TRAINING PROGRAM
Monday, August 10, 2009
M1 Learning Reverse Engineering: A Highly Immersive Approach, Day 1 NEW!
Frank Adelstein, ATC-NY; Golden G. Richard III, University of New Orleans
9:00 a.m.–5:00 p.m.
Who should attend: Anyone who wants to understand modern malicious software in order to craft solutions to
recover from and prevent attacks, or who wants to create interoperable software or verify that software patches function as promised, or who just seeks the simple joy of understanding
at a deep level how software works. Attendees should have a basic knowledge of assembler and systems concepts and should
be either currently comfortable with reading assembler or recall a
time when they were comfortable. Attendees should also possess basic knowledge of systems,
including compilation, linking, debuggers, concepts associated with
executable file formats, etc. The course will not cover legal issues
associated with reverse engineering. No textbooks are required, but the motivated attendee may
wish to review the following books before attending the course, in
addition to a text on Intel assembler: the IDA Pro Book (Eagle, No Starch Press); Reversing (Eilam, Wiley); The Art of Computer Virus Research and Defense (Szor, Symantec Press).
Take back to work: A solid foundation on which to
build additional skills in reverse engineering.
Reverse engineering involves deep analysis of the code, structure, and
functionality of software using both static and dynamic methods. This tutorial provides an immersive experience in reverse engineering
malware, covering a range of malware examples, from "historical"
(e.g., DOS boot sector viruses) through modern malware. The tutorial
is modeled on experiences in teaching full-semester, highly immersive,
hands-on reverse engineering concepts to undergraduate and graduate
students. The tutorial is intended to appeal both to researchers who
are curious about reverse engineering and to academics who intend to
develop courses in reverse engineering. Naturally, a two-day session
provides insufficient time for "mastering" reverse engineering, but the
tutorial provides a firm foundation on which to build additional
skills for practice or instruction. Static and dynamic analysis
tools, including IDA Pro, OllyDbg, and HBGary's Responder, are
demonstrated, and detailed walk-throughs of malware
source code consume the bulk of the time. This tutorial is not taught
passively, and you won't simply see hundreds of PowerPoint slides.
Topics include:
- Why learn/teach reverse engineering?
- Overview of historical and current-generation malware
- Viruses, worms, trojans
- Infection/propagation strategies
- Polymorphic/metamorphic malware
- Tools for static and dynamic analysis
- Examination of executable file formats
- Disassemblers
- Debuggers
- Tools for live analysis: registry monitoring, filesystem monitoring, system call tracing
- Brief refresher on Intel Assembler (with handouts, cheat sheets)
- PE/COFF executable file format internals (with handouts)
- First Immersion: Virus #1
- Essential OS internals (with handouts, cheat sheets)
- Teamwork: attendees tackle analysis of source code with the help of the instructors
- Detailed, line-by-line analysis by the instructors
Frank Adelstein is the technical director of computer security at
ATC-NY in Ithaca, NY. His areas of expertise
include digital forensics, intrusion detection, networking, and
wireless systems. He has co-authored a book on mobile and pervasive
computing. He received his GIAC Certified Forensic Analyst
certification in 2004. Dr. Adelstein is the vice-chair of the Digital
Forensics Research Workshop (DFRWS). He has been the principal
investigator on projects that created two commercial products: P2P
Marshal, a popular forensic tool to detect and analyze peer-to-peer
use, and OnLine Digital Forensic Suite, a tool that gathers volatile
data from running systems in a non-disruptive way. He has given
tutorials at a number of conferences.
Golden G. Richard III is Professor of Computer Science at the University
of New Orleans, where he developed the Information Assurance curriculum. He is also co-founder of Digital Forensics
Solutions, LLC, a private firm specializing in digital forensics
investigations and security analysis. He teaches courses in reverse
engineering, digital forensics, computer security, and operating
systems internals at the University of New Orleans. He is a member of
the United States Secret Service Taskforce on Electronic Crime and a
member of the ACM, IEEE Computer Society, the American Academy of
Forensic Sciences (AAFS), and USENIX.
Tuesday, August 11, 2009
T1 Learning Reverse Engineering: A Highly Immersive Approach, Day 2 NEW!
Frank Adelstein, ATC-NY; Golden G. Richard III, University of New Orleans
9:00 a.m.–5:00 p.m.
Who should attend, Take back to work, and the course description are the same as for M1 (Day 1) above.
Topics include:
- Second immersion: virus #2
- Essential OS internals (with handouts, cheat sheets)
- Teamwork: attendees tackle analysis of source code with the help of the instructors
- Detailed, line-by-line analysis by the instructors
- Final immersion: virus #3
- Essential OS internals (with handouts, cheat sheets)
- Teamwork: attendees tackle analysis of source code with the help of the instructors
- Detailed, line-by-line analysis by the instructors
- Advanced reverse engineering: what you need to learn to tackle modern malware
- Encrypted/packed executables
- Anti-debugging/anti-emulation techniques
- Code obfuscation
Instructor biographies are the same as for M1 (Day 1) above.