Platinum sponsor BlackBag: Mac triage, iOS forensics and the new BlackLight™

August 26, 2011

Rounding out our Platinum sponsorships: BlackBag Technologies, the Mac forensics experts, who are bringing three labs to Indian Wells. Between Monday and Tuesday, BlackBag CTO Derrick Donnelly and forensic analyst Don Brister will present “Mac Triage, and How to Image Without Losing Your Nuts,” “Everything that You Need to Know about iOS Forensics, but Forgot to Ask,” and a demo of the latest MacQuisition™ as well as the upcoming BlackLight™ version, which is slated for release shortly after our conference.

iPhone and iPad forensics

In their vendor-agnostic training, Donnelly and Brister will focus on where to find information on iOS devices. “There’s a lot of misinformation about iOS devices,” says Drew Fahey, BlackBag VP of Product Development. “So we’ll cover how the iOS came to be and where it’s going, how and where data is located on the devices, how to get to it and how to extract and analyze it.”

Imaging, encryption, key files and databases will be covered, along with the changes from one iOS version to the next, including the location-tracking information that was available up to iOS 4.3.3 (Fahey says this is still widely available as evidence on devices that have not yet been updated).

Deleted SQLite records will also be covered. “The number one request from examiners we hear from is the need for both saved and deleted SMS and MMS,” says Fahey. “We take that a step further, and show them how to recover other deleted information, such as voicemail and contact data.”
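
What that recovery rests on, in a worked form: unless SQLite was built or configured with secure_delete, a deleted row's bytes stay in the file. The row's cell becomes a freeblock inside its b-tree page, and a dropped or emptied table's pages are handed back to the freelist with their old contents in place. The Python below is an added example, not BlackBag's code. It builds a small SMS and voicemail database in a temporary directory (constructed data), deletes one message and drops one table, then walks the file format by hand to carve printable strings from exactly those regions: page freeblocks, the unallocated gap between each page's cell-pointer array and its cell content, and freelist pages. secure_delete is forced off so the deleted bytes survive; a device whose SQLite build zeroes freed space will not yield them. The carver does not follow overflow-page chains or decode record headers, so its hits are raw strings to be matched back to the schema, not reconstructed rows.

```python
"""Carve deleted SQLite records from page slack: freeblocks, the unallocated
gap in each b-tree page, and pages sitting on the freelist.
Added example; the sample database is constructed inline."""
import os
import re
import sqlite3
import struct
import tempfile

BTREE_PAGE_TYPES = {0x02, 0x05, 0x0A, 0x0D}   # interior/leaf index, interior/leaf table
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")   # ASCII runs of 6+ bytes


def build_sample_db(path):
    """Constructed sample: one SMS row deleted, one table dropped."""
    conn = sqlite3.connect(path)
    # Assumption for the demo: freed bytes are left in place, as with a SQLite
    # build that does not default secure_delete to ON.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE sms(id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    conn.execute("CREATE TABLE voicemail(id INTEGER PRIMARY KEY, caller TEXT, transcript TEXT)")
    conn.executemany("INSERT INTO sms(address, body) VALUES (?, ?)", [
        ("+15551230001", "see you at lunch tomorrow"),
        ("+15551230002", "meet at the pier at 9"),
        ("+15551230003", "did you get the package"),
    ])
    conn.execute("INSERT INTO voicemail(caller, transcript) VALUES (?, ?)",
                 ("+15551230004", "call me back about the boat"))
    conn.commit()
    conn.execute("DELETE FROM sms WHERE id = 2")   # cell becomes a freeblock
    conn.execute("DROP TABLE voicemail")            # root page goes to the freelist
    conn.commit()
    conn.close()


def page_size_of(data):
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    size = struct.unpack(">H", data[16:18])[0]
    return 65536 if size == 1 else size


def slack_regions(data):
    """Yield (page_number, bytes) for every region no live cell owns."""
    psize = page_size_of(data)
    npages = len(data) // psize
    page = lambda n: data[(n - 1) * psize: n * psize]
    freelist = set()
    # Freelist trunk chain starts at header offset 32; each trunk page holds
    # a next-trunk pointer, a leaf count and that many leaf page numbers.
    trunk = struct.unpack(">I", data[32:36])[0]
    while trunk and trunk <= npages and trunk not in freelist:
        freelist.add(trunk)
        body = page(trunk)
        nleaf = min(struct.unpack(">I", body[4:8])[0], (psize - 8) // 4)
        leaves = struct.unpack(">%dI" % nleaf, body[8:8 + 4 * nleaf])
        yield trunk, body[8 + 4 * nleaf:]           # stale content past the pointers
        for leaf in leaves:
            if 0 < leaf <= npages:
                freelist.add(leaf)
                yield leaf, page(leaf)              # whole page is stale
        trunk = struct.unpack(">I", body[0:4])[0]
    for pgno in range(1, npages + 1):
        if pgno in freelist:
            continue
        body = page(pgno)
        hdr = 100 if pgno == 1 else 0               # page 1 carries the file header
        flag = body[hdr]
        if flag not in BTREE_PAGE_TYPES:
            continue                                # overflow or unknown page
        first_free, ncells, content = struct.unpack(">HHH", body[hdr + 1:hdr + 7])
        content = content or 65536
        ptr_end = hdr + (8 if flag in (0x0A, 0x0D) else 12) + 2 * ncells
        yield pgno, body[ptr_end:content]           # gap between pointers and cells
        seen = set()
        while first_free and first_free not in seen:
            seen.add(first_free)
            nxt, size = struct.unpack(">HH", body[first_free:first_free + 4])
            yield pgno, body[first_free + 4:first_free + size]  # header overwrote 4 bytes
            first_free = nxt


def carve_deleted_strings(path):
    with open(path, "rb") as fh:
        data = fh.read()
    return {m.group().decode("ascii")
            for _, region in slack_regions(data)
            for m in PRINTABLE.finditer(region)}


def live_sms_bodies(path):
    conn = sqlite3.connect(path)
    try:
        return [row[0] for row in conn.execute("SELECT body FROM sms ORDER BY id")]
    finally:
        conn.close()


def demo():
    path = os.path.join(tempfile.mkdtemp(), "sms.db")
    build_sample_db(path)
    return live_sms_bodies(path), carve_deleted_strings(path)


if __name__ == "__main__":
    live, carved = demo()
    print("live rows:", live)
    for s in sorted(carved):
        print("carved:", s)
```

Run as a script, it prints the two live rows beside the carved strings: the deleted message body, the dropped table's voicemail transcript and its CREATE TABLE statement from sqlite_master all come back, some with a few record-header bytes stuck to the front of the hit. The rollback journal or WAL file beside a database holds earlier page images and deserves the same treatment, but with its own framing, which this carver does not parse.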

Mac triage

Fahey says a soon-to-be-released version of BlackBag’s MacQuisition™ software will include triage functionality, including the ability to make both “live” (memory) and “dead” acquisitions. This tool – and the lab – reflect the growing user base for Macs, a market share that has grown from only 5 percent to 15 percent (for desktops alone) in just a few years, thanks largely to the popularity of iOS devices. Together with iOS devices, the market share is closer to 40 percent, Fahey says.

More users, of course, means more suspects using Macs. “I’ve heard from examiners who see a Mac per week, and sometimes per day, in labs where they never saw them before,” says Fahey. And because the operating system is virtually the same across Mac desktops, laptops and mobile devices, he adds, dividing attention between “computer forensics” and “mobile forensics” can be a problem for labs seeking economies of scale.

As such, Fahey says the conference lab will also cover the importance of analyzing a Mac on a Mac. “You can miss a lot when you analyze Mac data in Windows, regardless of the product you’re using,” he explains.

Mac and iOS forensic analysis with BlackLight™

The latest version of BlackLight™, BlackBag’s forensic analysis software, will be released shortly after HTCIA, but this session will offer examiners a preview of what’s coming.

In particular, the new version will offer completely revamped tagging, reporting and data export functionality, a response to popular demand. “Examiners have been asking for more flexibility in identifying, tagging and exporting files, metadata or even parts of files,” says Fahey. “The new version of BlackLight™ will let them do that and much more. We are very aware of the fact that examiners use multiple products across multiple platforms for large investigations. This new functionality in BlackLight™ is specifically designed to offer them the flexibility needed to quickly mesh their BlackLight™ findings with other data and in other reports.”

Seeing more Macs and/or iOS devices in your investigations? Spaces are going fast in the BlackBag labs, so register today to get the chance to sign up!


Platinum sponsor AccessData: Cross-pollinating with digital forensics, e-discovery and infosec training

August 24, 2011

No coverage about our conference would be complete without a mention of our longtime Platinum-level sponsor, AccessData. Not only are they holding a one-hour showcase on the latest version of their lab solution, which provides massive distributed processing and a web-based environment for collaborative analysis – they also have a range of diverse topics on digital forensics, information security and e-discovery.

“With the fast changing cyber landscape, more and more forensic examiners find themselves assisting with incident response and litigation support for their employers. Likewise, law enforcement is faced with a growing number of cybercrime cases involving hacking and malware,” says Keith Lockhart, AccessData’s vice president of training. “That’s why we’re providing a good selection of educational content on those topics, specifically geared toward forensic examiners who need this type of continuing education in order to keep up with the ever-changing demands of this industry.”

Social media, Macintosh analysis, decryption and Windows 7

On Monday morning, Sept. 12, AccessData’s Nick Drehel, senior instructor and curriculum manager, and Michael Staggs, senior consulting engineer, will present “The Realities of Investigating Social Media.” This lab will discuss myths in the marketplace and demonstrate the value of network forensics when it comes to a comprehensive social media investigation. Participants will learn what is possible using host analysis solutions versus packet analysis.

Tuesday morning, Drehel will also present “Next Generation Decryption,” in which participants will learn how to maximize their chances of success when attacking encrypted files. Attendees will learn best practices, ways to go after the “low-hanging fruit” first, and how to use PRTK and the AccessData “Art of War” methodology to recover file passwords and user logon passwords and to decrypt IntelliForms data.

Chris Sanft, another senior instructor with AccessData, will present two labs, on Macintosh analysis and on Windows 7 forensics. Sanft’s Mac analysis lab, which will take place Monday afternoon, will use FTK and FTK Imager to walk the HFS volume structure and to image, examine and report on Macintosh evidence.

On Wednesday afternoon, Sanft returns for a hands-on presentation about Microsoft Windows 7 operating system artifacts and file system mechanics. He’ll discuss the BitLocker Full Volume Encryption (FVE) technology and the new BitLocker To Go, along with the techniques that should be employed during evidence seizure and acquisition. Students will also review the changes in the Windows 7 registry and recover forensic artifacts from the registry.

E-discovery for forensics examiners, social media, and early case assessment

David Speringo, a senior e-discovery consultant for AccessData, will cover three e-discovery-related topics between Tuesday and Wednesday.

On Tuesday, he’ll present the lectures “What Every Forensic Investigator Should Know about eDiscovery and the Process” and “Social Media and eDiscovery.” The first covers the critical requirements of e-discovery that a forensic examiner must understand, a task that frequently falls outside the examiner’s comfort zone. Participants are encouraged to ask questions about the nuts and bolts of the electronic discovery process!

“Social Media and eDiscovery,” meanwhile, will explore the need for organizations to have a social media policy in place – and to effect a proper e-discovery plan to capture and secure social media interactions over the network. Speringo will take participants through a discussion of policy creation, usage and those technologies which can facilitate either the collection or preservation of data, as well as the analysis of that data.

Wednesday’s lab, “Early Data Assessment and Early Case Assessment,” will teach participants how to quickly sort and filter through data before it goes into final review, making it easier for a legal team to determine probabilities of success for either a defense or settlement for a given piece of litigation. The lab will take the user through a case study using AccessData’s ECA software to analyze metrics, keywords, and file categorization.

Memory analysis, man-in-the-middle attacks, and handling advanced exploits

Rounding out AccessData’s labs will be three presentations on information security topics. On Monday, AD’s director of forensics training Ken Warren and NCFI network forensics instructor Rob Andrews will cover memory analysis fundamentals, including options for memory capture both in the field and in the lab. They’ll look at the artifacts that can be easily parsed from memory, along with techniques for searching memory and even retrieving graphics, unencrypted versions of text, passwords and more.

Warren and Andrews will return on Tuesday to present “Hands-On Hacking Investigation: Man in the Middle Attack.” Man-in-the-middle attacks are mounted against unsuspecting users in many different situations; Warren and Andrews will discuss the techniques used to investigate this type of breach and how to find the artifacts left behind after the attack.

On Wednesday morning, Michael Staggs and senior global security engineer Tom Wong will talk about “New Technology for the Improved Handling of Advanced Exploits.” In this session, attendees will learn about technological advancements that dramatically enhance an organization’s ability to detect, analyze and remediate threats. They will see how the integration of host analysis, network analysis and data auditing will arm organizations to better handle network exploits, data theft or even HR policy violations.

AccessData tools presentations

On Monday evening, Nick Drehel will return for a Happy Hour FTK Transition Workstation. The objective of this lecture-only presentation is to introduce attendees to the AccessData Forensic Toolkit 4.0 software. The lecture will cover the new enhancements to the program and database, and attendees will get the opportunity to ask questions about the new database.

On Wednesday morning, mobile forensics trainer Lee Reiber will cover extraction techniques for iPhone, iPad and Android devices using Mobile Phone Examiner Plus (MPE+) and FTK. Learn which tools extract the most data logically, and also learn how to physically image an Apple iOS device, including the iPad.

Interested in attending any of these labs? Register now so that you can sign up – seats are going quickly!


Platinum sponsor Cellebrite: Labs on mobile forensics best practices, and the latest tools

August 16, 2011

Do you know how that cell phone in your hand actually works? If not, how do you know your mobile forensic tool will get the data you expect? How about that iPhone or Android — do you know what’s really involved with a physical acquisition on these devices?

Cellebrite will be offering multiple mobile forensic labs, both on its own and in conjunction with training partner Sumuri Forensics, on these topics and more. We talked with instructors Keith Daniels, Ronen Engler, and Steve Whalen about what they’ll be offering in September:

Best Practices in Mobile Forensics

One of the most misunderstood aspects of mobile forensics, according to Cellebrite director of training Keith Daniels, is the need for investigators to understand the device from which they’re trying to retrieve data.

“Get the device’s manual from the FCC,” says Daniels. “Log on to an investigative community like [conference Bronze sponsor] Teel Technologies’ Mobile Forensics Central. That’s where investigators talk about phone features and limitations, the hoops you have to jump through to get the phone to communicate with the forensic device.”

Doing so can make all the difference between getting the correct data in the correct way and having to take the time to snap photos of each of the phone’s screens. But that’s not all that’s at stake. Daniels points to the Laci Peterson homicide, in which mobile device evidence was crucial.

“Scott Peterson is on Death Row. Fifteen years from now in a new trial, will the original investigators remember case details, or even be available to testify? But if they have the manual, they’ll be able to testify as to what phones could do in 2003, what his particular device was capable of, and why that evidence was relevant to the case.”

Other practices besides knowing the phone:

  • Taking the phone off the network — and understanding the dangers of not doing so.
  • Creating the right folder structure. “Some investigators use more than one forensic tool, so the right folder structure will segment the evidence according to the tool that retrieved it,” says Daniels.
  • Thinking outside the box. “The phone can be physical evidence as well as containing digital evidence,” says Daniels, referring to a homicide in which gunshot residue was found on a cell phone.

“Remember,” Daniels adds, “the defense will attack not the evidence itself, but the way it was obtained. Doing your due diligence will elevate your credibility and your position in court.”

Basic and advanced UFED work

Authorized Cellebrite trainer Steve Whalen, Managing Director and co-founder of Sumuri Forensics, will show how the UFED tool puts these best practices to work in his two introductory labs, one each on the UFED and the Physical Pro. “We’ll do a brief overview of each tool and its important features, with examples so that the students can learn hands-on how it all works,” he says.

But the training won’t only be about what buttons to push. It will also provide the background: why investigators push those buttons, how the unit functions and how that applies to forensic methodology.

“So-called ‘push-button’ forensics is not a problem as long as the examiner understands the device’s basic functionality and what it’s doing to perform the extraction,” Whalen says. “It’s not about how hard or easy the tool is to use; tools can be validated. It’s about following the basic forensic principles that everyone should follow.”

In fact, Whalen says, the UFED’s simplicity is a benefit toward this goal. “The basic UFED Logical lab will show how the UFED extracts information from within the device’s filesystem, such as the call logs, and interprets the directory structure.

“The Cellebrite Physical Pro lab will show how the device extracts both the logical filesystem, and the physical data — the bit-for-bit copy including unallocated space on the chip. We’ll also cover the variety of search functions in Physical Analyzer, including regular expressions, predefined search patterns like 7-bit SMS strings, and GREP,” Whalen says.

“Physical Pro simplifies the process of making a physical image of a mobile device, which significantly increases the amount of evidence that can be located,” Whalen adds. “Because Cellebrite takes the time to ensure its tools’ processes are as un-intrusive as possible, more users can acquire physical data without having to resort to non-forensic hacker tools like flasher boxes, which can ruin evidence if used the wrong way.”

What does all this add up to? Time saved, says Whalen, explaining that the UFED is a standalone unit and doesn’t rely on a good or bad installation of forensic software, or whether that software communicates properly with the device. “Debugging a comm port can take time and increases the chance of hair loss as the examiner troubleshoots the device and/or the computer,” he says. “The UFED saves that time.”
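
The 7-bit SMS pattern Whalen mentions exists because GSM 03.38 packs each character into seven bits and runs them together, so a message's bytes on the chip depend on where each character falls in the bitstream, and an ASCII search for the text finds nothing. The following Python is an added example rather than anything from Cellebrite: it packs and unpacks the 7-bit encoding, then generates the byte pattern a phrase produces at each of the eight possible bit alignments, dropping the partial first and last bytes that also depend on neighbouring characters, so a dump can be searched for the phrase wherever it sits inside a message. The dump is constructed inline. It assumes the basic GSM alphabet, in which letters, digits and space share ASCII code points; characters such as @ and $ and the escape-sequence extensions differ and are not handled.

```python
"""GSM 03.38 7-bit packing: decode packed SMS text from a dump and build the
byte patterns needed to search a dump for a phrase.  Added example; the dump
is constructed inline."""
import re


def gsm7_pack(text, lead_bits=0):
    """Pack 7-bit characters into octets as an SMS PDU does.  `lead_bits`
    (0..7) unknown bits precede the text, as when it starts mid-message; they
    and any unused trailing bits are left zero.  Assumes the basic GSM
    alphabet, where letters, digits and space share ASCII code points."""
    value = 0
    for i, ch in enumerate(text):
        value |= (ord(ch) & 0x7F) << (lead_bits + 7 * i)
    nbits = lead_bits + 7 * len(text)
    return value.to_bytes((nbits + 7) // 8, "little")


def gsm7_unpack(data, nchars, lead_bits=0):
    """Inverse of gsm7_pack for `nchars` septets."""
    value = int.from_bytes(data, "little") >> lead_bits
    return "".join(chr((value >> (7 * i)) & 0x7F) for i in range(nchars))


def gsm7_search_patterns(phrase):
    """For each of the eight septet alignments, the packed bytes that depend on
    `phrase` alone.  The first byte is dropped when it also holds bits of the
    preceding character, the last when it also holds bits of the next one."""
    patterns = set()
    for septet_index in range(8):
        lead = (7 * septet_index) % 8
        packed = gsm7_pack(phrase, lead)
        start = 1 if lead else 0
        end = len(packed) - (1 if (lead + 7 * len(phrase)) % 8 else 0)
        if end > start:
            patterns.add(packed[start:end])
    return patterns


def find_gsm7(dump, phrase):
    """Offsets in `dump` at which `phrase` appears in 7-bit packed form."""
    hits = set()
    for pattern in gsm7_search_patterns(phrase):
        hits.update(m.start() for m in re.finditer(re.escape(pattern), dump))
    return sorted(hits)


MSG_A = "meet at the pier at 9 tonight"
MSG_B = "ok see you at the pier at 9 sharp"

# Constructed dump: filler, two packed messages at different alignments,
# then one plaintext ASCII copy of the phrase.
SAMPLE_DUMP = (bytes.fromhex("00ff00ff07911326040000f0")
               + gsm7_pack(MSG_A) + b"\x00" * 16
               + gsm7_pack(MSG_B) + b"\x00" * 16
               + b"pier at 9 ascii copy")


if __name__ == "__main__":
    phrase = "pier at 9"
    print("decoded first message:", gsm7_unpack(SAMPLE_DUMP[12:38], len(MSG_A)))
    print("ASCII hits:", SAMPLE_DUMP.count(phrase.encode()))
    print("packed hits at offsets:", find_gsm7(SAMPLE_DUMP, phrase))
```

Run as a script, it reports the phrase once as plain ASCII and twice in packed form at different alignments, the latter invisible to a plain string search. The same pattern set is what you would hand to a hex-level regular-expression search in an analysis tool.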

A deep dive into iPhone and Android physical extractions

The final block of Cellebrite instruction will be a “deep dive” into physical forensic exams, in which students work with locked iPhones and iPads without having to jailbreak the device. Cellebrite engineering product manager Ronen Engler and Daniels will demonstrate the Physical Pro’s password bypass, along with its data parsing capabilities and a newer feature – decoding for encrypted iPhones, including the iPhone 4.

Decoding will also be demonstrated for BlackBerry. “We showed this in June at the Mobile Forensics Conference,” says Engler, “and we will show it again in Indian Wells.” The decoding process is for physical data recovered during the chip-off process.

Finally, students will be able to see dumps of Android devices using four different methods, two of which, says Engler, are unique to Cellebrite. “We’ll also show how to bypass the pattern lock on an Android without modifying the device,” he adds. (These details are covered more in a recent blog post by mobile forensic tool reviewer Christopher Vance.)

And he and Daniels will discuss the ability to dump Chinese knockoff devices. “The UFED supports logical extractions from more than 150 Chinese clones,” says Engler. These include iPhone, Nokia, Motorola, Samsung and LG knockoffs.

Just getting into mobile device examinations, or want to take your exams further into physical extractions? Register for our conference and be eligible to sign up for these labs!


Movie Night, courtesy of Silver sponsor Vound

July 28, 2011

One of last year’s most popular conference sessions was Pizza Night, Vound Software’s dinner-and-a-demo look at its Intella email forensics software. This year, they changed it up a bit. They’ll still hold a demo, but they’re also sponsoring some entertainment – not just for conference participants, but also for their families who come to Indian Wells with them.

We talked more with Vound about what will be involved and why:

HTCIA: “Movie Night” isn’t typical conference fare, at least in this industry. What made Vound decide to sponsor it?

Vound: We took a fly at doing something original in Pizza Night last year and were impressed with its success and feedback. We wanted to keep it fresh and interesting this year so opted for Movie Night.

We will have treats, popcorn, candy, soda, and domestic beer for the enjoyment of those who can make it, and we hope everyone does. We are hoping attendees will see it as an opportunity to bring their partners and chill out. Let’s also not forget we are in movie making territory.

HTCIA: Any word on what the movie will be?

Vound: No idea yet, but Peter [Mercer, Vound co-founder] insists on it having kangaroos or being about cricket. [HTCIA note: our Conference Committee decided on “Source Code.” No kangaroos or cricket that we know of!]

HTCIA: What trends have you noticed in the last year with email investigations?

Vound: More and more cases are becoming “email only”. This is where the case starts when the investigator is handed 50 PST files on a USB drive with no image in sight and 2 days to complete it. This is exactly why we developed Intella and where it more than pays for itself…

HTCIA: What’s new with Intella that you’ll be sharing during your lab session?

Vound: This year at HTCIA, investigators will see how their agencies can get the most out of their digital forensic investment by integrating Intella’s search and analytical abilities into their existing investigation and case management software.

A common problem is that the weight of digital forensic evidence is lost in translation when it is delivered to the analyst or officer who has no forensic background. Officers or analysts from outside of digital forensics may use completely different tools and methods to identify and organize useful information.

As a demonstration of how Intella solves that problem by augmenting existing software suites, this year at HTCIA the Vound team will demonstrate how Intella is used in conjunction with i2’s award winning Analyst’s Notebook and iBase. We’ll show how our customers can add Intella search results and forensic information to the investigation management software, the same way they add other pieces of information.

We’re proud to say that Intella has grown by leaps and bounds since Version 1.0 was unveiled in 2008 at the HTCIA Conference in Atlantic City. Thousands of federal, state, and local law enforcement officers now rely on Intella every day for e-mail and data analysis. We’ve found that agencies where evidence is transmitted effectively between forensic and non-forensic officers see an exponential increase in the value of the forensic phase, leading to better results.

Come join us at the HTCIA Conference and let us tell more about how Intella can help you search data, analyze evidence, and close cases quickly.

HTCIA: Anything else you’d like us to share about your sponsorship?

Vound: Could some of the sponsorship money be invested in projects that will help with inventing teleportation? The 15 hour flight is killing Peter. :)

HTCIA: We’ll look into that. :) Meanwhile, thanks so much for the scoop on your lab and Movie Night. We look forward to seeing you in September!

Not yet registered for the conference? Register at https://www.htciaconference.org/registration.html and be sure to mark your calendar for Sunday’s Vound Movie Night following the Exhibitor Reception!

Image: tvol via Flickr


Platinum sponsor MSAB: A full spectrum of mobile forensics labs

July 20, 2011

To provide a fully rounded spectrum of information about mobile device forensics, Platinum sponsor Micro Systemation AB, makers of XRY and XACT, is offering a variety of labs built to be valuable to investigators, not just the company.

Branded content will be presented, of course, by MSAB product specialists Jansen Cohoon and James Eichbaum, along with technical trainer Shaun Sutcliffe. Python scripting labs will support XRY functionality, while Sutcliffe will present a “Mobile Forensics Fundamentals” course designed to teach the core process irrespective of the tools used.

There will also be an XRY-specific lab. “We’re focusing on providing quality training without making infomercials,” says Cohoon. “Of course we’re going to talk about XRY, but our primary interest is to teach methods that will be useful with any tool.”

But Cohoon adds that his experience as a reserve deputy with the Oktibbeha County (Mississippi) Sheriff’s Office led him to want to offer more depth. As a result, MSAB will be offering labs on iOS forensics and Apple’s new iCloud service, as well as labs on Android and GPS forensics. Two other labs will go in-depth with cell site analysis and mapping.

Hands-on Python scripting

Cohoon will be teaching about Python scripting for forensic examiners. Python has been part of XRY since 2009 and is starting to catch on within the investigative community.

“A lot of law enforcement agencies are finding value in having someone on staff who can do scripting, whether writing EnScripts or working with Python, dd and other languages,” Cohoon explains. “Programming isn’t something everyone can do, but Python is popular in university computer science departments because it’s easy and is built in a way that forces good code writing.”

These qualities make it a good tool for forensics. “Scripting brings the investigator to the vendor level,” says Cohoon, “giving more insight into how their tools work and what they do.” And that can only strengthen courtroom testimony as investigators detail the processes they use to obtain evidence. “You’re not changing the data — you’re finding more of it,” Cohoon says.

His beginner-level lab will focus on the Python application, including some existing scripts, what they do and what investigators will see after running them. He’ll also discuss how the scripts and their results relate to XRY, MSAB’s flagship tool.

For example, he says, “You might have a phone that you know a lot of SMS are on, but you’re not getting them even though XRY supports the phone and got the file system. So, you can write an SMS script and program it to add its output to the .xry file, and you get the messages that way.” His advanced scripting lab, meanwhile, will cover writing new scripts as well as modifying existing ones.

iOS, iCloud, Android and GPS

Cohoon will be teaching iOS device and iCloud forensics in another lab. “The OS is constantly evolving, so we’re going to try to make the lab as up-to-date as possible,” he says — possibly even including iOS 5, if it becomes available in enough time to engineer for it.

Meanwhile, iCloud, the service slated to replace Apple’s MobileMe, will carry its own forensic implications. “We’ll be talking about the artifacts, and what is available and important to investigators from the iCloud service,” says Cohoon.

Another lab will focus on Android. “Vendors are just starting to incorporate Android physical acquisitions into their tools, so we want investigators to understand the platform,” says Cohoon. Instructor Eichbaum, formerly a detective with the Stanislaus County (Calif.) Sheriff’s Office, will cover — among other things — rooting and “shell rooting,” which Cohoon explains is like live RAM acquisition. Eichbaum will also be teaching a lab on introductory GPS forensics.

App Overtime

Neither iOS nor Android experiences would be complete without third party “apps” — applications, which lend additional functionality to the core product. In another lab, Cohoon will discuss the “investigative wealth” within these apps, together with a variety of tools both free and commercial that can be used to examine their data.

“Investigators may dump the phone, but they don’t always see what’s in the dump, and they miss evidence,” Cohoon says. “For instance, Apple now strips much of the geolocation data, but many apps still contain it.”

He’ll cover eight or nine popular apps so that investigators will be able to spot what Cohoon calls “repetitive patterns” as they continue to explore apps. “Apps are all built on SQLite, XML and so on,” he explains, “so those languages underlie whatever investigators turn up in their analyses.”

Cell site analysis and mapping

Rounding out the labs will be basic- and advanced-level courses on cell site analysis and mapping. Jim Cook of Premier Customer Connections, a California wireless consulting firm unaffiliated with MSAB, will build on his “Cell Phones: the New DNA” lecture. His basic lab will show investigators how to map cell sites, azimuths and call detail record correlations, while his advanced lab will work through real-world cases, in which participants will be asked to map, as accurately as possible, cell sites, sectors, call detail and SMS records.

Dealing with any of these issues in your law enforcement or corporate investigations? Register for the HTCIA conference today — https://www.htciaconference.org/registration.html


iOS Wi-Fi access point verification, smartphone geolocation and other mobile forensics content from Gold sponsor Oxygen Forensics

July 14, 2011

Forensic acquisition of smartphones is one of the most important investigative needs today. The more consumers adopt the robust computing power of iPhone, Android and similar mobile operating systems, the more evidence becomes available to law enforcement, corporate and legal investigators.

This is why Russia-based mobile forensics software provider Oxygen Forensics specializes in smartphone forensic acquisition. Co-founders Oleg Fedorov and Oleg Davydov are offering a full day of pre-conference training along with their planned lecture and hourlong Vendor Showcase on these topics.

Verification of Wi-Fi access points data for Apple iOS

Fedorov and Davydov will be co-presenting a lecture on the morning of Tuesday, September 13. “Every iOS device stores a list of Wi-Fi networks it has been ever connected to,” says Fedorov. “This list contains the name of the network, its MAC address and the timestamps for the first and last connections.”

Certain techniques allow investigators to calculate each Wi-Fi network’s approximate geographical coordinates, and from there, the device’s position at the time of connection. However, Fedorov and Davydov caution that investigators may not be able to trust all the coordinates they get.

Their lecture will cover what investigators should know about Wi-Fi access point types, other sources of geolocation information, and how to carve Wi-Fi network information from the device should the history have been deleted. They’ll also cover timestamp verification and even anti-forensics for jailbroken devices.
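
A small worked version of that verification, as an added example and not Oxygen's method: the records below are constructed and already parsed out of the device's stored network list into SSID, BSSID and first/last-joined times. The two checks are this example's assumptions about what disqualifies an entry for positioning, not a description of the lecture. A BSSID with the group bit (0x01 in the first octet) set is not a unicast radio address at all, and one with the locally administered bit (0x02) set was never assigned by a hardware vendor, so it cannot be resolved through an OUI lookup and may belong to a software or tethering hotspot that moves with its owner; timestamps that run backwards or fall after the acquisition time cannot place the device either.

```python
"""Sanity checks on a recovered Wi-Fi network list before it is used to place
a device.  Added example; the records are constructed and the checks are the
example's own assumptions, not any vendor's method."""
from datetime import datetime, timezone


def parse_bssid(bssid):
    """Six colon-separated hex octets -> bytes; raises ValueError otherwise."""
    parts = bssid.split(":")
    if len(parts) != 6:
        raise ValueError("bad BSSID %r" % bssid)
    return bytes(int(p, 16) for p in parts)


def check_network(rec, acquired_at):
    """Return the reasons this entry should not be used for positioning."""
    problems = []
    try:
        first_octet = parse_bssid(rec["bssid"])[0]
    except ValueError:
        return ["unparseable BSSID"]
    if first_octet & 0x01:
        problems.append("group bit set: not a unicast radio address")
    if first_octet & 0x02:
        problems.append("locally administered: no vendor OUI, possibly a software or tethering hotspot")
    first, last = rec["first_joined"], rec["last_joined"]
    if last < first:
        problems.append("last-joined precedes first-joined")
    if last > acquired_at:
        problems.append("last-joined is after the acquisition time")
    return problems


def usable_for_positioning(records, acquired_at):
    """Split records into those worth geolocating and those set aside, with reasons."""
    usable, rejected = [], {}
    for rec in records:
        problems = check_network(rec, acquired_at)
        if problems:
            rejected[rec["ssid"]] = problems
        else:
            usable.append(rec)
    return usable, rejected


def ts(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


ACQUIRED_AT = ts(2011, 8, 1, 12, 0)

# Constructed sample records, already parsed out of the device's network list.
SAMPLE_NETWORKS = [
    {"ssid": "CoffeeHouse", "bssid": "00:1a:2b:3c:4d:5e",
     "first_joined": ts(2011, 6, 3, 9, 15), "last_joined": ts(2011, 7, 28, 8, 40)},
    {"ssid": "Joes iPhone", "bssid": "02:1a:2b:3c:4d:5e",        # locally administered
     "first_joined": ts(2011, 7, 1, 18, 0), "last_joined": ts(2011, 7, 30, 22, 5)},
    {"ssid": "HomeNet", "bssid": "00:1a:2b:3c:4d:5f",            # clock ran backwards
     "first_joined": ts(2011, 7, 20, 7, 0), "last_joined": ts(2011, 7, 19, 23, 0)},
    {"ssid": "Airport Free WiFi", "bssid": "01:00:5e:00:00:fb",  # group bit, future time
     "first_joined": ts(2011, 7, 31, 6, 0), "last_joined": ts(2011, 9, 1, 6, 0)},
    {"ssid": "Garbled", "bssid": "00:1a:2b",
     "first_joined": ts(2011, 7, 1), "last_joined": ts(2011, 7, 2)},
]


if __name__ == "__main__":
    usable, rejected = usable_for_positioning(SAMPLE_NETWORKS, ACQUIRED_AT)
    print("usable:", [r["ssid"] for r in usable])
    for ssid, why in rejected.items():
        print("set aside:", ssid, "->", "; ".join(why))
```

Only the entries that survive these checks are worth feeding to an access-point location service, and even those still carry the uncertainty that a fixed-looking access point can be relocated between the device's visit and the lookup.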

Geolocation, according to Fedorov, will be the topic of discussion at Oxygen’s Monday night Vendor Showcase, slated to run from 5:30 to 6:30pm. Android, Symbian and (time permitting) BlackBerry devices will be covered together with Apple devices.

Pre-conference training: Advanced techniques in Forensic Examination of Smartphones and Cell Phones with Oxygen Forensic Suite

In June, Oxygen announced that its Forensic Suite v3.4 is the first tool ever to enable full Android physical acquisition via root access. This demonstration will be among topics covered at its one-day training class on Saturday, September 10.

“We focus on smartphones, therefore the main topics will be Apple, Android, Blackberry, Symbian and Windows Mobile devices,” says Fedorov. The training will also discuss certain models of Nokia, Sony Ericsson, and Samsung cell phones.

Designed for forensic investigators at all levels of expertise, this bring-your-own-laptop training will discuss the main advantages and disadvantages of current mobile forensic procedure, as well as Oxygen Forensic Suite’s advanced features.

It will use case studies to demonstrate these features and issues, “small tasks where students have to find evidence, determine phone geoposition at the given time and so on,” says Fedorov. “Prizes are famous Russian Matryoshka dolls.”

Learn more and register for the pre-conference training at Oxygen Forensics’ site; register for the HTCIA conference here. We look forward to seeing you in September!

Image: Phil Roeder via Flickr


1st Annual HTCIA Golf Classic

June 14, 2011

Update: golf tournament rescheduled! It will still be on Sunday — but now in the morning so that our International Board of Directors can enjoy. It will now begin at 8:00am instead!

Please join us for a morning of golf! On Sunday, September 11, 2011, Bronze sponsor CRU-DataPort/WiebeTech will be sponsoring a tournament at the Indian Wells Golf Resort starting at 8:00am.

The tournament fee is $75 per player and includes green fees, cart and deluxe golf and digital forensic prizes.

HTCIA is hosting a welcome reception with hors d’oeuvres, cocktails and awards directly after the golf tournament, followed by a movie shown on the Rose Lawn.

General Information - Situated in the Coachella Valley of sunny Southern California, the secluded enclave of Indian Wells Golf Resort is an award-winning golf course and host of the Golf Channel’s ‘The Big Break’.

Participation in the golf tournament is open to all HTCIA attendees and spouses/guests. Foursomes will be arranged and posted at the meeting registration desk. A scramble format will be used in the tournament.

Proper Golf Attire - Players must wear collared shirts and slacks or dress shorts. Shoes must be soft spiked or soft soled.

For more information and to register for the tournament, please visit https://www.wiebetech.com/golf-classic/ We look forward to seeing you in Indian Wells!


Super Timeline Analysis, Web Browser Analysis, & Community Building with SANS

May 25, 2011

The SANS Institute is one of the pillars of the network security and digital forensics community, so the two labs they are offering as part of their sponsorship really excite us. On Tuesday, September 13, they’ll offer two chances to attend each 90-minute lab: “Super Timeline Analysis and Case Studies” and “Intermediate Web Browser Analysis – Beyond History Analysis.”

The advanced bring-your-own-laptop labs are “definitely for the geek digital forensics/incident response folks out there,” says Rob Lee, who will be instructing both.

Super Timeline Analysis and Case Studies

Temporal data is located everywhere on a computer system, regardless of operating system or software applications. File system MAC (modified, accessed, changed) times, log files, network data, registry data, Internet history files and file metadata all carry timestamps that can be correlated into a single timeline and analyzed to solve cases.

Last year in Atlanta, Dave Hull taught a single 90-minute lecture on Super Timeline Analysis. This year, says Lee, the course will be updated with more examples from different cases. It will also incorporate some of the new analysis methods utilized in 2010-2011, along with other advances. By the end of the course, Lee anticipates that participants will be able to create and analyze their own timelines.

“Timeline analysis is not well understood within the community,” says Lee. “It requires many skills to master.  From filesystem details, artifact analysis, and registry data, it is very overwhelming.  It is utilized in very specific situations, not in cases where it is a guess where data might be.

“Timeline analysis is [also] not widely understood as none of the major forensic products incorporate a timeline analysis feature set in their products.  They obfuscate too much of the raw data and it makes it near impossible for someone by hand to create.

“As a result, without the exposure, there is a general lack of appreciation of what a timeline will be able to generate for you.  As Henry Ford once said, ‘If I’d asked customers what they wanted, they would have said faster horses.’”

Intermediate Web Browser Analysis – Beyond History Analysis

As browsers continue to add functionality to make users’ experiences better, they inevitably leave even more browser artifacts for the forensic investigator to find. From Private Browsing to Session Restore Points, browser forensics has become more complex than simply examining a history file.

Where are the key file locations, what is stored in them, how can examiners recover and examine these items? What is the difference between residue left by a Flash Cookie and a Super Cookie? How can you recover critical items if a user utilizes Private Browsing mode?

These key questions and many more will be detailed in this advanced session discussing the latest in browser analysis technology.  Participants will explore the latest artifacts that Internet Explorer and Firefox leave on a workstation.
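Session restore is a good illustration of the "beyond history" point: the file exists so the browser can rebuild open windows after a crash, so it records every tab's back/forward list, including tabs and windows the user has closed, regardless of what the history database says. The following added example (editor's code, not SANS material) recovers those URLs from a constructed sample. The layout (open "windows" holding "tabs" holding "entries", with "_closedTabs" and "_closedWindows" retained alongside, and a millisecond "session.lastUpdate") is assumed to match a Firefox 3.x/4.x sessionstore.js and must be verified against the browser version actually in evidence.

```python
"""Recover URLs from a browser session-restore file.

Added example for this page, not SANS material. The sample is constructed in
the layout of a Firefox 3.x/4.x sessionstore.js as the editor understands it
(an assumption to verify against the browser version in evidence).
"""
import json
from datetime import datetime, timezone
from typing import Any, Dict, Iterator, List

SAMPLE_SESSIONSTORE = json.dumps({
    "windows": [{
        "tabs": [{
            "entries": [
                {"url": "https://example.com/", "title": "Example"},
                {"url": "https://example.com/login", "title": "Sign in"},
            ],
            "index": 2,
        }],
        "_closedTabs": [{
            "state": {"entries": [{"url": "https://mail.example.net/inbox", "title": "Inbox"}]},
            "title": "Inbox",
        }],
        "selected": 1,
    }],
    "_closedWindows": [{
        "tabs": [{"entries": [{"url": "http://192.0.2.10/panel.php", "title": "Panel"}]}],
    }],
    "session": {"state": "running", "lastUpdate": 1315927200000},
})


def _tab_entries(tab: Dict[str, Any], window: str, tab_idx: int, closed: bool) -> Iterator[Dict[str, Any]]:
    # Every history entry of the tab is kept, not just the page currently shown,
    # so the tab's whole back/forward list is recoverable.
    for ent in tab.get("entries", []):
        yield {"window": window, "tab": tab_idx, "closed": closed,
               "url": ent.get("url", ""), "title": ent.get("title", "")}


def _walk_window(win: Dict[str, Any], label: str, closed: bool) -> Iterator[Dict[str, Any]]:
    for i, tab in enumerate(win.get("tabs", [])):
        yield from _tab_entries(tab, label, i, closed)
    for i, ctab in enumerate(win.get("_closedTabs", [])):
        # A closed tab keeps its full tab state under "state".
        yield from _tab_entries(ctab.get("state", {}), label, i, True)


def recover_urls(text: str) -> List[Dict[str, Any]]:
    """Structured walk: open windows first, then windows the user closed."""
    doc = json.loads(text)
    records: List[Dict[str, Any]] = []
    for i, win in enumerate(doc.get("windows", [])):
        records.extend(_walk_window(win, f"window{i}", False))
    for i, win in enumerate(doc.get("_closedWindows", [])):
        records.extend(_walk_window(win, f"closedwindow{i}", True))
    return records


def _find_url_values(obj: Any) -> List[str]:
    """Generic walk: every string stored under a "url" key, wherever it sits."""
    found: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "url" and isinstance(value, str):
                found.append(value)
            else:
                found.extend(_find_url_values(value))
    elif isinstance(obj, list):
        for item in obj:
            found.extend(_find_url_values(item))
    return found


def unexplained_urls(text: str) -> List[str]:
    """URLs the generic walk sees but the structured walk did not. A non-empty
    result means the file's layout differs from the assumed one and the
    structured parser is missing evidence."""
    known = {r["url"] for r in recover_urls(text)}
    return sorted(set(_find_url_values(json.loads(text))) - known)


def last_update(text: str) -> datetime:
    """session.lastUpdate is a millisecond epoch; report it in UTC."""
    ms = json.loads(text)["session"]["lastUpdate"]
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


if __name__ == "__main__":
    for rec in recover_urls(SAMPLE_SESSIONSTORE):
        state = "closed" if rec["closed"] else "open"
        print(f"{rec['window']}/tab{rec['tab']} [{state}] {rec['url']}  ({rec['title']})")
    print("unexplained:", unexplained_urls(SAMPLE_SESSIONSTORE))
    print("last update:", last_update(SAMPLE_SESSIONSTORE).isoformat())
```

The second, generic walk is the check a practitioner wants: if a browser version moves things around, the structured parser will quietly return less than the file holds, and the difference between the two walks is the list of URLs you would otherwise have missed. Private Browsing mode is the converse case, since a session store written while it is active is not supposed to contain the private tabs at all, so an empty result there is not proof that nothing happened.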

Both labs require participants to download the SIFT Workstation, and participants should have some artifact analysis skills (LNK files, registry, USB key, EXIF data, etc.) along with some filesystem knowledge.

Chapter Leader Breakfast

On Tuesday morning before the labs, Rob Lee together with Deanna Boyden, Director of Community SANS, will host a breakfast buffet for HTCIA chapter presidents and 1st vice presidents. There they’ll present the SANS Community of Interest in Network Security (COINS) program.

A localized outreach program, COINS enables SANS to support chapters with speakers and training topics. “We know the chapter leaders are volunteers with day jobs, so our goal is to provide speakers and SANS content for their monthly training,” Boyden says. “We also want them to have continuity since we know their offices change from year to year.”

Under COINS, chapter members also receive discounts to SANS events in the area, and leaders have the opportunity to talk briefly during events about the chapter, its activities and member benefits. “We also host a COINS Evening that provides both free CPEs from an instructor presentation,” says Boyden, “and networking among chapter members from ISSA, Infragard, HTCIA, WITI, and other nearby associations.”

In short, the Chapter Leaders’ Breakfast will show what is available to chapters from SANS, and how SANS works with associations overall to bring everyone together for better relationships within the community.

Both lab and breakfast registration will be posted at a later date. Meanwhile, reserve your space in Indian Wells today! 


Platinum sponsor Infinadyne: 3 free tools and a lab

May 18, 2011

Digital forensics examiners dealing with video, CD or DVD, and/or Flash device forensics may be interested in what’s coming this fall from Infinadyne, one of our conference Platinum sponsors: three pieces of free software (valued at more than $1,000) per participant, plus labs that introduce the software and help investigators figure out where it fits in their day-to-day.

The software

The three pieces of software – CD/DVD Inspector, Vindex, and Flash Retriever – represent a mix of what Infinadyne has to offer investigators. “CD/DVD Inspector is the best known of our products, having been around since 2003,” says Paul Crowley, the company’s president. “Vindex is our newest software, while Flash Retriever addresses a different need by imaging data from Flash devices and SD memory cards.”

Conference participants will be able to download a one-year license from Infinadyne.com for all three fully featured products, which will be available on a CD-ROM at the conference.

Who can use these tools?

Crowley says that copyright infringement (especially of movies) and child exploitation make up 85 to 90 percent of the cases in which the software is used, but other, “more esoteric” uses emerge too.

In one case, a suspect being raided by the U.S. Secret Service snapped a DVD in half in front of the agents. “They called us, and we explained how to put it back together and sent them an evaluation copy of CD/DVD Inspector,” says Crowley. “An hour later they bought four copies.”

Inspector was also used in Baghdad, during an investigation into mercenary outsourcing abuses; that order came in via satellite phone call. Improvised explosive device (IED) plans have been found on DVDs overseas, and Navy SEALs were reported to have found about 100 Flash drives at Osama bin Laden’s compound.

The lab

Crowley expects to cover the CD/DVD Inspector and Flash Retriever capabilities during Infinadyne’s lab. “These tools make it easy for participants to do hands-on imaging,” he explains.

Last year, the Inspector lab exercise took a DVD that was not playable and extracted the video from the disc so that it could be played. This happens more often than many people think, especially with discs that were never properly finalized. Crowley says it is most frequent with direct camera-to-disc video surveillance or other recording.

The Flash Retriever lab, meanwhile, will use three camera cards: one card that holds digital images, one card that contains deleted images, and a third from a camera that has been formatted so that the images have been wiped.

Crowley relates the story of a forensic examiner from Arizona who had gone through the lab at a conference in Las Vegas. He emailed Crowley a week later to tell him that the evaluation copy of Flash Retriever he’d received had helped him retrieve images that his usual method could not.

Exhibiting a new product

At its booth, Infinadyne will be showcasing a new hardware product: Rescue Drive, a modified DVD-ROM player that works with CD/DVD Inspector to help examiners read discs that will not mount.

“A CD or DVD is not like a hard drive,” says Crowley. “You can’t get at the data in it unless the drive lets you. So in the past, the solution might have been to take the drive apart, but most supervisors nixed the idea because exposing the laser was a safety hazard.”

Crowley will demonstrate how the patent-pending Rescue Drive works, which is by using a “swap mode.” Examiners first put a good disc in the drive. Then, they press and hold the Eject button to put the drive in swap mode; when the tray opens, the examiner places the bad disc inside.

“Swapping” the disc in this way fools the drive into “thinking” that it’s seeing the otherwise inaccessible disc. Then, the examiner can use CD/DVD Inspector to analyze what’s there.

Lab registration will be available at a later date. Meanwhile, reserve your space in Indian Wells now.


More than “free stuff,” software offers augment investigators’ efforts

May 2, 2011

Our sponsors’ generosity never ceases to inspire us. This year, three of our sponsors have offered $1200 worth of free software – and a fourth is offering unlimited access to its training, valued at $699.

Infinadyne: CD/DVD Inspector, Vindex, Flash Retriever Forensic*

Infinadyne’s offerings promise to round out investigators’ work by allowing them fuller access to other forms of digital media:

  • Vindex, or Video Indexer, saves time and increases accuracy. It plays videos at up to 64 times the normal playing speed, but also captures changes in the frame.  Investigators therefore see a relatively small number of frame thumbnails showing the significant action in the video, without having to watch the whole thing — or risk missing important frames during high-speed play.
  • Flash Retriever Forensic likewise reduces the time it takes to get data off a Flash drive, by eliminating the need for painstaking tasks like data carving. “Raw” camera images are also supported without the need for additional software.
  • CD/DVD Inspector supports all forms of optical media – not just CDs and DVDs, but also HD DVD and Blu-Ray.

Paraben: Chat Examiner*

The P2 Examination Technology-compatible Chat Examiner supports ICQ, Yahoo, MSN, Trillian, Skype, Hello, and Miranda chat logs. Investigators working cyber stalking/harassment, child exploitation, homicide, gang-related crimes, organized crime, or any other case involving victim/perpetrator or conspirator communication can capture conversation histories as part of their forensic examinations.

McAfee: 2011 Total Protection Suite*

Our first 400 registered attendees will receive a copy of this year’s Total Protection Suite. Licensed for up to three computers, the Suite boasts 99.9% malware detection and blocking in virtual real time, along with a host of other technology that reduces downtime for users.

Whether protecting your work or your family’s computer(s), the 2011 Total Protection Suite most of all offers peace of mind so you can focus on other matters – the work you’re doing as a high tech crimes investigator.

*Only attendees who register at the member/non-member rate are eligible for the complimentary software; those registering at student/faculty pricing are not. The licenses for all three software products are good for one year.

Chappell University: All Access Pass Membership

Laura Chappell is one of our most supportive members. Following the free, HTCIA-sponsored Wireshark webinar she offered in October, Chappell University is going several steps further. Its All Access Pass includes unlimited access to a variety of courses covering network analysis, troubleshooting and security, along with live online events which highlight new products, tools or techniques in network analysis. Some of the most popular courses include:

Core 1: Wireshark Functionality and TCP/IP Analysis
Core 2: Wireshark Network Troubleshooting/Security
CS42: Hacked Hosts
CS44: Top 10 Reasons Your Network is Slow
CS50: WLAN Analysis 101
CS61: Tshark Command-Line Capture

Hands-on labs coming from 3 of these sponsors

Keep an eye out on this blog for more information about the hands-on labs which Chappell University, Infinadyne and McAfee will be offering in September. We couldn’t be more pleased that they’ve chosen to support our conference and its participants with both tools and training, and we’re looking forward to seeing what else they plan to offer!

Looking for copies of any of these tools? Register for our conference here!

