2016 Conference Schedule And Agenda
Monday March 14, 2016 |
|||
| Time | Room | Speaker(s) | Title |
| 7:30 – 8:00 | Lobby | REGISTRATION | |
| 7:30 – 8:00 | Lobby | BREAKFAST | NO FOOD OR DRINK ALLOWED IN AUDITORIUM |
| 8:00 – 8:15 | Auditorium | Randall Karstetter | Welcome |
| 8:15 – 9:15 | Auditorium | Brian Steverson | Trust in the Professional Life of a Digital Examiner: A Pain or an Opportunity |
| 9:15 – 9:30 | BREAK | ||
| 9:30 – 10:30 | Auditorium | Brett Shavers | Breaking Anonymity |
| C-206 | Colin Cree | USB for Win10 | |
| C-214 | Kevin Ripa | Hack-a-Shack | |
| 10:30 – 10:45 | BREAK | ||
| 10:45 – 11:45 | Auditorium | Zeke Thackray | Every Contact Leaves a Trace – But How Can Intricate Pieces of Evidence Be Forensically Retrieved? |
| C-206 | Colin Cree | USB for Win10 | |
| C-214 | Kevin Ripa | Hack-a-Shack | |
| 11:45 – 12:45 | LUNCH | ||
| 12:45 – 1:45 | Auditorium | Brett Shavers | Breaking Anonymity |
| C-206 | Terry Lahman | $MFT, $UsnJrnl and $Logfile analysis | |
| C-214 | Kevin Ripa | Email Tracing | |
| 1:45 – 2:00 | BREAK | ||
| 2:00 – 3:00 | Auditorium | Zeke Thackray | Uncovering Hidden Secrets of VSS and Live Boot |
| C-206 | Terry Lahman | $MFT, $UsnJrnl and $Logfile analysis | |
| C-214 | Kevin Ripa | Email Tracing | |
| 3:00 – 3:15 | BREAK | ||
| 3:15 – 4:30 | Auditorium | Sarah Edwards | Mac Log File Analysis |
Tuesday March 15, 2016 |
|||
| Time | Room | Speaker(s) | Title |
| 7:30 – 8:00 | Lobby | BREAKFAST | NO FOOD OR DRINK ALLOWED IN AUDITORIUM |
| 8:00 – 9:00 | Auditorium | Steve Beltz | Even Geeks Can Speak – Level 2 |
| C-206 | David Matthews | Electronically Stored Information – The Latest Issues in Electronic Evidence | |
| C-214 | Kevin Ripa | Creating Stellar Reports | |
| 9:00 – 9:15 | BREAK | ||
| 9:15 – 10:15 | Auditorium | Russ McRee | Attack & Detect: Red vs. Blue PowerShell |
| C-206 | Adam Kelly | The Solo Practitioner | |
| C-214 | Kevin Ripa | Creating Stellar Reports | |
| 10:15 – 10:30 | BREAK | ||
| 10:30 – 11:30 | Auditorium | Russ McRee | Attack & Detect: Red vs. Blue PowerShell |
| C-206 | Steve Whalen | Mac Forensics – Timeline Analysis | |
| C-214 | Kevin Ripa | Forensic Acquisition of Apple Products | |
| 11:30 – 12:30 | Lobby | LUNCH | |
| 12:00 – 12:30 | Auditorium | Randall Karstetter | CTIN Membership Meeting |
| 12:30 – 1:30 | Auditorium | Naomi Bornemann | How Hackers (try to) Cover their Tracks |
| C-206 | Amelia Phillips | Digital Forensics and the Law: Creating Law at the Speed of Technology | |
| C-214 | Kevin Ripa | Forensic Acquisition of Apple Products | |
| 1:30 – 1:45 | BREAK | ||
| 1:45 – 2:45 | Auditorium | Naomi Bornemann | How Hackers (try to) Cover their Tracks |
| C-206 | Amelia Phillips | Digital Forensics and the Law: Creating Law at the Speed of Technology | |
| C-214 | Jeff Hedleski | What’s new in Digital Forensic Hardware | |
| 2:45 – 3:00 | BREAK | ||
| 3:00 – 4:30 | Auditorium | Craig Ball | Forms of Production: Dealing with #$%^&*! Luddites!! |
| 4:30 – 4:45 | BREAK | ||
| 4:45 – 5:45 | Auditorium | Steve Whalen | CARBON Forensic Suite Demo |
Wednesday March 16, 2016 |
|||
| Time | Room | Speaker(s) | Title |
| 7:30 – 8:00 | Lobby | BREAKFAST | NO FOOD OR DRINK ALLOWED IN AUDITORIUM |
| 8:00 – 9:00 | Auditorium | Steve Beltz | Graphical Analysis of Structured and Unstructured Data |
| C-206 | Brandon Leatha | Windows Event Log Forensics | |
| C-214 | Kevin Ripa | End User License Agreements (EULAs) | |
| 9:00 – 9:15 | BREAK | ||
| 9:15 – 10:15 | Auditorium | Steve Beltz | Graphical Analysis of Structured and Unstructured Data |
| C-206 | Brandon Leatha | Windows Event Log Forensics | |
| C-214 | Kevin Ripa | End User License Agreements (EULAs) | |
| 10:15 – 10:30 | BREAK | ||
| 10:30 – 11:30 | Auditorium | Jeff Hedleski | What’s new in Digital Forensic Hardware |
| C-206 | Allison Goodman | Office 365 | |
| C-214 | Gordon Mitchell | Free and incredibly powerful – Utilities by Nir Sofer | |
| 11:30 – 12:30 | LUNCH | ||
| 12:00 – 12:30 | Auditorium | Randall Karstetter | CTIN Vote |
| 12:30 – 1:30 | Auditorium | Natasha Lockhart | Demystifying Email Investigations |
| C-206 | Steve Whalen | Paladin: Basic and Advanced Features | |
| C-214 | Adam Kelly | The Solo Practitioner | |
| 1:30 – 1:45 | BREAK | ||
| 1:45 – 2:45 | Auditorium | Steve Beltz | Even Geeks Can Speak – Level 2 |
| C-206 | Allison Goodman | Office 365 | |
| C-214 | Gordon Mitchell | Free and incredibly powerful – Utilities by Nir Sofer | |
| 2:45 – 3:00 | BREAK | ||
| 3:00 – 4:30 | Auditorium | Troy Larson | Forensics of Windows Virtual Machines |
| 4:30 – 4:45 | Auditorium | CTIN Raffle | Vendor sponsored raffle items! MUST BE PRESENT TO WIN! |
ADAM KELLY
TOPIC and DESCRIPTION
The Solo Practitioner (second session)
Are you weary of the corporate world, politics in your office, your boss, or going to work for someone else every day? Or do you already work for yourself and want to learn some tips and tricks. Become fulfilled and excited about work again! The forming and growth of a small business designed specifically for the digital forensics specialist solo practitioner will be covered in detail. I invite you to learn from my mistakes and successes over the last decade.
BIOGRAPHY
Adam Kelly, a solo practitioner from Michigan, is a Certified Computer Examiner that has provided digital forensics and eDiscovery services to law firms, law enforcement, and small businesses over the past decade. Mr. Kelly has offered expert testimony in numerous State and Federal courts and takes great pride in our industry. His advocacy for the data and strong work ethic has made him a desirable expert. Mr. Kelly welcomes the opportunity to discuss small business ideas that have worked for him to construct his perfect job.
TOPIC and DESCRIPTION
Learn about the different permissions required and the options that are available to do an Office 365 collection as well as the different log files that will help identify access to the data.
BIOGRAPHY
Allison Goodman is the President of eDiscovery Inc., a consulting firm that provides electronic discovery consulting and digital forensic services to law firms and corporate counsel nationwide.
With more than a decade of experience in the digital forensic industry and over two decades in electronic discovery, Allison brings a wealth of knowledge to the profession. She is a Certified Computer Examiner and is a board member of CTIN.
Allison has presented at numerous seminars on digital forensics and electronic discovery for various groups and agencies, including the Washington State and King County Bar Associations and has testified in both state and federal courts.
TOPIC and DESCRIPTION
Digital Forensics and the Law: Creating Law at the Speed of Technology (second session)
Technology changes constantly as do the devices we retrieve data from and the tools that we employ to accomplish that task. For the last few decades we have seen the need for laws that simply do not yet exist. What can we do to outpace the technology and create laws that will work for us in this burgeoning field? Come and see the challenges and possible solutions to this issue.
BIOGRAPHY
Dr. Amelia Phillips is a graduate of the Massachusetts Institute of Technology with a BS in Astronautical Engineering and a BS in Archaeology. She recently earned her doctorate in Computer Security at the University of Alaska Fairbanks as an interdisciplinary degree.
After working as an engineer at the Jet Propulsion Laboratory and TRW, Amelia worked with e-commerce sites and began her training in digital forensics and investigations during the dot-com boom. She has designed certificate and AAS programs for community colleges in e-commerce, network security, digital forensics and data recovery. Amelia co-authored the textbook Guide to Computer Forensics and Investigations now in its fourth edition. This year the first edition of her next textbook E-Discovery – An Introduction to Digital Evidence was published. Amelia is program lead for the Network Security and Data Recovery/Digital Forensics for Highline Community College in Seattle. She was also the lead for Highline’s first Bachelor of Applied Science degree in Cybersecurity and Forensics which goes online in the Fall of 2014. Amelia is the Regional Director of the Pacific Rim Collegiate Cyber Defense Competition (PRCCDC) which Highline has hosted since 2010. The 7th annual event with be this March at Highline.
Amelia also is active in working with developing nations in e-learning, retention, network security, digital forensics and entrepreneurship. She is currently tenured at Highline Community College in Seattle, WA and is serving as the Chair of the Pure & Applied Science Division. Amelia was a visiting Fulbright Scholar at the Polytechnic of Namibia in 2005 and 2006.
TOPIC and DESCRIPTION
Windows Event Log Forensics (second session)
This talk will cover tools and techniques for analyzing windows event logs with an emphasis on using event log artifacts to support your next investigation.
BIOGRAPHY
Mr. Brandon Leatha is a Director at iDiscovery Solutions (iDS), an award-winning e-Discovery, expert testimony, and digital forensics firm headquartered in Washington, DC. Based out of Seattle, Washington, Mr. Leatha is an expert in e-Discovery, data analytics, and computer forensics. With over 13 years of consulting experience in the litigation support industry, Mr. Leatha advises clients throughout the e-Discovery lifecycle, providing guidance on data preservation, evidence collection, data reduction strategies, review methodology, and document production. He has extensive experience performing computer forensic investigations, structured data analytics, and assisting clients in the effective utilization of technology assisted review (TAR).
Mr. Leatha has been a corporate 30(b)(6) witness, a court-appointed neutral computer forensics examiner, and has testified on numerous electronic discovery and computer forensics issues. He has been an active member of the Sedona Conference Working Group on Electronic Document Retention and Production (WG1) since 2005, and he is an active member of the Computer Technology Investigators Network (CTIN). Mr. Leatha has provided training on electronic discovery and computer forensics for seminars, CLE courses, and industry training events. Prior to joining iDS, Mr. Leatha was the founder and owner of Leatha Consulting LLC and the Director of ESI Consulting and Data Analysis at Electronic Evidence Discovery (EED).
TOPIC and DESCRIPTION
Breaking Anonymity (second session)
How to identify anonymous Internet users.
BIOGRAPHY
Brett is a digital forensics examiner and author of two books (Placing the Suspect Behind the Keyboard and X-Ways Forensics Practitioner’s Guide). Brett’s forensic experience spans a law enforcement career in investigating cybercrime to the private sector as an expert consultant in civil litigation. He has over 1,000 hours of formal digital forensics training from many US federal agencies and forensic software companies. Brett is also a frequent speaker across North America in conferences and provides private consultation to government agencies in high tech analysis and covert acquisition methods.
TOPIC and DESCRIPTION
Trust in the Professional Life of a Digital Examiner: A Pain or an Opportunity
Dr. Steverson is Professor of Business Ethics at Gonzaga University. He will discuss the social reliance on trust in our profession, the duties it creates for digital examiners and some of the unique ethical moments digital examiners face while carrying out our duties.
TOPIC and DESCRIPTION
USB for Win10 (second session)
BIOGRAPHY
Colin Cree is a Director of a Vancouver based company, EFS e-Forensic Services Inc., a computer forensic and e-discovery services provider that also provides training and sells related software and hardware. His background includes serving in the RCMP for 25 years. While serving in the RCMP Colin spent 8 years investigating commercial crime and 5 years in the Tech Crime unit. Colin has been involved in computer forensics since 1997. His expertise includes commercial crime investigations, computer crime investigations and analysis, providing expert witness testimony and ensuring the highest teaching and professional practice standards are maintained throughout the courses and investigations for which he is responsible.
TOPIC and DESCRIPTION
Forms of Production: Dealing with #$%^&*! Luddites!!
Forensic examiner and e-discovery service providers deal more with data than documents; yet, we are challenged to supply information to attorneys—and attorneys to opponents—in forms that mirror the utility, functionality and completeness of native ESI. This preserntation examines that challenge and posits ways to move lawyers out of the 19th century (no, that’s not a typo).
BIOGRAPHY
Craig Ball of Austin is a trial lawyer, computer forensic examiner, law professor and noted authority on electronic evidence. He limits his practice to serving as a court-appointed special master and consultant in computer forensics and electronic discovery and has served as the Special Master or testifying expert in computer forensics and electronic discovery in some of the most challenging and celebrated cases in the U.S. A founder of the Georgetown University Law Center E-Discovery Training Academy, Craig serves on the Academy’s faculty and teaches Electronic Discovery and Digital Evidence at the University of Texas School of Law. For nine years, Craig penned the award-winning Ball in Your Court column on electronic discovery for American Lawyer Media and now writes for several national news outlets. For his articles on electronic discovery and computer forensics, please visit www.craigball.com or his blog, www.ballinyourcourt.com.
TOPIC and DESCRIPTION
All CTIN members are invited to attend our annual general membership meeting to discuss and nominate upcoming Board positions.
All CTIN members are invited to vote for the upcoming Board positions.
Raffle for:
One full license of Recon For Mac valued at $1,695.00
One full license of Forensic Examiner valued at $1,295.00
Two one year licenses of X-Ways Forensics valued at $779.00 each
Three six month full licenses of MailXaminer valued at $800.00 each
One Wiebetech USB 3.0 Writeblock device valued at $349.00
One 90-day dongle for Forensic Examiner valued at $295.00
Two military grade encrypted 1TB portable hard drives valued at $150.00 each
MUST BE PRESENT TO WIN!
TOPIC and DESCRIPTION
Electronically Stored Information – The Latest Issues in Electronic Evidence
BIOGRAPHY
David Matthews is the former Director of Incident Response for Expedia, Inc. He has facilitated three regional cyber event exercises. He is also the founder of the Cyber Incident Response Coalition and Analysis Sharing group.
Besides the CISSP & CISM he is a Digital Recovery Forensics Specialist (DRFS), and CyberSecurity Forensic Analyst (CSFA). He is the author of “Electronically Stored Information: The Complete Guide to Management, Understanding, Acquisition, Storage, Search, and Retrieval”, published in the summer of 2012. David was the recipient of the 2012 Information Security Executive of the Decade – West award.
TOPIC and DESCRIPTION
Free and incredibly powerful—Utilities by Nir Sofer (second session)
If you do live captures you will love the utilities by Nir Sofer at https://www.nirsoft.net/. His programs provide information on the usual stuff: passwords, recent searches, autoruns… The good news is that they also do this stuff with command line versions that you can script… if you can find them.
BIOGRAPHY
Gordon has been around CTIN from the early days. He runs Future Focus, a company that does engineering design, debugging and computer forensics. Gordon’s background includes interesting jobs: flying for the US Navy a few wars back, work in big companies, and startups. He has the usual initials after his name; PhD, CPP, CISSP, CPS, GSEC, GCIH, GPen…
TOPIC and DESCRIPTION
What’s new in Digital Forensic Hardware (second session)
BIOGRAPHY
My role at Guidance software these past five years, as their “Forensic Evangelist”, is primarily a customer engagement, channel partner support and business development role. I travel far and wide (places like China, Japan, Canada, Mexico, Brazil, Australia, and New Zealand) to recruit & train our authorized resellers, and to make joint calls on key customers. I also frequently camp out in the DC area and spend a lot of time with the various and sundry alphabet soup Federal agencies. Many of them decide to like me, then trust me, then buy a bunch of our stuff, through one of our esteemed reseller partners.
I’ve been involved in the Technology Sector since 1983, and have worked in and around digital forensics since 2002. I like puppies, dark chocolate and long walks on the beach.
TOPIC and DESCRIPTION
FIRST PRESENTATION
Hack-a-Shack (second session)
This presentation is designed to demystify the world of hacking and response. Environment permitting, experience a hack into one computer from another to show just how easy it can be. From there, learn what can be done to secure networks, as well as to harden the biggest threat to every network – the accidental insiders (AKA employees). This is any network’s most vulnerable vector, and yet fewer resources are spent on this vector than any other. Bring your questions. This presentation is very fast paced and dynamic, but most importantly, it is presented in PLAIN ENGLISH!
SECOND PRESENTATION
Email Tracing (second session)
This training session will give investigators the skills they need to trace an email from sender to receiver and back again. Learn how to expose and interpret email headers, and how to leverage little known tools to trace the components of these headers as close to the originator as possible. If this does not achieve a positive result, then you can use the rest of the techniques and knowledge in this presentation to go the last mile! Not every email can be traced to its originator. Some are simply hampered by money and time – the two most critical factors in email tracing. Use the time tested techniques of some of the top tracers in the world to maximize your success.
THIRD PRESENTATION
Creating Stellar Reports (second session)
You have collected the evidence. You have spent countless hours analyzing it. You have found the smoking guns. But if you can’t communicate all of this effectively, it will have been in vain. How exactly do you show a video in a written report? In many cases, the written report is all the client sees for the big bill they have had to pay. This workshop will show you how to create a stellar report in an electronic format that will wow your clients. We explore many methods to get our evidence across in ways that will have the clients calling back time and time again. The attendee will be provided all the components necessary to create their own stellar reports.
FOURTH PRESENTATION
Forensic Acquisition of Apple Products (second session)
What happens when you encounter an Apple product? Some have normal hard drives, but most today do not. How do you get at the hard drive on these devices? How do you even identify the hard drive in a MacBook Pro Retina? Or a MacBook Air? Mac Pro? What happens if you remove the recognizable hard drive from a newer iMac and try to image it? You won’t get what you are expecting! This presentation will walk through acquisition methodologies specific to Apple. Drives, storage, Fusion, PCIe, RAM, we’ll cover it all! You know you are going to be seeing more and more of these, if you aren’t already. Be prepared!
FIFTH PRESENTATION
End User License Agreements (second session)
EULAs. Some would say synonymous with evil. Ubiquitous nonetheless. The bottom line is that we cannot compute without agreeing to them. But do you really know what you are agreeing to? This lecture will look at some of the more important things that are found in them, as well as discovering some of the more sinister paragraphs. Never fear, we will also look at some of the really silly ones too! This lecture will be interwoven around a story line that will catch you by surprise, and have you rethinking your position on privacy and data release. But not in the ways that you would think!
BIOGRAPHY
Kevin J. Ripa, is a former member, in various capacities, of the Department of National Defence serving in both foreign and domestic postings. He is now providing superior service to various levels of law enforcement and Fortune 500 companies, and has assisted in many sensitive investigations around the world. Mr. Ripa is a respected and sought after individual within the investigative industry for his expertise in Information Technology Investigations, and has been called upon to testify as an expert witness on numerous occasions. He has been involved in many complex cyber-forensics investigations. Mr. Ripa can be contacted via email at kevin@computerpi.com.
TOPIC and DESCRIPTION
How Hackers (try to) Cover their Tracks (second session)
We will introduce the methodology and intent behind penetration testing, with an emphasis on post-exploitation behavior. We will cover some common methods hackers use to cover their tracks after a successful exploitation, on both the attacking system and the victim machine. Though they may complicate a forensic investigation, we will dig into these anti-forensic methods and attempt to detect the malicious activity anyway.
BIOGRAPHY
Naomi Bornemann is an Information Security Analyst at Milliman, an international actuarial and consulting firm headquartered in Seattle. Naomi’s expertise includes web-application and network penetration testing, incident response, and enterprise vulnerability management. Before Milliman, Naomi comes from a strong career background working on Boeing’s security team and also co-founding a security consulting firm, Rhino Security Labs, in Seattle working on penetration testing and security operations.
TOPIC and DESCRIPTION
Demystifying Email Investigations
BIOGRAPHY
Natasha Lockhart currently provides executive level business development strategy for SysTools Software. Her specific go to market strategy centers on forensic and legal review of electronic mail data sets to assist corporate, legal and law enforcement customers with successful education, use and data presentation with MailXaminer technology.
Natasha previously provided sales leadership and customer relations management for Vound Software, LLC. From 2009 to 2015, she has acted as liaison between system integrators, channel partners and multi-jurisdictional federal agencies to help them add to their forensic and electronic discovery tool sets.
Natasha was also a senior sales representative with AccessData Corporation in Lindon, UT. In 2002, she was one of the first two associates and is established in multiple territories – to include: Regional and International sales, Pacific Northwest, Northeast, Canada and Federal, Local and State Law Enforcement spanning North America. Natasha is familiar with all facets of the sales process and maintains knowledge of forensic, decryption, network capture, electronic discovery and enterprise software solutions, including distributed e-data, mobile device collection, and training solutions for Local, State, Federal and International Law Enforcement agencies as well as corporate entities involved in the prevention, investigation and prosecution of mobile device and high-technology crime.
TOPIC and DESCRIPTION
Randall is the president of CTIN and will provide the conference’s opening remarks.
TOPIC and DESCRIPTION
Attack & Detect: Red vs. Blue PowerShell (second session)
Vignettes based in absolute reality: when organizations are attacked and a compromise occurs it may well follow scripts something like these. The most important lesson to be learned is how to assess attacks born of PowerShell, using in memory techniques as well as defensive PowerShell.
An attacker’s goal is to remain undetected, running in memory as often as possible, and limiting file system exposure whenever possible. We’ll explore defensive techniques for these dark arts.
Attack: Phishing, Veil, Metasploit, PowerSploit
Detect: WinPmem, Rekall, PowerForensics
BIOGRAPHY
Russ McRee, GSE, MSISE, directs the Security Response and Investigations team for Microsoft’s Windows & Devices Group (WDG). He writes toolsmith, a monthly column for information security practitioners, and has written for numerous other publications including Information Security, (IN)SECURE, SysAdmin, and Linux Magazine.
Russ also speaks regularly at events such as DEFCON, Derby Con, BlueHat, Black Hat, SANSFIRE, RSA, and others, and is a SANS Internet Storm Center handler. He serves in the Washington State Guard as a joint forces operator and planner on behalf of the Washington Military Department’s cyber and emergency management missions. Russ advocates a holistic approach to the practice of information assurance and, as such maintains holisticinfosec.org. IBM’s ISS X-Force cited Russ as the 6th ranked Top Vulnerability Discoverers of 2009.
TOPIC and DESCRIPTION
When was this user logged on the system? Where was this system on a given date? What devices were used on the system? How often was the system used? Is the system compromised? – These questions may be answered by viewing the logs provided by Mac OS X. This presentation will cover the variety of logs, tools to read them, and analysis of additional file system files to provide a clear picture of events. User, network, or software activities can provide a timeline that can be used to uncover the clandestine activity on the system – whether or not it was meant to be secret.
BIOGRAPHY
Sarah is an senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter‐intelligence, counter-narcotic, and counter‐terrorism. Sarah’s research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at many industry conferences including; Shmoocon, CEIC, Bsides*, Defcon and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. Sarah is the author of the SANS Mac Forensic Analysis Course – FOR518.
TOPIC and DESCRIPTION
FIRST PRESENTATION
Even Geeks can Speak – Level 2 (second session)
For professional technical specialists’ visual presentation and speaking are important and necessary skills. Developing excellent presentation skills along with an attendant ability to make a positive impression to not only one person but even more important to hundreds of people can truly set you apart from the crowd. Your ability to make that impression depends on your skills to convey organized thought.
SECOND PRESENTATION
Graphical Analysis of Structured and Unstructured Data (second session)
Data Analytics to Support Investigations.
BIOGRAPHY
Steve Beltz has been in law enforcement directly or in support operations for over 28 years and is currently Assistant Director of the Federal, Recovery Operation Center in Washington DC. Steve manages a highly specialized technical workforce involved in financial analysis of fraud against the federal government. In the past he has also managed federal contracts that include network security, computer forensic and e-discovery operations located at the U.S. DoS, DEA, FBI, ICE and DOD. Steve had been employed by the Washington State Patrol for 16+ years where he spent most of his career as a detective specializing in major crime scene investigations, computer forensics and criminal intelligence. He has been teaching and giving presentations for over 30+ years to include several Washington State area universities, the Washington State Patrol and other county, city and federal agencies.
TOPIC and DESCRIPTION
FIRST PRESENTATION
Mac Forensics – Timeline Analysis
Timeline Analysis is one of the most popular investigative trends in Digital Forensics. Timeline Analysis can recreate the history of a device’s usage step-by-step and second by second. Unknown to many, Mac OS X contains multiple time stamps in addition to the standard modified, accessed, and created time stamps. Combining all of the available Mac time stamps into a Timeline can greatly enhance any Mac investigation. Learn what Timestamps exist on a Mac, how they can be extracted, and how to interpret the results!
SECOND PRESENTATION
CARBON Forensic Suite Demo
MAC Forensics and Virtual Machine Forensics using CARBON Forensic Suite
THIRD PRESENTATION
Paladin: Basic and Advanced Features
PALADIN 6, a FREE Linux-based forensic suite, contains over 100 forensic tools in 29 different categories in addition to the multifaceted easy-to-use PALADIN Toolbox.
In this demonstration you will learn about PALADIN and what it can do along with it’s basic and advanced features such simplifying Field Triage, tricks to image large data sets and even performing full forensic analysis for free!
PALADIN is provided free to the forensic community as a courtesy from SUMURI.
BIOGRAPHY
Steve Whalen, CFCE is the CEO for SUMURI, a leading provider of training and services relating to digital evidence and computer forensics worldwide. Steve’s experience in computer forensics dates back to 1997. Steve has developed and delivered forensic training to thousands of investigators and examiners around the world through organizations such as the International Association of Computer Investigative Specialists (IACIS), the High Technology Crimes International Association (HTCIA) and the US Department of State Anti-Terrorism Assistance Program. Steve is also the developer of the successful Macintosh Forensic Survival Course (MFSC), PALADIN, RECON and CARBON forensic software and co-developer of TALINO Forensic Workstations. Steve has provided training throughout North America, Central America, Asia, Europe, Middle East, Caribbean, Africa and Oceania.
Previously, Steve served over 15 years as a Delaware State Trooper. During that time, he worked as a detective with the Criminal Investigations Unit and served as their first full-time forensic examiner for digital evidence. Building off that experience, Whalen helped the Delaware State Police develop its first High Technology Crimes Unit in 2001, where he processed thousands of electronic items and devices containing digital evidence from hundreds of cases relating to intrusion, financial crimes, child sexual exploitation, narcotics, stalking and homicides.
Steve’s most current humanitarian project “Mission: No More Victims” will help to combat the sexual exploitation of children on a global level and bring sexual offenders and child pornographers to justice.
TOPIC and DESCRIPTION
$MFT, $UsnJrnl and $Logfile analysis (second session)
Windows NTFS file system is more than just a directory listing in the Master File Table. NTFS is a journaling system that records metadata information about file system changes in the $Logfile and $UsnJrnl files. This presentation will take a look at the $MFT, $Logfile, and $UsnJrnl files using forensics software tools. Live demonstrations will provide a look at a variety of methods that can help analyze the NTFS file system artifacts, Triforce ANJP NTFS Journal Parser, TZWorks NTFS tools, NTFS-Linker, TSK, and other resources for analyzing the NFTS file system and its metadata. No PowerPoint slides in this presentation, real software looking at real data.
BIOGRAPHY
Terry Lahman, Chief Digital Forensics Analyst at eForensicsPro, specializes in computers, tablets, GPS devices, and cell phones. He has over 35 years experience in the fields of computers and electronics, including 17 years at Microsoft. His software development background spans both Microsoft Windows and Apple iOS platforms, including developing software tests for the NTFS file system and Windows NT memory manager. His extensive knowledge of Windows and his expertise in software testing bring a valued skill to the digital forensics field.
TOPIC and DESCRIPTION
Forensics of Windows Virtual Machines
In some very important ways, forensic examinations of virtual systems are no different from forensic examinations of physical machines. In other ways, there are important differences, especially around evidence acquisition. As more of the world’s computing moves to virtual systems, in the home, lab, data center, and cloud, forensics investigators will need to understand what obstacles and opportunities virtual systems impose on forensic acquisition and analysis.
This presentation will look at forensics issues involved with virtual machines based on Microsoft’s virtualization technologies, including cloud based systems. We will begin with a brief overview of Microsoft virtual systems, and then look some tools and procedures for collecting and analyzing memory and “disks” from Windows virtual machines.
BIOGRAPHY
Troy is a 12 year veteran forensic examiner with Microsoft. He is currently a Principle Digital Investigator specializing in the forensic investigations of virtual systems including Windows Azure.
TOPIC and DESCRIPTION
Every Contact Leaves a Trace – But How Can Intricate Pieces of Evidence Be Forensically Retrieved?
Today’s technology is becoming much more sophisticated with the increase in storage volume and the use of encryption as a default. The demand by both investigators and the legal systems to recover truly deleted data from both traditional computer workstations and the array of digital devices, such as, mobile phones and GPS tracking devices has grown expeditiously. In this session, participants will be guided through what is practically possible, what is impossible and more importantly, what can realistically be achieved with today’s forensic computer and mobile investigative techniques and equipment.
Uncovering Hidden Secrets of VSS and Live Boot
Learn how a Volume Shadow Copy Service (VSS) can be swiftly investigated to uncover its hidden historic secrets, which are often forgotten or overlooked. The session will not only discuss a simple approach to the analysis of VSS but will also include data carving for specific metadata artifacts. Using Forensic Explorer (FEX) and the integrated virtual forensic computing of Live Boot, participants will be guided through the reconstruction of a subject computer. This simple approach allows an investigator to turn back the clock and witness the same experience as an original user as if they were sat at the actual computer.
BIOGRAPHY
John (Zeke) Thackray is the Vice President of GetData Forensics USA, based in Los Angeles and responsible for global forensic services and training. Zeke, as he is more commonly known throughout the industry, is a former British Police Detective who specialized in hi-tech crime from the early 1990’s. He was responsible for the establishment and development of the New Zealand Police Electronic Crime Unit based in Auckland. He has also been responsible for the establishment of corporate computer forensic facilities such as Ernst and Young in Australia and the IBM Global IT Security Incident Response Group. Zeke has been involved in many hi-tech, high profile investigations around the world and has delivered computer and cell phone forensics training globally for many years. Zeke considers himself an investigator first and an educator second. Hands-on practical investigative skills are key in keeping pace with technology to educate others. He has recently returned from active investigations and consultancy assignments in the Middle East, Latin America, Asia and the Oceania Region.
2015 Conference Schedule And Agenda
Monday March 16, 2015 |
|||
| Time | Room | Speaker(s) | Title |
| 7:30 – 8:00 | Lobby | BREAKFAST | NO FOOD OR DRINK ALLOWED IN AUDITORIUM |
| 7:30 – 8:00 | Lobby | REGISTRATION | |
| 8:00 – 8:30 | Auditorium | Randall Karstetter | Welcome |
| 8:30 – 9:30 | Auditorium | Steve Beltz | Life After The Washington State Patrol |
| C-206 | Brandon Leatha Jonathan Karchmer |
IP Theft Investigation | |
| C-204 | Amelia Phillips | Social Media Forensics | |
| 9:30 – 9:45 | BREAK | ||
| 9:45 – 10:45 | Auditorium | John Bair | Mobile Device Forensics – Part 1 |
| C-206 | Colin Cree | Investigating USB Storage on Windows 8 | |
| C-204 | David Matthews | Latest Issues Surrounding eDiscovery | |
| 10:45 – 11:00 | BREAK | ||
| 11:00 – 12:00 | Auditorium | John Bair | Mobile Device Forensics – Part 2 |
| C-206 | David Stenhouse | Making Your Job Better and Easier | |
| C-204 | Panel | eDiscovery Favorite Tools | |
| 12:00 – 1:00 | LUNCH | ||
| 1:00 – 2:30 | Auditorium | Brandon Leatha Jonathan Karchmer |
IP Theft Investigation |
| C-206 | Kevin Ripa | Raw Data Carving | |
| C-204 | Bill Long | E-Discovery Basics | |
| 2:30 – 2:45 | BREAK | ||
| 2:45 – 4:00 | Auditorium | Brett Shavers | Hiding Behind the Keyboard |
| C-206 | David Matthews | Level the Cyber Security Playing Field | |
| C-204 | Panel | Digital Forensics Favorite Tools | |
Tuesday March 17, 2015 |
|||
| Time | Room | Speaker(s) | Title |
| 7:30 – 8:00 | Lobby | BREAKFAST | NO FOOD OR DRINK ALLOWED IN AUDITORIUM |
| 8:00 – 9:30 | Auditorium | Terry Lahman | Linux and Open Source Tools Demo |
| C-206 | Kevin Ripa | Raw Data Carving | |
| C-204 | Gordon Mitchell | Incident Handling | |
| 9:30 – 9:45 | BREAK | ||
| 9:45 – 10:45 | Auditorium | John Bair | Mobile Device Forensics – Part 1 |
| C-206 | Nate Bailey | Ethics and the Computer Examiner | |
| C-204 | Amelia Phillips | Social Media Forensics | |
| 10:45 – 11:00 | BREAK | ||
| 11:00 – 12:00 | Auditorium | John Bair | Mobile Device Forensics – Part 2 |
| C-206 | David Stenhouse | Making Your Job Better and Easier | |
| C-204 | Ron Godfrey Bill Nelson Amelia Phillips |
Writing Technical Textbooks | |
| 12:00 – 1:00 | Lobby | LUNCH | CTIN Board Elections Meeting |
| 1:00 – 2:30 | Auditorium | Colin Cree | Investigating USB Storage on Windows 8 |
| C-206 | Terry Lahman | Linux and Open Source Tools Demo | |
| C-204 | Gordon Mitchell | Incident Handling | |
| 2:30 – 2:45 | BREAK | ||
| 2:45 – 4:00 | Auditorium | Steve Beltz | Even Geeks Can Speak |
| C-206 | Brett Shavers | Hiding Behind the Keyboard | |
| C-204 | All Purpose Room: Break, Networking, Speaker reset | ||
Wednesday March 18, 2015 |
|||
| Time | Room | Speaker(s) | Title |
| 7:30 – 8:00 | Lobby | BREAKFAST | NO FOOD OR DRINK ALLOWED IN AUDITORIUM |
| 8:00 – 9:45 | Auditorium | Eric Zimmerman | Plumbing the Depths: Shellbags |
| 9:45 – 10:00 | BREAK | ||
| 10:00 – 12:00 | Auditorium | Craig Ball | Spoiled and Deluded: The Shakespearean Tragedy that is Search in E-Discovery |
| 12:00 – 12:45 | LUNCH | ||
| 12:45 – 1:00 | Auditorium | Vendor Drawings | |
| 1:00 – 2:15 | Auditorium | Steve Beltz | Graphical Analysis of Structured and Unstructured Data |
| 2:15 – 2:30 | BREAK | ||
| 2:30 – 4:00 | Auditorium | Troy Larson | Code Signing |
AMELIA PHILLIPS
TOPIC and DESCRIPTION
FIRST PRESENTATION
Social Media Forensics (second session)
Posting on walls, tweets, blogs, hangouts and more. So much of people’s personal and professional lives are conducted in social media that it now plays a critical role in digital forensics. Come and explore the new tools that can be used for social media forensics. Learn what you can obtain using the tools and when you need a warrant. The challenge for all investigators are the conglomeration of evidence types and the non-consistent manner in which the data is stored.
SECOND PRESENTATION
Writing Technical Textbooks
Writing a textbook for the digital forensics field presents unique challenges. The software always lags behind the latest operating system releases, creation of new drive images, hardware and software costs add to the research that must take place. Come and listen to a candid conversation about writing for the industry.
BIOGRAPHY
Dr. Amelia Phillips is a graduate of the Massachusetts Institute of Technology with a BS in Astronautical Engineering and a BS in Archaeology. She recently earned her doctorate in Computer Security at the University of Alaska Fairbanks as an interdisciplinary degree.
After working as an engineer at the Jet Propulsion Laboratory and TRW, Amelia worked with e-commerce sites and began her training in digital forensics and investigations during the dot-com boom. She has designed certificate and AAS programs for community colleges in e-commerce, network security, digital forensics and data recovery. Amelia co-authored the textbook Guide to Computer Forensics and Investigations now in its fourth edition. This year the first edition of her next textbook E-Discovery – An Introduction to Digital Evidence was published. Amelia is program lead for the Network Security and Data Recovery/Digital Forensics for Highline Community College in Seattle. She was also the lead for Highline’s first Bachelor of Applied Science degree in Cybersecurity and Forensics which goes online in the Fall of 2014. Amelia is the Regional Director of the Pacific Rim Collegiate Cyber Defense Competition (PRCCDC) which Highline has hosted since 2010. The 7th annual event with be this March at Highline.
Amelia also is active in working with developing nations in e-learning, retention, network security, digital forensics and entrepreneurship. She is currently tenured at Highline Community College in Seattle, WA and is serving as the Chair of the Pure & Applied Science Division. Amelia was a visiting Fulbright Scholar at the Polytechnic of Namibia in 2005 and 2006.
TOPIC and DESCRIPTION
A step-by-step overview of how it’s done. From the first indication that litigation may ensue, then building a plan and executing the plan through to data production.
BIOGRAPHY
Mr. Long is owner and a Principal of Integrid, specializing in matters involving digital information, electronic discovery and digital forensics. Mr. Long has over thirty-eight years of experience in technology as well as many phases of business activity. In addition to his technology background, Mr. Long has experience in management (including service as CEO) as well as marketing, accounting, and finance. He is a Digital Forensic Certified Practitioner, Certified Computer Examiner, Certified Fraud Examiner and has the Data Recovery Expert Certification. Mr. Long has served as a court-appointed independent computer expert and has testified as a digital forensic expert.
BRANDON LEATHA and JONATHAN KARCHMER
TOPIC and DESCRIPTION
IP Theft Investigation (second session)
A detailed look at the tools and techniques used to extract and analyze forensic artifacts from computers, mobile devices, cloud services and other sources of ESI in support of IP theft investigations.
BIOGRAPHY
Mr. Brandon Leatha is a Director at iDiscovery Solutions (iDS), an award-winning e-Discovery, expert testimony, and digital forensics firm headquartered in Washington, DC. Based out of Seattle, Washington, Mr. Leatha is an expert in e-Discovery, data analytics, and computer forensics. With over 13 years of consulting experience in the litigation support industry, Mr. Leatha advises clients throughout the e-Discovery lifecycle, providing guidance on data preservation, evidence collection, data reduction strategies, review methodology, and document production. He has extensive experience performing computer forensic investigations, structured data analytics, and assisting clients in the effective utilization of technology assisted review (TAR).
Mr. Leatha has been a corporate 30(b)(6) witness, a court-appointed neutral computer forensics examiner, and has testified on numerous electronic discovery and computer forensics issues. He has been an active member of the Sedona Conference Working Group on Electronic Document Retention and Production (WG1) since 2005, and he is an active member of the Computer Technology Investigators Network (CTIN). Mr. Leatha has provided training on electronic discovery and computer forensics for seminars, CLE courses, and industry training events. Prior to joining iDS, Mr. Leatha was the founder and owner of Leatha Consulting LLC and the Director of ESI Consulting and Data Analysis at Electronic Evidence Discovery (EED).
—-
Mr. Jonathan Karchmer is a Senior Manager in the Costa Mesa office of iDiscovery Solutions, Inc. (iDS). Mr. Karchmer has over fourteen years of experience in managing projects dealing with computer forensic examinations, ESI collection/processing, hosting, as well as document review and production. He has advised counsel in engagements regarding intellectual property and trade secret theft, contractual disputes, electronic document production, FTC second requests, due diligence investigations, embezzlement, harassment, illegal surveillance, network attack/incident handling, and network security auditing. Mr. Karchmer has also offered sworn testimony in state and federal courts. Prior to joining iDS, he was a Senior Managing Consultant in the Electronic Discovery Practice at LECG, and a Computer Forensic Analyst for both Spinelli Corporation and Mack/Barclay Inc.
TOPIC and DESCRIPTION
Hiding Behind the Keyboard (second session)
This discussion into the methods used in covert communications and techniques to uncover and analyze electronic communications will give you insight into different avenues of analysis and investigation of hidden communications. This presentation is based on an upcoming Syngress book to be published late 2015 by Brett Shavers.
BIOGRAPHY
Brett is a digital forensics examiner and author of two books (Placing the Suspect Behind the Keyboard and X-Ways Forensics Practitioner’s Guide). Brett’s forensic experience spans a law enforcement career in investigating cybercrime to the private sector as an expert consultant in civil litigation. He has over 1,000 hours of formal digital forensics training from many US federal agencies and forensic software companies. Brett is also a frequent speaker across North America in conferences and provides private consultation to government agencies in high tech analysis and covert acquisition methods.
TOPIC and DESCRIPTION
Investigating USB Storage on Windows 8 (second session)
USB storage drives continue to be used to compromise data in the corporate network. This session will provide guidance on how to investigate the use of a USB drive on a Windows 8 computer.
BIOGRAPHY
Colin Cree is a Director of a Vancouver based company, EFS e-Forensic Services Inc., a computer forensic and e-discovery services provider that also provides training and sells related software and hardware. His background includes serving in the RCMP for 25 years. While serving in the RCMP Colin spent 8 years investigating commercial crime and 5 years in the Tech Crime unit. Colin has been involved in computer forensics since 1997. His expertise includes commercial crime investigations, computer crime investigations and analysis, providing expert witness testimony and ensuring the highest teaching and professional practice standards are maintained throughout the courses and investigations for which he is responsible.
TOPIC and DESCRIPTION
Spoiled and Deluded: The Shakespearean Tragedy that is Search in E-Discovery
Keyword search is the gold standard in electronic discovery, but how well does it work? You may be surprised. This program will open your eyes to what you’re missing and reveal the secret pitfalls of electronic search. You’ll also learn tips you can apply now to significantly improve the quality of search and lower the cost of e-discovery.
BIOGRAPHY
Craig Ball of Austin is a trial lawyer, computer forensic examiner, law professor and noted authority on electronic evidence. He limits his practice to serving as a court-appointed special master and consultant in computer forensics and electronic discovery and has served as the Special Master or testifying expert in computer forensics and electronic discovery in some of the most challenging and celebrated cases in the U.S. A founder of the Georgetown University Law Center E-Discovery Training Academy, Craig serves on the Academy’s faculty and teaches Electronic Discovery and Digital Evidence at the University of Texas School of Law. For nine years, Craig penned the award-winning Ball in Your Court column on electronic discovery for American Lawyer Media and now writes for several national news outlets. For his articles on electronic discovery and computer forensics, please visit www.craigball.com or his blog, www.ballinyourcourt.com.
TOPIC and DESCRIPTION
FIRST PRESENTATION
Latest Issues Surrounding eDiscovery
SECOND PRESENTATION
Level the CyberSecurity Playing Field
Learn why and how to share information, ides and resources to level the cyber security playing field.
BIOGRAPHY
David Matthews is the former Director of Incident Response for Expedia, Inc. He has facilitated three regional cyber event exercises. He is also the founder of the Cyber Incident Response Coalition and Analysis Sharing group.
Besides the CISSP & CISM he is a Digital Recovery Forensics Specialist (DRFS), and CyberSecurity Forensic Analyst (CSFA). He is the author of “Electronically Stored Information: The Complete Guide to Management, Understanding, Acquisition, Storage, Search, and Retrieval”, published in the summer of 2012. David was the recipient of the 2012 Information Security Executive of the Decade – West award.
TOPIC and DESCRIPTION
Making Your Job Better and Easier (second session)
The computer forensics and eDiscovery industry is full of variables that make our daily tasks and career more difficult than ever before. Based on 17 years experience working for a federal agency and the private sector, David Stenhouse will share his insights on how to not only survive in this industry but make the career an enjoyable endeavor no matter your current position.
BIOGRAPHY
David Stenhouse is the President of DS Forensics, Inc. Since 1998, Mr. Stenhouse has provided electronic discovery and computer forensics expertise to Federal Law Enforcement and the legal industry. Mr. Stenhouse is himself a forensic examiner, and has performed hundreds of forensic examinations on multiple types of hardware and operating systems, in criminal cases and civil litigation. He has acted as a neutral expert in numerous cases appointed by the court to create electronic discovery plans, capture and analyze electronic data, provide conclusions in regards to such electronic data, as has been hired to act as a special advisor to the court, providing assistance in the understanding of technical concepts. He has testified in State and Federal court in numerous criminal and civil cases, and has testified in Federal court as an expert witness in computer-generated evidence. Mr. Stenhouse is a former Special Agent in the United States Secret Service and a Trooper in the Washington State Patrol.
TOPIC and DESCRIPTION
Plumbing the Depths: Shellbags
Learn about the most common ShellBag types including timestamps, usernames, changing program associations, file system info, user searches, accessing network resources and so on. This discussion will start at the hex level and culminate with examples of ShellBags Explorer to streamline the review of ShellBags data.
BIOGRAPHY
Eric Zimmerman is an FBI special agent assigned to the Cyber crimes squad of the Salt Lake City FBI field office where he has been investigating child pornography and computer intrusions since 2007. He is a member of the Utah ICAC and has provided training and assistance to dozens of local, state, federal and international law enforcement agencies. Eric has a degree in computer science and has developed several computer programs to aid in the investigation and prosecution of child exploitation matters.
TOPIC and DESCRIPTION
Incident Handling (second session)
There is always tension when the server is down – should it be patched or will it be best to preserve the evidence? What can be done before the attack? Is it really true that there is an intrude inside my network? This talk will be illustrated with examples from real incidents.
BIOGRAPHY
Gordon has been around CTIN from the early days. He runs Future Focus, a company that does engineering design, debugging and computer forensics. Gordon’s background includes interesting jobs: flying for the US Navy a few wars back, work in big companies, and startups. He has the usual initials after his name; PhD, CPP, CISSP, CPS, GSEC, GCIH, GPen…
TOPIC and DESCRIPTION
FIRST PRESENTATION
Mobile Device Forensics – Part 1 (second session)
Case studies involving two homicide and one robbery investigation involving key cell phone data and problems encountered with acquiring and parsing the data.
SECOND PRESENTATION
Mobile Device Forensics – Part 2 (second session)
Learn how to combine texts, stored images and CDR data in a manner that will be understood by the jury.
BIOGRAPHY
John Bair is currently employed as a detective with the Tacoma Police Department. He has been commissioned as a law enforcement officer since May 1989. While working in the homicide unit and exposed to gang violence, he discovered the demand to focus on evidence stored on mobile devices.
In 2006 John created the current forensic lab that focuses on mobile evidence related to violent crimes in the city of Tacoma. His case experience shortly thereafter gained the attention of Mobile Forensics Incorporated (MFI). MFI hired John as a contract instructor. MFI soon merged with AccessData to become their only training vendor for their mobile forensics core. This relationship fosters direct contact with engineers who assist in criminal cases which need anomalies and exploits addressed within their forensic products.
July 2013 he was also hired by Fox Valley Technical College to assist in part time training for the Department Of Justice – Amber Alert Program. His expertize with mobile forensics is being utilized to structure a digital evidence module for investigators responding to scenes where children had been abducted. The program promotes how to prevent mobile evidence contamination and how to triage live devices under exigent circumstances.
Within Pierce County, he began a mobile forensics training program for Superior Court Prosecutors and Judicial Officers which is currently in its third year. The program stresses the proper search warrant language, validation of evidence and how to present this dynamic content in court.
In December 2013, Detective Bair gave a presentation to the University Of Washington’s Institute of Technology which provided an outline to merge digital solutions between the Tacoma Police Department and UWT. The relationship will focus on building a digital forensic lab that will be modeled after the Marshall University Forensic Science Center in West Virginia. The lab proposal also includes the ability to conduct “chip-off” forensics which will be a one of kind facility on the west coast.
Based upon the proposal to create a combined lab, John began part time lecturing at UWT in April 2014. The course covered legal concepts, logical, physical searching methods and manual “carving”. UWT requested the program to continue – allowing additional time to expand the same concepts into three progressive levels. Presently, UWT and Tacoma are currently working collectively to create an advanced lab and are seeking funding opportunities that will further develop the mobile forensics curriculum.
John’s certifications include Mobile Forensics Certified Examiner (MFCE), Cellebrite Certified Physical Analyst (CCPA), AccessData Mobile Examiner (AME), Cellebrite Certified Task Instructor (CCTI), AccessData Certified Examiner (ACE), as well as specialized mobile repair and JTAG forensics courses.
TOPIC and DESCRIPTION
Raw Data Carving (second session)
You have used all of the utilities in EnCase, FTK and X-Ways and think you have found everything but guess again. Learn how to manually carve data and make it useful.
BIOGRAPHY
Kevin J. Ripa, is a former member, in various capacities, of the Department of National Defence serving in both foreign and domestic postings. He is now providing superior service to various levels of law enforcement and Fortune 500 companies, and has assisted in many sensitive investigations around the world. Mr. Ripa is a respected and sought after individual within the investigative industry for his expertise in Information Technology Investigations, and has been called upon to testify as an expert witness on numerous occasions. He has been involved in many complex cyber-forensics investigations. Mr. Ripa can be contacted via email at kevin@computerpi.com.
TOPIC and DESCRIPTION
Ethics and the Computer Examiner
Do digital analysts have an ethical obligation to identify all of the relevant artifacts or only those their clients want to use? Learn how to effectively manage your client’s expectations and protect your reputation at the same time.
BIOGRAPHY
Nate Bailey has a BS in physics from UW and graduated magna cum laude from Indiana University Maurer School of Law. He has also served on the Federal Communications Law Journal and was elected to the Order of the Coif. He is an associate with Sebris Busto James in Bellevue where he represents both private and public employers in a full range of employment law matters, including wage and hour issues and discrimination claims. Nate has worked on several cases where computer forensics were a critical component of the case, including one last year that culminated in a three week trial.
TOPIC and DESCRIPTION
Join a panel of your fellow analysts and examiners to learn about their favorite tools for managing and reviewing electronic data.
Digital Forensics Favorite Tools
Join a panel of your fellow analysts and examiners to learn about their favorite tools to collect and analyze digital media.
RON GODFREY and BILL NELSON and AMELIA PHILLIPS
TOPIC and DESCRIPTION
Writing a textbook for the digital forensics field presents unique challenges. The software always lags behind the latest operating system releases, creation of new drive images, hardware and software costs add to the research that must take place. Come and listen to a candid conversation about writing for the industry.
BIOGRAPHY
Ron Godfrey is a Marine Corps veteran who served with the Military Police in Yuma, Arizona. Prior to joining IT Forensics, Inc. Mr. Godfrey was employed by a Fortune 50 company as a computer forensic examiner. In his eight years of computing forensics experience, Mr. Godfrey has supported numerous corporate investigations by conducting forensic examinations for organizations tasked with enforcing policies and laws. Cases include the successful forensic examination of a high profile laptop theft and the use of computer forensics for the first time in a Malaysia Industrial Court case. His work on a corporate eDiscovery class action lawsuit filed in the Federal courts has been noted in national law journals, and has the potential to be used as a standard process for eDiscovery cases involving large corporate systems. Mr. Godfrey’s work has been reviewed and validated by third party forensic specialists.
As an employee of a National Aeronautics and Space Administration (NASA) and U.S. Government contractor, Mr. Godfrey was responsible for administering computer security procedures and ensuring compliance with government and company requirements for computing systems operating in heterogeneous environments. Mr. Godfrey was recognized for his computing support of the STS-107 Challenger shuttle disaster.
Mr. Godfrey is a member and former secretary of the Computer Technology Investigators Network (www.ctin.org), and is a Data Recovery/Computer Forensics instructor at Highline Community College. He is a co-author of “E-Discovery: An Introduction to Digital Evidence, 1st Edition.” Mr. Godfrey holds a Computer Forensic Examiner Certificate from Highline Community College, and has extensive training and numerous certificates in Microsoft Certified Systems Engineer networking, Department of Defense computer security, and vendor forensic and computer courses.
—-
Mr. Nelson is president of IT Forensics, Inc. and a founding shareholder. Previously, Mr. Nelson was employed by two Fortune 50 Companies.
He was an Automated Fingerprint Identification System software (AFIS) engineer for six years. In addition to AFIS software engineering he was project manager for new AFIS installations. He has served as a Reserve Police officer and civil investigator for a school district.
Mr. Nelson has an Associate of Arts Media Technician degree from Bellevue Community College, Bellevue, WA, and a Bachelor of Science Data Processing degree from Griffin College, Seattle, WA. He has provided training through Computer Technology Investigations Network and is a co-author of “Guide to Computer Forensics and Investigations”.
He is a former president, of Computer Technology Investigators Network (CTIN) and a member of Computer Related Information Management and Education (CRIME). He is formerly an adjunct faculty member with City University involved in the development of a series of degree programs supporting high technology security. He is currently an instructor with the University of Washington Digital Forensics Certificate Program.
TOPIC and DESCRIPTION
FIRST PRESENTATION
Life After the Washington State Patrol
Steve will discuss how his original program with the U.S. Dept. of State grew from 3 to 30 people and then his involvement with DEA, FBI, ICE and DoD culminating in his appointment as Assistant Director for the Recovery Accountability and Transparency Board managing the Recovery Operation Center which specialized in “big data” analysis.
SECOND PRESENTATION
Even Geeks Can Speak
Learn how to prepare, design and deliver professional presentations using a visual and “story board” technique that will both educate and entertain your audience.
THIRD PRESENTATION
Graphic Analysis of Structured and Unstructured Data
Learn how big data analysis labs mine data to uncover relationships, trends and hidden themes. See how this information is translated into detailed reports with interactive link charts and timelines providing valuable intelligence leads for investigators.
BIOGRAPHY
Steve Beltz has been in law enforcement directly or in support operations for over 28 years and is currently Assistant Director of the Federal, Recovery Operation Center in Washington DC. Steve manages a highly specialized technical workforce involved in financial analysis of fraud against the federal government. In the past he has also managed federal contracts that include network security, computer forensic and e-discovery operations located at the U.S. DoS, DEA, FBI, ICE and DOD. Steve had been employed by the Washington State Patrol for 16+ years where he spent most of his career as a detective specializing in major crime scene investigations, computer forensics and criminal intelligence. He has been teaching and giving presentations for over 30+ years to include several Washington State area universities, the Washington State Patrol and other county, city and federal agencies.
TOPIC and DESCRIPTION
Linux and Open Source Tools Demo (second session)
Linux and Open Source digital forensic tools are an incredible value – FREE! Linux is a reliable and stable platform to conduct examinations, host virtual machines and with may distros it isn’t just a single OS. See a live demo of what can be accomplished with Linux and Open Source.
BIOGRAPHY
Terry Lahman, Chief Digital Forensics Analyst at eForensicsPro, specializes in computers, tablets, GPS devices, and cell phones. He has over 35 years experience in the fields of computers and electronics, including 17 years at Microsoft. His software development background spans both Microsoft Windows and Apple iOS platforms, including developing software tests for the NTFS file system and Windows NT memory manager. His extensive knowledge of Windows and his expertise in software testing bring a valued skill to the digital forensics field.
TOPIC and DESCRIPTION
What is code signing and how can you use it? Learn how to use code signing to build hash sets and find malware.
BIOGRAPHY
Troy has been a senior forensics investigator with Microsoft for over 11 years and is also an attorney. He has provided numerous talks on computer forensics and the changes that can be found in the latest Microsoft operating systems.
2014 Conference Schedule And Agenda
Monday March 24, 2014 |
|||
| Time | Room | Speaker(s) | Title |
| 7:00 – 8:30 | Lobby | BREAKFAST | NO FOOD OR DRINK ALLOWED IN AUDITORIUM |
| 8:30 – 9:00 | Introduction/Housekeeping | ||
| 9:00-10:00 | Auditorium | Troy Larson | KEYNOTE: Don’t Let Your Tools Make You Look Bad |
| 10:00 – 10:30 | BREAK | ||
| 10:30 – 11:30 | C-214 | John Cotton | Defragging the Defrag |
| C-206 | Dave Matthews | Electronic Evidence Case Law | |
| C-151 | Michelle Mullinex | An Analysis of Microsoft Event Logs | |
| C-101 | All Purpose Room: Break, Networking, Speaker reset | ||
| 11:30 – 1:00 | LUNCH | ||
| 1:00 – 2:00 | C-214 | Kevin Ripa | Data Recovery Beyond Software |
| C-206 | Dave Matthews | Exercising your Incident Response Plan | |
| C-151 | Michelle Mullinex | An Analysis of Microsoft Event Logs | |
| C-101 | All Purpose Room: Break, Networking, Speaker reset | ||
| 2:00 – 2:30 | BREAK | ||
| 2:30 – 3:30 | C-214 | David Stenhouse | Mobile Device Forensics |
| C-206 | Russ McRee | Understanding Web Application Security Attacks for Investigators | |
| C-151 | Gordon Mitchell | Jump Bag: what to have ready for that next job; and Timelines: generating logical information easily | |
| C-101 | All Purpose Room: Break, Networking, Speaker reset | ||
Tuesday March 25, 2014 |
|||
| Time | Room | Speaker(s) | Title |
| 7:30 – 8:45 | Lobby | BREAKFAST | NO FOOD OR DRINK ALLOWED IN AUDITORIUM |
| 9:00 – 10:00 | Auditorium | Ryan Kubasiak Allison Goodman |
Mac Forensics 101 |
| 10:00 – 10:30 | BREAK | ||
| 10:30 – 11:30 | Auditorium | Ryan Kubasiak | Mac Forensics 201 |
| 11:30 – 1:00 | LUNCH | ||
| 1:00 – 2:00 | C-214 | Kevin Ripa | Why the Bad Guys Win |
| C-206 | Gordon Mitchell | Encryption: your friend and your enemy | |
| C-151 | Amelia Phillips | eDiscovery and International Law | |
| C-101 | All Purpose Room: Break, Networking, Speaker reset | ||
| 2:00 – 2:30 | BREAK | ||
| 2:30 – 4:30+ | Auditorium | Ryan Kubasiak | iOS Digital Forensics and iCloud |
Wednesday March 26, 2014 |
|||
| Time | Room | Speaker(s) | Title |
| 7:30 – 8:45 | Lobby | BREAKFAST | NO FOOD OR DRINK ALLOWED IN AUDITORIUM |
| 9:00 – 10:00 | C-214 | Kevin Ripa | Computer Forensics in the Courtroom |
| C-206 | Brandon Leatha Arnold Garcia |
Mobile Device Forensics: Application Analysis Tools and Techniques | |
| C-151 | Walter Hart | Potential for Volatile Memory Persistence | |
| C-101 | All Purpose Room: Break, Networking, Speaker reset | ||
| 10:00 – 10:30 | BREAK | ||
| 10:30 – 11:30 | C-214 | Russ McRee | C3CM – Defeating the Command, Control and Communications of Digital Assailants |
| C-206 | Brian Muchinsky, Esq. | Do the Right Thing: A Guide to Ethical Dilemmas and How to Address Them | |
| C-151 | Amelia Phillips | Comparing eDiscovery Software | |
| C-101 | All Purpose Room: Break, Networking, Speaker reset | ||
| 11:30 – 1:00 | Lobby | LUNCH | CTIN BOARD ELECTIONS MEETING |
| 1:00 – 2:00 | C-214 | Kevin Ripa | Fly Away Kits |
| C-206 | Gordon Mitchell | Expert witness: Dumb Things I Have Done in Court; Photography: A great communication tool | |
| C-151 | Terry Lahman | Observation Skills: I Spy with My Little Eye | |
| C-101 | All Purpose Room: Break, Networking, Speaker reset | ||
| 2:00 – 2:30 | BREAK | ||
| 2:30 – 3:30 | C-214 | Kevin Ripa | Web Page Reconstruction |
| C-151 | Dave Matthew | Legal Considerations Around Mobile Computing | |
| C-101 | Terry Lahman | Cell Towers GPS Technology | |
| 2:30 – 4:30+ | C-206 | Troy Larson | Digital Forensics and Incident Response — Mastering the Battle of Attrition |
| C-101 | All Purpose Room: Break, Networking, Speaker reset | ||
KEYNOTE SPEAKER TROY LARSON
TOPIC and DESCRIPTION
Don’t Let Your Tools Make You Look Bad
Good tools help make good forensics work, while bad tools invite disaster. Even the best of tools, however, can make you look bad. Tools have limits. Tools have bugs. The solution is to better understand that systems and data that you investigate.
BIOGRAPHY
Troy Larson works in Microsoft’s Network Security Analytics team, where he conducts forensics investigations and serves as the technical lead for the Microsoft Network Security host analysis team. The Microsoft Network Security host analysis team provides digital forensics expertise and analysis in support of various security related investigations. Troy is a frequent speaker on Windows and Office incident response and forensics issues. Troy received his undergraduate and law degrees from the University of California at Berkeley, and has been working in the field of digital forensics since the late 90s.
‘Troy is the go-to guy for Windows forensic knowledge. WinFE, dozens of briefings on Windows, and practical experience doing investigations distinguish his career. We are fortunate to have him address the CTIN conference.’ – Gordon Mitchell
TOPIC and DESCRIPTION
Mac Forensics 101 (with RYAN KUBASIAK)
Most of us encounter one Mac for every 50 or more PCs. Learn some tips and tricks for imaging Macs as well as potential pitfalls in capturing data for ediscovery purposes. Also learn how the “pitfalls” for ediscovery can be gold mines for a forensics exam. Ryan Kubasiak is the author of Mac OSX, iPod and IPhone Forensic Analysis and his presentation will take over where this one ends.
BIOGRAPHY
Allison Goodman is the President of eDiscovery Inc., a consulting firm that provides electronic discovery consulting and computer forensic services to law firms and corporate counsel nationwide. She has served on the University of Washington’s Advisory Board for its computer forensics and electronic discovery programs, has taught computer forensics at Bellevue Community College and presented numerous seminars on the topics for various agencies such as the Washington State Bar, King County Bar and the University of Washington law school.
TOPIC and DESCRIPTION
FIRST PRESENTATION
E-Discovery and International Law
Digital forensic investigations are growing in number not only in the United States but nations around the world. The activities of multinational corporations and cybercrime cross jurisdictional boundaries on a daily basis. The research presented lays the foundation by examining existing international laws and treaties, and then uses the three case studies to address constitutional issues, civil and criminal law as they pertain to digital evidence. By ascertaining where the similarities and differences lie, a grounded theory approach is used to provide digital forensic examiners, legal staff and investigators a basis that can be used to approach digital cases that come from or must be presented in foreign jurisdictions. As more countries struggle to establish their digital laws regarding investigations, the resulting approach will serve as a guide and reference.
SECOND PRESENTATION
Comparing E-Discovery Software
As with any new field, the options are endless. This presentation will look at three options and do a comparison of capabilities. It will also introduce you to some of the others and how they will affect your infrastructure moving forward. EDiscovery is expected to continue with double digit growth for the next 5 years. It is critical that all companies prepare for it before it costs them millions.
BIOGRAPHY
Dr. Amelia Phillips is a graduate of the Massachusetts Institute of Technology with a BS in Astronautical Engineering and a BS in Archaeology. She recently earned her doctorate in Computer Security at the University of Alaska Fairbanks as an interdisciplinary degree.
After working as an engineer at the Jet Propulsion Laboratory and TRW, Amelia worked with e-commerce sites and began her training in digital forensics and investigations during the dot-com boom. She has designed certificate and AAS programs for community colleges in e-commerce, network security, digital forensics and data recovery. Amelia co-authored the textbook Guide to Computer Forensics and Investigations now in its fourth edition. This year the first edition of her next textbook E-Discovery – An Introduction to Digital Evidence was published. Amelia is program lead for the Network Security and Data Recovery/Digital Forensics for Highline Community College in Seattle. She was also the lead for Highline’s first Bachelor of Applied Science degree in Cybersecurity and Forensics which goes online in the Fall of 2014. Amelia is the Regional Director of the Pacific Rim Collegiate Cyber Defense Competition (PRCCDC) which Highline has hosted since 2010. The 7th annual event with be this March at Highline.
Amelia also is active in working with developing nations in e-learning, retention, network security, digital forensics and entrepreneurship. She is currently tenured at Highline Community College in Seattle, WA and is serving as the Chair of the Pure & Applied Science Division. Amelia was a visiting Fulbright Scholar at the Polytechnic of Namibia in 2005 and 2006.
ARNOLD GARCIA and BRANDON LEATHA
TOPIC and DESCRIPTION
Mobile Device Forensics: Application Analysis Tools and Techniques
There are hundreds of thousands of mobile device applications available, with more being created every day. It is impossible to predict which of these applications may require analysis in your next investigation. From chat logs to geo-location data, social media to file synchronization apps, this presentation will teach you innovative tools and techniques for forensic analysis of mobile device applications – giving you a leg up the next time you encounter a new source of electronically stored information.
BIOGRAPHIES
Mr. Arnold Garcia is a Senior Consultant in the Costa Mesa office of iDiscovery Solutions, Inc. (“iDS”). Mr. Garcia provides services in digital forensics, electronic discovery, technical support, and lab management. He has recorded, collected, and imaged over one thousand different data sources. He conducts examinations of all types of digital media, including computers, cameras, cell phones, PDAs, thumb drives, networking devices and other digital media. His experience includes cases dealing with theft of intellectual property, misappropriation of trade secrets, data recovery, embezzlement, and criminal matters. Mr. Garcia has worked with sensitive data involving major data acquisition efforts in Asia and Europe.
Mr. Brandon Leatha, a Director at iDiscovery Solutions, Inc. (iDS), is an expert in e-Discovery, data analytics, and computer forensics. With over 13 years of consulting experience in the litigation support industry, Mr. Leatha advises clients throughout the e-Discovery lifecycle, providing guidance on data preservation, evidence collection, data reduction strategies, review methodology, and document production. He has extensive experience performing computer forensic investigations, structured data analytics, and assisting clients in the effective utilization of technology assisted review (TAR). Mr. Leatha has been a corporate 30(b)(6) witness, a court-appointed neutral computer forensics examiner, and has testified on numerous electronic discovery and computer forensics issues. He has been an active member of the Sedona Conference Working Group on Electronic Document Retention and Production (WG1) since 2005 and is an active member of the Computer Technology Investigators Network (CTIN). Mr. Leatha has provided training on electronic discovery and computer forensics for seminars, CLE courses, and industry training events. Prior to joining iDS, Mr. Leatha was the founder and owner of Leatha Consulting LLC and the Director of ESI Consulting and Data Analysis at Electronic Evidence Discovery (EED). He is based in Seattle, Washington.
TOPIC and DESCRIPTION
Do the Right Thing: A Guide to Ethical Dilemmas and How to Address Them
BIOGRAPHY
Brian Muchinsky practices commercial litigation with Nold Muchinsky PLLC; including many cases on the cutting edge of electronic discovery.
TOPIC and DESCRIPTION
FIRST PRESENTATION
Electronic Evidence / Case Law
SECOND PRESENTATION
Exercising Your Incident Response Plan
THIRD PRESENTATION
Legal Considerations around Mobile Computing in the Workplace
TOPIC and DESCRIPTION
This presentation will cover the forensic review of Apple iOS and Android mobile devices, what type of data can be recovered, where to search, and how to interpret the data once recovered.
BIOGRAPHY
David Stenhouse is the President of DS Forensics, Inc. Mr. Stenhouse is a former Special Agent in the United States Secret Service. From 1998 to 2000, he was assigned to the Electronic Crimes Special Agent Program (ECSAP) where he conducted investigations involving the use of electronic data in crimes. Prior to his time in the Secret Service, Mr. Stenhouse was a Trooper in the Washington State Patrol.
Mr. Stenhouse is a digital forensic examiner, and has performed hundreds of forensic examinations on multiple types of hardware and operating systems, in criminal cases and civil litigation. Mr. Stenhouse routinely provides expert guidance and training to attorneys and corporate clients faced with the task of electronic discovery. He has been appointed by the court as a neutral expert in numerous cases to create electronic discovery plans, capture and analyze electronic data and provide conclusions in regards to such electronic data. He has also been hired to act as a special advisor to the court, providing assistance in the understanding of technical concepts. He has testified in State and Federal court in numerous criminal and civil cases, and has testified in Federal court as an expert witness in computer-generated evidence.
TOPICS and DESCRIPTION
FIRST PRESENTATION
JumpBag: what to have ready for that next job; and Timelines: generating logical information easily
Jump bag: Suggestions of what to carry to jobs, trying to avoid leaving that critical tool at home. Please email me your list of favorite tools before the conference.
Timelines: Avoiding the pain of doing it all by hand. Just looking through file dates and folding in browser events can easily take an hour of analysis per hour of activity. Tools like the timeline builder in X-Ways Forensics, Splunk, and even Excel can help.
SECOND PRESENTATION
Encryption: your friend and your enemy
How to protect images in transit, ways to get around whole disk encryption, suggestions for protecting your own data, caution adult material (math) will be discussed.
THIRD PRESENTATION
Expert Witness: Dumb Things That I Have Done in Court; and Photography: A great communication tool
Expert Witness: Dumb things that I have done in court: avoiding the obvious mistakes that experts make in the presence of lawyers. Full disclosure — attending this talk may turn you into a cynical wisecracking expert witness.
Photography: A great communication tool. How pictures can make your report human-readable, the secret value of pictures (compensating for inadequate notes), tricks for using little cameras to get great photos
BIOGRAPHY
Gordon has been around CTIN from the early days. He runs Future Focus, a company that does engineering design, debugging and computer forensics. Gordon’s background includes interesting jobs: flying for the US Navy a few wars back, work in big companies, and startups. He has the usual initials after his name; PhD, CPP, CISSP, CPS, GSEC, GCIH, GPen…
TOPIC and DESCRIPTION
Defrag Forensics will take examiners through the ins and outs of the built in Windows Defrag program. We will go through how the defrag works, the different ways it can be run and what effect it has on a data set. The main focus throughout the presentation will be on proving or disproving user input in the execution of the Defrag program, which can mean the difference between intent/spoliation, or not.
BIOGRAPHY
John Cotton has been conducting computer forensic investigations for 5 years, and has a strong background in Network Security and Intrusion Mitigation. John has been accepted as an expert in court proceedings, and routinely gives lectures on Social Media Evidence to judges and attorneys. He is currently serving as lab coordinator with Computer Evidence Recovery, Inc, where he continues to hone his craft.
TOPICS and DESCRIPTION
FIRST PRESENTATION
Data Recovery (Beyond the Software)
Data recovery is probably one of the most misunderstood technologies in the computer world. Myths abound about how to recover data, with freezing your hard drive being a very common one of these myths. This presentation will get down to the nuts and bolts of data recovery, including the actual internal workings of the drive, what to do when a drive motor fails, when read/write heads fail, and when programming turns the hard drive into a brick. This is presented in layman’s terms so it is very easy to understand. We will be showcasing the best software to use for easier recoveries, as well as live demonstrations of some of our lab equipment for advanced data recovery! By the end of this lecture, you will be much more knowledgeable on how hard drives work, how data lives, and how to recover it when all seems lost.
SECOND PRESENTATION
Why The Bad Guys Win
How frustrating is it when another pedophile skates on a possession charge? How many times has your evidence been successfully challenged? This can make any anyone question why they should even bother. This lecture will look at the three biggest mistakes made by LE and Prosecutors, and how to ensure they are no longer made. As well we will look at two of the biggest sham defenses used in court, and how to successfully defeat them! This is a must attend for LE, Prosecutors, Attorneys, and anyone that might end up in a court room.
THIRD PRESENTATION
Computer Forensics in the Court Room—1.0-1.5 Hours
This presentation will give instruction on how computer forensics can be used in testimony. It discusses the differences between civil and criminal matters, as well as addressing dealing with attorneys, courts, judges, and juries. We will also discuss in detail, the art of testifying in court. This is a very informative lecture for anyone that may find themselves in a court room.
FOURTH PRESENTATION
Fly Away Kits – 1.0 Hours
Many of us get quite used to being surrounded by an entire lab full of equipment when we are conducting an acquisition and analysis. But what about when you have to fly 1000 miles to gather the evidence, and must create your image “on site”? There is nothing more frustrating that showing up with the wrong equipment, wrong adapters, etc. It makes you look unprofessional, and costs money. This presentation will explore tried and proven fly away kits, their contents, hands on examples, as well as what to have, why to have it, where to get it, and how to keep it compact. As a bonus, attendees will see first hand, a forensic computer built into a briefcase. This is a full blown, “as-powerful-as-the-lab” unit with all the bells and whistles. There is no compromise on speed or attachments, you can build it yourself, and most importantly, no hefty multi thousand dollar price tags!
FIFTH PRESENTATION
Web Page Reconstruction – 1.5 Hours
Online activity. It is a ubiquitous part of computer use, but is amazingly misunderstood by many investigators. This presentation will address how web pages work, how they get to be on your computer, how they are stored, and most importantly, how to rebuild them without expensive software! In many investigations, the internet artifacts can be something much different in context than they appear to be when they are viewed out of context. Beyond this, we will look at ways of finding how a website used to look, as well as how to find historical whois information on a particular website. This lecture will focus on Internet Explorer and Firefox.
BIOGRAPHY
Kevin J. Ripa, is a former member, in various capacities, of the Department of National Defence serving in both foreign and domestic postings. He is now providing superior service to various levels of law enforcement and Fortune 500 companies, and has assisted in many sensitive investigations around the world. Mr. Ripa is a respected and sought after individual within the investigative industry for his expertise in Information Technology Investigations, and has been called upon to testify as an expert witness on numerous occasions. He has been involved in many complex cyber-forensics investigations. Mr. Ripa can be contacted via email at kevin@computerpi.com.
TOPIC and DESCRIPTION
An Analysis of Microsoft Event Logs (Second Presentation)
Microsoft Windows event logs are central to conducting an investigation when determining whether or not a virus has been installed on a targeted system. However, there was very little substantial research about Windows event logs and how they are used in conducting an investigation. This research explores forensic artifacts recovered during an investigation to determine whether virus activity may be involved. The research describes the relevance of the event logs and discusses various techniques used for investigators to collect and examine the logs. Three viruses, Fizzer, Zeus, and MyDoom were installed and run in virtual machines to determine what events will populate in the logs. This research also explains best practices regarding the use of Windows event logs in an investigation. Keywords: Cybersecurity, Professor Christopher Riddell, Professor Cynthia Gonnella, Security, Application, System, Malware.
BIOGRAPHY
Michelle Mullinix currently works at Department of the Army, Network Command (NETCOM), 7th Signal Command (Theater), 106th Signal Brigade, Network Enterprise Center (NEC), in the Cyber Security Risk Management Branch. She is a Graduate of DeVry University in Computer Information Services (CIS) – Computer Forensics Track and recently completed her Master of Science in Cybersecurity Intelligence and Forensics at Utica College. She has over 16 years of service in the US Army as in Intelligence Analyst and Combat Medic. She served in Desert Shield and Desert Storm, supported Bosnia and Operation Iraqi Freedom. She currently has her Security + Certification and MCITP in Windows 7. She has 4 years experience in Computer Forensics and Risk Management for her former employer, CECOM, Software Engineering Center, Field Support Division based at Joint Base Lewis McChord in Tacoma, WA. She is currently writing Technical Process documents for her current employer to process evidence requested in Litigation Hold orders. Additionally, in her current duties, she performs risk management for military units connecting to the Department of Defense (DoD) Global Infrastructure. She is married for 26 years, has four children, 3 of which have served or is serving in the military and has 3 grandchildren. Her final project for her Master’s Degree was an Analysis of Windows Event Logs.
TOPIC and DESCRIPTION
FIRST PRESENTATION
Understanding Web Application Security Attacks for Investigators
Web and application logs can be analyzed with specific attention to web application security attacks, allowing investigators to recognize the nature of these attacks as defined by the OWASP Top 10. Investigators therefore need to understand how the OWASP Top 10 covers the most critical web application security flaws and how they’re exploited. Via web application specific examples this discussion will cover analysis of attacks and exhibit traits, trends, and tendencies from attacker and victim perspectives. Investigators will leave enabled with resources and ways and means to identify when and if a compromise may have occurred.
SECOND PRESENTATION
C3CM – Defeating the Command, Control, and Communications of Digital Assailants
C3CM is a means with which to identify, interrupt, and counter the command, control, and communications capabilities of our digital assailants. Each of these three phases (identify, interrupt, and counter) will be described with tooling and tactics, complete with demonstrations and methodology attendees can put to use in their environments.
Based on the three part ISSA Journal Toolsmith Series: https://holisticinfosec.blogspot.com/search?q=c3cm&max-results=20&by-date=true
Virtual machines will be available in advance for attendees who wish to review in advance or interact in real time
BIOGRAPHY
Russ McRee directs the Threat Intelligence & Engineering team for Microsoft’s Online Services Security & Compliance organization. He writes Toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security and Linux Magazine. Russ also speaks regularly at events such as DEFCON, SANSFIRE, BlueHat, and Black Hat, and is a SANS Internet Storm Center incident handler. His work includes service in the Washington State Guard as the Cybersecurity Advisor to the Washington Military Department.
TOPIC and DESCRIPTION
FIRST PRESENTATION
Mac Forensics 101 (with ALLISON GOODMAN)
SECOND PRESENTATION
Mac Forensics 201
Ryan Kubasiak of BlackBag Technologies has literally written the book on Mac OS X Forensics. As a former NY law enforcement officer, Ryan will be using his investigative experience and Apple expertise to provide a comprehensive look into solutions for the ever-evolving challenges associated with Apple Forensics, including new system, architecture, user interface and encryption implementations.
THIRD PRESENTATION
iOS Digital Forensics and iCloud
This presentation will show just how interconnected Apple’s latest technologies have become, and explain how the failure to fully understand the relationships between these components can end an analysis early. Covering a range of topics from pairing certificates and iOS backups to iCloud sync data, Ryan Kubasiak of BlackBag Technologies will help investigators learn to make informed decisions when searching for essential data in the Apple ecosystem.
BIOGRAPHY
Ryan Kubasiak joined the New York State Police Department in 1998. He served as an investigator in the Computer Crime Unit and was assigned to high profile cases including crimes against children, homicides, network intrusion, and server analysis. Mr. Kubasiak joined BlackBag Technologies in 2012 as a Forensic Analyst and Instructor. Ryan is motivated by curiosity and a quest for knowledge, and his enthusiasm in the classroom is inspiring. This enthusiasm is shared with all through his website, AppleExaminer.com.
Besides the official presentations, Ryan will be at the conference for all attendees. Ryan wants to get to know the attendees and the attendees get to know him. He will also be available to talk about specific topics.
TOPIC and DESCRIPTION
FIRST PRESENTATION
Observation Skills: I Spy With My Little Eye
Digital Forensics relies on the ability to visually notice anomalies and patterns. In this engaging, interactive, workshop participants will learn some of the challenges associated with processing visual information, including many of the clever ways our eyes and brains trick us. Skills will be taught that the participant can easily learn and practice to improve their performance in identifying relevant information.
SECOND PRESENTATION
Cell Towers GPS Technology
With cell phones playing a key role in more and more court cases, the importance of understanding GPS technology is increasing rapidly as it is being built into more and more devices.
Cell phone tower locations are identified using GPS coordinates. Cell phone records indicate which towers are used during phone calls. In this workshop, participants will learn how to read cell tower information from call detail records, and how to utilize the longitude, latitude, and orientation of a cell tower to plot the cell tower and orientation of the antenna.
BIOGRAPHY
Terry Lahman, Chief Digital Forensics Analyst at eForensicsPro, specializes in computers, tablets, GPS devices, and cell phones. He has over 35 years experience in the fields of computers and electronics, including 17 years at Microsoft where, among numerous other projects, he helped develop software tests for the NTFS file system and Windows NT memory manager. His software development abilities span both Microsoft Windows and Apple iOS platforms, and his extensive knowledge of Windows and expertise in software testing bring valued skills to the digital forensics field.
TOPIC and DESCRIPTION
Digital Forensics and Incident Response—Mastering the Battle of Attrition
Investigating a suspected computer compromise or intrusion can be difficult. In a sense, that is by design. Malicious actors can go to great lengths to conceal their activities. A computer compromise investigation can easily become a battle of attrition between the investigator’s skill and knowledge and the trace evidence left an attacker on a computer. To effectively investigate a sophisticated compromise, forensics investigators must be prepared to exhaust the available evidence. This presentation looks into the goals and methodologies involved in compromise investigations and discusses the sorts of evidence that an investigator might consider in trying to answer the what, when, who, how, and why questions of a computer compromise investigation involving Windows.
BIOGRAPHY
Troy Larson works in Microsoft’s Network Security Analytics team, where he conducts forensics investigations and serves as the technical lead for the Microsoft Network Security host analysis team. The Microsoft Network Security host analysis team provides digital forensics expertise and analysis in support of various security related investigations. Troy is a frequent speaker on Windows and Office incident response and forensics issues. Troy received his undergraduate and law degrees from the University of California at Berkeley, and has been working in the field of digital forensics since the late 90s.
‘Troy is the go-to guy for Windows forensic knowledge. WinFE, dozens of briefings on Windows, and practical experience doing investigations distinguish his career. We are fortunate to have him address the CTIN conference.’ – Gordon Mitchell
TOPIC and DESCRIPTION
Potential for Volatile Memory Persistence
RAM is known to potentially contain many forensic artifacts related to investigations such as incident response, child exploitation, and almost all other computer forensic cases. These artifacts can include evidence such as images or partial images, malware code or partial malware code, passwords or password hashes, port and process data, and words used in a variety of computer applications.
This presentation will examine scenarios when RAM appears to persist after shutdown, re-boot, and removal of power. Testing is done where RAM is captured when it is known to be clear then after using the computer in a variety of shutdown scenarios including, but not limited to; normal shutdown, pulling the plug, normal shutdown followed by pulling the plug, those scenarios and removing the RAM modules from the computer, etc. These tests are also performed on a laptop computer which adds the element of battery power to the above scenarios.
BIOGRAPHY
Walter T. Hart, Senior Manager, Professional Services, Western Region
Currently the Senior Manager for AccessData Group Professional Services for the Western Region, Walter has been active in Digital Forensics and investigations since the early 1990s for the United Stated Government. In that capacity, Walter was involved in investigations related to all manner of crimes involving digital media including cyber security, terrorism, theft of intellectual property, identify theft, Racketeer Influenced and Corrupt Organizations Act (RICO), homicide, and child exploitation, to name a few. Walter supervised a local digital forensics lab for the Department of Homeland Security, Homeland Security Investigations Special Agent in Charge, San Francisco. Walter has performed and/or supervised hundreds of digital forensics examinations.
Walter has Certified Information Systems Security Professional (CISSP), Certified Forensic Computer Examiner (CFCE), GIAC Security Essentials (GSEC), GIAC Information Security Professional (GISP), AccessData Certified Examiner (ACE), and CompTIA A+ certifications and is a member of the American Academy of Forensic Sciences (AAFS), the High Technology Crime Investigation Association (HTCIA), the High Tech Crime Consortium (HTCC) and the International Systems Security Association (ISSA). Walter is an Airline Transport Pilot, a certified aircraft mechanic and inspector and a trained aircraft accident investigator.
2013 Conference Agenda
The agenda for the 2013 conference was extensive, seen below.
Auto-Validate your forensics results using NIST test vectors, civil or criminal, with an emphasis on Linux Ext 4 handhelds (Nathan Watt)
There is a new wave afoot and that is androids 100 percent adoption of Ext 4, not to mention the new laser disks 20-40-60 TB’s will have a much broader buy In in business systems due to the inability of windows to currently cope with those systems using only ntfs. The linux kernel changed ext 4 in some giant ways just in the past 2 weeks getting ready for more mainframe uses as well as new webserver topologies.
Investigating APT A Methodology for Incident Response (Michael Panico)
In 2011, the public witnessed a number of critical information security incidents as they played out in the press. In addition to the high profile attacks perpetrated by the likes of Anonymous and Lulzsec, Advanced Persistent Threats continued to compromise countless enterprise networks, stealing vital intellectual property. Furthermore, these attacks are no longer restricted to the defense industrial base and are now targeted at companies in multiple sectors of the economy. Drawing on his recent experience in investigating APT incidents, our speaker will outline a methodology of responding to these threats, including a review of some of the network and host based artifacts that may be left behind by attackers.
Case Studies and Current Trends (Ivan Orton)
A presentation of several case studies from one of the most respected cybercrime prosecutors in King County, Ivan Orton. Be prepared to be not only to hear about the trends of cybercrime over the past decades, but also be entertained by a great speaker.
Data recovery for forensic examiners (Richard Leickly and David Angell, Circle Hook Data Recovery)
Every digital forensic examiner will – sooner or later – find their examination stymied by a hard drive that they cannot image. David and Richard will demonstrate the problems that beset hard drives: problems that can make them difficult or impossible to examine. They will demonstrate their techniques for diagnosing unreadable hard drives and will show how these problems can be overcome.
Eating the Elephant! Critical Infrastructure Protection: Context, Process & Priorities (Bruce Beebe)
In October of 1997 the President’s Commission on Critical Infrastructure Protection (CIP) published its report Critical Foundations, Protecting America s Infrastructures detailing what was new and unique about the infrastructure problem and, in broad terms, pointing a way ahead. This presentation outlines the development of Critical Infrastructure Policy since before that October report. Furthermore, it addresses the impact of culture and other organizational influences on the development of national policy (using CIP as the vehicle), it explains the state of current CIP policy and it recommends an alternative approach to that used today, a network-centric approach more in keeping with the recommendations of the October report’s authors.
Recommended Audience,Anyone holding a position related to the development of CIP policy (politicians, strategic planners, or those supervising policy development for CIP) and first responders or those with front line responsibilities for safeguarding infrastructure who should understand how developing the wrong CIP policy, one that focuses on them, will likely increase both their costs and their workload.
Electronic Evidence ( Dave Matthews)
In this presentation David will talk about the electronic data that surrounds all of us in an ever deepening fog. He will enumerate all of the different types of data, their sources and where and how they are stored. He will give real life examples and leave you with concrete advice on how to better understand, recover, and manage your electronic identity and the data that you create every day whether you know it or not. This presentation will be equally valuable for the forensics professional, legal or management staff, HR, or just the lay person who want to better understand the world of electronically stored information in which we all live.
Evidence Analysis and Reporting using Internet Examiner (John Bradley)
The ability to efficiently, thoroughly and effectively investigate internet evidence will be illustrated using Internet Examiner (formerly CacheBack). Attendees will be shown how to discover, collect, import, bookmark, extract, decode and report on a wide variety of internet artifacts. Advanced examination topics that will be covered include and are not limited to: Bookmark, Exclude, and Quarantine record filtering (queries); picture analysis using aspect ratio filtering; movie frame-by-frame storyboard reporting; rebuilding web pages; time zone configuration; rich HTML reporting and disclosure techniques.
Evidence Discovery Using NetX Triage (John Bradley)
Attendees will learn how to recover internet artifacts from Windows, Mac, and Unix-based systems using the SiQuest new forensic discovery tool: NetX Triage. A particular focus on GREP expressions, proximity searches and data carving in unallocated space will be covered. Recovery techniques for internet artifacts such as social networking, online chat, email, peer-to-peer, mobile device data, and multimedia will be discussed in detail. This presentation sets the pace for the next presentation: Evidence Analysis and Reporting using Internet Examiner.
Expert Testimony (Christopher K. Steuart)
FTK by Accessdata (Glynn LeBlanc)
A demonstration of the latest features in Forensic Tool Kit (FTK). Virtualization, Cerebus, Making Thumbnails for Videos and many others.
Data Hiding (How to hide data on hard drives which is undiscoverable by conventional forensic software) (James Wiebe)
In this presentation, James Wiebe will present some new thoughts on how data may be hidden on hard drives. Covering old concepts first, (such as Host Protected Areas), James will also present alternative methods for hiding information on hard drives, such as in supervisory areas. These areas are never visible through standard drive commands, and are also are not visible to any operating system. Also discussed will be a hypothetical examples of how drives may be tampered by sophisticated bad guys in order to provide facade characteristics to a forensic investigator.
Macintosh Artifacts (Glynn LeBlanc)
Have you encountered FileVault Encryption? How about the new Full Volume Encryption provided in Lion and Mountain Lion? In this module we will discuss and demonstrate how to defeat File Vault and File Vault II encryption using the Password Recovery Tool Kit from Access Data. A lot of data on a Macintosh is stored in Property List or Plist. There are two versions of Plist, XML and Binary. We will discuss issues with carving Plist from unallocated space. XML Plist are easily carved automatically while the binary Plist have to be carved manually due to the footer being different for each Plist. Setting up automated carvers and manually carving the binary Plist will be demonstrated with FTK.
Memory Analysis with Volatility (Russ McRee)
This discussion will cover the complete life cycle of memory acquisition and analysis for forensics and incident response, using Volatility.
Volatility has been referred to as the Python version of the Windows Internals book, given how much can be learned about Windows by reviewing how Volatility enumerates evidence. We’ll conduct real-time analysis and examine Volatility’s plug-in capabilities.
The Volatility project shortens the amount of time it takes to put cutting-edge research into the hands of practitioners, while encouraging and pushing the technical advancement of the digital forensics field.
Join us and learn more about this outstanding tool.
Mobile Device Forensics (Dave Stenhouse)
This presentation will cover the forensic review of Apple iOS and Android mobile devices, what type of data can be recovered, where to search, and how to interpret the data once recovered.
How to Succeed When Facing Challenges in your Forensic Examinations (Bill Nelson)
Are you prepared to deal with increase cost of forensic software tools, or keeping up with the latest training because of major O/S releases? This along with the constant challenge of limited budgets to acquire the latest tools and to keep up with training will be the topic of discussion for this presentation by Bill Nelson. What will be discussed are such things as identifying your comfort level when using other tools that you may have had little or no training in their use. Determining what problem solving skills you have and how to improve them to create work-a-rounds when you find yourself in a situation without the proper tools to do an acquisition and an analysis.
Forensics on a Shoestring , “Open Source Forensics” (Brett Shavers)
Open Source Forensics Tools: The practice of digital forensics is changing rapidly to match the ways that we use digital technologies and the threat landscape we face. This presentation will show how incident responders and forensic practitioners can add live memory collection and analysis as well as registry analysis to their professional repertoire using Open Source tools.
“New Digital Forensics on New Digital Devices” (Gordon Mitchell)
Electronic evidence from phones, security systems, cameras, web sites, toasters… can be critical to investigations. They all include computers that will yield clues to your skills and common forensic techniques. This talk will illustrate techniques that worked in actual cases to recover clues and to validate observations for court testimony.
Placing the Suspect Behind the Keyboard (Brett Shavers)
Instruction in a workflow process to identify and place the suspect behind a keyboard in civil litigation or criminal investigation cases. Methods to expose suspect knowledge and intention along with case presentation to be discussed. A door prize of the new book, Placing the Suspect Behind the Keyboard, to be given during the presentation.
Predicting Violence through Forensic Examinations of Computers (Gordon Mitchell)
After a big investigation we often sit back and wonder what could have been done to prevent the problem. Of course, anyone who is involved in forensics can see the obvious answer…. Except in earthquakes, few situations are triggered by unexpected events. Crimes are usually planned and sometimes even rehearsed. This activity generates observable clues which can be used to predict violence. Gordon will think through a few interesting cases using them to illustrate some of the signs of impending violence.
Raw Data Carving (Kevin Ripa)
You have used all of the utilities in EnCase, FTK, and other programs to carve files from unallocated file space. Do you think you have found everything? If you answered yes, guess again. The only way that carving utilities are able to recover deleted data automatically is through file header and footer identification, and this recovers an intact file. In other words, a file has been deleted, but not yet overwritten by new data.
What happens if part of the deleted file is now overwritten, but some of the old data still exists? What about file fragments from slack space? This informative and easy to follow lecture will show the attendees how they can manually carve data from unallocated files space, and also what to do with it so that it is useful. We will also be discussing data recognition. This means being able to not only see the search hit, but identify the context in which it is being seen. This alone has solved many cases in our lab!
Registry Forensics (Terry Lahman)
The Windows Registry is full of artifacts that can benefit a computer forensics investigation. Attendees will be shown various hardware, software, configuration, network, and usage artifacts. Open source tools RegRipper and Registry Decoder along with commercial tools Registry Recon and Registry Viewer will be utilized to demonstrate the extraction and analysis of registry artifacts.
Social Network Investigations (Ron Godfrey)
Obtaining online open source information as evidence in civil litigation or criminal investigations. Advanced searching techniques, deep web demonstrations, capturing and preserving online evidence using open source/free software utilities. Beneficial to civil and criminal cases, the online world has a wealth of information to beneift your cases. This presentation includes getting into the Dark Web, where anything and everything you never wanted to know exists.
The very latest on Solid State Drives and forensic practice (James Wiebe)
In this presentation, James Wiebe will provide an updated presentation on how Solid State Drives function, with a specific focus on forensic practice. The forensic examiner will understand how to approach the investigation of a Solid State Drive, in order to ensure highest quality of evidence collection. Covered topics include wear leveling; internal compression; Logical to Physical address translation, all with a strong forensic focus.
Tips and Tricks on utilizing the new features of EnCase Version 7 (William Sutter)
This presentation will include: The case backup application; The case review package; Importing multiple hash values, legacy hash sets and reporting on the contents of the hash library; The new direct preview function of EnCase, and the ability to examine and image a live compromised computer system; Special purpose EnScripts.
Tracking USB Devices (Colin Cree)
The ease of USB thumb drive use, in transferring and storing data has led to its use for nefarious purposes. Subjects have used thumb drives to hide the artifacts of their online habits, store illicit data, spread malicious code and steal proprietary data. Investigators are increasingly called upon to cull digital evidence for signs of USB storage devices. This session will provide methodologies for forensic investigation of USB attached storage devices, including USB hard disks, with a focus on Windows 7. This presentation is a detailed examination of the devices and their artifacts.
Why The Bad Guys Win (Kevin Ripa)
How frustrating is it when another pedophile skates on a possession charge? How many times has your evidence been successfully challenged?
This can make any anyone question why they should even bother. This lecture will look at the three biggest mistakes made by LE and Prosecutors, and how to ensure they are no longer made. As well we will look at three of the biggest sham defenses used in court, and how to successfully defeat them! This is a must attend for LE, Prosecutors, Attorneys, and anyone that might end up in a court room.
Windows Forensics Environment, WinFE (Brett Shavers)
An overview of Linux and Windows forensics bootable operating systems with an emphasis on the Windows Forensic Environment (WinFE). A focus on building a customized WinFE will be demonstrated.
Visualization Forensics (Ron Godfrey)
The computer you examine today might not be one computer! Technology allows multiple computers to reside on one physical device in the form of virtual computers. Identifying these systems, and more importantly how to extract evidence from the virtual machine is critical. Forensic imaging, mounting, and extraction of virtual machine data will be covered in this presentation.
Windows 8 Forensics (Troy Larson)
The newest, most up to date, never seen before information on Windows 8 Forensics. Windows 8 is here and if you want to keep up to date and even be ahead of the field, this is one of those presentations to experience.
Windows Time Stamp Forensics (Randall Karstetter)
The time associated with an event or artifact of evidence on a computer is an important and sometimes critical piece of information in a computer investigation. It is the basis of timeline analysis. And yet, the understanding, evaluating and validation of time stamp evidence is not an area that is well investigated and published. In fact, some of what is written can be misleading and inaccurate. This presentation looks at the fundamentals of time creation and maintenance on the hardware level, the interaction of the Windows operating system with the hardware time systems, the function of the operating system maintaining and updating system time, and known factors such as viruses that can alter system time.
Methods of validating system time before and after a critical time event are provided. A review of published literature is explored and then results of original research is presented on the function and factors involved with the operating system assigning and changing time stamp information on files created, moved, modified and accessed. The goal is to provide a take-away of fundamental rules for examiners to use and further test in their practice. And then the use of the dreaded anti-forensic program TIMESTOMP is analyzed and evidence presented to detect and uncover its use to alter time stamps.
X-Ways Forensics (Pete Donnell and Brett Shavers)
Two sessions covering X-Ways Forensics. Session 1 covers an introduction to X-Ways Forensics, the interface and basic case flow process. Session 2 covers detailed metadata extraction, advanced data carving and use of scripts.