Live from Seville – FIRST conference update – 1

Sooo . . . we landed in Spain on Saturday . . . but our luggage landed Monday night. 🙁  I was planning on playing in the FIRST futbol cup but my cleats were in the luggage that had not arrived.  FIRST futbol cup?  Indeed! One of the FIRST members (Martijn) organized a nice soccer err futbol tournament among members that was to be refereed by an official soccer referee (Jim from BB&T)!  Since I didn't have my cleats, I bailed on it.  Then I found out this morning from someone that about 25 people showed up at the field AND they ended up playing on a rubberized asphalt material like what you find at running tracks.  Son of a!!!!  Oh well - I went and had a nice dinner with my wife and a nice bottle of Andalucian wine so I guess I can't complain - still would have been nice to play some soccer.

The conference started officially on Sunday with a reception which was nice but way too crowded, and it was in a hall with marble floors so the echo / noise level was crazy - couldn't really hear that well.  The food was . . . interesting.  I'm still not quite used to Spanish food yet (egg stuff at all hours, salted cured raw meats at all hours, cold soups with interesting ingredients etc.).  I bailed after meeting some folks I wanted to meet.

This conference is interesting because Monday and Tuesday (day 1 and 2) are all day training sessions or 'tutorials' . . . yesterday's selection ranged from 'Creating and Managing CSIRTs' to 'Understanding and Analyzing Botnets' to 'Forensic Discovery'.  I don't work in a CSIRT, I 'get' botnets (I think <G>) and Forensic Discovery is something I'm fairly well acquainted with, so I decided to tour Seville with my wife and some friends from ISS.  Seville was amazing and we had a great time . . . the majority of the historic buildings in Seville seem to have been built in the 1100-1600AD time frame with some other 'newer' buildings built in 1929 for the Ibero-American Exhibition (which was held in Seville to promote commerce between Spain and the Americas) . . . more recently Seville hosted the 1992 World Fair (the last one) to commemorate the 500 years since Columbus discovered the Americas.  We drove through it and all of the buildings / pavilions have fallen out of use and are run down - sort of surprising given how big they were (40 million people visited Seville in the 6 months the fair was running).  We also visited the huge Cathedral in the historic district - and it is nothing short of stunning . . . it makes Notre Dame look downright tiny.  Amazing.

Anyhoo - Today I am, as I type this, sitting in Andreas Schuster's all day 'tutorial' on 'Windows Memory Forensics'.  There are about 80 - 100 people in attendance - all with their notebooks out, working on building a live response toolkit (it's a very interactive class). 🙂  Ahhh - brings back memories.  So far I am very pleased with the presentation - Andreas is speaking at a good pace, is very easy to understand and he's covered some important things you don't normally see addressed by other folks when talking about IR toolkits (e.g. the importance of not using DLLs from the system you are investigating, the importance of renaming the EXEs you run and changing their sums to keep them off the radar of anti-forensic malware).  I've heard great things about Schuster and I've read some of his blog posts and this session confirms my already high opinion of him!  Heh - right now he's using LordPE to edit the import table in a PE to change the path / file name of required libraries in fport.exe.
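The import-table trick mentioned above can be scripted rather than done by hand in LordPE. What follows is an added example, not code from this post or from Andreas Schuster's tutorial: a small pure-Python PE walker that lists the DLL names a 32-bit executable imports, overwrites one name in place (so the loader will resolve a trusted copy you ship under that name next to the tool instead of the DLL on the suspect system), and shows that the file hash changes as a side effect. The sample PE is constructed inline by `build_sample_pe` (just enough header and `.idata` structure for the parser; it is not a loadable program), and the replacement name `IRTK1.DLL` is an arbitrary placeholder. The technique only makes sense for supplementary DLLs such as psapi.dll or iphlpapi.dll; ntdll.dll and kernel32.dll are mapped by Windows from the system regardless of what the import table says.

```python
import hashlib
import struct

IMPORT_DIR_INDEX = 1  # IMAGE_DIRECTORY_ENTRY_IMPORT


def build_sample_pe(dll_names=("KERNEL32.dll", "PSAPI.DLL")):
    """Constructed sample: a minimal PE32 image with one .idata section."""
    sec_rva, sec_raw = 0x1000, 0x200
    body = bytearray(20 * (len(dll_names) + 1))  # descriptor table incl. terminator
    entries = []
    for name in dll_names:
        hint_rva = sec_rva + len(body)                  # IMAGE_IMPORT_BY_NAME
        body += struct.pack("<H", 0) + b"GetLastError\0"
        if len(body) % 2:
            body += b"\0"
        thunk_rva = sec_rva + len(body)                 # one thunk + terminator
        body += struct.pack("<II", hint_rva, 0)
        name_rva = sec_rva + len(body)                  # DLL name string
        body += name.encode("ascii") + b"\0"
        entries.append((thunk_rva, name_rva))
    for i, (thunk_rva, name_rva) in enumerate(entries):
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        struct.pack_into("<IIIII", body, 20 * i, thunk_rva, 0, 0, name_rva, thunk_rva)
    sec_size = (len(body) + 0x1FF) & ~0x1FF
    body += b"\0" * (sec_size - len(body))

    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                 # Section/File alignment
    struct.pack_into("<II", opt, 56, sec_rva + sec_size, sec_raw)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR_INDEX, sec_rva, 20 * (len(dll_names) + 1))
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", sec_size, sec_rva, sec_size, sec_raw,
                          0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    headers += b"\0" * (sec_raw - len(headers))
    return bytes(headers + body)


def _headers(data):
    """Return (import_rva, sections) where sections = [(va, vsize, raw_ptr, raw_size)]."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    data_dir = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    import_rva = struct.unpack_from("<I", data, data_dir + 8 * IMPORT_DIR_INDEX)[0]
    sections = []
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, rptr, rsize))
    return import_rva, sections


def _rva_to_offset(sections, rva):
    for va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def list_imports(data):
    """Return [(dll_name, file_offset_of_name_string), ...] in import-table order."""
    import_rva, sections = _headers(data)
    if import_rva == 0:
        return []
    out, desc = [], _rva_to_offset(sections, import_rva)
    while True:
        oft, _ts, _fc, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:   # all-zero terminator descriptor
            break
        off = _rva_to_offset(sections, name_rva)
        out.append((data[off:data.index(b"\0", off)].decode("ascii"), off))
        desc += 20
    return out


def rename_import(data, old, new):
    """Overwrite DLL name `old` with `new` in place; `new` may not be longer (NUL padded)."""
    if len(new) > len(old):
        raise ValueError("replacement name must not be longer than the original")
    buf, hit = bytearray(data), False
    for name, off in list_imports(data):
        if name.lower() == old.lower():
            buf[off:off + len(old) + 1] = new.encode("ascii").ljust(len(old) + 1, b"\0")
            hit = True
    if not hit:
        raise ValueError("%s is not imported" % old)
    return bytes(buf)


def sha256hex(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    exe = build_sample_pe()
    print("before:", [n for n, _ in list_imports(exe)], sha256hex(exe)[:16])
    patched = rename_import(exe, "psapi.dll", "IRTK1.DLL")  # IRTK1.DLL is a placeholder name
    print("after: ", [n for n, _ in list_imports(patched)], sha256hex(patched)[:16])
```

On a real tool binary you would run `list_imports` first to see which system DLLs it pulls in, copy trusted versions of the renameable ones onto the response media under the new names, and only then patch; the same-length limit exists because the name string lives inside the section with other data, so a longer name cannot simply be written over it.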

Tonight I'm going to see dancing horses (not 'prancing horses' unfortunately) with my wife.  Apparently Andalucian horses are like the Lipizzaner horses you see dancing on TV on occasion - given my wife is huge into horses - we have to go see that.  There's apparently a big show they put on with them in Jerez . . . hmmm . . . Jerez - where else have I heard of that?  Oh that's right . . .

Hmm . . . maybe I WILL get to go see some 'prancing horse' F1 pr0n while I'm in Jerez . . .
