No coverage about our conference would be complete without a mention of our longtime Platinum-level sponsor, AccessData. Not only are they holding a one-hour showcase on the latest version of their lab solution, which provides massive distributed processing and a web-based environment for collaborative analysis – they also have a range of diverse topics on digital forensics, information security and e-discovery.
“With the fast changing cyber landscape, more and more forensic examiners find themselves assisting with incident response and litigation support for their employers. Likewise, law enforcement is faced with a growing number of cybercrime cases involving hacking and malware,” says Keith Lockhart, AccessData’s vice president of training. “That’s why we’re providing a good selection of educational content on those topics, specifically geared toward forensic examiners who need this type of continuing education in order to keep up with the ever-changing demands of this industry.”
Social media, Macintosh analysis, decryption and Windows 7
On Monday morning, Sept. 12, AccessData’s Nick Drehel, senior instructor and curriculum manager, and Michael Staggs, senior consulting engineer, will present “The Realities of Investigating Social Media.” This lab will discuss myths in the marketplace and demonstrate the value of network forensics when it comes to a comprehensive social media investigation. Participants will learn what is possible using host analysis solutions versus packet analysis.
Tuesday morning, Drehel will also discuss “Next Generation Decryption,” in which participants will learn how to maximize their chances of success when attacking encrypted files. Attendees will learn best practices, ways to access “low hanging fruit”, and utilize PRTK and the AccessData “Art of War” methodology to recover passwords from files, user logon passwords and Intelliforms decryption.
Chris Sanft, another senior instructor with AccessData, will present two labs on Macintosh analysis and Windows 7 forensics. Sanft’s Mac analysis lab, which will take place Monday afternoon, will focus on using FTK and FTK Imager to examine HFS drive structure to image, examine, and report on Macintosh evidence.
On Wednesday afternoon, Sanft returns for a hands-on presentation about Microsoft Windows 7 operating system artifacts and file system mechanics. He’ll discuss the BitLocker Full Volume Encryption (FVE) technology and the new BitLocker To Go, along with the techniques that should be employed during evidence seizure and acquisition. Students will also review the changes in the Windows 7 registry and recover forensic artifacts from the registry.
E-discovery for forensics examiners, social media, and early case assessment
David Speringo, a senior e-discovery consultant for AccessData, will cover three e-discovery-related topics between Tuesday and Wednesday.
On Tuesday, he’ll present the lectures “What Every Forensic Investigators Should Know about eDiscovery and the Process” and “Social Media and eDiscovery.” The first will discuss e-discovery’s critical requirements which a forensic examiner must understand while getting to know a task that frequently falls outside their comfort zone. Participants are encouraged to ask questions about the nuts and bolts of the electronic discovery process!
“Social Media and eDiscovery,” meanwhile, will explore the need for organizations to have a social media policy in place – and to effect a proper e-discovery plan to capture and secure social media interactions over the network. Speringo will take participants through a discussion of policy creation, usage and those technologies which can facilitate either the collection or preservation of data, as well as the analysis of that data.
Wednesday’s lab, “Early Data Assessment and Early Case Assessment,” will teach participants how to quickly sort and filter through data before it goes into final review, making it easier for a legal team to determine probabilities of success for either a defense or settlement for a given piece of litigation. The lab will take the user through a case study using AccessData’s ECA software to analyze metrics, keywords, and file categorization.
Memory analysis, man-in-the-middle attacks, and handling advanced exploits
Rounding out AccessData’s labs will be three presentations on information security topics. On Monday, AD’s director of forensics training Ken Warren and NCFI network forensics instructor Rob Andrews will cover memory analysis fundamentals, including options for memory capture both in the field and in the lab. They’ll look at the artifacts that can be easily parsed from memory, along with techniques for searching memory and even retrieving graphics, unencrypted versions of text, passwords and more.
Warren and Andrews will return on Tuesday to present “Hands-On Hacking Investigation: Man in the Middle Attack,” which is a type of attack brought against unsuspecting users under many different situations. Warren and Andrews will discuss the techniques used to investigate this type of breach and discover the artifacts left behind after the attack.
On Wednesday morning, Michael Staggs and senior global security engineer Tom Wong will talk about “New Technology for the Improved Handling of Advanced Exploits.” In this session, attendees will learn about technological advancements that dramatically enhance an organization’s ability to detect, analyze and remediate threats. They will see how the integration of host analysis, network analysis and data auditing will arm organizations to better handle network exploits, data theft or even HR policy violations.
AccessData tools presentations
On Monday evening, Nick Drehel will return for a Happy Hour FTK Transition Workstation. The objective of this lecture-only presentation is to introduce attendees to the AccessData Forensic Toolkit 4.0 software. The lecture will cover the new enhancements to the program and database, and attendees will get the opportunity to ask questions about the new database.
On Wednesday morning, mobile forensics trainer Lee Reiber will cover extraction techniques for iPhone, iPad and Android devices using Mobile Phone Examiner Plus (MPE+) and FTK. Learn which tools extract the most data logically, and also learn how to physically image an Apple iOS device, including the iPad.
Interested in attending any of these labs? Register now so that you can sign up – seats are going quickly!