Open source Android forensics: An HTCIA student charter project

March 8, 2012

We always like to hear about the cool new projects our students are engaging in, so we were excited to see University of Cincinnati student charter president Shadi Dibbini post on our Facebook page:

When we saw the site osaf-community.org, we definitely wanted to talk more with Shadi about his team’s project!

HTCIA: How did you get the idea for Open Source Android Forensics? How long have you been working on it thus far?

SD: My team started working on this project at the beginning of the school year, late September, and it has to be completed by the beginning of May. In May, we will be presenting at the University of Cincinnati’s Tech Expo event. The Tech Expo is a showcase of senior design projects from IT students, and students from other programs. The event is entirely open to the public, so feel free to come down and check out all the cool projects.

I came up with the idea of Open Source Android Forensics (OSAF) because I really enjoy forensics, and I have been a smartphone enthusiast for the past 8 years. A little off topic here, but believe it or not, I used to buy a new smartphone every three months so that I could have the best device currently out on the market… I learned pretty fast that I was wasting my money, so I quit buying that many phones.

Besides the fact I enjoy forensics and smartphones, what caught my eye a few years ago, during the rise and popularity of Android, was the fact that Google does not have a vetting procedure for the applications that are published on the market. Google is smart by allowing any publisher to rapidly release applications without having to wait or gain approval (cough..cough..Apple)… however, Apple is smart by vetting applications to protect their users.

In recent news though, Google did come up with a new application security scanner called “Bouncer” after realizing that they did have a huge issue with Android malware. Back in Q3 2011, there was a report that had stated that malicious Android apps have risen 473% in about a year or so… that is a lot of malware.

This report pretty much sparked my ingenuity for coming up with the OSAF project. The OSAF project was initially going to be just the OSAF-Toolkit, a Linux OS that has been injected with all the latest Android application analysis software, but I wanted more than that. I wanted not only to create an application ripping toolkit, but to create a community where anyone interested in Android malware analysis can have a one stop shop for any information they need.

I want people to stop at our site before any other site, and I want people to collaborate with each other, share new techniques and methodologies, and share their findings after they have ripped apart an application (hence the threat index).

Another honorable mention is that my team is currently working on documentation on how to perform analysis against any application. This is an A-Z guide of what tools to use, how to use them, what to look for during static/dynamic analysis, etc. We do not want to give people a toolkit and say, “here you go, figure it out yourself” like many other projects have done.

HTCIA: What need does your research and site fill that others were missing?

SD: Not to be cocky or anything, but the entirely “FREE” price point for a toolkit, documentation and a collaborative work environment is argument enough that our site is better than the rest. I see other companies/sites charging a lot of money for training, certifications, information, etc.

I, at one point, wanted to take some certifications in forensics and information security, but the training and certifications were just way too much money for a college undergrad to afford. So I looked at this project from a college kid’s perspective… If it’s free, it’s for me… That’s why we decided to name the project OSAF. We wanted every aspect of it to be entirely open source.

HTCIA: How many people are working on the project?

SD: There are 4 of us IT seniors, including myself, working on the project right now. I couldn’t have picked a better team for this project. They are very smart and dedicated individuals wanting to make this project the best it can be. I think the reason why we are so dedicated as a team is because the project itself is very fun and unique. I feel like we are pioneers in this sort of work because I can’t find any site online that is dedicated to creating an entire environment for Android malware analysis.

HTCIA: What are your goals for the site over the long term?

SD: I want the OSAF project to be well recognized in the forensics and malware analysis community. I eventually want to get more people on board to help analyze applications, maintain the site and answer any questions people may have. One day, I hope companies will be knocking on our door asking if they can sponsor us, in order to help fund and build the project, while keeping it 100% free of charge.

HTCIA: How long have you been a student HTCIA member? How long have the other students been?

SD: I am actually the founder and President of the University of Cincinnati’s HTCIA student chapter. I started the student chapter back in May 2011. I think we have a little over 20 student members (a mix of IT, IS and Criminal Justice students) in our chapter so far, but I have been getting a lot of email lately about new students interested in joining the chapter.

My team members for this project are not student members of HTCIA sadly. I would like for them to be members, but we only have 3 more months of school before we graduate. I will definitely get them to become full HTCIA members upon graduation.

HTCIA: Anything else you want to mention about the project?

SD: I just want people to know about us and the goals of our project. We can agree that the web is entirely too large right? I feel like it is hard for start-up sites, like us, to make it big these days unless they provide content that interests a vast majority of people, or if the site provides a service that interests organizations.

We want OSAF to be a site that provides both content and services of interest. Organizations, and the general public, have to realize that mobile malware is not going to magically disappear any time soon. Criminals will eventually get more crafty in the way they embed malicious code into applications; who knows, maybe to the point where the malicious code circumvents the Android permissions mechanism.

That’s where OSAF has an advantage over anyone else. Anyone can ask OSAF to analyze an application, a community member will perform analysis, give the analysis report/results to the OSAF admins for review, then the OSAF admins will publish the finding on the threat index. Ripping apart applications is the only real way to find Android malware, because we all know how well Android “Anti-Virus” works.

Find and bookmark osaf-community.org, and keep an eye out for the site’s development, currently slated for completion in May! Shadi says that the toolkit is currently available online for download, and the malware analysis documentation will be complete in May as well.

Image: victoriawhite2010 via Flickr


March for HTCIA: Chapter meetings and other notable events

February 29, 2012

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. Our meetings and events this month:

March 1

Ontario HTCIA will be featuring a March Madness Double Bill Event! The first meeting, on March 1, will feature two sets of speakers. First, Robert Ulke and Joseph Pizzo, Account Executives from Guidance Software, will review EnCase 7.0 features and give participants a sneak peek at the upcoming edition of EnCase Enterprise.

Next, chapter officers Eugene Silva and Ben Whittaker will offer their thoughts on the proposed Bill C-30, the Investigating and Preventing Criminal Electronic Communications Act (also known as the ‘lawful access’ legislation, or the Online Surveillance Bill, since it would force Internet service providers to collect customer information), from their own perspectives: law enforcement and ISP.

Perhaps a real-life debate will break out, along the lines of the 1970s Point – Counterpoint (as seen on 60 Minutes or as parodied on Saturday Night Live). Audience participation is encouraged! Bring your ideas to Peel Regional Police, 180 Derry Road, Mississauga, Ontario from 7-9pm.

A full day of training will be available from Texas Gulf Coast HTCIA, presenting the US Secret Service Electronic Crimes Task Force (ECTF) Quarterly Meeting from 8:30 AM – 3:00 PM. A special invitation has been extended to members of the HTCIA Texas Gulf Coast Chapter.

Hosted by the Fort Bend County Sheriff’s Office and taking place at the Gus George Academy, 1410 Williams Way, Richmond, TX, this special meeting will introduce the task force members to Fort Bend County, gather information on service needs, initiate mutual contacts between departments and corporate citizens, and provide a unique educational opportunity.

Topics to be presented include cell phone forensics, real world hack attack case studies, and the ECTF fraud and cybercrime prevention programs. Most important, this will provide an introduction to personnel who can assist in asset forfeiture, cybercrime forensics, and investigations, and foster stronger ties with the Fort Bend County Sheriff’s Office as well as others in the local area.

For more information and to learn how to RSVP, click here.

March 8

From 11:30 AM to 1 PM at American InterContinental University, Atlanta HTCIA presents “Before You Touch that Cell Phone.” Crime scene processing may be second nature to law enforcement, but how do those of us in the private sector respond to and handle an incident that might later result in criminal charges? Are we using the proper standard of care during incident response involving electronic devices, so that the evidence could later stand up in court? This presentation covers the proper processing of electronic devices, including the preservation of DNA and latent fingerprints.

Speaker Michael Barker, president of C4 Group, Inc. and Atlanta chapter president, is licensed by the State of Georgia as a Private Investigator and PI Classroom and Firearm Instructor. He holds a number of computer certifications including the CISSP, CISA and A+. He is currently completing a Masters in Information Security through the University of Fairfax.

March 9

The following week, the Texas Gulf Coast chapter will also host its regular meeting at the United Way Community Resource Center, 50 Waugh at Feagan (near Waugh and Memorial). Speaker and topic TBA; the meeting will run from 1:00 – 3:00 PM, with a networking lunch at JAX Grill starting at 11:30 AM.

March 13

Ottawa HTCIA will present “The Wonderful World of Microsoft Computer Registry Analysis” at Russell’s Lounge at the Ottawa Police Association. Greg Bembridge, a Senior Computer Forensic Instructor with the Technological Crime Learning Institute (Canadian Police College, Ottawa), will be speaking on the “gold mine” of forensic information found within registry files: software programs which have since been deleted, externally connected devices, wireless networks that were used, firewall exception rules in place, and much much more.

The meeting, which runs from 5:30 – 7:30 PM at 141 Catherine St. in Ottawa, will include a cash bar and grill. Members come free (cost is included in your annual dues); non-members may register for $15.00. To register, visit the event on the web site.

Southern California HTCIA will host David Nardoni speaking about memory forensics. In this hands-on lab, we will cover the basics of live memory collection and its importance during an investigation, especially one involving malware. Attendees will explore the differences between memory collection and analysis tools. In addition, this lab will cover basic malware triage, tips and tricks, and pitfalls. The meeting will take place from 8:30 – 11:00 AM at the USSS Los Angeles Electronic Crimes Task Force, 725 South Figueroa Street – Suite 1300 (Ernst & Young Building, 13th Floor). Please RSVP to socalhtcia@gmail.com.

March 14

HTCIA Asia-Pacific is hosting a special evening event in Singapore! As a part of our ongoing collaboration with SANS, HTCIA members are welcome to join the following interesting and informative presentation: SANS-HTCIA Community Night Presentation: Introduction to Windows Memory Analysis by Chad Tilbury, SANS Certified Instructor. From 6:30 – 7:30 PM at the Grand Copthorne Waterfront Hotel.

Mid-Atlantic HTCIA’s meeting will see two speakers. Mark Morgan from Guidance Software will discuss the EnCase Enterprise Cyber Security Module & EnCase Command Center, including hardware requirements, webserver API function, and integration with ArcSight and other IDS tools.

Following his talk, Amanda Thompson, a GWU graduate student employed at the Department of Homeland Security, will present her analysis of how the Microsoft Windows 8 operating system, which is set to be released later this calendar year, will differ from previous versions of Windows. Based on research using the Windows 8 Developers Preview Edition, Thompson will talk about the noticeable differences within the file system (NTFS), where user data resides (such as My Documents, etc.), and the Windows Registry (Microsoft, 2012).

The meeting will run from 9:00 AM to 12 noon at the Department of Education, 550 12th Street S.W. in Washington DC.

March 15

Member Mike Wilkinson’s #DFIROnline virtual meetup will feature Hal Pomeranz speaking on Linux forensics for non-Linux users, and Corey Harrell on ripping volume shadow copies — tracking user activity. Access the meetings via WriteBlocked.org, and follow along on Twitter if you have an account!

March 16

Northeast HTCIA will hold an all-day meeting from 9:00AM-3:00PM at Pace University’s Butcher Suite, 861 Bedford Road, Pleasantville, NY. Speaker and topic TBA.

Washington HTCIA’s monthly meeting, also with speaker and topic TBA, will take place from 10 AM to noon at the Edmonds Community College main campus, Snohomish Hall, room 123.

March 20

San Diego HTCIA presents a LIVE WiFi hacking demonstration setup, with data gathering; WiFi forensics presentation; and WiFi Q&A, complete with luncheon. Starting at 11:00 AM, Gerry Brown, CISSP and the chapter treasurer, will begin with a live WiFi hacking demo. Lunch (free for all current members, $20 for guests, and $45 for new members with completed HTCIA membership forms) will be served from 11:30 to 12:00 PM; then, Glenn Jacobs, a Senior Information Assurance Engineer at JTT and chapter president, will give a presentation on WiFi forensics. The afternoon’s activities will end with a Q&A.

The meeting is located at the Admiral Baker Clubhouse, 2400 Admiral Baker Drive in San Diego. HTCIA members are welcome to attend the chapter board meeting beginning at 10:00 AM. If you’ll be joining the meeting, please RSVP ASAP to treasurer@htcia-sd.org!

March 21

Michigan HTCIA presents Mobile Device Forensics: A Case Study of Cell Phone Evidence Recovered in a Homicide Investigation, presented by Detective Wade Higgason of the Livonia Police Department. Det. Higgason has examined more than 700 cellular telephones and more than 170 computers since 2005, when he was assigned to the Michigan ICAC Task Force for foreign, federal, state and local police agencies. The meeting will take place at 10:00 AM at University of Detroit Mercy – McNichols Campus. Click here to RSVP and register for the event.

March 29

Ontario HTCIA’s March Madness continues with BlueBear and their flagship product called LACE (“Law Enforcement Against Child Exploitation”) and Mr Robert Beggs of Digital Defence, who will update our membership on the latest trends on how criminals are making money on the Internet.


DFIROnline: Defragmenting the digital forensics community with HTCIA member Mike Wilkinson

February 9, 2012

In our posts for monthly HTCIA chapter meetings, we’ve done something a bit unusual: linked to a virtual conference call that isn’t a chapter meeting. The monthly, hour-long DFIROnline is the brainchild of New England chapter member Mike Wilkinson (@MikeWilko on Twitter), who invites some of the most well-respected minds in the digital forensics and incident response (DFIR) community to interact with participants via live chat.

DFIROnline, like most of our chapter meetings, is open to anyone. We asked Mike to talk more to us about how he got the idea, why he’s doing it, and where it’s going:

HTCIA: How long have you been an HTCIA member, and what led to your creation of the DFIROnline meetups?

MW: I have only been a member of the HTCIA since I moved to the US in August 2010. I had been aware of the HTCIA for many years prior to that and was considering setting up a chapter in Sydney, prior to leaving the NSW Police Force. I had run into Paul Jackson at a [law enforcement] conference the previous year, where I presented a proposal for creating an organization similar to the CDFS; he had just got the Asia Pacific HTCIA chapter up and running and was very enthusiastic about the HTCIA.

I was inspired to create the meetups after watching on from the sidelines as Harlan Carvey started his NoVA [forensic] meetups. I would have loved to get along to one of the meetings, but the travel from Burlington VT to North Virginia was just a little hard to manage!

I ran into Harlan at PFIC and was talking about the meetups with him there. A few days later I thought that maybe an online meetup would work, so I contacted Harlan to see if he was interested in getting involved, and he was keen. I don’t think it would have worked so well without his support.

HTCIA: What about this particular format (as opposed to a webinar or conference call) did you think would be more beneficial than others?

MW: I have been using this format in my online classes for the Masters program at Champlain College, and found that it worked well in class. The interface is highly customizable and allows a high level of participant interaction, far more than I have seen with other systems.

So far we have had a heap of chat going on at the same time as the presentation, the audience can ask questions and contribute suggestions as the presentation is running. Last session we had a bunch of helpful links posted and a lot of friendly banter, along with a drinking game, just to make it more interesting!

It also provides a video feed of the presenters so you get to see the person who is talking. In the first session we had a tour of Harlan’s office which was pretty cool. So although it is not the same as getting together face to face it does get pretty close.

Finally it does not require user registration, which helps to keep everything quite informal. Personally I find that if I have to register for something I am much less likely to get involved, I guess I just hate giving out my details.

HTCIA: Why do you think the community is so fragmented, and how can programs like this one help?

MW: This is something that has been bugging me for years. There is no simple answer to this and David Kovar wrote a great post on it last year, everyone in the industry should read it here.

I think historically there has been a high level of mistrust between LE/government and private practitioners. In some cases this may be well founded, but for the most part people on both sides have a high level of integrity and are just doing their job.

This is compounded by the different closed lists; whether it is IACIS, HTCIA, CCE or DFIR, each one is only open to a select group of people, in some cases based on whether you hold a certification and in others on whether you work for the right organization. In either case you are artificially excluding some great people.

The other part of the problem is the different types of work we do. Forensics for LE is quite different to incident response. Some things (for example documentation) that I take for granted coming from a LE forensic background appear quite novel or even pedantic to some IR people.

Moving forward we should be focusing on what we have in common, rather than what our differences are. I would like to see a situation where the only barrier to involvement was appropriate ethical behaviour. Unfortunately there are a handful of people out there whose behaviour should result in their exclusion from the profession. However this group is very small and it is a pity to stifle the development of the profession in order to defend against this tiny group.

HTCIA: What kind of information sharing do you want to encourage?

MW: Well, as an academic, everything. From a LE perspective I recognize that there is a small amount of information that, once it becomes common knowledge, can hinder investigations.

However, at this point in time the bad guys are far more organized and specialized than we are. There is so much duplication of work going on as a result of poor sharing that massive amounts of time are wasted.

Harlan has a great example he uses, where if one person spends 20 hours solving a problem and shares it with another five people, it has the potential to save 100 hours of work, as they will not have to repeat his/her efforts.

One other thing I think everyone needs to realize is that they all have something to contribute. In my online classes we have lots of discussion and I find that it does not matter how long someone has been in the profession they always have something to contribute.

One of the things I love about teaching is getting to interact with all these great people. Just the other day I had a student who has only just completed his bachelors degree and is just starting out in the profession suggest a solution I had never considered. We need to realize that no one has all the answers and it is always worthwhile listening to others as you never know what you might learn.

HTCIA: What would you like to see for the meetups by the end of the year?

MW: More people involved and more great presentations. At the moment the time we run at is not much good for the rest of the world. I would like to run at least one session for Europe and another for Asia Pacific. I have already had people put their hand up to present in Europe and I could probably put some pressure on a few really smart people I know in Australia to do something. I just have to find the time to organize it.

HTCIA: Anything else you want to discuss?

MW: Yes, I have high hopes for [HTCIA partner] CDFS; I think it is the first time we have had an organization with transparent leadership and good representation of all parts of the profession. It is great to see it moving forward, I hope it continues to do so and take my hat off to the handful of people that have put the time into making it happen.

Also on a more personal note I have just created a new Master of Science in Digital Forensic Science, with a fair bit of help from a number of people listed here. This program is designed for people who already have a solid background in digital forensics and are looking for advanced education. Officially enrollment does not start until the fall term, but we can get students into a class over the summer if they are keen.

Again, DFIROnline is open to anyone. It’s next planned for February 16, with sessions planned on cryptology along with e-discovery case studies. Hope you’ll be there!


February for HTCIA: Chapter meetings and other notable events

February 3, 2012

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got four upcoming special events as well as regular chapter meetings this month:

HTCIA Chapter Meetings

February 7

HTCIA Ottawa will present “Inclusion of Forensic Video Analysis Within an Agency’s Digital Forensic Program” in Russell’s Lounge at the Ottawa Police Association from 5:30-8 p.m. Jeff Spivack, an IAI Board Certified Forensic Video Examiner, will demonstrate how forensic multimedia analysts obtain investigative leads and actionable intelligence from files that might otherwise be discarded.

Spivack has worked as a Forensic Multimedia Analyst with the Las Vegas Metropolitan Police Department, and has been accepted as an expert witness in courts throughout the U.S. In addition to conducting case work, Jeff is also Cognitech, Inc.’s Forensic Video Software Certification Instructor, and Senior Instructor of Video Forensics for Forensic Data Recovery, Inc., Cognitech’s Canadian affiliate.

For more information and to register, see the Ottawa HTCIA website. Non-HTCIA members are welcome for a guest fee of $15.00.

Also on February 7, our Southern California chapter will be holding a joint meeting with ISACA Los Angeles. It is a dinner meeting at Monterey Hill Restaurant (3700 W Ramona Blvd., Monterey Park, CA), and the presentation, a computer forensics case study, will run from 5:30-8:30 p.m.

Guidance Software’s head of Risk Management, Andy Spruill, will provide his first-hand account of Victor Stanley, Inc. v. Creative Pipe, Inc., the intellectual property theft case that spawned not one, but two, landmark legal decisions in the world of digital forensics and eDiscovery. To register, please visit ISACA LA’s website.

February 9

Atlanta HTCIA will present “Forensics in your PJs” from 7:30-9:30 a.m. A breakfast meeting at American InterContinental University in Dunwoody, Georgia, the session will show you how to use various resources and tools on the internet to gather data: from Facebook to blogs, what you can learn while sitting in your PJs!

Speaker Buffy Christie is Senior Director of Equifax Global Security. Buffy has a BS in Criminal Justice, Forensic Science. She is a CFE (Certified Fraud Examiner) and is President of the Southeastern IAFCI (International Association of Financial Crimes Investigators).

To register for this event, visit Atlanta HTCIA’s EventBrite page.

February 10

Texas Gulf Coast HTCIA will meet from 1:00-3:00 p.m. at the FBI Greater Houston Regional Computer Forensics Laboratory. Those planning to attend will need to be vetted by the FBI prior to the meeting. In order to attend, contact Ms. Julie Campbell, Receptionist, Pathway Forensics (713.301.3380) and provide her with your name, DOB and DL#. Chapter members should also RSVP to the Evite invitation that was sent to the e-mail account on file with HTCIA International.

February 14

Midwest HTCIA is offering an Android forensics and software demo by Christopher Triplett, Sr. Forensic Engineer of viaForensics. From 8:30-11:30 a.m., Mr. Triplett will cover Android File Systems, Android Forensic Analysis Techniques, and a demonstration of viaForensics’ viaExtract product.

Midwest HTCIA’s chapter meetings are located in Oakbrook Terrace, IL at the ICE office (16th floor, Oakbrook Terrace Tower).

February 15

Minnesota HTCIA will meet in the Ridgedale Library, RHR West Room in Minnetonka.

February 16

Member Mike Wilkinson’s monthly DFIR Online Meetup will feature Peter Coons and John Clingerman providing e-discovery case studies, along with Jonathan Rajewski speaking on “N unaqf ba (cra/cncre) rkrepvfr va onfvp pelcgbybtl/pelcgnanylfvf”… or, “A hands on (pen/paper) exercise in basic cryptology/cryptanalysis.” Join in at 8:00 p.m.!
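The encoded title above is the kind of ciphertext the exercise works through by hand. As an added example (not part of the original announcement, and not Jonathan Rajewski’s exercise material), the following Python first applies ROT13 to that title, then recovers the shift without being told it by trying all 26 Caesar shifts and scoring each candidate against English letter frequencies with a chi-squared statistic. The ciphertext is copied from the announcement; the frequency table is the usual approximate English letter distribution, and the scoring approach is a standard one, assumed here rather than taken from the talk.

```python
from collections import Counter

# Ciphertext copied from the DFIROnline announcement above.
CIPHERTEXT = "N unaqf ba (cra/cncre) rkrepvfr va onfvp pelcgbybtl/pelcgnanylfvf"

# Approximate relative frequency (percent) of each letter in English text,
# used to score how English-like a candidate decryption looks.
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}


def caesar_shift(text, shift):
    """Rotate each ASCII letter forward by `shift` places, preserving case.
    Digits, punctuation and whitespace pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """ROT13 is the Caesar shift by 13, so applying it twice restores the input."""
    return caesar_shift(text, 13)


def chi_squared(text):
    """Chi-squared distance between the letter counts of `text` and the counts
    English would predict for the same number of letters. Lower is more English-like."""
    letters = [c for c in text.lower() if c in ENGLISH_FREQ]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    total = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        observed = counts.get(letter, 0)
        total += (observed - expected) ** 2 / expected
    return total


def break_caesar(ciphertext):
    """Brute-force all 26 shifts and return (shift, plaintext) for the candidate
    whose letter distribution is closest to English. The returned shift is the
    one to apply to the ciphertext to decrypt it."""
    candidates = [(s, caesar_shift(ciphertext, s)) for s in range(26)]
    shift, plaintext = min(candidates, key=lambda c: chi_squared(c[1]))
    return shift, plaintext


if __name__ == "__main__":
    print("ROT13:       ", rot13(CIPHERTEXT))
    shift, recovered = break_caesar(CIPHERTEXT)
    print("Brute force: shift", shift, "->", recovered)
```

Chi-squared scoring needs a few dozen letters to be reliable; on this 54-letter title it picks shift 13 cleanly, because any wrong shift sends the frequent plaintext letters (a, e, n, p, s) onto rare ones and the score balloons.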

February 17

Washington state HTCIA will be meeting between 10am-12pm. Topic and speaker both TBD.

February 21

Central Valley HTCIA will be meeting at 12:00 noon at the Stanislaus County Sheriff’s Office, 250 East Hackett Road in Modesto, CA. Tentative topics are a presentation on TOR by Cullen Byrne, and an update on the group Anonymous by an FBI representative. Lunch to be provided.

Austin HTCIA, meanwhile, will meet from 1:30 to 3pm at the REJ Building. Rick Andrews will be going over navigation in EnCase v7. Come with questions!

February 22

Atlantic Canada HTCIA will meet from 5:30-7:30 p.m. with Jan Cox from Oracle presenting on the topic of SQL injection, among other things. An update on the chapter’s conference planning efforts will also take place.

February 24

From 11:00 A.M. – 3:00 P.M. at University Hall, Room 465 (51 Goodman Dr. in Cincinnati), Ohio HTCIA will be offering a presentation on Incident Response: Live Memory Capture and Analysis. Presenter Justin Hall has 15 years of experience in the information technology field and has spent the last seven focused on information security.

Mr. Hall is currently a security architect for CBTS, a technology services provider in the Cincinnati area – consulting with the firm’s enterprise customers in developing vulnerability management, incident response, and endpoint & network defense programs. He is a frequent speaker at information security community events, a SANS mentor, and holds a GCIH, GCFA and GPEN.

Following Mr. Hall’s presentation, lunch will be provided and the chapter’s business meeting conducted.

Also on Friday, our Kentucky chapter will meet at 1:00pm at Boone County Sheriff’s Office. Tom Webster will present about Internet Evidence Finder.

February 29

San Diego HTCIA will meet at the Admiral Baker Clubhouse in San Diego. Lunch will be served at 11:30, with the presentation (yet to be determined) running from 12:00-1:00 p.m. HTCIA members are also welcome to attend the 10 a.m. board meeting that day.

Lunch is free for all current members, $20 for guests, and $35 for new members with completed HTCIA membership forms. RSVP is required, so please RSVP ASAP to treasurer@htcia-sd.org! This will assist in planning for seating and food requirements.

Northern California HTCIA will also be meeting on February 29. Topic and location to be determined.

Special Training Events

February 6-11: SANS COINS event coming to Los Angeles!

Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations-Windows In-Depth will be in sunny Los Angeles, CA February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 will include a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. HTCIA members can save an additional 10% off tuition when you enter Discount Code “COINS10”! Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs/

February 15

ISSA Ottawa and Women in Defence & Security will be co-hosting a National Capital Security Partners’ Forum Event featuring Marene Allison, VP & CISO of Johnson & Johnson. The opening speaker will be Rennie Marcoux, Assistant Secretary to the Cabinet (PCO); the closing speaker will be Carol Osler, VP Physical Security, TD Bank. For more information and to register, see http://www1.carleton.ca/npsia/upcoming-events/4409-2

February 20-24

Free law enforcement training! Minnesota HTCIA is advertising “Fighting Cyber Crime”, 40 POST credits’ worth of courses at the St Cloud State Campus. The training is a response to the increased ease with which people can access the Internet to commit crimes, as well as the increased emphasis on issues of homeland security. Participants will learn ways to uncover, protect, and exploit digital evidence to respond to crimes. Register via the course flyer at http://www.mn-htcia.org/documents/Cybercrimecourseflyer.pdf.

February 27-March 1

The New York District Attorney’s Office has partnered with the National White Collar Crime Center to offer Cybercop 101 – Basic Data Recovery & Acquisition (BDRA) to qualified members. This four-day course teaches the fundamentals of computer operations and hardware function, and how to protect, preserve and image digital evidence.

This class introduces participants to the unique skills, best practices and methodologies necessary to assist in the investigation and prosecution of computer crime. It includes presentations and hands-on instruction on such topics as Partitioning, Formatting, Data Storage, Hardware and Software write blockers, the Boot Up process, and Duplicate Imaging. Register here for this and future courses!

REMEMBER: To get discounts or free training (where applicable), you must be a member. Please join or renew your 2012 membership today!


January HTCIA news and events

January 9, 2012

Before we run down the list of January chapter events, we’d like to draw your attention to two new chapter website redesigns. HTCIA Asia-Pacific will contain all-new and updated content, having migrated from the old htcia.org.hk. Visit President Frank Law’s blog post to read more details, and be sure to follow HTCIA-APAC in its various social site locations!

Meanwhile, our Midwest chapter is building out its site with new content weekly, including Tips of the Week, listings of forensic tools, and of course updates on chapter meetings and events.

Visit the new sites, subscribe to their RSS feeds and learn from what they offer!

Upcoming January HTCIA meetings

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got two upcoming special events as well as regular chapter meetings this month. Where available, we’ve posted meeting details; if none are available, we encourage you to visit the chapter website (linked below) and get in touch with the officers to learn more.

January 11

HTCIA Atlantic Canada Chapter Meeting, 5:30pm – 7:30pm. Eric Jones of Absolute Software (maker of LoJack and Computrace computer tracking software) will be focusing on the use of these tools for geolocation, forensics, and law enforcement.

The Atlantic Canada chapter meets in two physical locations:

  • Fredericton, New Brunswick: 64 Allison Blvd.
  • Dartmouth, Nova Scotia: 45 Alderney Dr.

There’s also a telephone conference line and a WebEx conference for those who can’t make it to the physical locations. Contact the chapter for more information!

January 12

Atlanta HTCIA will be holding Log2Timeline open source tool training from 11:30AM – 1:00PM at American InterContinental University’s Dunwoody, GA campus. Log2Timeline is used to create a “SuperTimeline” to help determine the sequence of events based on logs and artifacts found in a forensic image of a Windows-based system.

Speaker Rodger Wille has been working incident response and forensics within the Federal Government for over 10 years. Rodger is currently the Digital Forensic Services Team lead for a Federal Agency based in Atlanta, where he is responsible for conducting digital forensic and malware analysis in response to computer intrusions and malware incidents.

January 13

Texas Gulf Coast HTCIA will be holding an “overview” type meeting from 1:00 PM – 3:00 PM (following an 11:30 a.m. social networking lunch at JAX Grill) at the United Way Community Resource Center. This meeting will focus on the meetings for 2012 and will include possible topics, speakers and training session(s). Please come with lots of ideas!

January 17

San Diego HTCIA is teaming with the city’s Information Systems Security Association (ISSA) chapter this month! Between 11:30 – 1:00 PM PST at the Admiral Baker Clubhouse, Mr. Robert Capp II, Senior Manager of Trust and Safety at StubHub, will be presenting on the results of an online fraud investigation against StubHub. Learn the limitations of traditional investigative methods for international crimes and how StubHub overcame these limitations to work effectively with international law enforcement to arrest the criminals and seriously reduce company fraud.

Ottawa HTCIA will be meeting from 5:30-7:30 p.m. Their meetings are held in Russell’s Lounge at the Ottawa Police Association, 141 Catherine Street, Ottawa, Ontario.

Central Valley (CA) HTCIA will be meeting at 11:30 a.m. at 250 E Hackett Road, Room 152 in Modesto. Lunch will be provided, and the topics for the day include chapter goals for 2012, and interpreting hex code.

January 18

Florida HTCIA welcomes speaker Randall Huff, Security Director of TLO.com, from 9:00-11:00 a.m. at the IRS-Criminal Investigation office, 7850 SW 6th Court, Plantation, FL. Mr. Huff will be speaking on TLO as an organization, on TLOxp, which is used by and available to law enforcement, as well as on other tools developed by the inventor of Autotrack and ACCURINT.

Michigan HTCIA will be meeting the same day at 10:00 AM at the Walsh College Novi Campus room #511. The presentation will be an overview of using social networks as an investigative tool. HTCIA members Mr. Steffan Gaydos and Wayne County Sheriff Deputy Erin Diamond will present issues affecting law enforcement, as well as private sector investigations. The presentation will conclude with a discussion on tools and methodologies for collecting online evidence.

January 19

DFIROnline, run by HTCIA member Mike Wilkinson of our New England chapter (though separately from chapter meetings), is a virtual meeting that brings together digital forensics and incident response professionals from all locations and all disciplines. Beginning at 2000 and running for about an hour, this month’s meeting will feature Harlan Carvey looking at malware detection on an acquired image and Eric Huber covering APTs.

January 20

Washington state HTCIA will offer a presentation on managing incident response investigations, given by Michael Panico of Stroz Friedberg, from 10:00 AM-12:00 PM.

January 26

Ontario HTCIA will be at the Toronto Police College 7 – 9 p.m.

Special Training Events: Atlanta, GA & Los Angeles, CA

On January 27, 2011, Atlanta HTCIA will be offering a special presentation on Understanding and Investigating Microsoft Volume Shadow Copy. This event will run from 10:00AM – 2:00PM; Christopher L. T. Brown, CISSP and the founder and CTO of Technology Pathways, will be presenting.

Field investigators often need to find information fast in the field. Recovering deleted files and performing advanced searches are often time consuming and thus prohibitive for field investigators. Both live system triage and analysis of offline images containing Microsoft VSC (“Volume Shadow Copy”) snapshots can often net a wealth of information to investigators who know how to process it.

Learn more and register at the Atlanta HTCIA chapter website!

February 6-11: SANS COINS is coming to Los Angeles! Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations-Windows In-Depth will be in sunny Los Angeles, CA February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 will include a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs.

HTCIA members can save an additional 10% off tuition when you enter Discount Code “COINS10”. Register now!


Upcoming for HTCIA in 2012: Strategic initiatives, community involvement

December 28, 2011

One of our most recent posts, a retrospective by our longtime member Fred Cotton, covered how HTCIA got its start and how we got to where we are today. This post is about where we’re headed in the coming year, and beyond.

Our strategic plan

In July, a small group of HTCIA leaders gathered to map out a strategic plan, a vision and a road map for where HTCIA would need to go in order to continue to serve its membership. Following a careful assessment of our strengths, weaknesses, opportunities and threats, we devised a new, clearer and more succinct mission statement:

Provide education and collaboration to our global members for the prevention and investigation of high tech crimes.

In addition, we developed goals for education and professional development, membership services, communications, organizational governance, and financial resources. Some of the initiatives we are taking include:

  • a newly redesigned website and logo
  • a High Tech Crime Investigator Certification
  • improvements in the way we help form and support international chapters
  • development of member benefit programs
  • many other actions

Community involvement

Another strategic initiative is to partner with other groups. This has already been happening to some extent at the chapter level, as a few of our chapters band together with those of other associations to hold joint training events. (This is, in fact, one of the reasons SoCal won Chapter of the Year.) However, we want to make it something we do more consistently across all our locations.

At our conference in Indian Wells we unveiled our nascent partnership with the SANS Community of Interest for Network Security (COINS) program, which allows us to help even more chapters offer local events jointly with a great educational resource. Already we’ve seen the debut of SANS360 offered jointly in DC with our Mid-Atlantic chapter, and in February, Mark Gonyea will be teaching Computer Forensic Investigations-Windows In-Depth in Los Angeles. We also hope to work with SANS on virtual events, like our free webcast in October.

In addition, we announced that our International Board of Directors voted to join the Consortium of Digital Forensics Specialists (CDFS) as an Organizational Member. We believe that in this way we’ll be able to help shape the education and training of this particular facet of high tech crime investigation, which is just one of the many our membership serves.

Finally, we’re looking to get more involved with our communities on Facebook and Twitter (and we’d love it if you left more comments here on the blog, too!). Polls, Twitter chats and continued conversation with our members and supporters will be part of what we’re doing.

Get involved! Become a member (guidelines at http://www.htcia.org/membership.shtml) and subscribe to this blog, our Facebook and Twitter pages to find out the latest.


HTCIA joins the CDFS to help set digital forensics standards

December 22, 2011

We are very pleased to announce that we’ve joined the Consortium of Digital Forensics Specialists (CDFS) as an Organizational Member! Established in 2008 to provide leadership and advocacy as the global representative of the digital forensics profession, CDFS offers the chance for HTCIA members, through their board representatives, to collectively help determine standards for digital forensics ethics, practice and professional licensing and certification, among other areas.

Our International President, Duncan Monkhouse, has this to say: “For 25 years, our members have contributed to the development of digital investigation as a science and a profession. Supporting the CDFS is a natural outgrowth of their contributions. We look forward to helping shape the education and training of this particular facet of high tech crime investigation, which is just one of the many our membership serves.”

Chris Kelly, CDFS’ president and a New England HTCIA chapter member, is likewise excited. “HTCIA’s membership is a welcome addition because of its members’ breadth of experience not just in digital forensics, but also in private investigation, prosecution, and other professions that affect the way digital forensics is perceived within the investigative community,” he says. “We look forward to their input and assistance in driving not just our association, but the entire profession forward.”

HTCIA joins two other nonprofit professional organizations, the International Association of Computer Investigative Specialists (IACIS) and the Association of Digital Forensics, Security and Law (ADFSL) as members of CDFS. We couldn’t be in better company, and we’re so grateful to CDFS for making our membership possible!


2012 HTCIA Conference Call for Speakers

December 14, 2011

If you’ve considered presenting to other high tech crimes investigators in 2012, we hope you’ll submit a paper to us! As always, the 2012 HTCIA International Training Conference & Expo organizers seek to provide the best possible training on the latest topics in high technology crime by the best speakers available.

To this end we’re soliciting speakers for the conference in the following areas (not an exhaustive list):

  • Information security
  • Investigations (identity theft, child pornography, cyber crime, intellectual property theft, white-collar, and corporate)
  • Computer forensics
  • eDiscovery
  • Legal issues
  • Courtroom testimony techniques
  • Financial crimes – tax evasion & money laundering
  • International trends – situations – experience
  • White collar & corporate investigations
  • Legal issues – civil & criminal
  • Legal mock trial
  • Report writing for forensic examiners
  • Report writing for investigations

The 2012 HTCIA International Conference & Training Expo will be held September 16-19, at the Hershey Lodge, Hershey, PA. If you would like to speak on any of the above topics, or have a topic of your own, please contact Jimmy Garcia, chair of the Program Committee – jrgarcia@da.lacounty.gov. We look forward to hearing from you!


Rob Lee’s Super Timeline Analysis: A joint HTCIA/SANS COINS webcast

October 12, 2011

We are very pleased to announce a new joint event between us and SANS’ Community of Interest for Network Security (COINS): a one-hour webcast on Super Timeline Analysis featuring Rob Lee! The webcast, part of SANS’ complimentary series, will expand on the lab material Rob presented in Indian Wells, delivering an exciting and valuable webcast both for those who attended the labs as well as those who were unable to attend.

Over the past year investigators have started to use timeline analysis to help solve challenging cases. Learn how to create and analyze automatic file system and artifact timelines during incident response and criminal investigations.

There is no cost to attend this event, but you do need to register at: https://www.sans.org/webcasts/htcia-coins-pleased-present-super-timeline-analysis-94739

Webcast Details

Date: Wednesday, October 26, 2011

Time: 8:00pm – 10:00pm (EDT)

Title: Super Timeline Analysis

Featuring: Rob Lee, SANS Faculty Fellow

For more information on the webcast contact Andrea Hogan: ahogan@sans.org.


HTCIA: A retrospective journey

October 4, 2011

Today’s post is a guest article written by one of our longest term members, Fred Cotton of our Northern California chapter. This year has marked 25 years since our organization was founded, and we appreciate the opportunity to learn about how we got to where we are — especially given our strategic plan for coming years. Thank you, Fred, for taking the time to write out your perspective!

The High Technology Crime Investigation Association has grown into the largest association of its kind in the world and it has been my honor and privilege to be a member of this organization since it was a single chapter located in Los Angeles, CA.

At that time (around 1988) it was an organization comprising law enforcement, prosecutors and corporate security personnel from high-technology firms fighting the rising tide of component theft across California. I was the Director of Training for SEARCH, the National Consortium for Justice Information and Statistics in Sacramento, CA and was developing a training course for law enforcement on computer crimes investigation. The members of the HTCIA were the ones on the front line of the battle against technology crimes in California. They graciously shared their experiences, techniques, successes and failures with me and helped shape the curriculum which grew to encompass the entire nation and many countries around the globe.

Early HTCIA members like John C. Smith, Jim Black, Abigail Abraham, Ken Citarella, Walker Lane, Joe Chiramonte, and Don Ingraham, to name just a few, gave of their time and experience to help develop training and technical assistance for investigators from across the nation. This in turn helped them fight the ever-increasing plethora of technology crimes.

It soon became apparent that this type of organization was a success and more investigators, prosecutors and corporate security personnel joined the team. The Los Angeles chapter grew and in 1989 the Silicon Valley Chapter was formed. The Northern California chapter followed the next year and soon chapters were being formed across the nation as word spread about the benefits of this cooperative model.

During the ensuing years, most of the investigators and investigation teams who successfully broke the most famous and complex cases of the day were proud members of the HTCIA. They developed innovative investigative and prosecutorial techniques as well as influenced the manufacturers of utility software to pursue the development of specialized tools for computer forensics. Their suggestions and requests helped shape the forensic software we all take for granted today.

As the technology advanced, the job of the individual HTCIA members became more complex and required more sophisticated training and more advanced software. It also became apparent that no single agency, no matter how large, was able to take the problem on alone. The cooperation and teamwork displayed between HTCIA members helped solve hundreds if not thousands of cases around the world.

Our corporate partners stepped up and helped our members learn about the new technologies being used in criminal enterprises and how attacks were being perpetrated against corporate enterprise systems. Our law enforcement partners worked tirelessly to investigate the facts of these cases and combine forensic science and computer science to recover critical evidence from deep within computers and networks. Our prosecutors fought to change antiquated laws, to counter defense arguments against computer evidence, and to see that justice was served. Our training organizations developed curriculum based on these success stories and brought up a whole new generation of members who proudly carry on the traditions of the HTCIA organization. Our software partners continue to develop software tools which are critical to the collection and preservation of computer evidence.

Today, the organization is global and boasts a membership in the thousands. Our members constitute the core of professionals who struggle daily with the ever-increasing tide of computer fraud and abuse. Cell phones and PDAs have been added to the already complex mix of communications technologies, spawning new and innovative investigative protocols and techniques. This knowledge is shared among our members through chapter meetings and training conferences. As a result, HTCIA members continue to impact the safety and security of our nations.

Our creed has spread around the industrialized world and we have set the standard for cooperation and success. I am confident that the organization will continue to grow and stand at the forefront of technology crimes investigation for many years to come. Personally, it has been a wonderful experience to be a small part of it. The highest professional honor I have ever received has been the receipt of the first “Lifetime Achievement Award” from my peers at the HTCIA. I look forward to my continued participation in the HTCIA and the benefit I receive through association with the talented professionals who make up its membership.

Image: Jon Kristian via Flickr