Open source Android forensics: An HTCIA student charter project

March 8, 2012

We always like to hear about the cool new projects our students are engaging in, so we were excited to see University of Cincinnati student charter president Shadi Dibbini post on our Facebook page:

When we saw the site osaf-community.org, we definitely wanted to talk more with Shadi about his team’s project!

HTCIA: How did you get the idea for Open Source Android Forensics? How long have you been working on it thus far?

SD: My team started working on this project at the beginning of the school year, late September, and it has to be completed by the beginning of May. In May, we will be presenting at the University of Cincinnati’s Tech Expo event. The Tech Expo is a showcase of senior design projects from IT students, and students from other programs. The event is entirely open to the public, so feel free to come down and check out all the cool projects.

I came up with the idea of Open Source Android Forensics (OSAF) because I really enjoy forensics, and I have been a smartphone enthusiast for the past 8 years. A little off topic here, but believe it or not, I used to buy a new smartphone every three months so that I could have the best device that’s currently out on the market… I learned pretty fast that I was wasting my money, so I quit buying that many phones.

Besides the fact I enjoy forensics and smartphones, what caught my eye a few years ago, during the rise and popularity of Android, was the fact that Google does not have a vetting procedure for the applications that are published on the market. Google is smart by allowing any publisher to rapidly release applications without having to wait or gain approval (cough..cough..Apple)… however, Apple is smart by vetting applications to protect their users.

In recent news though, Google did come up with a new application security scanner called “Bouncer” after realizing that they did have a huge issue with Android malware. Back in Q3 2011, there was a report that had stated that malicious Android apps have risen 473% in about a year or so… that is a lot of malware.

This report pretty much sparked my ingenuity for coming up with the OSAF project. The OSAF project was initially going to be just the OSAF-Toolkit, a Linux OS that has been injected with all the latest Android application analysis software, but I wanted more than that. I wanted to not only create an application ripping toolkit, I wanted to create a community where anyone interested in Android malware analysis can have a one stop shop for any information they need.

I want people to stop at our site before any other site, and I want people to collaborate with each other, share new techniques and methodologies, and share their findings after they have ripped apart an application (hence the threat index).

Another honorable mention is that my team is currently working on documentation on how to perform analysis against any application. This is an A-Z guide of what tools to use, how to use them, what to look for during static/dynamic analysis, etc. We do not want to give people a toolkit and say, “here you go, figure it out yourself” like many other projects have done.

HTCIA: What need does your research and site fill that others were missing?

SD: Not to be cocky or anything, but the entirely “FREE” price point for a toolkit, documentation and a collaborative work environment is argument enough that our site is better than the rest. I see other companies/sites charging a lot of money for training, certifications, information, etc.

I, at one point, wanted to take some certifications in forensics and information security, but the training and certifications were just way too much money for a college undergrad to afford. So I looked at this project from a college kid’s perspective… If it’s free, it’s for me… That’s why we decided to name the project OSAF. We wanted every aspect of it to be entirely open source.

HTCIA: How many people are working on the project?

SD: There are 4 of us IT seniors, including myself, working on the project right now. I couldn’t have picked a better team for this project. They are very smart and dedicated individuals wanting to make this project the best it can be. I think the reason why we are so dedicated as a team is because the project itself is very fun and unique. I feel like we are pioneers in this sort of work because I can’t find any site online that is dedicated to creating an entire environment dedicated to Android malware analysis.

HTCIA: What are your goals for the site over the long term?

SD: I want the OSAF project to be well recognized in the forensics and malware analysis community. I eventually want to get more people on board to help analyze applications, maintain the site and answer any questions people may have. One day, I hope companies will be knocking on our door asking if they can sponsor us, in order to help fund and build the project, while keeping it 100% free of charge.

HTCIA: How long have you been a student HTCIA member? How long have the other students been?

SD: I am actually the founder and President of the University of Cincinnati’s HTCIA student chapter. I started the student chapter back in May 2011. I think we have a little over 20 student members (a mix of IT, IS and Criminal Justice students) in our chapter so far, but I have been getting a lot of email lately about new students interested in joining the chapter.

My team members for this project are not student members of HTCIA sadly. I would like for them to be members, but we only have 3 more months of school before we graduate. I will definitely get them to become full HTCIA members upon graduation.

HTCIA: Anything else you want to mention about the project?

SD: I just want people to know about us and the goals of our project. We can agree that the web is entirely too large right? I feel like it is hard for start-up sites, like us, to make it big these days unless they provide content that interests a vast majority of people, or if the site provides a service that interests organizations.

We want OSAF to be a site that provides both content and services of interest. Organizations, and the general public, have to realize that mobile malware is not going to magically disappear any time soon. Criminals will eventually get more crafty in the way they embed malicious code into applications; who knows, maybe to the point where the malicious code circumvents the Android permissions mechanism.

That’s where OSAF has an advantage over anyone else. Anyone can ask OSAF to analyze an application, a community member will perform analysis, give the analysis report/results to the OSAF admins for review, then the OSAF admins will publish the finding on the threat index. Ripping apart applications is the only real way to find Android malware, because we all know how well Android “Anti-Virus” works.

Find and bookmark osaf-community.org, and keep an eye out for the site’s development, currently slated for completion in May! Shadi says that the toolkit is currently available online for download, and the malware analysis documentation will be complete in May as well.

Image: victoriawhite2010 via Flickr


March for HTCIA: Chapter meetings and other notable events

February 29, 2012

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. Our meetings and events this month:

March 1

Ontario HTCIA will be featuring a March Madness Double Bill Event! The first meeting on March 1 will feature two sets of speakers. First, Guidance Software, where Robert Ulke and Joseph Pizzo, Account Executives from Guidance Software, will review EnCase 7.0 features and give participants a sneak peek at the upcoming edition of EnCase Enterprise.

Next, chapter officers Eugene Silva and Ben Whittaker will offer their thoughts on the proposed Bill C-30 Investigating and Preventing Criminal Electronic Communications Act (also known as the ‘lawful access’ legislation) or the Online Surveillance Bill (forcing Internet service providers to collect customer information) from their own perspectives — law enforcement and ISP.

Perhaps a real-life debate will break out, along the lines of the 1970s Point – Counterpoint (as seen on 60 Minutes or as parodied on Saturday Night Live). Audience participation is encouraged! Bring your ideas to Peel Regional Police, 180 Derry Road, Mississauga, Ontario from 7-9pm.

A full day of training will be available from Texas Gulf Coast HTCIA, presenting the US Secret Service Electronic Crimes Task Force (ECTF) Quarterly Meeting from 8:30 AM – 3:00 PM. A special invitation has been extended to members of the HTCIA Texas Gulf Coast Chapter.

Hosted by the Fort Bend County Sheriff Office and taking place at the Gus George Academy, 1410 Williams Way, Richmond, TX, this special meeting will introduce the task force members to Fort Bend County, get information on service needs, initiate mutual contacts between departments and corporate citizens, and to provide a unique educational opportunity.

Topics to be presented include cell phone forensics, real world hack attack case studies, and the ECTF fraud and cybercrime prevention programs. Most important, this will provide an introduction to personnel who can assist in asset forfeiture, cybercrime forensics, and investigations and foster stronger ties with the Fort Bend County Sheriff, as well as others in the local area.

For more information and to learn how to RSVP, click here.

March 8

From 11:30 AM to 1 PM at American InterContinental University, Atlanta HTCIA presents “Before You Touch that Cell Phone.” Crime scene processing may be second nature to law enforcement, but how do those of us in the private sector respond to and handle an incident that might later result in criminal charges? Are we using the proper standard of care during incident response involving electronic devices that could later stand up in court? The purpose of this presentation will be the proper processing of electronic devices including DNA and latent fingerprints.

Speaker Michael Barker, president of C4 Group, Inc. and Atlanta chapter president, is licensed by the State of Georgia as a Private Investigator and PI Classroom and Firearm Instructor. He holds a number of computer certifications including the CISSP, CISA and A+. He is currently completing a Masters in Information Security through the University of Fairfax.

March 9

The following week, the Texas Gulf Coast chapter will also host its regular meeting at the United Way Community Resource Center, 50 Waugh at Feagan (near Waugh and Memorial). Speaker and topic TBA; the meeting will run from 1:00 – 3:00 PM, with a networking lunch at JAX Grill starting at 11:30 AM.

March 13

Ottawa HTCIA will present “The Wonderful World of Microsoft Computer Registry Analysis”, at Russell’s Lounge at the Ottawa Police Association. Greg Bembridge, a Senior Computer Forensic Instructor with the Technological Crime Learning Institute (Canadian Police College, Ottawa) will be speaking on the “gold mine” of forensic information found within registry files: software programs which have since been deleted, externally connected devices, wireless networks that were used, firewall exception rules in place, and much much more.

The meeting, which runs from 5:30 – 7:30 PM at 141 Catherine St. in Ottawa, will include a cash bar and grill. Members come free (cost is included in your annual dues); non-members may register for $15.00. To register, visit the event on the web site.

Southern California HTCIA will offer David Nardoni speaking about memory forensics. In this hands-on lab, we will cover the basics of live memory collection and its importance during an investigation, especially involving malware. Attendees will explore the differences between memory collection and analysis tools. In addition, this lab will cover basic malware triage, tips and tricks, and pitfalls. The meeting will take place from 8:30 – 11:00 AM at the USSS Los Angeles Electronic Crimes Task Force, 725 South Figueroa Street – Suite 1300 (Ernst & Young Building, 13th Floor). Please RSVP to socalhtcia@gmail.com.

March 14

HTCIA Asia-Pacific is hosting a special evening event in Singapore! As a part of our ongoing collaboration with SANS, HTCIA members are welcome to join the following interesting and informative presentation: SANS-HTCIA Community Night Presentation: Introduction to Windows Memory Analysis by Chad Tilbury, SANS Certified Instructor. From 6:30 – 7:30 PM at the Grand Copthorne Waterfront Hotel.

Mid-Atlantic HTCIA’s meeting will see two speakers. Mark Morgan from Guidance Software will discuss the EnCase Enterprise Cyber Security Module & EnCase Command Center, including hardware requirements, webserver API function, and integration with ArcSight and other IDS tools.

Following his talk, Amanda Thompson, a GWU graduate student employed at the Department of Homeland Security, will present her analysis of how the Microsoft Windows 8 operating system, which is set to be released later this calendar year, will differ from previous versions of Windows. Based on research using the Windows 8 Developers Preview Edition, Thompson will talk about the noticeable differences within the file system (NTFS), where user data resides (such as My Documents, etc.), and the Windows Registry (Microsoft, 2012).

The meeting will run from 9:00 AM to 12 noon at the Department of Education, 550 12th Street S.W. in Washington DC.

March 15

Member Mike Wilkinson’s #DFIROnline virtual meetup will feature Hal Pomeranz speaking on Linux forensics for non-Linux users, and Corey Harrell on ripping volume shadow copies — tracking user activity. Access the meetings via WriteBlocked.org, and follow along on Twitter if you have an account!

March 16

Northeast HTCIA will hold an all-day meeting from 9:00AM-3:00PM at Pace University’s Butcher Suite, 861 Bedford Road, Pleasantville, NY. Speaker and topic TBA.

Washington HTCIA’s monthly meeting, also with speaker and topic TBA, will take place from 10 AM to noon at the Edmonds Community College main campus, Snohomish Hall room 123.

March 20

San Diego HTCIA presents a LIVE WiFi hacking demonstration setup, with data gathering; WiFi forensics presentation; and WiFi Q&A, complete with luncheon. Starting at 11:00 AM, Gerry Brown, CISSP and the chapter treasurer, will begin with a live WiFi hacking demo. Lunch (free for all current members, $20 for guests, and $45 for new members with completed HTCIA membership forms) will be served from 11:30 to 12:00 PM; then, Glenn Jacobs, a Senior Information Assurance Engineer at JTT and chapter president, will give a presentation on WiFi forensics. The afternoon’s activities will end with a Q&A.

The meeting is located at the Admiral Baker Clubhouse, 2400 Admiral Baker Drive in San Diego. HTCIA members are welcome to attend the chapter board meeting beginning at 10:00 AM. If you’ll be joining the meeting, please RSVP ASAP to treasurer@htcia-sd.org!

March 21

Michigan HTCIA presents Mobile Device Forensics: A Case Study of Cell Phone Evidence Recovered in a Homicide Investigation, presented by Detective Wade Higgason of the Livonia Police Department. Det. Higgason has examined more than 700 cellular telephones and more than 170 computers since 2005, when he was assigned to the Michigan ICAC Task Force for foreign, federal, state and local police agencies. The meeting will take place at 10:00 AM at University of Detroit Mercy – McNichols Campus. Click here to RSVP and register for the event.

March 29

Ontario HTCIA’s March Madness continues with BlueBear and their flagship product called LACE (“Law Enforcement Against Child Exploitation”) and Mr Robert Beggs of Digital Defence, who will update our membership on the latest trends on how criminals are making money on the Internet.


February for HTCIA: Chapter meetings and other notable events

February 3, 2012

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got four upcoming special events as well as regular chapter meetings this month:

HTCIA Chapter Meetings

February 7

HTCIA Ottawa will present “Inclusion of Forensic Video Analysis Within an Agency’s Digital Forensic Program” in Russell’s Lounge at the Ottawa Police Association from 5:30-8 p.m. Jeff Spivack, an IAI Board Certified Forensic Video Examiner, will demonstrate how forensic multimedia analysts obtain investigative leads and actionable intelligence from files that might otherwise be discarded.

Spivack has worked as a Forensic Multimedia Analyst with the Las Vegas Metropolitan Police Department, and has been accepted as an expert witness in courts throughout the U.S. In addition to conducting case work, Jeff is also Cognitech, Inc.’s Forensic Video Software Certification Instructor, and Senior Instructor of Video Forensics for Forensic Data Recovery, Inc., Cognitech’s Canadian affiliate.

For more information and to register, see the Ottawa HTCIA website. Non-HTCIA members are welcome for a guest fee of $15.00.

Also on February 7, our Southern California chapter will be holding a joint meeting with ISACA Los Angeles. The presentation, a computer forensics case study, will run from 5:30-8:30 p.m. as a dinner meeting at Monterey Hill Restaurant (3700 W Ramona Blvd., Monterey Park, CA).

Guidance Software’s head of Risk Management, Andy Spruill, will provide his first-hand account of the landmark Victor Stanley, Inc. v. Creative Pipe, Inc., the intellectual property theft case that spawned not one, but two, landmark legal decisions in the world of digital forensics and eDiscovery. To register, please visit ISACA LA’s website.

February 9

Atlanta HTCIA will present “Forensics in your PJs” from 7:30-9:30 a.m. A breakfast meeting at American InterContinental University in Dunwoody, Georgia, the meeting will show you how to use various resources and tools on the internet to gather data. From Facebook to blogs: what you can learn while sitting in your PJs!

Speaker Buffy Christie is Senior Director of Equifax Global Security. Buffy has a BS in Criminal Justice, Forensic Science. She is a CFE (Certified Fraud Examiner) and is President of the Southeastern IAFCI (International Association of Financial Crimes Investigators).

To register for this event, visit Atlanta HTCIA’s EventBrite page.

February 10

Texas Gulf Coast HTCIA will meet from 1:00-3:00 p.m. at the FBI Greater Houston Regional Computer Forensics Laboratory. Those planning to attend will need to be vetted by the FBI prior to the meeting. In order to attend, contact Ms. Julie Campbell, Receptionist, Pathway Forensics (713.301.3380) and provide her with your name, DOB and DL#. Chapter members should also RSVP to the Evite invitation that was sent to the e-mail account on file with HTCIA International.

February 14

Midwest HTCIA is offering an Android forensics and software demo by Christopher Triplett, Sr. Forensic Engineer of viaForensics. From 8:30-11:30 a.m., Mr. Triplett will cover Android File Systems, Android Forensic Analysis Techniques, and a demonstration of viaForensics’ viaExtract product.

Midwest HTCIA’s chapter meetings are located in Oakbrook Terrace, IL at the ICE office (16th floor, Oakbrook Terrace Tower).

February 15

Minnesota HTCIA will meet in the Ridgedale Library, RHR West Room in Minnetonka.

February 16

Member Mike Wilkinson’s monthly DFIR Online Meetup will feature Peter Coons and John Clingerman providing e-discovery case studies, along with Jonathan Rajewski speaking on “N unaqf ba (cra/cncre) rkrepvfr va onfvp pelcgbybtl/pelcgnanylfvf”… or, “A hands on (pen/paper) exercise in basic cryptology/cryptanalysis.” Join in at 8:00 p.m.!

February 17

Washington state HTCIA will be meeting between 10am-12pm. Topic and speaker both TBD.

February 21

Central Valley HTCIA will be meeting at 12:00 noon at the Stanislaus County Sheriff’s Office, 250 East Hackett Road in Modesto, CA. Tentative topics are a presentation on TOR by Cullen Byrne, and an update on the group Anonymous by an FBI representative. Lunch to be provided.

Austin HTCIA, meanwhile, will meet from 1:30 to 3pm at the REJ Building. Rick Andrews will be going over navigation in EnCase v7. Come with questions!

February 22

Atlantic Canada HTCIA will meet from 5:30-7:30 p.m. with Jan Cox from Oracle presenting on the topic of SQL injection, among other things. An update on the chapter’s conference planning efforts will also take place.

February 24

From 11:00 A.M. – 3:00 P.M. at University Hall, Room 465 (51 Goodman Dr. in Cincinnati), Ohio HTCIA will be offering a presentation on Incident Response: Live Memory Capture and Analysis. Presenter Justin Hall has 15 years of experience in the information technology field and has spent the last seven focused on information security.

Mr. Hall is currently a security architect for CBTS, a technology services provider in the Cincinnati area – consulting with the firm’s enterprise customers in developing vulnerability management, incident response, and endpoint & network defense programs. He is a frequent speaker at information security community events, a SANS mentor, and holds a GCIH, GCFA and GPEN.

Following Mr. Hall’s presentation, lunch will be provided and the chapter’s business meeting conducted.

Also on Friday, our Kentucky chapter will meet at 1:00pm at Boone County Sheriff’s Office. Tom Webster will present about Internet Evidence Finder.

February 29

San Diego HTCIA will meet at the Admiral Baker Clubhouse in San Diego. Lunch will be served at 11:30, with the presentation (yet to be determined) running from 12:00-1:00 p.m. HTCIA members are also welcome to attend the 10 a.m. board meeting that day.

Lunch is free for all current members, $20 for guests, and $35 for new members with completed HTCIA membership forms. RSVP is required, so please RSVP ASAP to treasurer@htcia-sd.org! This will assist in planning for seating and food requirements.

Northern California HTCIA will also be meeting on February 29. Topic and location to be determined.

Special Training Events

February 6-11: SANS COINS event coming to Los Angeles!

Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations-Windows In-Depth will be in sunny Los Angeles, CA February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 will include a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. HTCIA members can save an additional 10% off tuition when you enter Discount Code “COINS10”! Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs/

February 15

ISSA Ottawa and Women in Defence & Security will be co-hosting a National Capital Security Partners’ Forum Event featuring Marene Allison, VP & CISO of Johnson and Johnson. The opening speaker will be Rennie Marcoux, Assistant Secretary to the Cabinet (PCO); the closing speaker will be Carol Osler, VP Physical Security TD Bank. For more information and to register, see http://www1.carleton.ca/npsia/upcoming-events/4409-2

February 20-24

Free law enforcement training! Minnesota HTCIA is advertising “Fighting Cyber Crime”, 40 POST credits’ worth of courses at the St Cloud State Campus. The training is a response to the increased ease with which people can access the Internet to commit crimes, as well as the increased emphasis on issues of homeland security. Participants will learn ways to uncover, protect, and exploit digital evidence to respond to crimes. Register via the course flyer at http://www.mn-htcia.org/documents/Cybercrimecourseflyer.pdf.

February 27-March 1

The New York District Attorney’s Office has partnered with the National White Collar Crime Center to offer Cybercop 101 – Basic Data Recovery & Acquisition (BDRA) to qualified members. This 4 day course teaches the fundamentals of computer operations and hardware function, and how to protect, preserve and image digital evidence.

This class introduces participants to the unique skills, best practices and methodologies necessary to assist in the investigation and prosecution of computer crime. It includes presentations and hands-on instruction on such topics as Partitioning, Formatting, Data Storage, Hardware and Software write blockers, the Boot Up process, and Duplicate Imaging. Register here for this and future courses!

REMEMBER: To get discounts or free training (where applicable), you must be a member. Please join or renew your 2012 membership today!


January HTCIA news and events

January 9, 2012

Before we run down the list of January chapter events, we’d like to draw your attention to two new chapter website redesigns. HTCIA Asia-Pacific will contain all-new and updated content, having migrated from the old htcia.org.hk. Visit President Frank Law’s blog post to read more details, and be sure to follow HTCIA-APAC in its various social site locations!

Meanwhile, our Midwest chapter is building out its site with new content weekly, including Tips of the Week, listings of forensic tools, and of course updates on chapter meetings and events.

Visit the new sites, subscribe to their RSS feeds and learn from what they offer!

Upcoming January HTCIA meetings

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got two upcoming special events as well as regular chapter meetings this month. Where available, we’ve posted meeting details; if none are available, we encourage you to visit the chapter website (linked below) and get in touch with the officers to learn more.

January 11

HTCIA Atlantic Canada Chapter Meeting, 5:30pm – 7:30pm. Eric Jones of Absolute Software (maker of LoJack and Computrace computer tracking software) will be focusing on the use of these tools for geolocation, forensics, and law enforcement.

The Atlantic Canada chapter meets in two physical locations:

  • Fredericton New Brunswick at 64 Allison Blvd.
  • Dartmouth Nova Scotia, 45 Alderney Dr.

There’s also a telephone conference line and a WebEx conference for those who can’t make it to the physical locations. Contact the chapter for more information!

January 12

Atlanta HTCIA will be holding Log2Timeline open source tool training from 11:30AM – 1:00PM at American InterContinental University’s Dunwoody, GA campus. Log2Timeline is used to create a “SuperTimeline” to help determine the sequence of events based on logs and artifacts found in a forensic image of a Windows based system.

Speaker Rodger Wille has been working incident response and forensics within the Federal Government for over 10 years. Rodger is currently the Digital Forensic Services Team lead for a Federal Agency based in Atlanta, where he is responsible for conducting digital forensic and malware analysis in response to computer intrusions and malware incidents.

January 13

Texas Gulf Coast HTCIA will be holding an “overview” type meeting from 1:00 PM – 3:00 PM (following an 11:30 a.m. social networking lunch at JAX Grill) at the United Way Community Resource Center. This meeting will focus on the meetings for 2012 and will include possible topics, speakers and training session(s). Please come with lots of ideas!

January 17

San Diego HTCIA is teaming with the city’s Information Systems Security Association (ISSA) chapter this month! Between 11:30 – 1:00 PM PST at the Admiral Baker Clubhouse, Mr. Robert Capp II, Senior Manager of Trust and Safety at StubHub, will be presenting on the results of an online fraud investigation against StubHub. Learn the limitations of traditional investigative methods for international crimes and how StubHub overcame these limitations to work effectively with various international law enforcement to arrest the criminals and seriously reduce company fraud.

Ottawa HTCIA will be meeting from 5:30-7:30 p.m. Their meetings are held in Russell’s Lounge at the Ottawa Police Association, 141 Catherine Street, Ottawa, Ontario.

Central Valley (CA) HTCIA will be meeting at 11:30 a.m. at 250 E Hackett Road, Room 152 in Modesto. Lunch will be provided, and the topics for the day include chapter goals for 2012, and interpreting hex code.

January 18

Florida HTCIA welcomes speaker Randall Huff, Security Director of TLO.com, from 9:00-11:00 a.m. at the IRS-Criminal Investigation 7850 SW 6th Court, Plantation, FL. Mr. Huff will be speaking on TLO as an organization, TLOxp used by and available to law enforcement as well as other tools developed by the inventor of Autotrack and ACCURINT.

Michigan HTCIA will be meeting the same day at 10:00 AM at the Walsh College Novi Campus room #511. The presentation will be an overview of using social networks as an investigative tool. HTCIA members Mr. Steffan Gaydos and Wayne County Sheriff Deputy Erin Diamond will present issues affecting law enforcement, as well as private sector investigations. The presentation will conclude with a discussion on tools and methodologies for collecting online evidence.

January 19

DFIROnline, run by HTCIA member Mike Wilkinson of our New England chapter (though separately from chapter meetings), is a virtual meeting that brings together digital forensics and incident response professionals from all locations and all disciplines. Beginning at 2000 and running for about an hour, this month’s meeting will feature Harlan Carvey looking at malware detection on an acquired image and Eric Huber covering APTs.

January 20

Washington state HTCIA will offer a presentation on managing incident response investigations, given by Michael Panico of Stroz Friedberg, from 10:00 AM-12:00 PM.

January 26

Ontario HTCIA will be at the Toronto Police College 7 – 9 p.m.

Special Training Events: Atlanta, GA & Los Angeles, CA

On January 27, 2012, Atlanta HTCIA will be offering a special presentation on Understanding and Investigating Microsoft Volume Shadow Copy. This event will run from 10:00AM – 2:00PM; Christopher L. T. Brown, CISSP and the founder and CTO of Technology Pathways, will be presenting.

Field investigators often need to find information fast in the field. Recovering deleted files and performing advanced searches are often time consuming and thus prohibitive for field investigators. Both live system triage and analysis of offline images containing Microsoft VSC “Volume Shadow Copy” snapshots can often net a wealth of information to investigators who know how to process it.

Learn more and register at the Atlanta HTCIA chapter website!

February 6-11: SANS COINS is coming to Los Angeles! Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations-Windows In-Depth will be in sunny Los Angeles, CA February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 will include a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs.

HTCIA members can save an additional 10% off tuition when you enter Discount Code “COINS10”. Register now!


Partnerships with students, other associations make SoCal Chapter of the Year

August 30, 2011

After an extremely intense Chapter of the Year competition, we’re proud to announce that we’ve awarded our annual honor to our Southern California chapter! The variety of activities and events they put together, plus their innovative outreach efforts, have raised the bar for all our chapters and their members. Some highlights:

Student chapter promotion

While the California State Polytechnic University (Cal Poly) Pomona’s student Forensic and Security Technology (FAST) group had been in existence since 2008, it formalized its HTCIA charter in 2010. SoCal chapter president Chris Curran says, however, that it’s not just about having the charter – it’s also about supporting the students in their career paths.

“We invite our students to attend our regular chapter meetings, which several of them have done,” says Curran. “It’s a great opportunity for them to get a feel for what the field is all about, and also to make contacts with potential employers as well as future colleagues.”

The SoCal chapter also gives students access to its job board, which Curran says has a twofold purpose: 1) graduating seniors can apply if they want, but 2) all the students can see the qualifications they’ll need to apply.

And students are encouraged to help represent HTCIA at conferences. A number of Pomona students volunteered at our conference in Atlanta last year, and will be in Indian Wells again this year. In addition, students helped association members staff a booth at both the ISACA Spring Conference and the AccessData User Conference.

This year, the Cal Poly Pomona students showed their appreciation and spirit by designing custom graduation sashes that they wore with their caps and gowns. These sashes are available to any other student charter with graduating members.

Joint training sessions with other associations

The SoCal chapter has taken steps over the past year to build and strengthen relationships with members in other organizations, including the local chapters for the Information Systems Security Association (ISSA) and Information Systems Audit and Control Association (ISACA). Those relationships led to joint training sessions and networking opportunities.

“It’s important for our members to share information, get new contacts and even encourage cross-pollination between the associations,” says Curran. “High tech crime involves so many aspects of technology that you may encounter some uncommon issue where a contact with background in information security or auditing becomes useful.”

Training and education for children and parents

“We gave three presentations on Internet safety – two at elementary schools and one at a middle school,” says Curran. “The schools made sure to invite the parents along with children at all grade levels. The idea was for them to increase their understanding of the good and bad on the Internet, and increase their communication as a result.”

In addition, longtime HTCIA members Donn Hoffman and David Nardoni presented at the Cyber Challenge Camp, as part of a panel on ethics.

Congratulations to our Southern California chapter, and many thanks to our members there for the hours of hard work put into these efforts. We’re looking forward to presenting the 2011 Chapter of the Year plaques in just two weeks. We hope you’ll join us!


HTCIA chapter leader training invites volunteers to grow with us

July 22, 2011

Flock together with other HTCIA chapter leader volunteers!

One of the sessions offered at the 2011 HTCIA International Training Conference & Exposition will be Monday afternoon’s Chapter Officer Training, a session that will help chapter leaders – or anyone interested in volunteering to be an officer – develop better methods for recruiting new members, offering quality training, and running the chapter overall.

Last year’s session was quite successful, with chapter leaders able to ask and answer many questions. The open forum allowed them to help one another out, to brainstorm new solutions and ideas based on leaders’ experiences. We talked with International President Duncan Monkhouse about this coming year’s training:

HTCIA: Why have a training session for chapter officers?

DM: The purposes of this training session are many:

  • It is an opportunity for the IEC [International Executive Committee] to interact with the chapter officers to provide information about running a chapter, and the functions of chapter officers.
  • It provides a forum for the chapter officers to interact with the IEC, providing suggestions about the running of chapters and the association.
  • It provides a location where the chapter officers can exchange information between themselves about how to make a chapter successful.
  • It will give members who are interested in becoming chapter officers a way of finding out how the association works and the work involved in being a chapter officer or IEC officer.

HTCIA: Don’t current and previous officers provide institutional knowledge?

DM: The major way that institutional knowledge is passed down is from current to future chapter officers. However, there can be gaps in the knowledge that is passed, and this training session is a way to ensure that these gaps are filled.

It is also a way for the IEC to reach out to the chapter officers to give and receive suggestions about the functions of the officers, the chapters and the IEC.

HTCIA: You’re covering how to hold meetings, what the officers’ functions are and also allowing officers to network. Why these three things in particular — what have you found that officers misunderstand or need to know better?

DM: These things are important to a successful HTCIA. The frequency and content of the meetings are the key to having a successful chapter. No regular meeting means a chapter is in trouble. Good content on a regular basis attracts new members and builds the chapter and the association. More members in a chapter means more candidates for the chapter officer positions and more possibilities for a wider range of speakers.

By assisting the officers in understanding their positions, the whole association benefits with smoother running administration and better service to the membership. The ability for chapter officers to network allows the chapters that have been successful to make suggestions to the other chapters on how they can achieve the same success.

HTCIA: Will it be sort of a “roundtable” like last year, or more directed this year?

DM: The plan for this year is to emulate last year. The format appeared to work well, allowing the officers to interact, but with some formal part at the start to initiate discussion.

Monkhouse acknowledges that it’s important to have the flexibility and support of both family and employer, for what can sometimes be a time-consuming role. However, he adds that his volunteer leadership at both the chapter and international levels has given him even more quality networking and job opportunities than membership alone. “This is an opportunity to see what the association can give to you and how you can give back to your community of cybercrime professionals through HTCIA,” he says.

The chapter officer training will be informed by, and will also feed back into, the association’s 5-year strategic plan that’s under development this weekend. Knowing where the past 25 years have taken us, and where we’ll be going in response to the high tech crime investigation community as a whole, will help us better serve our chapter leaders – at the conference, and beyond.

Are you a Chapter President, Vice President, Secretary, or Treasurer – or have interest in running for any of these positions? Please join us on Monday, September 12 at 3:30pm in the Emerald 8 room. Be sure to register for the conference!

Image: lifeinfrozenframes via Flickr


Sponsoring the next generation of cyber defense talent

March 25, 2011

One of HTCIA’s core values is security, not just via law enforcement but also through critical infrastructure protection. Our members who work in these fields understand that it’s often the hands-on experience that leads to the best problem-solving — both reactive and proactive.

That’s why our SoCal chapter, together with the International Executive Committee, is sponsoring the Western Regional Collegiate Cyber Defense Competition. Held at Cal Poly Pomona, the three-day event pits college students (the Blue Team, as network security administrators) against the best security professionals in the business (the Red Team, as criminal hackers). Blue Team members gain points for keeping their network services up and responding to business injects, and lose points each time they are successfully attacked.

Part of the competition’s appeal is that it doesn’t just ask students to defend against hackers; it also asks them to balance security against business needs, including requests for service from end users. Students are also asked to maintain careful documentation of their actions, and to make recommendations on security improvements.

“This is experience that students won’t get any other way,” says Dr. Dan Manson, SoCal 1st Vice President and the event’s administrator. “Because they need more than just technical skills, they learn more in one weekend than they can in an entire year in the classroom.”

Winning Blue Teams have the opportunity to advance to national finals in San Antonio (Texas), where they compete against other regional teams. In 2009, the Western Regional Blue Team finished fourth at nationals — and Boeing interviewed the Cal Poly team as a whole and hired all six graduating members. “At the national competition is where major employers court the students,” says Manson.

While news media coverage of last year’s event was very positive, Manson plans to take it a step further this year by providing Flip cameras to each team, along with roving observers. “They’ll film participants’ back stories and provide a play by play of the competition, almost like a sporting event,” Manson says. He plans to use the video for recruitment purposes.

Ultimately, the WRCCDC provides its participants with the chance to learn “how the real world works,” as Manson puts it. Recent attacks on major security firms including HBGary Federal and RSA, and on governments including France’s, bear this out.

And HTCIA support, in conjunction with sponsorships from industry leaders such as Intel, Cisco, McAfee, and ISACA, reinforces the importance of community involvement in developing the next generation of security professionals.

We look forward to seeing how the competition goes this weekend. Meanwhile, what kinds of student programs are you or your chapter involved with?


Digital evidence training RFP: The Northeast chapter wants you!

March 18, 2011

Our Northeast chapter has issued a request for proposals! For Calendar Year 2011, the HTCIA Northeast Chapter seeks qualified vendors to provide 1-day, on-site training classes to the HTCIA membership.

Objectives and audience

Specifically, the chapter seeks training in tools and techniques that can be used to assist in identifying, collecting, analyzing and reporting on digital evidence. Training classes must be limited to no more than 8 hours in length, must be delivered within one working day, and must be offered in the NY/NJ area. Preference will be given for training in the following regions:

  • New York City metro area
  • White Plains, NY
  • Albany, NY
  • Buffalo, NY
  • Princeton, NJ
  • Eatontown, NJ

The proposed training classes must support HTCIA’s mission, and must be open to both law enforcement and private industry representatives. The classes will improve our members’ ability to identify, acquire, analyze and report on digital evidence in support of their professional responsibilities to respond to an apparent high technology-related incident.

Budget, schedule and evaluation

No proposal for a single training class can exceed $2,500 in total costs to the chapter. (Proposals that include additional student tuition to cover a cost over $2,500 will be considered but are not preferred.) A vendor, however, may offer multiple training sessions in different locations, each of which can be priced separately. The training must be offered during the calendar year 2011.

The training proposals will be evaluated based upon the following factors:

  • Budget (20%)
  • Training content (20%)
  • Timeframe of delivery (10%)
  • Number of students to be trained in a session (10%)
  • Qualification of the applicant and of the personnel who will be providing the training (20%)
  • Other, including applicability to all HTCIA membership (20%)

Got questions?

Any questions in response to the solicitation must be sent via email to the HTCIA Northeast Chapter Secretary (email address: sec@htcianortheast.org) with a copy to the Chapter President (pres@htcianortheast.org).

Questions may be sent until 11:59pm on March 25th, 2011. All questions will be answered as they are received. Responses to all submitted questions will be provided via email to all potential bidders who have so identified themselves via email to the Chapter President or Secretary. Any potential bidder who identifies themselves after a question has been answered will be sent copies of all previously submitted questions and answers.

Send your RFP responses

Responses must be sent to the HTCIA Northeast Chapter Secretary (email address: sec@htcianortheast.org) by 11:59pm on March 30th, 2011 via email.

Your response should contain all the parts listed below.

I. The General Training Goals, including the specific issue(s) to be addressed by the training and/or product(s) and process(es) to be presented

II. The Target Audiences, including relevance to all HTCIA membership

III. Objectives

IV. Project Details

  • Cost
  • Content Summary
  • Venue
  • Length of Presentation
  • Team Organization
  • Deliverables
  • Quality/Quantity Standards
  • Identification of Previous Presentations of this Training

V. Resources Provided

VI. Resumes of individuals that will provide training

We look forward to hearing from you!


This spring: Upcoming events

March 15, 2011

Throughout March, April and May our chapters will be hosting a number of training events — both regular meetings and regional conferences — and they’re looking forward to seeing members and non-members alike.

In March

On Tuesday, March 15 our Central Valley (CA) chapter will be hosting W.R. McKenzie, a Stanislaus County deputy district attorney. McKenzie will address a number of frequently asked questions about legal aspects of high tech investigations, including:

  • sexting, sextortion and sexual harassment via mobile phone
  • cell phone searches
  • discussion of 528.5PC (California’s penal code regarding impersonating another via the Internet)
  • discussion of 637.7PC (another penal code regarding GPS and the private citizen)
  • non-law-enforcement searches of workplace computers
  • Q & A

The meeting will start at 11:45 am at the Stanislaus County Sheriff’s Department; lunch will be provided for members and their guests.

On Wednesday, March 16 our Western Canadian chapter will host Jason Smith, Account Executive for Guidance Software. He’ll be providing their views regarding the direction of forensics and forensic investigations over the next few years. As part of the presentation, Guidance will also be providing a demonstration of their Cybersecurity product for proactive auditing and incident response. This product will be of definite interest for members in private industry and law enforcement facing increasing demands by management to reduce or eliminate security incidents through proactive measures.

The meeting will begin at noon at the Nexen building in Calgary.

Wednesday, March 16 will also see our Florida chapter’s meeting. At the FDA building in Plantation, Bob Masterson of Windward Development will run through some Basic Linux Forensics. The meeting starts at 9am.

On Thursday, March 17, our Atlanta chapter will be, in conjunction with the Atlanta chapter of the American Society for Digital Forensics and eDiscovery (ASDFED), hosting AccessData Group for a discussion of:

  • eDiscovery from a practitioner’s perspective
  • legal review & case data management
  • forensic investigations
  • the future of threat detection

The meeting will run from 10:30am – 1pm at the AIU Atlanta campus, located at 500 Embassy Row.

On Tuesday, March 22, our Northeast chapter will host a series of three presentations:

Cyber Situational Awareness through Graph Mining. Tina Eliassi-Rad, an Assistant Professor at the Department of Computer Science at Rutgers University, will outline applications of graph mining to various problems associated with cyber situational awareness. In particular, the presentation will discuss Eliassi-Rad’s work on (1) traffic profiling in the presence of encryption and obfuscation, (2) anomaly detection in volatile networks, and (3) the vulnerability measure of a network and the shield value of a host in the network. Time permitting, the presentation will detail a linear-time algorithm with a 94% success rate in identifying Web-based attacks.

Responding To Advanced Persistent Threat Intrusions:  Effective Tools, Tactics, and Protocols for Enterprise Intrusion Investigations. Stephen Windsor, who leads Booz Allen Hamilton’s Digital Forensics and Incident Response Team, will focus on effective incident management, investigative techniques, indicators of compromise and how to find them in the enterprise, and ultimately, remediation and risk mitigation techniques. He will follow this up with a conversation on developing an enterprise APT risk mitigation strategy.

Securing Your Mac. Waldo Gonzalez, a detective with the New York City Police Department Computer Crimes Squad, will give a step-by-step presentation about how investigators should secure and lock down their Macintosh computers from physical and network threats. Although the Mac OSX operating system is considered to be safer because viruses are mainly geared towards the Windows environment, it is still important to secure.

The meeting will run from 9:30 AM – 3:00 PM at Booz & Co. Inc., 101 Park Avenue in Manhattan. It will also be available via WebEx. See more details, including RSVP information, at the Northeast chapter website.

Between March 29 and April 1, the Minnesota chapter will be holding its 9th annual spring conference. Designed for security managers, law enforcement, county and state attorneys/prosecutors, corporate security investigators, homeland security administrators, students pursuing a forensics degree and others, the conference will feature lecture tracks on common investigative problems, three excellent keynote speakers, and hands-on breakout sessions. See our earlier blog post for many more details!

April meetings

On Wednesday, April 13th, our Arizona chapter will meet from 9:00 a.m. to 12:00 p.m. at the Tempe Police Department – Apache Substation. Featured speaker, InfinaDyne’s Paul Crowley, will present on CD/DVD forensics with CD/DVD Inspector version 4.1 and digital video indexing with Vindex. Meeting attendees will receive a disc containing trial versions of each application. (Remember: these tools will also be available free to all international conference participants!)

Thursday, April 14 from 9:00am – 12:00noon, our Delaware Valley chapter will host Michael L. Levy, Assistant United States Attorney and Chief, Computer Crimes, speaking on recent developments in the law regarding the seizures and searches of computers. In addition, Leonard Deutchman, General Counsel and Administrative Partner of LDiscovery, LLC, will speak on theft of trade secrets and confidential information from the corporate perspective.

On Friday, April 15, our Northeast chapter will hold its monthly meeting from 9:30 AM – 3:30 PM. Speakers and topics are to be announced, but you can plan to attend at St. John’s University, NYC Campus. Learn more at the chapter website.

On Tuesday, April 19, our Ottawa chapter will be hosting John R. Schafer, PhD, for a talk on Psychological Narrative Analysis (PNA). A new technique based on scientific research, PNA is a professional method that detects deception in both written and oral communications. It applies to social and professional environments, and is a passive technique that can benefit law enforcement officers, attorneys, and psychologists alike as they interview subjects.

Held at Toronto’s BMO Institute for Learning, in person or via a live webcast, the meeting will run from 1-3:30 PM. For more information and to register, please visit the website at www.cticanada.ca.

In May

Our Michigan chapter’s next meeting is scheduled for May 11. From 10:00 AM to 12:00 noon, Joel Weever will present a “Malware Economy Update”. The meeting will be at the Troy Police Department.

And in Ottawa on May 26, our chapter is organizing a one-day training event, “From the Beginning.” Designed for first responders, the session will bring together subject matter experts in various fields to give you an updated view of the challenges faced by today’s first responders under different conditions.

The agenda will include:

  • The legal aspects and challenges for proper collection of digital information
  • Corporate responsibility when faced with a requirement (internal or external) to produce digital evidence
  • Current practices relating to computing systems – hard wired, mobile, networked or “in the cloud”
  • Critical data to collect and how to collect it while maintaining its integrity

In addition you will have an opportunity to question our subject matter experts relating to your specific circumstances.

Questions about any of these events? Visit the websites linked from this post, and find contact info there. You can also leave a comment below, and we’ll get back to you with the right contact information.


A Midwestern training conference based on community

March 9, 2011

March 29-April 1 this year will see our Minnesota chapter hosting its 9th annual spring training conference. Its competitive lineup of sessions centers on computer investigation issues, tools and techniques, including:

  • computer crime investigation
  • cellular/smart phone analysis
  • live forensics
  • Windows 7 tips and tricks
  • legal updates
  • security issues
  • internet evidence

Keynote speakers include Andy Crocker, COO of CyByL Technologies and subject of the book “Fatal System Error” by Joseph Menn, Marc Goodman from the Cybercrime Research Institute and Micheal Kobett from the Defense Cyber Investigations Training Academy.

“We took a page from the international conference’s playbook by focusing on topics this year, rather than on speakers we were already familiar with,” says Jason Bergum, Minnesota chapter president. “As a result, we have a much more diverse lineup. Jim Moeller will be speaking on Xbox and Windows forensics, while a speaker from Purdue will talk about social networking. We’ll have case studies on phone cloning fraud, and a local case centered on threats made to the Vice President.”

Breakout, bring-your-own-laptop sessions will also be included to get hands-on experience with some of the newest digital forensic tools. Vendors like Intella, Red Wolf Systems (makers of Drive Prophet), Guidance, Susteen and Technology Pathways (makers of ProDiscover) will be on site demonstrating hardware and software products. Some vendors will additionally provide classes: AccessData on triage, Guidance on RAM analysis, and others.

Affordability in the spirit of community

Held at the Bureau of Criminal Apprehension in Saint Paul, MN, the conference costs $300 for non-members, $260 for members and $100 for students (proof of enrollment required). This inexpensive event is in direct response to the current state of the economy.

“Many departments and corporations, especially in these economic times, frown on expensive training and we have been able to provide an event that is not only affordable, but high quality,” Bergum explains. “Our chapter membership spans 3 states and this conference provides great training that people don’t have to travel long distances to obtain.”

Conference organizers hold costs down by appealing to the sense of community learning on which HTCIA was founded. “We all know we can’t do this work alone,” says Bergum. “We are fortunate to have volunteers who give their time, as well as speakers who contribute their knowledge and experience just because they know it is needed.”

No investigative conference would be complete without the opportunity for investigative professionals to gather together to discuss current trends and the latest tools, and to build camaraderie. Bergum says this is consistently the aspect which participants like best about the conference, along with the quality of the speakers.

In addition, a change of venue — from the 90-seat limit at Target Corp. to the 150-seat maximum at BCA — will allow for many more participants to attend and network.

A co-sponsorship with higher education

For the first time in its history, the Minnesota chapter will be co-sponsoring its conference with Century College, an arrangement made possible by the Investigative Sciences and Law Enforcement Technology (ISLET) program.

“The ISLET grant is specifically for forensics training,” says Bergum, adding that he anticipates nearly two dozen students at the conference this year — a significantly greater number than last year. The chapter is working on creating student charters with both Century College and Metro State.

We wanted to know one final thing: how does the chapter attract people to Minnesota at a time of year that isn’t yet as warm as in other areas of the country? Bergum says that’s easy — the state holds many different types of attractions. “The Land of 10,000 Lakes” attracts outdoorsy adventurers, while others come to see (and shop at) the Mall of America.

“Many people are also intrigued by our Skyway system,” says Bergum, “which makes it easy to get around each of the Twin Cities.” Additionally, a train goes directly from the airport into downtown Minneapolis.

In the Midwest, or planning to travel there at the end of March? Join our Minnesota chapter members while you’re there!