James Wiebe has been a fixture in the digital forensics community for years: WiebeTech write-blockers are known throughout the industry, and even after selling the company to CRU-DataPort in January 2008, Wiebe remained vice president of research and development overseeing WiebeTech as a unique brand.
Conference attendees can expect to meet Wiebe in two capacities: at the WiebeTech booth, and as a lecturer in three presentations:
Bitlocker and the Forensic Investigator
Date: Tuesday, September 21, 2010 Time: 10:30AM
“Bitlocker is Microsoft®’s standard encryption tool, which they fully support and have been enhancing,” says Wiebe. “As a result, it is ubiquitous among corporations and individuals.”
Any forensic professional who needs to know how to deal with search warrants with regard to Bitlocker (and encryption in general) should attend the session, which will include:
- Technical information on Bitlocker’s encrypting engine
- Background technical information on encryption
- On which operating system versions Bitlocker can be found
- What kind of keys Microsoft provides for users
Wiebe will also describe a typical Bitlocker case, along with methodologies for key recovery.
Detecting Hidden Areas on Suspect Hard Drives
Date: Wednesday, September 22, 2010 Time: 10:30AM
Wiebe will present a survey of methodologies for hiding data on hard drives, in particular Host Protected Areas and Device Configuration Overlays (HPAs and DCOs). “HPAs are very common,” he says. “An understanding of where HPAs are used (e.g. BIOS backup) will preclude most legitimate uses.”
Wiebe will discuss both legitimate uses of HPAs and potentially illegitimate or illegal ones, with examples of each. The lecture will also include technical information showing how HPAs are manipulated at the code level, and descriptions of various hardware and software tools that allow forensic investigators to detect, document, and manipulate HPAs.
Forensic investigators will walk away from this lecture understanding how to image – and correctly analyze – seized hard drives. “Investigators should always look for HPAs,” says Wiebe. “If they are not imaged, the investigator has not imaged the entire disk.”
The Use of Ciphers in Crime Fighting History
Date: Wednesday, September 22, 2010 Time: 3:30PM
Ciphers and steganography have been used by criminals over the years to taunt forensic investigators and hide information. Wiebe will discuss and explain several historical cases. Among them: the famous Zodiac killer cipher, along with the question of whether steganography (a masking cipher) was used by the Sept. 11 terrorists.
Wiebe will present both codes and steganographic examples, along with case facts for context and illustrations that show the difficulty of breaking encryption. Wiebe will also provide background information on how cipher science provides a basis for modern encryption techniques. Finally, he’ll talk about statistical analysis that can help show a cipher’s likelihood of being a hoax.
This discussion is meant to be informative, fast moving, challenging and fun. “I enjoy ‘connecting with the audience,’” says Wiebe. “I like to see that I’ve kept their attention, and that they’ve learned something. I like the questions, and I like the ongoing opportunity to improve my product.”
WiebeTech Booth Activities
A conference Bronze sponsor, WiebeTech will have a booth. Product demonstrations are planned for digital forensics, data storage and encryption, and booth visitors can enter to win USB WriteBlockers. Notable about these products:
- They are the smallest forensic USB write-blocking devices on the market.
- They capture and image 20%-25% faster than the competing product.
- They provide easy, write-blocked access to USB drives at 8-10 MB/s.
- They work with USB Mass Storage Devices, and are compatible with single storage devices with Multiple Mountable Volumes (multiple LUNs)