2012 HTCIA Conference Call for Speakers

December 14, 2011

If you’ve considered presenting to other high tech crimes investigators in 2012, we hope you’ll submit a paper to us! As always, the 2012 HTCIA International Training Conference & Expo organizers seek to provide the best possible training on the latest topics in high technology crime by the best speakers available.

To this end we’re soliciting speakers for the conference in the following areas (not an exhaustive list):

  • Information security
  • Investigations (identity theft, child pornography, cyber crime, intellectual property theft, white-collar, and corporate)
  • Computer forensics
  • eDiscovery
  • Legal issues
  • Courtroom testimony techniques
  • Financial crimes – tax evasion & money laundering
  • International trends – situations – experience
  • White collar & corporate investigations
  • Legal issues – civil & criminal
  • Legal mock trial
  • Report writing for forensic examiners
  • Report writing for investigations

The 2012 HTCIA International Conference & Training Expo will be held September 16-19, at the Hershey Lodge, Hershey, PA. If you would like to speak on any of the above topics, or have a topic of your own, please contact Jimmy Garcia, chair of the Program Committee – jrgarcia@da.lacounty.gov. We look forward to hearing from you!


Learning from the next generation: Student research at #HTCIACon

September 29, 2011

Jon Ford describes his Virtual Desktop research

Before the HTCIA conference, we blogged about a new style of presentation: student poster presentations, which would give graduate and undergraduate college students the chance to talk to professionals about their research.

Six students were on hand in Indian Wells, presenting on a wide range of topics from information security to law enforcement volunteer jobs:

Infosec and e-government

Tim Perez is a doctoral student at Dakota State University and is working on a dissertation entitled “E-Government Security Concerns for Municipal Government Entities.” Having worked for eight years as an information technologist for a local law enforcement agency, Perez sees that communities with small budgets and few regulatory requirements tend to focus less on security.

However, measures like online bill pay, which increase both efficiency and convenience, make security necessary because they deal with personally identifiable information. Perez’ research focuses on how to communicate these issues in a way that municipal managers will understand.

Learning incident response by doing

Another project that brought together law enforcement, security, and education was a Cal Poly Pomona Senior Project. Chris Curran, at the time a college professor and SoCal HTCIA Chapter President, approached students to design an entire scenario, from players to the crime to the resulting analysis. The completed project would then be used as a final exam for other forensic students.

Student Steve Gabriel came up with the scenario involving a fictional disgruntled university IT employee, who had “stolen” critical source code and hidden it in a System 33 file when he went to a new job. Gabriel utilized multiple web browsers, along with Trillian instant-messaging and Outlook email software. Several other students played the other fictional roles, communicating and using digital media that was later imaged and provided as “suspect” evidence.

To find the evidence and create an answer key for Curran, Gabriel and the others used FTK, EnCase, AccessData’s Registry Viewer, and a SQLite database viewer. Gabriel said the project received good feedback for being an incident response-type case with multiple exploit layers and 25 gigabytes of evidence.

Security vs. performance with supercomputing

On the preventive side of network security was work that Cal State-San Bernardino students Kyle Sandoval, David Warner and Estevan Trujillo had done for the 2011 Computer System, Cluster and Networking Summer Institute at Los Alamos National Laboratories. Their research broke ground on the cost of deploying firewalls on each node of a supercomputing cluster, rather than on the 4,000-node cluster as a whole.

The reason: security measures should always be installed on each separate computer, but supercomputers are so expensive to power that even a five percent drop in computational performance – such as what a firewall might result in – can exponentially add to their cost.

Thus in their project, Sandoval, Warner and Trujillo used a Linux cluster and created multiple IPTables rule sets. They used these to run a series of benchmarking tools that measured bandwidth, latency, and MPI job performance. They wanted to determine what performance implications an IPTables firewall had on a cluster.

With just 10 test machines and a 6-week period, the research concluded simply that more research was needed – and the students anticipate that the lab will continue their work.

Virtualization for mobile device management

Jonathan Ford is a student at Cal State University and a volunteer for a nearby sheriff’s department, which was starting to provide official-use iPads to its officers. A number of issues presented themselves with that initiative:

First, the iPads’ remote access to a virtual machine would work for 10 to 20 users, but large numbers – the kind that would be seen on an average shift – made the virtual machine unstable and caused it to crash. Second, different users would need different levels of access to records depending on their role. Finally, to minimize the risk from vulnerabilities – not just on iPads, but also on the other 3,000 or so disparate devices in use – the agency needed a way to manage a variety of operating systems, software and users.

Ford’s answer: a Virtual Desktop, which would save both time and money by enabling:

  • upgrades and patches to occur just once rather than for each system
  • data to be stored on a server
  • administrators to keep a list of which users had access to which software applications

The second part of Ford’s research shows law enforcement agencies the benefits of integrating academic research into their everyday operations. “Many agencies cannot hire full-time employees, but they still need support with computer forensics and security – the fields students want experience in,” he says. “Writing grants for research means each can get what they need.”

How law enforcement can benefit from student volunteers

Cal State-Sacramento student Alex Krepelka had earned a GCFA and wanted to use it. But he didn’t just stop at volunteering for the Butte County District Attorney’s Office – he turned it into research that could help law enforcement agencies develop their own computer forensics and security volunteer programs.

Krepelka thinks it would help if agencies could fall back on a set of national standards for forensic investigations that will go to trial – from county to county, some agencies allow for volunteers while others do not, but many agencies have backlogs of hundreds of cases. He also thinks that if students knew they could get valuable real-world experience from organizations that needed their expertise, more would study computer security and forensics.

The value of HTCIA student affiliations

Krepelka believes that organizations like the HTCIA can help – and that’s where the final research project comes in. Austin Pham, a student at Cal Poly Pomona, presented on the Forensic and Security Technology (FAST) organization, HTCIA’s student charter at that school. FAST affords students the opportunity to take workshops on data acquisition, analysis and reporting – as well as on industry standard forensic tools, including EnCase and FTK.

This is thanks to its affiliation with the HTCIA SoCal chapter and the forensic professionals who are members there. “We hold six meetings a quarter and some training workshops throughout the year,” says Pham, “and we always get great turnout.” During the student charter’s first signing, in fact, 25+ students expressed interest in membership, and the organization has grown ever since.

Pham added that he and other FAST students had all volunteered to assist with our conference, because of all that HTCIA had invested in them. They registered participants, directed attendees to lecture and lab rooms, and assisted presenters with equipment and other needs.

All six student presenters told us that they had seen a good amount of foot traffic, which resulted in some good comments and questions – especially those for whom the topics hit home. The feedback will help them validate and refine their research, ultimately making it stronger for the entire community.

Anna Carlin, the instructor who coordinated the presentation, adds that the students themselves benefit in a variety of ways: not just with the ability to conduct more credible research, but also with exposure to the very professionals who are in a position to give them jobs or grants.

Did you meet our students in Indian Wells? Want to see future research presented at our conferences? Leave us a comment and let us know what you think!


Recalling the 2011 HTCIA International Conference

September 20, 2011

It’s already been a week since we packed dozens of lectures, 14 hands-on labs, and a sold-out expo hall into our three days at Indian Wells. Here’s a run-down of some of our highlights:

Monday: Cliff Stoll, and Vendor Showcases

The day (and conference) started off strong with Clifford Stoll’s keynote. Clear about the fact that he was making a presentation he first gave in 1986 – and has given several times since then – Stoll nonetheless kept his audience entertained and educated, presenting “evergreen” material that is as relevant today as it was 25 years ago. Among his highlights:

  • Cliff Stoll: ARPANET hacking investigation
  • Cliff Stoll: networking demonstration
  • Cliff Stoll: investigation budgets, mandates

Northern California member Ira Victor followed up with an in-depth interview of Cliff, which he recorded for his Cyber Jungle podcast.

Following the day’s main lab and lecture events, Platinum sponsors Micro Systemation AB and AccessData showcased new products in the Emerald ballrooms.

Amid music, hors d’oeuvres and drinks, MSAB unveiled the worldwide preview of XRY 6.0, including an improved user interface, better export options, and Watchlist automation. MSAB will be providing training at our Philadelphia/Delaware Valley chapter in October, followed by training in South Florida in late October-early November. They’re available to come to any chapter needing mobile phone forensics training – is yours one of them?

Meanwhile, AccessData’s Keith Lockhart talked a bit about Early Case Assessment. During the well-attended and well-received presentation, Lockhart went through this e-discovery product, discussing features such as its ability to filter large amounts of data, to handle collaborative web-based review of that same data, and most of all, its immediate cost savings for forensic and legal teams.

And after all was said and done, participants gathered at the Stir Nightclub on-site for the traditional Northeast Chapter Party!

Tuesday: What we liked best, and our Annual Banquet

Just to keep abreast of what was going on from our participants’ point of view, we asked what they liked best about our conference. Some of the responses:

In the evening came our banquet, a richly rewarding experience that started with drummers from the intercollegiate musical group Senryu Taiko and ended with a hilarious comedy routine from “The Lovemaster,” Craig Shoemaker. In between we enjoyed ribeye steak, a 25th Anniversary chocolate torte, and opening for Craig, comedian Richard Aronovitch.

But the evening’s core lay in our awards ceremonies, where we presented plaques to the winners of our Case of the Year, Chapter of the Year, and Lifetime Achievement Awards. This year, as last year, the Case of the Year winners got a standing ovation for their hard work in putting a killer behind bars. And contenders for Chapter of the Year got a challenge: give SoCal a run for their money!

HTCIA 2011 Case of the Year winners Eichbaum, Cook, Sunseri & Maloney

HTCIA 2011 Lifetime Achievement Award winner Ken Citarella, Northeast Chapter

HTCIA 2011 Chapter of the Year: Southern California's board members

Wednesday: Wrapping up great learning experiences

By Wednesday everyone’s brains were just about full, but our labs and lectures enjoyed good attendance nonetheless:

Other conference highlights: lunchtime raffles, international tweets & still more networking

Lunchtimes offered good food and great prizes. Over chicken and pasta (Monday), cold cuts (Tuesday), and Chinese cooking (Wednesday), participants had the chance to buy tickets to enter our raffles. Giveaways included:

Vendors got in on the action too:

If you were following our hashtag #HTCIACon on Twitter, you may have noticed a few foreign-language tweets. As an international organization, we love to see our members reaching out to their own communities in their native languages. Spanish and Dutch participants did exactly that, including a longer blog post by member and presenter Andres Velazquez.

HTCIA conferences would be nothing without networking and the exchange of amazing ideas. Jim Hoerricks wrote about it, and posted some of those ideas in his blog. We also heard from Albert Barsocchini, who came with an e-discovery perspective.

Did you write or podcast about the HTCIA conference or good outcomes you gleaned? Please let us know in comments!


Pre-conference: An eye toward the future days… and years

September 12, 2011

Sunday, Sept. 11 saw us start to welcome our conference participants, have some fun with those who arrived early, and make some plans – not just for the days, but also for the years ahead:

Our earliest event, the 8 a.m. golf tourney, had a successful 42-player turnout. Sally Vesley, marketing communications manager with tourney sponsor CRU-Dataport/WiebeTech, says it was one of the most fun workdays she has ever had. “They were great golfers,” she says. “We gave away four pairs of golf shoes, a golf cart, and of course USB write blockers.” The write blockers went to the top 3 winners:

  • Jim Keith, Closest to Pin
  • Terry Willis, Longest Drive (and winner of the whole tourney)
  • Brian Collins, part of the winning team

Vesley also says she’s planning another tourney for next year’s conference in Hershey, Pennsylvania.

At 11 a.m. registration opened to welcome our first conference participants. Many had arrived the night before or that morning, and lined up to get their badges and conference materials, including shirts and pins, our program, and free software.

Also at 11 a.m., the expo hall opened so that the vendors could set up their booths in advance of the Vendor Reception planned for the evening. Notable exhibits: Wireshark University’s tropical tiki display (complete with network-devouring shark!), and Paraben’s crime-scene contest. Both sponsors are giving away free stuff: Paraben is making its Chat Examiner software available to participants, while Wireshark U. is providing one-year All Access Passes to its training!

At 1 p.m., chapter presidents (or board representatives) gathered for the International Board of Directors meeting. Among the items discussed there:

  • Membership, including student membership. We currently stand with 38 chapters and 17 student charters, 3,227 members and 214 student members. Our student members continue to be an outstanding addition to our organization, providing needed research and volunteer work to support our regular members.
  • Internet Safety for Children (ISFC). Shadi Hayden, of our Silicon Valley chapter, talked about the renewed interest in the ISFC, which had seen much success in the mid-2000s. Shadi has been working hard to recruit regional volunteers to help with website content and outreach to allied organizations like Internet Crimes Against Children (ICAC) task forces and the OJJDP, so that the ISFC can be a conduit of information between public and private sector investigators. This conduit will include an ISFC website “facelift,” which will allow us to share information both publicly and for member investigators only.
  • Strategic Planning & Communications. In July a Strategic Planning Committee came together to chart the HTCIA’s course over the next five years and beyond. The committee performed a SWOT analysis, determined its goals and strategic objectives, and came up with ideas needed to drive the HTCIA toward those objectives – including a new website, better training and education, and improved communications.
  • The Consortium of Digital Forensics Specialists. Incorporated this year as a way to consolidate the voice of the digital forensics profession, the CDFS asked the HTCIA to become a collective nonprofit member of this complementary (not competing) organization. Board members voted to join – we’ll be sure to update you on future developments as we support this newest organization!

Officers also took care of organization business, including votes on bylaw changes and on International Executive Committee members for the coming year. Joining incoming International President Ron Wilczynski (Northern California) will be: 1st Vice President Tom Quilty (Silicon Valley), 2nd Vice President Jimmy Garcia (Southern California), Secretary Peter Morin (Atlantic Canada), and Treasurer Jose Soltero (Southern California).

Finally, we wish to remember all our members who were affected ten years ago by the 9/11 terrorist attacks. From our New York City members who lost friends and family members – or responded – at the World Trade Center, to other members who committed quantities of time and energy to investigating terrorism, we keep you in our thoughts and our hearts. Your spirit is reflected in the words of our Northeast member Cynthia Hetherington, who was supposed to be aboard United 93:

View more of our photos from pre-conference events and setup at our Facebook page. Be sure to “like” our page while you’re there, so you can see the latest updates over the next few days!


HTCIA 2011: A recap of the fun stuff

September 6, 2011

In recent weeks we’ve provided snapshots of several of our labs and lectures. We’ve got a lot of high quality training, most of our labs are filled and we’re excited about the learning which we know will be happening. However, with the conference just one week away, we also wanted to provide a recap of the fun stuff you can expect when you arrive in Indian Wells!

Sunday morning: Golf Tourney

On Sunday, September 11, 2011, Bronze sponsor CRU-DataPort/WiebeTech will be sponsoring a tournament at the Indian Wells Golf Resort starting at 8:00am. The tournament fee is $75 per player and includes green fees, cart and deluxe golf and digital forensic prizes.

For more details, see our earlier blog post!

Sunday night: Movie Night

Silver Sponsor Vound (makers of Intella email forensics software) is sponsoring a Movie Night on the Rose Lawn. Co-founder Peter Mercer asked for a movie with kangaroos, and/or cricket. Will we deliver?

Monday morning: Keynote Speaker Cliff Stoll

A quirky but charismatic speaker, Cliff Stoll is known for his “restless energy,” as the TED Talks site notes:

You may not be sure where he’s going, but the ride is always part of the adventure.

An astronomer (though his astronomy career took a turn when he noticed a bookkeeping error that ultimately led him to track down a notorious hacker), researcher and internationally recognized computer security expert — who happens to be a vocal critic of technology — Stoll makes a sharp, witty case for keeping computers out of the classroom. Currently teaching college-level physics to eighth graders at a local school, he stays busy in his spare time building Klein bottles.

Monday night: Northeast Chapter Party

What would an HTCIA annual conference be without the traditional Northeast Chapter Party? This is still tentative on our schedule, but we can’t imagine going without this year. Even if we do, the Renaissance Esmeralda has informed us of their desire to have their nightclub open for Monday Night Football. Either way, see you there!

Tuesday: Awards Banquet with Comedian Craig Shoemaker

Our Tuesday evening dinner is an opportunity for us to recognize our association’s biggest contributors. Here we bestow our Chapter of the Year, Case of the Year, and Lifetime Achievement Awards. This year, meet our winners: our Southern California chapter, Central Valley chapter members James Eichbaum and Jim Cook (and maybe, the detectives and deputy DA they assisted), and Ken Citarella of our Northeast chapter.

The evening’s entertainment will come courtesy of Craig Shoemaker, ABC American Comedy Awards’ Comedian of the Year in 1998. An actor and voiceover artist as well as stand-up talent, Shoemaker has worked in stand-up comedy for 20 years. Viewers voted his half-hour Comedy Central special as one of the network’s Top 20 stand-up specials of all time, and his forum, Laughter Heals, serves people suffering from life-threatening illnesses along with their families.

Our lectures form the core of our training and education efforts, but we’re also known for the networking that can only come when new friends and good friends alike come together to share, eat, drink and have a good time. Join us in Indian Wells – we think it’ll be the event of the year!


Partnerships with students, other associations make SoCal Chapter of the Year

August 30, 2011

After an extremely intense Chapter of the Year competition, we’re proud to announce that we’ve awarded our annual honor to our Southern California chapter! The variety of activities and events they put together, plus their innovative outreach efforts, have raised the bar for all our chapters and their members. Some highlights:

Student chapter promotion

While the California State Polytechnic University (Cal Poly) Pomona’s student Forensic and Security Technology (FAST) group had been in existence since 2008, it formalized its HTCIA charter in 2010. SoCal chapter president Chris Curran says, however, that it’s not just about having the charter – it’s also about supporting the students in their career paths.

“We invite our students to attend our regular chapter meetings, which several of them have done,” says Curran. “It’s a great opportunity for them to get a feel for what the field is all about, and also to make contacts with potential employers as well as future colleagues.”

The SoCal chapter also gives students access to its job board, which Curran says has a twofold purpose: 1) graduating seniors can apply if they want, but 2) all the students can see the qualifications they’ll need to apply.

And students are encouraged to help represent HTCIA at conferences. A number of Pomona students volunteered at our conference in Atlanta last year, and will be in Indian Wells again this year. In addition, students helped association members staff a booth at both the ISACA Spring Conference and the AccessData User Conference.

This year, the Cal Poly Pomona students showed their appreciation and spirit by designing custom graduation sashes that they wore with their caps and gowns. These sashes are available to any other student charter with graduating members.

Joint training sessions with other associations

The SoCal chapter has taken steps over the past year to build and strengthen relationships with members in other organizations, including the local chapters for the Information Systems Security Association (ISSA) and Information Systems Audit and Control Association (ISACA). Those relationships led to joint training sessions and networking opportunities.

“It’s important for our members to share information, get new contacts and even encourage cross-pollination between the associations,” says Curran. “High tech crime involves so many aspects of technology that you may encounter some uncommon issue where a contact with background in information security or auditing becomes useful.”

Training and education for children and parents

“We gave three presentations on Internet safety – two at elementary schools and one at a middle school,” says Curran. “The schools made sure to invite the parents along with children at all grade levels. The idea was for them to increase their understanding of the good and bad on the Internet, and increase their communication as a result.”

In addition, longtime HTCIA members Donn Hoffman and David Nardoni presented at the Cyber Challenge Camp, as part of a panel on ethics.

Congratulations to our Southern California chapter, and many thanks to our members there for the hours of hard work put into these efforts. We’re looking forward to presenting the 2011 Chapter of the Year plaques in just two weeks. We hope you’ll join us!


One more week of conference registration!

August 29, 2011

HTCIA 2011 International Training Conference & Expo

Didn’t get a chance to register last week for our upcoming HTCIA International Conference & Training Expo? Well, you have another chance. We’ve had such a great response, we decided to see if we could get record attendance! Therefore, we have decided to keep registration open one more week until Friday, September 2. After this date, registrations will be accepted on-site.

Please note: The Renaissance Esmeralda is almost full. We have arranged for guests to stay at the Hyatt Grand Champions Resort, which is within walking distance of the Renaissance, as our overflow hotel. When making your reservation with the Hyatt, reference “HTCIA” to receive the $103/night group rate.

Don’t delay – register today!


Platinum sponsor BlackBag: Mac triage, iOS forensics and the new BlackLight™

August 26, 2011

Rounding out our Platinum sponsorships: BlackBag Technologies, the Mac forensics experts, who are bringing three labs to Indian Wells. Between Monday and Tuesday, BlackBag CTO Derrick Donnelly and forensic analyst Don Brister will present “Mac Triage, and How to Image Without Losing Your Nuts,” “Everything that You Need to Know about iOS Forensics, but Forgot to Ask,” and a demo of the latest MacQuisition™, as well as the upcoming BlackLight™ version which is slated for release shortly after our conference.

iPhone and iPad forensics

In their vendor-agnostic training, Donnelly and Brister will focus on where to find information on iOS devices. “There’s a lot of misinformation about iOS devices,” says Drew Fahey, BlackBag VP of Product Development. “So we’ll cover how the iOS came to be and where it’s going, how and where data is located on the devices, how to get to it and how to extract and analyze it.”

Imaging, encryption and key files and databases will be covered, along with changes from version to version of the iOS – including the tracking information that was available up to version 4.3.3 (Fahey says this is still widely available as evidence on devices that have not yet been updated).

Deleted SQLite records will also be covered. “The number one request from examiners we hear from is the need for both saved and deleted SMS and MMS,” says Fahey. “We take that a step further, and show them how to recover other deleted information, such as voicemail and contact data.”

Mac triage

Fahey says a soon-to-be-released version of BlackBag’s MacQuisition™ software will include triage functionality, including the ability to make both “live” (memory) and “dead” acquisitions. This tool – and the lab – reflect the growing user base for Macs, a market share that has grown from only 5 percent to 15 percent (for desktops alone) in just a few years, thanks largely to the popularity of iOS devices. Together with iOS devices, the market share is closer to 40 percent, Fahey says.

More users, of course, means more suspects using Macs. “I’ve heard from examiners who see a Mac per week, and sometimes per day, in labs where they never saw them before,” says Fahey. And because the operating system is virtually the same across Mac desktops, laptops and mobile devices, he adds, dividing attention between “computer forensics” and “mobile forensics” can be a problem for labs seeking economies of scale.

As such, Fahey says the conference lab will also cover the importance of analyzing a Mac on a Mac. “You can miss a lot when you analyze Mac data in Windows, regardless of the product you’re using,” he explains.

Mac and iOS forensic analysis with BlackLight™

The latest version of BlackLight™, BlackBag’s forensic analysis software, will be released shortly after HTCIA, but this session will offer examiners a preview of what’s coming.

In particular, the new version will offer completely revamped tagging, reporting and data export functionality, a response to popular demand. “Examiners have been asking for more flexibility in identifying, tagging and exporting files, metadata or even parts of files,” says Fahey. “The new version of BlackLight™ will let them do that and much more. We are very aware of the fact that examiners use multiple products across multiple platforms for large investigations. This new functionality in BlackLight™ is specifically designed to offer them the flexibility needed to quickly mesh their BlackLight™ findings with other data and in other reports.”

Seeing more Macs and/or iOS devices in your investigations? Spaces are going fast in the BlackBag labs, so register today to get the chance to sign up!


Doing more with less: Forensics in the lab and in the field

August 26, 2011

Two of our scheduled lectures address an issue which nearly every digital forensic examiner faces these days: limited resources. Whether budget-related or not, a lack of people or equipment has backlogged a number of labs – anywhere from six months to over a year.

On Tuesday Sept. 13, Andrew Rosen, president of ASR Data, will talk about computer forensic examinations and how to conduct them in a way that makes exams more efficient. That same day, Jason Weiss, Jim Watkins and Baden Gardner, of the FBI’s Orange County (CA) Regional Computer Forensic Lab (RCFL), will discuss backlog reduction strategies for labs.

How to work 10 times faster with FTK and EnCase

Creator of the Expert Witness forensic software that is now known as EnCase, Rosen believes that the forensic community has focused so much on tools in the last few years that examiners have lost sight of the processes which could make them more efficient. For example, he says, “Segmenting images was important when FAT32 was dominant and you had to segment. But now, it’s part of the forensic canon when it doesn’t need to be.”

Likewise, forensic examiners don’t know how to remediate the problems inherent in searching images of terabyte drives and petabyte collections within the current forensic paradigm. “‘Triage’ is a buzzword that reflects how long it takes even for a skilled examiner to figure out where data falls in the analysis stack,” Rosen explains. “The tools reflect an approach that allows examiners to obtain actionable information quickly.

“But getting less than a full forensic image just to save time and money runs contrary to forensic method,” he continues. “So to get to a solution, you have to take a step back, look from the standpoint of a juror or judge and ask why the current way is what it is. And once you understand how the tools’ methods lead to inefficiency, you can remediate that by leveraging simple logic and the specialized knowledge of the investigator.”

For example: “On a keyword search, you start with Sector 0 and move forward until you’ve searched all the data,” Rosen says. “This is a simple, linear implementation, and it means you’re searching for data where it is not likely to exist.”

In other words, rather than focus on higher level details like file names, focus instead on the data – the URLs, images, IP addresses and other underlying characteristics of data. “By defining what we are interested in and what we are not interested in, we can eliminate the slowest and most inefficient part of the forensic search process. This allows the examiner to obtain a full image without having to worry about where data can’t exist,” Rosen says.
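As an added illustration of the contrast described above (this is not ASR Data’s or Rosen’s code, and the image, keyword and entropy cutoff are constructed for the demo), the Python below runs two keyword searches over a small raw disk image: a linear scan that pattern-matches every byte from sector 0, and a search that first classifies each sector and pattern-matches only the ones where an ASCII keyword could exist, skipping all-zero sectors and sectors whose byte entropy marks them as compressed or encrypted. Adjacent candidate sectors are merged so a hit that straddles a sector boundary is still found.

```python
"""Keyword search over a raw disk image: every sector from sector 0 versus
only the sectors where plaintext can exist. Added illustration; not ASR Data's
code. The image, keyword and thresholds are constructed for this demo."""
import math
import random

SECTOR = 512
KEYWORD = b"PROJECT_FALCON"   # assumed search term
ENTROPY_CUTOFF = 7.0          # bits/byte; above this a sector is treated as compressed/encrypted


def shannon_entropy(block: bytes) -> float:
    """Empirical entropy in bits per byte: 0.0 for a constant block, near 8.0 for random data."""
    n = len(block)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_sector(block: bytes) -> str:
    """'zero' (wiped/unused), 'high_entropy' (an ASCII keyword cannot survive intact
    in encrypted or well-compressed data), otherwise 'data'."""
    if not any(block):
        return "zero"
    if shannon_entropy(block) > ENTROPY_CUTOFF:
        return "high_entropy"
    return "data"


def build_image(seed: int = 1) -> tuple[bytes, list[int]]:
    """Constructed image: 40 zero sectors, 30 random (encrypted-looking) sectors,
    6 sectors of text with the keyword planted twice, then 40 more zero sectors.
    Returns the image and the byte offsets where the keyword was planted."""
    rnd = random.Random(seed)
    parts = [bytes(SECTOR * 40),
             bytes(rnd.getrandbits(8) for _ in range(SECTOR * 30))]
    base = sum(len(p) for p in parts)
    filler = b"quarterly report draft, do not circulate. "
    run = bytearray((filler * 200)[: SECTOR * 6])
    planted = []
    for pos in (SECTOR * 2 - 4,      # straddles the boundary between two sectors
                SECTOR * 4 + 100):   # wholly inside one sector
        run[pos : pos + len(KEYWORD)] = KEYWORD
        planted.append(base + pos)
    parts += [bytes(run), bytes(SECTOR * 40)]
    return b"".join(parts), planted


def find_all(buf: bytes, keyword: bytes, base: int) -> list[int]:
    """Absolute offsets of every (possibly overlapping) occurrence of keyword in buf."""
    hits, start = [], 0
    while (i := buf.find(keyword, start)) != -1:
        hits.append(base + i)
        start = i + 1
    return hits


def linear_search(image: bytes, keyword: bytes) -> tuple[list[int], int]:
    """The criticised approach: start at sector 0 and pattern-match every byte.
    Returns (hit offsets, sectors pattern-matched)."""
    return find_all(image, keyword, 0), -(-len(image) // SECTOR)


def candidate_ranges(image: bytes) -> list[tuple[int, int]]:
    """One cheap classification pass; adjacent 'data' sectors are merged into
    [start, end) byte ranges so a hit straddling a sector boundary is still found."""
    ranges: list[tuple[int, int]] = []
    for off in range(0, len(image), SECTOR):
        if classify_sector(image[off : off + SECTOR]) != "data":
            continue
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], off + SECTOR)
        else:
            ranges.append((off, off + SECTOR))
    return ranges


def classified_search(image: bytes, keyword: bytes) -> tuple[list[int], int]:
    """Pattern-match only the candidate ranges. Returns (hit offsets, sectors pattern-matched)."""
    hits, examined = [], 0
    for start, end in candidate_ranges(image):
        end = min(end, len(image))
        hits.extend(find_all(image[start:end], keyword, start))
        examined += -(-(end - start) // SECTOR)
    return hits, examined


if __name__ == "__main__":
    img, planted = build_image()
    for name, fn in (("linear", linear_search), ("classified", classified_search)):
        hits, n = fn(img, KEYWORD)
        print(f"{name:>10}: {len(hits)} hits at {hits}, {n} sectors pattern-matched")
    print("planted at", planted)
```

Two caveats a practitioner should carry into the report. The classification pass still reads every sector, so the first run is linear too; the saving comes from computing that map once and reusing it for every subsequent keyword, regex or hash lookup. And the exclusion is a heuristic: a compressed container that stores some blocks uncompressed, or a plaintext string embedded in otherwise binary data, can still hide an ASCII keyword in a sector the filter skips, and UTF-16 or base64 variants of the keyword need their own patterns.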

This is important for examiners who have already invested heavily in FTK and/or EnCase. “The tool isn’t the most important thing; it has to be an extension of the examiner,” he adds. “If you automate an inefficient process, all you’ll get is faster inefficiency. But if you automate an efficient process, you’ll become more efficient over time. In this way, our forensic tools can provide ROI – the more you run it, the more inefficiency it eats.”

Doing more with less in a lab environment

Weiss, Watkins and Gardner have taken a different approach at the OCRCFL. Their focus is also on process, but on the practical rather than the purely technical side. As Laboratory Director Jason G. Weiss explains, despite the exponential growth in digital media examinations (the LA FBI has seen the amount of data processed increase by more than 100% per year for the last eight years), their approach has helped eliminate most of the case backlog.

In their lecture, they’ll focus on three elements (along with cost and statistical figures) that have brought them the most success: Case Agent Investigative Review (CAIR), Forensic Preview, and “self-service” kiosks for both cell phones and loose media (such as thumb drives).

“CAIR and Forensic Previews are low cost solutions to improving forensic laboratory efficiency,” says Weiss. “Choosing which process is the best fit for any given case comes down to the case’s size and complexity.”

CAIR enables the primary investigator (“Case Agent”) to review their digital evidence quickly in a safe, forensically controlled environment. Once that review is complete, lab staff give the Case Agent a disk of the relevant files from the media, which can advance the investigation and let the Case Agent decide on the next step without waiting weeks or even months for a traditional data content review.

Forensic Previews, meanwhile, are useful when conducting searches, especially of child pornography suspects. “Some of the computers Case Agents seize during these investigations may have no child porn on them, so a Forensic Preview of those hard drives helps us determine if the computer in question is contraband, or should be returned to the subject,” says Weiss.

He adds, “The preview process is usually very valuable to the Case Agent and allows both us and the Case Agent to quickly understand a case before we spend significant laboratory resources imaging and/or examining computer data that is not even part of the crime.”

The new “self-service” kiosks are another time saver: they enable the RCFL’s partner agencies to come to the lab and review cell phones, iOS devices and most types of loose media in a forensic environment, without a traditional forensic exam. Most of these reviews take significantly less time than traditional exams and can usually be completed in one short visit to the lab.

All of the processes covered in this seminar also make it easier for examiners to work several cases at once, something Weiss says is “harder to do if you are looking at every case in the traditional computer forensics model.” Many of these processes scale regardless of lab size, whether you have 3 examiners or 30.

Dealing with backlogs in your lab, or simply need more efficient work processes? Come to Indian Wells next month and learn from those who have been there!


Platinum sponsor AccessData: Cross-pollinating with digital forensics, e-discovery and infosec training

August 24, 2011

No coverage of our conference would be complete without a mention of our longtime Platinum-level sponsor, AccessData. Not only are they holding a one-hour showcase on the latest version of their lab solution, which provides massive distributed processing and a web-based environment for collaborative analysis; they are also presenting on a range of topics across digital forensics, information security and e-discovery.

“With the fast changing cyber landscape, more and more forensic examiners find themselves assisting with incident response and litigation support for their employers. Likewise, law enforcement is faced with a growing number of cybercrime cases involving hacking and malware,” says Keith Lockhart, AccessData’s vice president of training. “That’s why we’re providing a good selection of educational content on those topics, specifically geared toward forensic examiners who need this type of continuing education in order to keep up with the ever-changing demands of this industry.”

Social media, Macintosh analysis, decryption and Windows 7

On Monday morning, Sept. 12, AccessData’s Nick Drehel, senior instructor and curriculum manager, and Michael Staggs, senior consulting engineer, will present “The Realities of Investigating Social Media.” This lab will discuss myths in the marketplace and demonstrate the value of network forensics when it comes to a comprehensive social media investigation. Participants will learn what is possible using host analysis solutions versus packet analysis.

On Tuesday morning, Drehel will present “Next Generation Decryption,” in which participants will learn how to maximize their chances of success when attacking encrypted files. Attendees will learn best practices, ways to go after the “low-hanging fruit”, and how to use PRTK and the AccessData “Art of War” methodology to recover passwords from files, recover user logon passwords and decrypt IntelliForms data.

Chris Sanft, another senior instructor with AccessData, will present two labs, on Macintosh analysis and on Windows 7 forensics. Sanft’s Mac analysis lab, on Monday afternoon, will focus on using FTK and FTK Imager to image, examine and report on Macintosh evidence, with attention to the HFS drive structure.

On Wednesday afternoon, Sanft returns for a hands-on presentation about Microsoft Windows 7 operating system artifacts and file system mechanics. He’ll discuss the BitLocker Full Volume Encryption (FVE) technology and the new BitLocker To Go, along with the techniques that should be employed during evidence seizure and acquisition. Students will also review the changes in the Windows 7 registry and recover forensic artifacts from the registry.

E-discovery for forensics examiners, social media, and early case assessment

David Speringo, a senior e-discovery consultant for AccessData, will cover three e-discovery-related topics between Tuesday and Wednesday.

On Tuesday, he’ll present the lectures “What Every Forensic Investigator Should Know about eDiscovery and the Process” and “Social Media and eDiscovery.” The first will cover the critical requirements of e-discovery that a forensic examiner must understand, a task that frequently falls outside their comfort zone. Participants are encouraged to ask questions about the nuts and bolts of the electronic discovery process!

“Social Media and eDiscovery,” meanwhile, will explore the need for organizations to have a social media policy in place – and to effect a proper e-discovery plan to capture and secure social media interactions over the network. Speringo will take participants through a discussion of policy creation, usage and those technologies which can facilitate either the collection or preservation of data, as well as the analysis of that data.

Wednesday’s lab, “Early Data Assessment and Early Case Assessment,” will teach participants how to quickly sort and filter through data before it goes into final review, making it easier for a legal team to determine probabilities of success for either a defense or settlement for a given piece of litigation. The lab will take the user through a case study using AccessData’s ECA software to analyze metrics, keywords, and file categorization.

Memory analysis, man-in-the-middle attacks, and handling advanced exploits

Rounding out AccessData’s labs will be three presentations on information security topics. On Monday, AD’s director of forensics training Ken Warren and NCFI network forensics instructor Rob Andrews will cover memory analysis fundamentals, including options for memory capture both in the field and in the lab. They’ll look at the artifacts that can be easily parsed from memory, along with techniques for searching memory and even retrieving graphics, the unencrypted form of text that is encrypted on disk, passwords and more.
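The kinds of artifacts that paragraph lists can be pulled from a raw capture with nothing more than marker and string matching. The Python below is an added illustration over a constructed dump (not AccessData’s or NCFI’s code, and not what their lab uses): it carves JPEGs between the SOI and EOI markers, extracts printable runs in both ASCII and UTF-16LE (the encoding most in-memory Windows strings use), and then picks URLs and password-like form fields out of those strings. The offsets, hostnames and credential value are all constructed.

```python
"""Carving artifacts out of a raw memory capture: embedded JPEGs by marker,
ASCII and UTF-16LE strings, URLs and credential fragments. Added illustration
over a constructed dump; not AccessData's or NCFI's code."""
import re

JPEG_SOI = b"\xff\xd8\xff"   # start of image, followed by the first marker byte
JPEG_EOI = b"\xff\xd9"       # end of image
MAX_JPEG = 16 * 1024 * 1024  # assumed sanity bound: give up on a header with no trailer within 16 MiB

ASCII_RUN = rb"[\x20-\x7e]{%d,}"
UTF16_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/\S*)?")
CRED_RE = re.compile(r"(?i)(?:pass(?:word|wd)?|pwd)=([^&\s]+)")


def _junk(n: int) -> bytes:
    """Filler that is non-printable, non-zero and never 0xFF: no false markers or strings."""
    return bytes(0x80 + (i % 127) for i in range(n))


def build_dump() -> bytes:
    """Constructed 'memory': a tiny JPEG at offset 4096, an HTTP request in ASCII,
    and a URL stored as UTF-16LE."""
    jpeg = (JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01"
            + bytes(0x80 + ((i * 37) % 120) for i in range(300))  # fake scan data, never 0xFF
            + JPEG_EOI)
    request = (b"GET /login?user=alice&password=Hunter2! HTTP/1.1\r\n"
               b"Host: intranet.example.test\r\n"
               b"Referer: http://intranet.example.test/portal\r\n")
    wide = "https://mail.example.test/inbox?id=42".encode("utf-16-le")
    return _junk(4096) + jpeg + _junk(777) + request + _junk(1000) + wide + _junk(2048)


def carve_jpegs(dump: bytes) -> list[tuple[int, bytes]]:
    """Header/trailer carving: (offset, bytes) for each SOI...EOI span.
    Embedded thumbnails (a second SOI before the outer EOI) and truncated images
    are the classic failure modes of this simple method and are not handled here."""
    found, pos = [], 0
    while (soi := dump.find(JPEG_SOI, pos)) != -1:
        eoi = dump.find(JPEG_EOI, soi + len(JPEG_SOI), soi + MAX_JPEG)
        if eoi == -1:
            pos = soi + 1
            continue
        found.append((soi, dump[soi : eoi + len(JPEG_EOI)]))
        pos = eoi + len(JPEG_EOI)
    return found


def extract_strings(dump: bytes, min_len: int = 8) -> list[tuple[int, str, str]]:
    """(offset, encoding, text) for printable runs of at least min_len characters,
    in both ASCII and UTF-16LE, sorted by offset."""
    found = []
    for m in re.finditer(ASCII_RUN % min_len, dump):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(UTF16_RUN % min_len, dump):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_urls(strings: list[tuple[int, str, str]]) -> list[str]:
    """Distinct http(s) URLs found in any extracted string, regardless of encoding."""
    return sorted({u for _, _, s in strings for u in URL_RE.findall(s)})


def find_credentials(strings: list[tuple[int, str, str]]) -> list[str]:
    """Values of password-like query/form parameters: a lead to verify, not proof."""
    return sorted({c for _, _, s in strings for c in CRED_RE.findall(s)})


if __name__ == "__main__":
    dump = build_dump()
    for off, data in carve_jpegs(dump):
        print(f"JPEG at {off:#x}, {len(data)} bytes")
    strings = extract_strings(dump)
    for off, enc, text in strings:
        print(f"{off:#08x} {enc:8} {text}")
    print("URLs:", find_urls(strings))
    print("credential fragments:", find_credentials(strings))
```

On a real capture the ASCII pass is noisy (random data produces short printable runs, so raise `min_len` or post-filter), and every carved image or credential should be tied back to the process that owned the page, which needs a structured memory parser rather than raw carving; this example shows only the carving layer.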

Warren and Andrews return on Tuesday with “Hands-On Hacking Investigation: Man in the Middle Attack.” In a man-in-the-middle attack the adversary interposes between two communicating parties and relays, and possibly alters, their traffic; it is used against unsuspecting users in many different situations. Warren and Andrews will discuss the techniques used to investigate this type of breach and the artifacts left behind after the attack.

On Wednesday morning, Michael Staggs and senior global security engineer Tom Wong will talk about “New Technology for the Improved Handling of Advanced Exploits.” In this session, attendees will learn about technological advancements that dramatically enhance an organization’s ability to detect, analyze and remediate threats. They will see how the integration of host analysis, network analysis and data auditing will arm organizations to better handle network exploits, data theft or even HR policy violations.

AccessData tools presentations

On Monday evening, Nick Drehel will return for a Happy Hour FTK Transition Workshop. The objective of this lecture-only presentation is to introduce attendees to the AccessData Forensic Toolkit 4.0 software. The lecture will cover the new enhancements to the program and its database, and attendees will have the opportunity to ask questions about the new database.

On Wednesday morning, mobile forensics trainer Lee Reiber will cover extraction techniques for iPhone, iPad and Android devices using Mobile Phone Examiner Plus (MPE+) and FTK. Learn which tools extract the most data logically, and also learn how to physically image an Apple iOS device, including the iPad.

Interested in attending any of these labs? Register now so that you can sign up – seats are going quickly!
