

134
00:08:35,083 --> 00:08:36,999
from here on out.

135
00:08:38,792 --> 00:08:42,417
So diving more into the technical details here.

136
00:08:42,584 --> 00:08:44,167
On the memory side, we have a wide range

137
00:08:44,167 --> 00:08:47,999
of things that we can look at, and, again, memory forensics in itself

138
00:08:47,999 --> 00:08:49,999
is its own science.

139
00:08:49,999 --> 00:08:54,876
This is not a forensic lesson, but more of an application lesson.

140
00:08:54,999 --> 00:08:58,083
This ranges from the simple, again, Windows clipboard, I use it

141
00:08:58,083 --> 00:09:02,209
as an example applicable when you are talking about passenger managers,

142
00:09:02,209 --> 00:09:05,375
copy, paste, if I grabbed it at the right time, again,

143
00:09:05,375 --> 00:09:10,083
clear text passwords to kind of the niche command line history.

144
00:09:10,083 --> 00:09:11,626
I have never seen this myself.

145
00:09:16,542 --> 00:09:21,083
Dosky.history this could bring up anything from added users,

146
00:09:21,083 --> 00:09:25,792
for like a sys admin case, and telnet sessions and any number

147
00:09:25,792 --> 00:09:29,876
of other things, as well as a more fragmented subject,

148
00:09:29,876 --> 00:09:33,999
things like files, encryption keys, at the very least,

149
00:09:33,999 --> 00:09:38,751
you can grab encryption keys and things like that.

150
00:09:38,751 --> 00:09:41,209
There are numerous papers on TrueCrypt, being able to grab

151
00:09:41,209 --> 00:09:44,375
the cryption key in open containers.

152
00:09:44,584 --> 00:09:47,083
As I mentioned with the Windows clipboard example,

153
00:09:47,083 --> 00:09:49,834
in certain cases, you can grab clear text examples

154
00:09:49,834 --> 00:09:51,999
from any given process.

155
00:09:52,999 --> 00:09:56,999
Another one I wanted to mention on almost the privacy side,

156
00:09:56,999 --> 00:10:00,334
is private browsing and sandboxing.

157
00:10:00,334 --> 00:10:04,417
There's a lot of despite the moniker of porn mode, a lot

158
00:10:04,417 --> 00:10:07,250
of these browsers are used by users

159
00:10:07,250 --> 00:10:12,959
because of the implied sensitive nature of the browser.

160
00:10:12,959 --> 00:10:15,292
You can't there's no records kept and so forth and so it would be

161
00:10:15,292 --> 00:10:18,584
theoretically more secure to, you know, go to your bank or go

162
00:10:18,584 --> 00:10:21,584
to a sensitive site, things like that.

163
00:10:22,626 --> 00:10:28,000
And again, there's multiple papers on the flaws with a lot of this logic.

164
00:10:28,167 --> 00:10:32,876
The one that comes to mind is IEs in private, which actually writes files

165
00:10:32,876 --> 00:10:36,250
to disk during that private session.

166
00:10:36,709 --> 00:10:41,042
It deletes the files at the end, but, again, going back a slide or two, being able

167
00:10:41,042 --> 00:10:43,999
to recover those files through the MFT and grab those

168
00:10:43,999 --> 00:10:45,834
deleted files.

169
00:10:45,834 --> 00:10:51,000
Essentially it allows me to replicate or look into your private session.

170
00:10:51,000 --> 00:10:53,999
Which who knows why you are doing that.

171
00:10:54,209 --> 00:10:56,918
Along the same line, another kind of example of this

172
00:10:56,918 --> 00:11:01,083
is when you are actually catching this in memory, there's a lot more kind

173
00:11:01,083 --> 00:11:03,667
of unique identifiers for nearly every one

174
00:11:03,667 --> 00:11:06,918
of these private browsers that if you were to catch it

175
00:11:06,918 --> 00:11:10,792
in memory do a memory dump or so forth, you can identify that this

176
00:11:10,792 --> 00:11:14,542
is running as a private session, it could highlight why the user

177
00:11:14,542 --> 00:11:19,292
is doing that and it might be something to look at specifically.

178
00:11:19,501 --> 00:11:22,999
And actually, we are working on a volatility plug in to do exactly this,

179
00:11:22,999 --> 00:11:25,959
but I wasn't able to get it done today.

180
00:11:25,959 --> 00:11:27,542
So look for it.

181
00:11:28,999 --> 00:11:32,083
On the disk and registry side, there are a number

182
00:11:32,083 --> 00:11:37,167
of files here that I will list and kind of areas really to look at.

183
00:11:37,375 --> 00:11:38,999
The first one that really comes to mind here, kind

184
00:11:38,999 --> 00:11:41,999
of through my own research was browser files.

185
00:11:41,999 --> 00:11:44,417
Every one of the four or five major browsers has

186
00:11:44,417 --> 00:11:47,999
some sort of browser leakage to one extreme or the other,

187
00:11:47,999 --> 00:11:50,792
but all of them are useful.

188
00:11:50,959 --> 00:11:53,999
I use the example here of Firefox, really to pick on them.

189
00:11:55,250 --> 00:11:58,999
I list a number of Firefox files here from the obvious or

190
00:11:58,999 --> 00:12:02,584
the simple password files, bookmarks and history again

191
00:12:02,584 --> 00:12:07,959
in the right context, certainly useful, to things that air little bit more subtle

192
00:12:07,959 --> 00:12:11,667
but certainly interesting, like the form history.SQL file

193
00:12:11,667 --> 00:12:15,167
is something that I will look more into.

194
00:12:15,250 --> 00:12:20,083
It contains all the saved form data for the particular browser.

195
00:12:21,167 --> 00:12:26,083
So kind of following that bunny hole, this particular example was

196
00:12:26,083 --> 00:12:31,375
from a pen test I did a while back of a that same formhistory.SQLite,

197
00:12:31,375 --> 00:12:37,876
which is where we got full credit card data from the particular victim.

198
00:12:38,083 --> 00:12:39,417
Pretty crazy stuff.

199
00:12:39,999 --> 00:12:43,375
It didn't help with the actual pen test.

200
00:12:43,918 --> 00:12:48,834
Moving forward we did more analysis here and found that there was both

201
00:12:48,834 --> 00:12:53,125
a clear text account or a user name, essentially, as well

202
00:12:53,125 --> 00:12:58,209
as clear text recovery questions recovery questions?

203
00:12:58,584 --> 00:13:00,125
To actually reset that account.

204
00:13:00,209 --> 00:13:03,667
So kind of using some of those previous things I had

205
00:13:03,667 --> 00:13:08,667
mentioned, the this particular database, the HR database, actually,

206
00:13:08,667 --> 00:13:11,459
was being used and this in conjunction

207
00:13:11,459 --> 00:13:15,667
with the saved password or the saved history, I was able

208
00:13:15,667 --> 00:13:19,501
to reset the password on this account and get access

209
00:13:19,501 --> 00:13:21,542
to the system.

210
00:13:22,417 --> 00:13:26,125
So some more examples here of things to look at.

211
00:13:26,209 --> 00:13:29,999
The MRU list, most recently used, what was the user looking at.

212
00:13:29,999 --> 00:13:31,125
The prefetched files.

213
00:13:31,125 --> 00:13:34,209
What has the user been running, I use truecryptformat.exe.

214
00:13:39,959 --> 00:13:42,999
It's only created when the user has created

215
00:13:42,999 --> 00:13:46,751
a true crypt container on that system.

216
00:13:47,083 --> 00:13:49,584
So this is really the difference between finding TrueCrypt

217
00:13:49,584 --> 00:13:52,876
on the system and believing they may have a TrueCrypt container

218
00:13:52,876 --> 00:13:56,125
on there and knowing that there is a TrueCrypt container out there

219
00:13:56,125 --> 00:13:58,918
and where to actually find that.

220
00:13:59,501 --> 00:14:01,999
Another big one, as I mentioned at the very beginning was

221
00:14:01,999 --> 00:14:03,999
deletedfiles/SLAAC space.

222
00:14:08,584 --> 00:14:11,626
We won't dive too much into that.

223
00:14:11,667 --> 00:14:14,542
But backups and shadow copy service.

224
00:14:14,709 --> 00:14:18,334
Another huge area that you can get a lot of good information on.

225
00:14:18,667 --> 00:14:23,125
A quick horror story on this is I was doing another pen test where

226
00:14:23,125 --> 00:14:27,709
the I was able to get on the system of a sys admin who did

227
00:14:27,709 --> 00:14:30,083
the reset for user.

228
00:14:32,334 --> 00:14:34,834
After every single one of these password resets

229
00:14:34,834 --> 00:14:38,083
he would clear the entire log of his chat history, which is where

230
00:14:38,083 --> 00:14:40,626
he gave the passwords out to prevent data leakage

231
00:14:40,626 --> 00:14:42,999
or whatever the case may be.

232
00:14:43,167 --> 00:14:46,999
He never actually defeated the file so I couldn't grab it

233
00:14:46,999 --> 00:14:50,083
through the MFT or the deleted files but he had

234
00:14:50,083 --> 00:14:54,417
the volume shadow copy service running and when I accessed that,

235
00:14:54,417 --> 00:14:57,167
I could see all the previous conversations

236
00:14:57,167 --> 00:15:00,584
from previous backups of this, and actually access

237
00:15:00,584 --> 00:15:04,876
all of those previous passwords he had given out.

238
00:15:05,709 --> 00:15:08,876
A couple more examples, crash dumps.

239
00:15:08,876 --> 00:15:11,792
Again, theoretically, this is something that's useful.

240
00:15:11,792 --> 00:15:13,125
Typically this is really only kernel memory that's

241
00:15:13,125 --> 00:15:15,584
being dumped on a Windows.

242
00:15:15,584 --> 00:15:16,584
system anyway.

243
00:15:16,584 --> 00:15:20,083
This is really useful as this can be changed.

244
00:15:20,083 --> 00:15:21,459
It's a setting in Windows.

245
00:15:21,459 --> 00:15:24,792
Again, it's something to look at, if you find them.

246
00:15:24,999 --> 00:15:28,667
And the last one here is kind of a list of miscellaneous things, calendars,

247
00:15:28,667 --> 00:15:32,250
address books, smartphone backups, again, you can get contacts being

248
00:15:32,250 --> 00:15:34,375
pictures, GPS data off of iTunes backup

249
00:15:34,375 --> 00:15:36,542
and things like that.

250
00:15:36,792 --> 00:15:40,751
Print spools, what has the user been printing and a ton more.

251
00:15:40,999 --> 00:15:45,542
This is implicitly sensitive information, you can use for spear fishing,

252
00:15:45,542 --> 00:15:48,959
watering holes and more efficient password cracking,

253
00:15:48,959 --> 00:15:51,125
using tools like Cup.

254
00:15:54,999 --> 00:15:58,918
As we get more files to look for, more potential, we also have

255
00:15:58,918 --> 00:16:01,999
the problem of practicality, looking through these,

256
00:16:01,999 --> 00:16:05,999
let's say 500 files, it's going to be very difficult and very time

257
00:16:05,999 --> 00:16:09,626
consuming to actually do this all by hand.

258
00:16:09,959 --> 00:16:12,083
Again, not all of these apply to every OS.

259
00:16:12,083 --> 00:16:15,584
Every Windows and application and so forth.

260
00:16:16,292 --> 00:16:18,375
This is where an interpreter script goes

261
00:16:18,375 --> 00:16:20,250
into the forensic.

262
00:16:22,667 --> 00:16:28,709
It grabs and downloads all of this stuff, browser files, most recently used files,

263
00:16:28,709 --> 00:16:32,375
prefetch data, window crash dumps, print spools and

264
00:16:32,375 --> 00:16:36,250
a ton more that I can't even list here.

265
00:16:37,083 --> 00:16:40,999
So kind of a very quick demo because I'm running out of time here.

266
00:16:41,167 --> 00:16:46,501
It's a very simple MetaSplay module here.

267
00:16:46,501 --> 00:16:48,459
It's point and shoot.

268
00:16:48,959 --> 00:16:51,292
I through up a couple of quick snapshots.

269
00:16:51,292 --> 00:16:53,959
The first is IE cookies.

270
00:16:53,999 --> 00:16:56,375
You can see in the Windows directory there,

271
00:16:56,375 --> 00:17:00,209
and very shortly thereafter is network short cuts, which

272
00:17:00,209 --> 00:17:05,626
is all the network short cuts that are saved under my computer.

273
00:17:05,959 --> 00:17:07,209
Again, useful stuff.

274
00:17:07,626 --> 00:17:11,292
This is another example where they had two browsers on one system,

275
00:17:11,292 --> 00:17:15,709
and you can actually see all the stuff in yellow is all the Chrome files that

276
00:17:15,709 --> 00:17:19,250
were grabbed, including cookies, history, log in data, passwords

277
00:17:19,250 --> 00:17:21,501
and things like that.

278
00:17:21,501 --> 00:17:23,501
And the Firefox is all the information that I had

279
00:17:23,501 --> 00:17:26,999
mentioned previously, again, that form data downloads, log

280
00:17:26,999 --> 00:17:29,876
in data and so on and so forth.

281
00:17:32,125 --> 00:17:38,501
So for QA, for QA, there's a QA room actually afterwards.

282
00:17:38,501 --> 00:17:39,626
You can find me there.

283
00:17:39,626 --> 00:17:43,375
I will be there for a little bit on the actual forensic scraper module.

284
00:17:43,501 --> 00:17:46,167
We will be releasing that in the next couple of days.

285
00:17:46,999 --> 00:17:50,083
We will be sending it to DEF CON.

286
00:17:50,626 --> 00:17:53,709
It will be out there, anyway.

287
00:17:53,999 --> 00:17:56,125
Contact, there's my email address or you can find us on Twitter

288
00:17:56,125 --> 00:17:58,334
if you have something else.

289
00:17:58,334 --> 00:17:59,999
And that's all I've got.