DFIR212
Moroccan Digital Forensics & Incident Response Conference.
DFIR212 is a free scientific and technical conference that brings together academic researchers, industry professionals, and independent experts in the field of Digital Forensics & Incident Response.
The event will also feature an exciting Capture the Evidence challenge, organized in collaboration with SecDojo, to test participants' skills in forensic analysis and incident response in a competitive setting.
The inaugural edition of DFIR212 will take place on December 7, 2024, at DAWLIZ Art & Spa Rabat in Morocco.
Talks will be conducted in English & French. Although DFIR212 is hosted in Morocco, it welcomes specialists from around the globe and actively promotes diversity in all its forms, including age, gender, origin, and disability.
Inspiring Talks
Attend talks led by experts and thought leaders, gaining insights and knowledge of the field of Digital Forensics & Incident Response.
Engaging Challenges
Participate in the thrilling Capture the Evidence experience, where you’ll test your forensic skills and solve complex scenarios in a real-world simulation.
Networking Opportunities
Engage in discussions while connecting with professionals in the field to expand your network and knowledge.
Event Speakers
DFIR212 extends a warm invitation to digital experts from across the globe to join our community. Our event provides a unique platform for professionals, researchers, and enthusiasts in digital forensics and incident response to share their insights and expertise. By bringing together a diverse array of perspectives, we aim to foster innovation, collaboration, and excellence in addressing the challenges of our ever-evolving digital landscape.
Omar Seghrouchni, President of CNDP
Saâd Kadhi, Director of CERT-EU
Charafeddine Nassiri, Co-Founder & CTO of Defendis
Christopher Thiefin, Security Engineer at Hexanet
Giovanni Rattaro, Senior Customer Success Manager for Vectra AI
Daniel Bunce, Principal Malware Reverse Engineer at Unit 42
Yassir Laaouissi, Senior Security Researcher at Unit 42
Abdoul Nasser Hassane Amadou, Ph.D. Student in Cybersecurity at UM6P
Baha Eddine Hilali, Technical Manager at Nucleon Security
Dhia Mahjoub, Product builder
Badr Eddine Boukari, CSIRT Analyst
Mohamed Lazar, Cybersecurity Expert at Root-Me Pro
Event Schedules
The Event Schedule at DFIR212 focuses exclusively on insightful and impactful talks by leading experts in digital forensics and incident response. These sessions are designed to deliver cutting-edge knowledge, practical insights, and real-world experiences. Attendees will have the opportunity to deepen their understanding of the field through a carefully curated program of thought-provoking presentations.
Welcome Coffee
Omar Seghrouchni
President of CNDP
Opening speech by the President of the National Commission for the Control of Personal Data Protection (CNDP)
French
Saâd Kadhi
Director of CERT-EU
Opening Keynote: Tales Of The Future Past
English - No recording
In ‘Tales of the Future Past’, Saâd Kadhi, the Director of CERT-EU, invites you to embark on a time-travelling odyssey.
The journey commences with a retrospective dive into the past, where attendees will glean insights from CERT-EU's unique vantage point on the threat landscape, touching on noteworthy developments that the Cybersecurity Service for the Union entities has been observing.
As the time machine propels us into the future, the presentation demystifies the complexities of Artificial Intelligence, shedding light on AI’s burgeoning role in cyber threats. It offers foresight and thoughtful projections on potential AI-powered dangers, equipping the audience with the knowledge to anticipate and navigate future challenges.
The expedition culminates with a return to the present where Saâd will share his ideas on how to fortify our defences against the cyber threats of today and tomorrow.
Designed for a diverse audience, ‘Tales of the Future Past’ promises to be an enlightening journey, offering a unique blend of historical wisdom, futuristic insights, and practical, present-day solutions.
Abdoul Nasser Hassane Amadou
Ph.D. Student in Cybersecurity at UM6P
EUREKHA: Enhancing User Representation for Key Hacker Identification in Underground Forums
French
Abdoul Nasser will unveil EUREKHA, an innovative approach for identifying key hackers in underground forums. By modeling users as textual sequences and leveraging Large Language Models and Graph Neural Networks, this method achieves remarkable improvements in accuracy (+6%) and F1-score (+10%) over existing techniques. Backed by the Hack-Forums dataset, the talk promises actionable insights for anyone interested in cyber threat intelligence and network analysis. Bonus: the code will be open-source!
Dhia Mahjoub
Product builder
Boosting your Threat Hunting with LLMs
English - No recording
In this presentation, we explore practical approaches to get started with Large Language Models and use them to supercharge your threat hunting.
The goal is to leverage LLMs to improve your workflow of deriving insights on prevention, detection, and response from threat intelligence.
This talk provides a primer on LLMs and GenAI and offers value to both technical and non-technical attendees, equipping them with the knowledge to delve into this emerging field and encourage meaningful conversations.
Badr Eddine Boukari
CSIRT Analyst at Orange Cyberdefense
Design, and implementation of a detection tool for temporal anti-forensic techniques: Backdating and Timestomping
French
This research and development project set out to strengthen the technical capabilities of the CSIRT team by building a tool that detects temporal anti-forensic techniques, specifically “backdating” and “timestomping”. Incident response teams face multiple challenges at every stage of the response process, and one of them is the lack of advanced technical tooling; the project addressed this need through a feasibility study, the design, and the implementation of a tool that identifies temporal anti-forensic methods used by malicious actors to hide their activity, such as altering the timestamps of system events and files. The CSIRT team is currently working on several projects to counter anti-forensic tactics, with a specific focus on timestamp manipulation. The tool enables post-event detection of system clock alterations and of file timestamp modifications within the filesystem, both of which attackers commonly use to hide their presence. Beyond detecting “timestomping” (file timestamp alteration) and system clock tampering (“backdating”), the project also aims to restore a coherent event timeline, giving analysts better visibility into what actually happened.
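The following is an added example, not the tool described in the talk, showing two of the checks such a detector can run. For timestomping it compares an NTFS file's user-settable $STANDARD_INFORMATION timestamps with the kernel-maintained $FILE_NAME timestamps and looks for the whole-second values that SetFileTime-based tools leave behind; for backdating it looks for event log record numbers that keep increasing while the recorded time goes backwards. All records are constructed for the example, and the record layouts are assumptions rather than the output of any particular MFT or EVTX parser.

```python
"""Added example: timestomping and backdating heuristics on constructed records."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class MftRecord:
    entry: int            # MFT entry number
    path: str
    si_created: datetime  # $STANDARD_INFORMATION, settable from user mode
    si_modified: datetime
    fn_created: datetime  # $FILE_NAME, written by the kernel only
    fn_modified: datetime


def timestomp_findings(rec: MftRecord) -> list[str]:
    """Heuristic flags for one MFT record; an empty list means nothing stood out."""
    flags = []
    # FN creation time is set when the file is created and cannot be changed with
    # SetFileTime, so an SI creation time earlier than it was pushed back.
    # Caveat: copies that preserve timestamps (e.g. robocopy /COPY:DAT) show the
    # same pattern legitimately, so corroborate with $UsnJrnl or $LogFile entries.
    if rec.si_created < rec.fn_created:
        flags.append("si_created_before_fn_created")
    # Normal file activity never yields a modification time before the creation time.
    if rec.si_modified < rec.si_created:
        flags.append("si_modified_before_si_created")
    # NTFS keeps 100 ns precision; SetFileTime-based tools typically write whole
    # seconds, so an all-zero fraction on both SI times is unusual for a file the
    # operating system itself wrote.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        flags.append("whole_second_si_timestamps")
    return flags


@dataclass(frozen=True)
class LogEvent:
    record_id: int        # EventRecordID, assigned sequentially by the log service
    time_created: datetime
    event_id: int


def clock_regressions(events, tolerance=timedelta(seconds=1)):
    """(previous record, record, backward jump) wherever the clock went backwards
    between consecutive records. A real clock change also produces Security event
    4616 ("The system time was changed"), a useful corroborating source when the
    log has not been cleared."""
    ordered = sorted(events, key=lambda e: e.record_id)
    regressions = []
    for prev, cur in zip(ordered, ordered[1:]):
        jump = prev.time_created - cur.time_created
        if jump > tolerance:
            regressions.append((prev.record_id, cur.record_id, jump))
    return regressions


def coherent_timeline(events, tolerance=timedelta(seconds=1)):
    """Replay events in record order and mark whether each recorded time can still
    be trusted: from the first regression on, it cannot be taken at face value."""
    first_bad = min((rid for _, rid, _ in clock_regressions(events, tolerance)), default=None)
    ordered = sorted(events, key=lambda e: e.record_id)
    return [(e.record_id, e.time_created, first_bad is None or e.record_id < first_bad)
            for e in ordered]


# Constructed sample records (not real evidence).
SAMPLE_MFT = [
    MftRecord(41, r"C:\Windows\System32\notepad.exe",
              si_created=datetime(2024, 3, 10, 8, 15, 2, 123456, UTC),
              si_modified=datetime(2024, 3, 10, 8, 15, 2, 987654, UTC),
              fn_created=datetime(2024, 3, 10, 8, 15, 2, 123456, UTC),
              fn_modified=datetime(2024, 3, 10, 8, 15, 2, 123456, UTC)),
    MftRecord(90213, r"C:\Users\Public\tool.exe",
              si_created=datetime(2019, 1, 1, 0, 0, 0, 0, UTC),
              si_modified=datetime(2019, 1, 1, 0, 0, 0, 0, UTC),
              fn_created=datetime(2024, 11, 20, 23, 41, 7, 551234, UTC),
              fn_modified=datetime(2024, 11, 20, 23, 41, 7, 551234, UTC)),
]
SAMPLE_EVENTS = [
    LogEvent(1000, datetime(2024, 11, 20, 23, 40, 0, tzinfo=UTC), 4624),
    LogEvent(1001, datetime(2024, 11, 20, 23, 41, 5, tzinfo=UTC), 4688),
    LogEvent(1002, datetime(2024, 11, 20, 23, 41, 9, tzinfo=UTC), 4616),
    LogEvent(1003, datetime(2024, 11, 18, 9, 0, 1, tzinfo=UTC), 4688),
    LogEvent(1004, datetime(2024, 11, 18, 9, 0, 30, tzinfo=UTC), 4624),
]

if __name__ == "__main__":
    for rec in SAMPLE_MFT:
        print(rec.path, timestomp_findings(rec))
    for prev_id, rec_id, jump in clock_regressions(SAMPLE_EVENTS):
        print(f"clock went back {jump} between records {prev_id} and {rec_id}")
```

The SI/FN comparison is the classic check, but on its own it is only an indicator: timestamp-preserving copy tools trigger it too, so a finding should be confirmed against the USN journal, $LogFile, or the MFT entry number ordering before it goes into the timeline.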
Free Break
Yassir Laaouissi
Senior Security Researcher at Unit 42
Disguised Dumplings: Turla's Pelmeni wrapping Kazuar
English
Over the past 25 years, Turla has positioned itself as one of the more sophisticated and persistent state-sponsored groups. This technical talk will start with a brief history of the group, followed by details of a new Turla campaign, Pelmeni, that started in Q1 2024. The Pelmeni campaign consists of two distinct components, each revealing the group's advanced tactics and persistence. Throughout the talk, we will explore the discovered samples, pivoting strategies, insights from reverse engineering efforts, and other pertinent aspects of this campaign. By examining these elements, we aim to gain a deeper understanding of Turla's evolving methodologies and their implications for cybersecurity.
Daniel Bunce
Principal Malware Reverse Engineer at Unit 42
Crypted Hearts: Exposing The HeartCrypt Operation
English - No recording
In June 2024, Unit 42 began tracking HeartCrypt, a Packer-as-a-Service sold on forums and Telegram. Over 2,000 malware samples packed with HeartCrypt have been identified, spanning 45+ malware families, including Remcos, LummaStealer, and tools linked to ransomware affiliates like BlackSuit and Hive. This talk delves into HeartCrypt's evasion techniques, obfuscation, and development timeline, highlighting its role in recent LummaStealer Fake Captcha campaigns. We'll analyze the threat actor behind HeartCrypt, focusing on sales channels and underground forums, and offer insights into this rapidly evolving malware distribution ecosystem.
Baha Eddine Hilali
Technical Manager at Nucleon Security
From Known Threat Detection to Unknown: Advanced Cybersecurity with Zero-Trust
French
In today's increasingly connected and digital world, cybersecurity systems primarily rely on known threat indicators for detecting attacks. Traditional methodologies, such as antivirus signatures, heuristic algorithms, sandboxing behaviors, Indicators of Compromise (IoCs), YARA and Sigma rules, Living Off The Land Binaries and Scripts (LOLBAS), and tactics, techniques, and procedures (TTPs) from MITRE ATT&CK, all focus on recognizing malicious patterns based on historical data. However, these defense mechanisms face an endless battle against an ever-expanding universe of malicious artifacts. These traditional approaches falter when faced with unknown threats such as Zero-Day exploits. The inability to predict these threats poses a profound weakness to current cybersecurity solutions and technologies, leaving them vulnerable to unseen malicious behaviors. This calls for a paradigm shift in our approach to cybersecurity: the implementation of Zero-Trust principles. Originating from the belief that no user or system should be trusted by default, Zero-Trust operates on a 'never trust, always verify' basis. Utilizing Zero-Trust as a proactive defense mechanism can help detect unknown threats. Rather than focusing on a potentially infinite list of malicious elements, Zero-Trust narrows the focus to verifying and allowing known legitimate behaviors and programs. This concept is akin to defining the permissible actions of an application installed on a smartphone. By deploying Zero-Trust, we can create a more secure ecosystem, ensuring strategic and pragmatic security today while paving the way for the future of cybersecurity.
Coffee Break
Giovanni Rattaro
Senior Customer Success Manager for Vectra AI
TSURUGI Linux - The Sharpest Weapon In Your DFIR Arsenal
French - No recording
Any DFIR analyst knows that every day, in companies of any size, it is not easy to perform forensic investigations, often because of a lack of internal information (such as mastery of the whole IT architecture, or having the logs, or the right ones) and of ready-to-use DFIR tools.
As DFIR professionals we have faced these problems many times, so last year we decided to create something that can help whoever needs the right tool at the "wrong time" (during a security incident).
The answer is the Tsurugi Linux project, which of course can also be used for educational purposes.
Christopher Thiefin
Security Engineer at Hexanet
How To Detect A Red Team Operation (With A Cat)
French
Join us for an in-depth exploration of advanced Red Team strategies! We'll walk the Cyber Kill Chain, from crafting stealthy droppers to leveraging redirection tactics and bypassing EDR protections.
Watch live demos of phishing techniques, unconventional persistence and privilege escalation in action. In the post-exploitation phase, learn how to perform an undetected DCSync attack or inject a hook into the Azure AD authentication process.
This session is packed with actionable insights for Red Teamers eager to refine their techniques.
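Since the talk title is about detecting the operation, here is an added example (not the speaker's material) of the check a blue team would run for the DCSync mentioned above. A DCSync asks a domain controller for replication data; with directory-service access auditing enabled, the DC logs Security event 4662 and names the exercised control-access rights in its Properties field. The example filters those events for the replication rights and drops the accounts that legitimately replicate. The events are constructed, and the account names and host names are sample values.

```python
"""Added example: flag DCSync activity in constructed Windows Security 4662 events."""
from __future__ import annotations

import re

# Control-access right GUIDs for replication, as defined in the AD schema.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DS_REPL_GET_CHANGES_FILTERED}

CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended (control) right is exercised
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


def replication_rights_in(properties: str) -> set[str]:
    """Replication-right GUIDs named in a 4662 Properties field (case-insensitive)."""
    return {g.lower() for g in GUID_RE.findall(properties)} & REPLICATION_RIGHTS


def detect_dcsync(events, allowed_accounts=()):
    """One finding per 4662 event in which a non-machine, non-allowlisted account
    exercised a replication right on the directory."""
    allowed = {a.lower() for a in allowed_accounts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        # DCs replicate with each other under their machine accounts (name ends in $).
        # Directory sync accounts (e.g. Entra Connect) also replicate legitimately but
        # must be allowlisted explicitly, not recognised by a naming pattern.
        if user.endswith("$") or user.lower() in allowed:
            continue
        findings.append({
            "record": ev.get("EventRecordID"),
            "user": f"{ev.get('SubjectDomainName', '')}\\{user}",
            "dc": ev.get("Computer"),
            "rights": sorted(rights),
            # Get-Changes-All is what returns secrets such as password hashes.
            "full_replication": DS_REPL_GET_CHANGES_ALL in rights,
        })
    return findings


_REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
               "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")

# Constructed sample events (field names follow the 4662 XML, values are made up).
SAMPLE_4662 = [
    {"EventID": 4662, "EventRecordID": 5001, "Computer": "DC01.corp.example",
     "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "AccessMask": "0x100", "Properties": _REPL_PROPS},
    {"EventID": 4662, "EventRecordID": 5002, "Computer": "DC01.corp.example",
     "SubjectDomainName": "CORP", "SubjectUserName": "MSOL_3f2a91c0",
     "AccessMask": "0x100", "Properties": _REPL_PROPS},
    {"EventID": 4662, "EventRecordID": 5003, "Computer": "DC01.corp.example",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "AccessMask": "0x100", "Properties": _REPL_PROPS},
    {"EventID": 4662, "EventRecordID": 5004, "Computer": "DC01.corp.example",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "AccessMask": "0x100",
     # some other GUID, not a replication right
     "Properties": "%%7688\n\t{00299570-246d-11d0-a768-00aa006e0529}"},
]
ALLOWED_SYNC_ACCOUNTS = ("MSOL_3f2a91c0",)  # sample sync account, allowlisted by name

if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_4662, ALLOWED_SYNC_ACCOUNTS):
        print(hit)
```

Two caveats apply in practice: 4662 is only written when the domain object's SACL audits control access, so verify that auditing is configured before trusting an absence of hits, and a red team that has already compromised a DC can clear or avoid the log, so pair this with the DC-side network view (DRSUAPI RPC from a non-DC address).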
Charafeddine Nassiri
Co-Founder & CTO of Defendis
Ransomware, Insider Threats, & Malware Infiltration In The Digital Era
English - No recording
The topic highlights the evolving tactics of cybercriminals, focusing on insider threats, ransomware, and malware spread through malicious downloads.
It draws on recent statistics, real-world case studies, and visual data on cyberattacks across Africa and Morocco to show the growing impact of these risks on critical sectors.
Mohamed Lazar
Cybersecurity Expert at Root-Me Pro
Awareness about phishing campaigns with GoPhish
French
This session will raise awareness about phishing campaigns and demonstrate the step-by-step implementation of a phishing attack targeting PayPal using GoPhish. Get ready to dive into the techniques and tools attackers use—and learn how to defend against them!
Event Closure
Registration
Free and open to all.
The event will be completely free, as we strongly believe in promoting the free exchange of information.
However, prior registration is mandatory to ensure better organization and an optimal experience for all participants.
Venue
The event will be held at DAWLIZ Art & Spa Rabat in Morocco, in a modern auditorium with advanced audiovisual equipment.
Transport
Take line 1 or line 2 of the tramway. Get off at the "Bab Mrissa" station. The journey costs 6 MAD. Once you get off the tramway, the conference venue is about a 10-minute walk away from the "Bab Mrissa" station.
Hotel
We have secured preferential rates for staying at DAWLIZ Art & Spa Rabat. Contact us via our email address to take advantage of this offer.
Sponsors
DFIR212 would not be possible without YOU!
DFIR212 is a non-profit event: a stage where cybersecurity players come to share the state of the art, and a social event.
We rely on sponsors to cover the costs of the event; without them, DFIR212 could not happen. If you are interested in recruiting security professionals, raising your brand's visibility, and getting in touch with our community, we offer three levels of paid sponsorship.
If you're interested in sponsoring DFIR212 and being part of the event, you can download our SPONSOR PACKS leaflet below.
SPONSOR PACKS
DIAMOND
- Logo on central screen between talks
- Logo on event signs & website
- Link from DFIR212 to your Website
- Company description in event website
- Announcement on social media
- Recognition in all press release
- Exclusive mention on mailings
- Acknowledgement from podium
- Ability to provide goodies
- Pre-con & Post-con anonymized opt-in
- 2-minute introducing speech
- 2-minute closing ceremony speech
PLATINUM
- Logo on central screen between talks
- Logo on event signs & website
- Link from DFIR212 to your Website
- Company description in event website
- Announcement on social media
- Recognition in all press release
- Exclusive mention on mailings
- Acknowledgement from podium
- Ability to provide goodies
- Pre-con & Post-con anonymized opt-in
- 2-minute introducing speech
- 2-minute closing ceremony speech
GOLD
- Logo on central screen between talks
- Logo on event signs & website
- Link from DFIR212 to your Website
- Company description in event website
- Announcement on social media
- Recognition in all press release
- Exclusive mention on mailings
- Acknowledgement from podium
- Ability to provide goodies
- Pre-con & Post-con anonymized opt-in
- 2-minute introducing speech
- 2-minute closing ceremony speech
CNDP
The National Commission for the Control of Personal Data Protection (CNDP) was established by Law No. 09-08 of February 18, 2009, relating to the protection of individuals with regard to the processing of personal data. It is responsible for ensuring that the processing of personal data is lawful and does not infringe on privacy, freedoms, and fundamental human rights. The Commission is composed of individuals widely recognized for their impartiality, moral integrity, and expertise in the legal, judicial, and IT fields.
SecDojo
Secdojo is a Cyber-Training platform for cyber skills development, available in SaaS mode and hybrid mode. Secdojo’s mission is to position people as the accelerator of organizations' cyber resilience by providing a solution to the challenges of cyber skills shortages within IT teams and the lack of qualified cyber talent. The platform offers comprehensive upskilling/reskilling paths focused on the most in-demand cyber skills (Pentesting, SOC, Secure Coding, Infrastructure Security, etc.). Additionally, it ensures skills validation to help organizations improve the efficiency of their cyber recruitment processes. Secdojo provides learning modules and realistic IT training infrastructures. It also supports the creation of specific content and customized labs. The platform and its content are available in French and English.
ThreatHunt
ThreatHunt.pro specializes in cyber threat detection and incident response, offering three core solutions: DFIR SaaS, a hosted Digital Forensics and Incident Response solution for rapid incident handling without internal tools; SOCaaS & Threat Hunting, a Security Operations Center-as-a-Service designed for small organizations, enabling quick SIEM deployment for efficient monitoring and threat hunting; and Threat Intelligence, providing actionable insights to anticipate and mitigate evolving cyber threats. By empowering organizations to enhance their cybersecurity posture, ThreatHunt.pro ensures proactive defenses and swift responses to modern challenges. Stay protected. Stay ahead.
Foren6
Foren6.com is an innovative lab dedicated to Digital Forensics and Incident Response. It offers a centralized hub for professionals, researchers, and enthusiasts to access cutting-edge resources, tools, and training materials tailored to digital investigations. Whether you're tackling malware analysis, evidence recovery, or incident remediation, Foren6.com provides insightful tools and resources to enhance your forensic capabilities. With a strong commitment to knowledge sharing and collaboration, the platform bridges academia and industry to advance DFIR practices globally. Join Foren6.com to stay ahead in the rapidly evolving world of cybersecurity and digital forensics. Explore. Investigate. Resolve.
Nucleon Security
A cybersecurity specialist that redefines endpoint protection and vulnerability management with its Nucleon Smart Endpoint platform. A new-generation, single-agent antivirus (EDR), Nucleon Smart Endpoint blocks attacks, prevents data leaks and manages vulnerabilities by combining multilayer Zero-Trust technologies and Artificial Intelligence.
Hexadream
HexaDream.io is a platform specializing in cybersecurity training and professional development. Founded by Hamza Kondah, a cybersecurity expert with over 12 years of experience, HexaDream.io offers a wide range of high-quality programs designed to empower individuals and organizations. The platform provides live sessions, video courses, and evening classes, covering topics like GRC fundamentals, Harden AD deployment, DevSecOps essentials, and ENTRA ID attack and defense. Through hands-on bootcamps, certifications, and personalized coaching, HexaDream.io equips participants with critical skills to thrive in the fast-evolving cybersecurity landscape. Accessible, practical, and impactful—HexaDream.io helps you secure your future in cybersecurity.
BlueSec
BlueSec is dedicated to empowering organizations with unparalleled Security Operations Center (SOC) capabilities. In today’s rapidly evolving threat landscape, our tailored solutions ensure your defenses anticipate, neutralize, and respond to risks effectively. Strategic SOC Consulting & Development: From foundational design to advanced operational frameworks, we guide you through every step of creating or enhancing your SOC, building a resilient cybersecurity fortress. SOC Manager-as-a-Service: Gain elite leadership with our experienced SOC managers, ensuring strategic oversight, rapid incident response, and operational excellence without full-time executive recruitment. Specialized Training Programs: Upskill your teams with targeted courses for SOC Analysts, Managers, and Coordinators, preparing them to excel in cybersecurity operations. Transform your cyber posture with BlueSec—your secure future starts here.
The Threat Hunters
TheThreatHunters.org is a Moroccan nonprofit organization dedicated to advancing cybersecurity awareness, education, and protection. Bringing together experts, defenders, and innovators, the organization aims to secure Morocco's digital landscape by addressing emerging threats. Key initiatives include cybersecurity research to anticipate evolving risks, awareness campaigns to educate the public, and training programs to enhance local cybersecurity skills. Additionally, TheThreatHunters.org provides audits and tailored consultations to identify vulnerabilities and strengthen organizational defenses. By fostering collaboration and innovation, TheThreatHunters.org works to build a safer digital future for businesses, institutions, and individuals across Morocco. Securing tomorrow, together.
Call For Papers
The Call For Papers is now closed!
This is the call for submissions for the first edition of DFIR212.
Feel free to submit if you believe you can contribute to the community!
DFIR212 may cover the expenses of student authors with an accepted submission.
Sensitivity
The event will be live-streamed and recorded.
However, speakers may request that their sessions remain confidential, and all attendees are expected to honor this request.
Themes
DFIR212 encourages technical and scientific contributions in the field of defensive security. However, non-technical submissions or those related to offensive aspects are also welcome.
Preferred technical topics include, but are not limited to:
- Exploring the latest technologies and methodologies for extracting, analyzing, and preserving evidence.
- Modern approaches for detecting and responding to incidents in complex environments.
- Advanced techniques for Memory Analysis to detect advanced threats.
- Leveraging Threat Intelligence to anticipate, detect, and respond to cyberattacks.
- Methodologies for Malware Analysis in the context of incident response.
- How DFIR teams work with law enforcement to solve complex investigations.
Submission
Authors may submit a talk and/or a workshop, with the option to submit multiple proposals.
Each talk or workshop may be presented by only one speaker.
Talks will last 30 minutes, including Q&A, while workshops will run between 2 and 3 hours.
All proposals should be submitted via EasyChair. If you are new to EasyChair, registration is required before accessing the submission form.
Please include key takeaways as bullet points in your submission. Full papers will be given preference over abstract-only submissions, though all submissions will be fully considered.
Selection
The Program Committee will select multiple talks and workshops.
Each submission will be evaluated based on the following criteria:
- Relevance to the conference theme
- Clarity and structure of the proposal
- Technical evaluation: quality, added value, and interest for the community
The Program Committee is committed to selecting proposals that reflect the diversity of the community.
The conference program will also feature invited speakers, such as keynote speakers, to ensure the overall quality of the event. These speakers will not undergo the evaluation process.
Program Committee
Program Committee members are committed to avoiding any conflict of interest when evaluating papers. Should outside reviewers be involved in the evaluation process, the same strict rules will apply.
Program and Organizing Committee members are permitted to submit papers or contribute to submissions. In such cases, these papers will be evaluated by non-conflicting members of the Program Committee with equal consideration.
Timeline
Key dates:
- Submission deadline: November 6, 2024, 11:59 PM (UTC+1)
- Notifications: November 7, 2024
- Confirmation: November 14, 2024
- Conference: December 7, 2024, DAWLIZ Art & Spa Rabat, Morocco
Authors may be contacted for clarification if needed.
Notifications will be sent by November 7, and the final program will be published by November 14.