2012 HTCIA Conference Call for Speakers

December 14, 2011

If you’ve considered presenting to other high tech crimes investigators in 2012, we hope you’ll submit a paper to us! As always, the 2012 HTCIA International Training Conference & Expo organizers seek to provide the best possible training on the latest topics in high technology crime by the best speakers available.

To this end we’re soliciting speakers for the conference in the following areas (not an exhaustive list):

  • Information security
  • Investigations (identity theft, child pornography, cyber crime, intellectual property theft, white-collar, and corporate)
  • Computer forensics
  • eDiscovery
  • Legal issues
  • Courtroom testimony techniques
  • Financial crimes – tax evasion & money laundering
  • International trends – situations – experience
  • White collar & corporate investigations
  • Legal issues – civil & criminal
  • Legal mock trial
  • Report writing for forensic examiners
  • Report writing for investigations

The 2012 HTCIA International Conference & Training Expo will be held September 16-19, at the Hershey Lodge, Hershey, PA. If you would like to speak on any of the above topics, or have a topic of your own, please contact Jimmy Garcia, chair of the Program Committee – jrgarcia@da.lacounty.gov. We look forward to hearing from you!


Learning from the next generation: Student research at #HTCIACon

September 29, 2011

Jon Ford describes his Virtual Desktop research

Before the HTCIA conference, we blogged about a new style of presentation: student poster presentations, which would give graduate and undergraduate college students the chance to talk to professionals about their research.

Six students were on hand in Indian Wells, presenting on a wide range of topics from information security to law enforcement volunteer jobs:

Infosec and e-government

Tim Perez is a doctoral student at Dakota State University and is working on a dissertation entitled “E-Government Security Concerns for Municipal Government Entities.” Having worked for eight years as an information technologist for a local law enforcement agency, Perez sees that communities with small budgets and few regulatory requirements tend to focus less on security.

However, measures like online bill pay, which increase both efficiency and convenience, make security necessary because they deal with personally identifiable information. Perez’ research focuses on how to communicate these issues in a way that municipal managers will understand.

Learning incident response by doing

Another project that brought together law enforcement, security, and education was a Cal Poly Pomona Senior Project. Chris Curran, at the time a college professor and SoCal HTCIA Chapter President, approached students to design an entire scenario, from players to the crime to the resulting analysis. The completed project would then be used as a final exam for other forensic students.

Student Steve Gabriel came up with the scenario involving a fictional disgruntled university IT employee, who had “stolen” critical source code and hidden it in a System 33 file when he went to a new job. Gabriel utilized multiple web browsers, along with Trillian instant-messaging and Outlook email software. Several other students played the other fictional roles, communicating and using digital media that was later imaged and provided as “suspect” evidence.

To find the evidence and create an answer key for Curran, Gabriel and the others used FTK, EnCase, AccessData’s Registry Viewer, and a SQLite database viewer. Gabriel said the project received good feedback for being an incident response-type case with multiple exploit layers and 25 gigabytes of evidence.

Security vs. performance with supercomputing

On the preventive side of network security was work that Cal State-San Bernardino students Kyle Sandoval, David Warner and Estevan Trujillo had done for the 2011 Computer System, Cluster and Networking Summer Institute at Los Alamos National Laboratories. Their research broke ground on the cost of deploying firewalls on each node of a supercomputing cluster, rather than on the 4,000-node cluster as a whole.

The reason: security measures should always be installed on each separate computer, but supercomputers are so expensive to power that even a five percent drop in computational performance – such as what a firewall might result in – can exponentially add to their cost.

Thus in their project, Sandoval, Warner and Trujillo used a Linux cluster and created multiple IPTables rule sets. They used these to run a series of benchmarking tools that measured bandwidth, latency, and MPI job performance, in order to determine what performance impact an IPTables firewall had on a cluster.

With just 10 test machines and a 6-week period, the research concluded simply that more research was needed – and the students anticipate that the lab will continue their work.

Virtualization for mobile device management

Jonathan Ford is a student at Cal State University and a volunteer for a nearby sheriff’s department, which was starting to provide official-use iPads to its officers. A number of issues presented themselves with that initiative:

First, the iPads’ remote access to a virtual machine would work for 10 to 20 users, but large numbers – the kind that would be seen on an average shift – made the virtual machine unstable and caused it to crash. Second, different users would need different levels of access to records depending on their role. Finally, to minimize the risk from vulnerabilities – not just on iPads, but also on the other 3,000 or so disparate devices in use – the agency needed a way to manage a variety of operating systems, software and users.

Ford’s answer: a Virtual Desktop, which would save both time and money by enabling:

  • upgrades and patches to occur just once rather than for each system
  • data to be stored on a server
  • administrators to keep a list of which users had access to which software applications

The second part of Ford’s research shows law enforcement agencies the benefits of integrating academic research into their everyday operations. “Many agencies cannot hire full-time employees, but they still need support with computer forensics and security – the fields students want experience in,” he says. “Writing grants for research means each can get what they need.”

How law enforcement can benefit from student volunteers

Cal State-Sacramento student Alex Krepelka had earned a GCFA and wanted to use it. But he didn’t just stop at volunteering for the Butte County District Attorney’s Office – he turned it into research, so as to help law enforcement develop their own computer forensics and security volunteer programs.

Krepelka thinks it would help if agencies could fall back on a set of national standards for forensic investigations that will go to trial. From county to county, some agencies allow volunteers while others do not, yet many agencies have backlogs of hundreds of cases. He also thinks that if students knew they could get valuable real-world experience from organizations that needed their expertise, more would study computer security and forensics.

The value of HTCIA student affiliations

Krepelka believes that organizations like the HTCIA can help – and that’s where the final research project comes in. Austin Pham, a student at Cal Poly Pomona, presented on the Forensic and Security Technology (FAST) organization, HTCIA’s student charter at that school. FAST affords students the opportunity to take workshops on data acquisition, analysis and reporting – as well as on industry standard forensic tools, including EnCase and FTK.

This is thanks to its affiliation with the HTCIA SoCal chapter and the forensic professionals who are members there. “We hold six meetings a quarter and some training workshops throughout the year,” says Pham, “and we always get great turnout.” During the student charter’s first signing, in fact, 25+ students expressed interest in membership, and the organization has grown ever since.

Pham added that he and other FAST students had all volunteered to assist with our conference, because of all that HTCIA had invested in them. They registered participants, directed attendees to lecture and lab rooms, and assisted presenters with equipment and other needs.

All six student presenters told us that they had seen a good amount of foot traffic, which resulted in some good comments and questions – especially those for whom the topics hit home. The feedback will help them validate and refine their research, ultimately making it stronger for the entire community.

Anna Carlin, the instructor who coordinated the presentation, adds that the students themselves benefit in a variety of ways: not just with the ability to conduct more credible research, but also with exposure to the very professionals who are in a position to give them jobs or grants.

Did you meet our students in Indian Wells? Want to see future research presented at our conferences? Leave us a comment and let us know what you think!


Doing more with less: Forensics in the lab and in the field

August 26, 2011

Two of our scheduled lectures address an issue that nearly every digital forensic examiner faces these days: limited resources. Whether budget-related or not, a lack of people or equipment has backlogged a number of labs – anywhere from six months to over a year.

On Tuesday Sept. 13, Andrew Rosen, president of ASR Data, will talk about computer forensic examinations and how to conduct them in a way that makes exams more efficient. That same day, Jason Weiss, Jim Watkins and Baden Gardner, of the FBI’s Orange County (CA) Regional Computer Forensic Lab (RCFL), will discuss backlog reduction strategies for labs.

How to work 10 times faster with FTK and EnCase

Creator of the Expert Witness forensic software that is now known as EnCase, Rosen believes that the forensic community has focused so much on tools in the last few years that examiners have lost sight of the processes which could make them more efficient. For example, he says, “Segmenting images was important when FAT32 was dominant and you had to segment. But now, it’s part of the forensic canon when it doesn’t need to be.”

Likewise, forensic examiners don’t know how to remediate the problems inherent in searching images of terabyte drives and petabyte collections within the current forensic paradigm. “‘Triage’ is a buzzword that reflects how long it takes even for a skilled examiner to figure out where data falls in the analysis stack,” Rosen explains. “The tools reflect an approach that allows examiners to obtain actionable information quickly.

“But getting less than a full forensic image just to save time and money runs contrary to forensic method,” he continues. “So to get to a solution, you have to take a step back, look from the standpoint of a juror or judge and ask why the current way is what it is. And once you understand how the tools’ methods lead to inefficiency, you can remediate that by leveraging simple logic and the specialized knowledge of the investigator.”

For example: “On a keyword search, you start with Sector 0 and move forward until you’ve searched all the data,” Rosen says. “This is a simple, linear implementation, and it means you’re searching for data where it is not likely to exist.”

In other words, rather than focus on higher level details like file names, focus instead on the data – the URLs, images, IP addresses and other underlying characteristics of data. “By defining what we are interested in and what we are not interested in, we can eliminate the slowest and most inefficient part of the forensic search process. This allows the examiner to obtain a full image without having to worry about where data can’t exist,” Rosen says.

This is important for examiners who have already invested heavily in FTK and/or EnCase. “The tool isn’t the most important thing; it has to be an extension of the examiner,” he adds. “If you automate an inefficient process, all you’ll get is faster inefficiency. But if you automate an efficient process, you’ll become more efficient over time. In this way, our forensic tools can provide ROI – the more you run it, the more inefficiency it eats.”

Doing more with less in a lab environment

Weiss, Watkins and Gardner have taken a different approach at the OCRCFL. Their focus is also on process – but on the practical side, rather than the purely technical side. As Laboratory Director Jason G. Weiss explains, despite the exponential growth in digital media examinations (the LA FBI has seen the amount of processed data increase over 100% per year for the last 8 years), their approach has helped eliminate most case backlog.

In their lecture, they’ll focus on three elements (along with cost and statistical figures) that have brought them the most success: Case Agent Investigative Review (CAIR), Forensic Preview, and “self-service” kiosks for both cell phones and loose media (such as thumb drives).

“CAIR and Forensic Previews are low cost solutions to improving forensic laboratory efficiency,” says Weiss. “Choosing which process is the best fit for any given case comes down to the case’s size and complexity.”

CAIR enables the primary investigator (“Case Agent”) to review their digital evidence quickly in a safe, forensic environment. Once that is complete, lab staff provide the Case Agent with a disk of relevant files from the digital media, which can help further an investigation and allow the Case Agent to determine the next step without having to wait weeks or even months for a traditional data content review.

Forensic Previews, meanwhile, are useful when conducting searches, especially of child pornography suspects. “Some of the computers Case Agents seize during these investigations may have no child porn on them, so a Forensic Preview of those hard drives helps us determine if the computer in question is contraband, or should be returned to the subject,” says Weiss.

He adds, “The preview process is usually very valuable to the Case Agent and allows both us and the Case Agent to quickly understand a case before we spend significant laboratory resources imaging and/or examining computer data that is not even part of the crime.”

Another time saver is the new “self-service” kiosks, which enable the RCFL’s partner agencies to come to the lab and review cell phones, iOS devices and most types of loose media in a forensic environment, without the need for a traditional forensic exam. Most of these exams take significantly less time than traditional exams, and can usually be done in one short visit to the lab.

In all of the processes discussed in this seminar, forensic examiners can also improve their ability to multitask – something that Weiss says is “harder to do if you are looking at every case in the traditional computer forensics model.” Many of these processes are scalable regardless of lab size – whether you have 3 examiners or 30.

Dealing with backlogs in your lab, or simply need more efficient work processes? Come to Indian Wells next month and learn from those who have been there!


Building the cyber warriors of tomorrow

August 23, 2011

In addition to the Student Poster Presentations which will help introduce graduate and undergraduate researchers to the professionals attending our conference, Cal Poly Pomona Professor Dan Manson and lecturer Anna Carlin will speak about developing a more in-depth training program for the next generation of cyber warriors.

“We’re talking about what we’ve learned from five years of work,” says Carlin. In the beginning, few other schools were involved with digital forensics education; training was available primarily from vendors, and Manson and Carlin had not yet been introduced to HTCIA. “We felt like we were alone in what we wanted to do,” says Carlin.

As they continued to develop more classes, they also became more active in professional associations, including HTCIA. That gave them insights into what employers were looking for, and the skills students would need to meet the demand.

Workforce development through competition

“More companies want people who can secure and defend their networks,” says Carlin. “But you can’t just fill a position; you want to match students as best you can with the company so that they end up staying there for years.”

To get a true sense of students’ capabilities, Carlin and Manson encouraged them to start student clubs, including HTCIA’s first student charter: FAST (Forensic and Security Technology). They also helped to involve their students in the Western Regional Collegiate Cyber Defense Competition, a concept that they’re now working on expanding.

“We want to create a National Cyber League, which will be like the way professional sports are set up – going from a preseason to rounds of events between competing teams,” says Carlin. “The only way to get better at skills like the kind security requires, is to practice. So this is workforce development more than an academic exercise.”

The role of professional associations

Associations’ involvement in competitive activities is important. But they also serve a crucial role on their own: allowing students to develop networking skills. “Our HTCIA student charter has access to chapter meetings, and they’re not shy about inviting people they want to hear,” says Carlin.

Student-focused meetings might include a Career Night, on which four to five senior professionals gather on a panel to answer questions about what they do and what they look for – as well as challenges they faced along the way, and what they would’ve wanted to know when they were starting out.

At these kinds of events, Carlin says she makes the students split up and sit at tables with the pros, where they must collect at least one business card along with two unique things they learned about that person.

In fact, at one meeting, an employee from one of the Big 4 consulting firms liked the student so much that even though the student’s GPA didn’t meet their requirements, they asked for a resume.

The associations’ full-time professional members like the students’ enthusiasm, and they enjoy taking the time to help students out. The more involved students are, in turn – such as volunteering at association events – the more they transition from students to business professionals.

“We’re not a big school, so we have to work a little harder to get our students noticed by the best employers,” says Carlin. But that hard work has paid off, and she and Manson are glad to share their experiences with others who want more for their students as well.

To read more about the specifics of their presentation, read their abstract on the HTCIA Conference website. We hope to see you in Indian Wells!

Image: West Point Public Affairs via Flickr


Beyond marketing, an explanation of Advanced Persistent Threat

August 15, 2011

Advanced Persistent Threat is one of the most talked-about topics in the information security field – and one of the least understood. On Tuesday, September 13, Peter Morin – a member of our Atlantic Canada chapter, and conference treasurer – will discuss the anatomy of Advanced Persistent Threats including the various stages of attack, common attack vectors used, and examples of high-value targets (i.e. SCADA).

We asked Peter to elaborate on his topic, as well as to tell us a little more about his HTCIA experiences:

HTCIA: Why did you choose this topic — what about APT is misunderstood or needs better dialogue?

PM: Although attendees may not be with the government, a top secret facility or a popular .com website, they are still at risk. It is important that people realize that the threat landscape has changed dramatically over the last couple of years. Attacks are being carried out with very specific goals and for very different reasons than before (i.e. “hacktivism”). We now have to focus more on concepts such as intellectual property theft, disclosure of stolen data by attackers, attacks that may be conducted over a long period of time, the role of malware in APT attacks, etc.

HTCIA: What do you want participants to know or be able to do when they go home?

PM: What are the various attack vectors and phases of a typical APT campaign? What security-related indicators to look for and how to improve the defenses they may already have in place? Also, tips, tools and techniques used in performing incident response related to some of the common attacks being seen today.

HTCIA: What do you want to see out of students during the class?

PM: Interaction would really make the class worthwhile. I try not to provide a speech to students or simply read PowerPoint slides; hearing about their experiences, comments, etc. really makes for an enjoyable interactive session.

HTCIA: On a slightly more personal note, what do you enjoy about teaching?

PM: I enjoy the interaction with others, being able to mentor and share experiences and meet interesting people.

HTCIA: You’re volunteering as conference Treasurer as well as webmaster. How do you make time for everything?

PM: I think balancing work, family and volunteering is important. The people that make up the various committees, board, etc. are fabulous and well worth the time!

[In general] the HTCIA has always been an important organization for me [because of] the interactions with other forensic and incident response communities. I am not in the law enforcement field, but because of the HTCIA, I am able to interact with members of law enforcement to share experiences, processes, tools, etc. So, when I was asked to return as conference treasurer, I jumped at the chance!

Questions for Peter? Please comment below, or better yet – come see him in person in Indian Wells next month!


A call for papers… from students

July 21, 2011

Following on its success with the Western Regional Collegiate Cyber Defense Competition, Cal Poly Pomona will be sponsoring something that’s normal for academic conferences, but new to trade shows: a student poster presentation, a way for students to connect with the professionals they’ll be working with following graduation.

What it is

Anna Carlin, a Cal Poly Pomona professor and 2nd Vice President of our SoCal chapter, is looking for 10 full-time students to present their work in our exhibit hall on Tuesday, September 13. We’ll provide a poster board for hanging the presentation, which can be as simple as PowerPoint slides. Posters will be displayed in the Emerald 4 Room, allowing all attendees to see the students’ work.

Not restricted to either Cal Poly students or HTCIA members, the presentation will allow students to connect with cyber security and computer forensics professionals from around the world. The work being presented must be new and current research and development in the field of cyber security and computer forensics. Work being done in conjunction with a professor is permitted.

HTCIA student charters may present the activities performed by their charter. Student Charter posters may describe charter activities, events, and/or other involvement with cyber security and computer forensics professions. A single representative should coordinate the submission of each Student Charter proposal.

The Academic Program Committee will be reviewing submissions based on the following criteria:

  • Relevance to the field of cyber security and computer forensics
  • Potential for practical impact
  • Degree of originality
  • Technical depth
  • The overall quality of the submission

Who can participate

We invite full-time undergraduate and graduate students to submit poster presentations on research and work in the field of cyber security and computer forensics. Work being done in conjunction with a professor is permitted. The poster session can also showcase the activities of HTCIA Student Charters.

Why students should submit

The first 10 students whose poster presentation is accepted will receive FREE conference registration for all 3 days (a $395 value) and a one-year student membership to HTCIA (a $25 value)! Accepted abstracts will be printed in the program and posted on the HTCIA International Conference website.

In addition, five benefits to participating:

5. Obtain a critical review of your work by submitting a poster presentation, and meet potential sponsors of your work.

4. Expand your network of other students interested in cyber security and computer forensics.

3. Listen in on hot-topic panels and presentations and take home the most current research and solutions from industry leading experts.

2. Receive recognition and a Certificate of Participation.

1. Meet potential employers!

When and how to submit

The deadline for submission is July 29, 2011. Send a short 50- to 75-word abstract with three learner outcomes (not part of the word limit) that attendees are expected to gain from the poster presentation. You will be asked to indicate the target audience level (getting started, intermediate, or advanced).

Please email your abstract to the following e-mail address: acarlin@csupomona.edu. A student may submit only one abstract. Students will be notified about acceptance by Friday, August 5, 2011.

For more information, including specific submission guidelines, poster session guidelines and other prep work, see https://www.htciaconference.org/studentposters.html.

Want to see what students are up to in the community? Register for the conference now: https://www.htciaconference.org/registration.html

Image: carmichaellibrary via Flickr


Platinum sponsor MSAB: A full spectrum of mobile forensics labs

July 20, 2011

To provide a fully rounded spectrum of information about mobile device forensics, Platinum sponsor Micro Systemation AB, makers of XRY and XACT, is offering a variety of labs built to be valuable to investigators, not just the company.

Branded content will be presented, of course, from MSAB product specialists Jansen Cohoon and James Eichbaum, along with technical trainer Shaun Sutcliffe. Python scripting labs will support XRY functionality, while Sutcliffe will present a “Mobile Forensics Fundamentals” course designed to teach core process irrespective of tools used.

There will also be an XRY-specific lab. “We’re focusing on providing quality training without making infomercials,” says Cohoon. “Of course we’re going to talk about XRY, but our primary interest is to teach methods that will be useful with any tool.”

But Cohoon adds that his experience as a reserve deputy with the Oktibbeha County (Mississippi) Sheriff’s Office led him to want to offer more depth. As a result, MSAB will be offering labs on iOS forensics and Apple’s new iCloud service, as well as labs on Android and GPS forensics. Two other labs will go in-depth with cell site analysis and mapping.

Hands-on Python scripting

Cohoon will be teaching about Python scripting for forensic examiners. Python has been part of XRY since 2009 and is starting to catch on within the investigative community.

“A lot of law enforcement agencies are finding value in having someone on staff who can do scripting, whether writing EnScripts or working with Python, dd and other languages,” Cohoon explains. “Programming isn’t something everyone can do, but Python is popular in university computer science departments because it’s easy and is built in a way that forces good code writing.”

These qualities make it a good tool for forensics. “Scripting brings the investigator to the vendor level,” says Cohoon, “giving more insight into how their tools work and what they do.” And that can only strengthen courtroom testimony as investigators detail the processes they use to obtain evidence. “You’re not changing the data — you’re finding more of it,” Cohoon says.

His beginner-level lab will focus on the Python application, including some existing scripts, what they do and what investigators will see after running them. He’ll also discuss how the scripts and their results relate to XRY, MSAB’s flagship tool.

For example, he says, “You might have a phone that you know a lot of SMS are on, but you’re not getting them even though XRY supports the phone and got the file system. So, you can write an SMS script and program it to add its output to the .xry file, and you get the messages that way.” His advanced scripting lab, meanwhile, will cover writing new scripts as well as modifying existing ones.

iOS, iCloud, Android and GPS

Cohoon will be teaching iOS device and iCloud forensics in another lab. “The OS is constantly evolving, so we’re going to try to make the lab as up-to-date as possible,” he says — possibly even including iOS 5, if it becomes available in enough time to engineer for it.

Meanwhile, iCloud, the service that is slated to replace Apple’s MobileMe remote phone access feature, will carry its own forensic implications. “We’ll be talking about the artifacts, and what is available and important to investigators from the iCloud service,” says Cohoon.

Another lab will focus on Android. “Vendors are just starting to incorporate Android physical acquisitions into their tools, so we want investigators to understand the platform,” says Cohoon. Instructor Eichbaum, formerly a detective with the Stanislaus County (Calif.) Sheriff’s Office, will cover — among other things — rooting and “shell rooting,” which Cohoon explains is like live RAM acquisition. Eichbaum will also be teaching a lab on introductory GPS forensics.

App Overtime

Neither the iOS nor the Android experience would be complete without third-party “apps”, applications that add functionality to the core product. In another lab, Cohoon will discuss the “investigative wealth” within these apps, together with a variety of tools, both free and commercial, that can be used to examine their data.

“Investigators may dump the phone, but they don’t always see what’s in the dump, and they miss evidence,” Cohoon says. “For instance, Apple now strips much of the geolocation data, but many apps still contain it.”

He’ll cover eight or nine popular apps, so that investigators will be able to spot what Cohoon calls “repetitive patterns” as they continue to explore apps on their own. “Apps are all built on SQLite, XML and so on,” he explains, “so those languages underlie whatever investigators turn up in their analyses.”

Cell site analysis and mapping

Rounding out the labs will be basic- and advanced-level courses on cell site analysis and mapping. Jim Cook of Premier Customer Connections, a California wireless consulting firm that is unaffiliated with MSAB, will go more in-depth from his “Cell Phones: the New DNA” lecture. His basic lab will show investigators how to map cell sites, azimuths and call detail record correlations, while his advanced lab will get into real world cases — in which participants will be asked to map, as accurately as possible, cell sites, sectors and call detail as well as SMS records.

Dealing with any of these issues in your law enforcement or corporate investigations? Register for the HTCIA conference today — https://www.htciaconference.org/registration.html


Cell phones: The new DNA

July 18, 2011

Just as correctly identified DNA can show irrefutable evidence that a person committed a crime, so can forensically analyzed cell phones matched with wireless carriers’ call detail records. Modesto (Calif.) wireless expert Jim Cook will explain how on Monday, September 12, in his conference lecture entitled “Cellular Phones: The New DNA.”

The importance of cell site and sector mapping

The power of cell data mapping came to light in a 2009 homicide case on which Cook worked. Profiled in the May 2011 issue of Law Enforcement Technology, People v. Zumot showed how mapping call detail records — along with GPS data and images recovered from suspect and victim devices — can show normal patterns of behavior, broken during commission of a crime.

Cook will talk about the kind of cell site and sector mapping he did on that case and others, and why a mapped sector is more informative than assuming the phone could be anywhere within a tower’s full 360-degree radius. Class participants will get a list of the verbiage he suggests investigators use when requesting carrier data, along with a discussion about why more — and faster — is better.

“This list is a result of many bloody noses that resulted from people losing evidence,” he says, “because they used incorrect words or had to write multiple search warrants, which wasted time.” In fact, he’ll be able to show a sample warrant that almost needed to be rewritten because it left out requests for key call detail record data; he’ll also show where verbiage could have been added that would have gotten better data.

Factors affecting data acquisition include services like MobileMe (soon to be iCloud) for Apple mobile devices, which enable remote wiping, and wireless carrier policies themselves, which call for limited data retention.

For himself, Cook has worked with law enforcement for a number of years, both as a consultant and as a trainer. He’s also an expert witness certified by the state of California and the federal courts. “I have a sales background, so I got to be good at explaining communications so Grandma could understand how it works,” he says. “I don’t talk to juries about control channels, data channels, bandwidth, frequencies, wireless or tower sectors; I talk about telephone lines and pie pieces.”

Hence mapping, which helps juries (along with prosecutors, judges and others) visualize data that would be very confusing if presented in raw or tabular form.
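The sector-versus-radius distinction above, as an added worked example that is not part of the original post or of Cook’s course material: given a cell site’s coordinates and antenna azimuth from a carrier record, it places a candidate location (for instance a GPS fix from a device) inside the antenna’s wedge, inside only the 360-degree circle, or outside. The 120-degree beamwidth and 5 km radius are assumptions for a typical three-sector site; real values come from the carrier’s records.

```python
import math

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius, WGS84-based

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def bearing_deg(lat1, lon1, lat2, lon2):
    """Initial compass bearing (0..360, clockwise from north) from point 1 to point 2."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    x = math.sin(dlmb) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlmb)
    return math.degrees(math.atan2(x, y)) % 360

def classify_location(site, point, radius_km, beamwidth_deg=120.0):
    """Place a candidate point relative to a cell site/sector record.
    site = (lat, lon, azimuth_deg) as carried in the carrier's cell site list;
    point = (lat, lon).  Returns 'in sector' (inside the antenna's wedge),
    'in radius only' (inside the 360-degree circle but outside the wedge)
    or 'outside'.  beamwidth_deg=120 is an assumed three-sector layout."""
    lat, lon, azimuth = site
    if haversine_km(lat, lon, point[0], point[1]) > radius_km:
        return "outside"
    # signed angular offset from the azimuth, wrapped to -180..180 so that a
    # sector pointing at 350 degrees still covers bearings just past north
    offset = (bearing_deg(lat, lon, point[0], point[1]) - azimuth + 180) % 360 - 180
    if abs(offset) <= beamwidth_deg / 2:
        return "in sector"
    return "in radius only"

if __name__ == "__main__":
    # constructed sample: a site at the equator with an east-facing sector
    site = (0.0, 0.0, 90.0)
    for pt in [(0.0, 0.01), (0.0, -0.01), (0.0, 0.1)]:
        print(pt, classify_location(site, pt, radius_km=5.0))
```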

Basic and advanced cell site analysis labs

Cook will also present two labs on behalf of Micro Systemation, makers of XRY mobile forensic software. On Tuesday, September 13, his basic lab will — like his lecture — show investigators the basics about cell sites and sectors, azimuths and call detail record correlations. But it will be much more hands-on; necessary software will be pre-loaded on laptops in the lab room, and participants will spend more time mapping cell sites using Microsoft® MapPoint®, as well as manually.

The following day, Cook’s advanced lab will get into real world cases. Focusing more heavily on tower dumps and their evidentiary value, he’ll ask participants to map, as accurately as possible, small samplings of cell sites, sectors and call detail as well as SMS records from a love-triangle homicide, a gang-related homicide, and a domestic-violence homicide.

This lab will take the form of a contest, with participants separated into teams. Each team will draw one of the cases from a hat. After mapping the data, they’ll be asked to appoint a “spokesperson” to present the map and its data to the rest of the room.

“The idea is for participants to explain how they came up with their own results so that they can better understand the process that goes into mapping,” Cook explains. “That will help them meet any challenges in court.”

To learn about cell site analysis and related investigative techniques, register for the conference here. Once registered you’ll receive an email within a few weeks that will invite you to sign up for labs. Register today!

Image: locomotive8 via Flickr


iOS Wi-Fi access point verification, smartphone geolocation and other mobile forensics content from Gold sponsor Oxygen Forensics

July 14, 2011

Forensic acquisition of smartphones is one of the most important investigative needs today. The more consumers adopt the robust computing power of iPhone, Android and similar mobile operating systems, the more evidence becomes available to law enforcement, corporate and legal investigators.

This is why Russia-based mobile forensics software provider Oxygen Forensics specializes in smartphone forensic acquisition. Co-founders Oleg Fedorov and Oleg Davydov are offering a full day of pre-conference training along with their planned lecture and hourlong Vendor Showcase on these topics.

Verification of Wi-Fi access points data for Apple iOS

Fedorov and Davydov will be co-presenting a lecture on the morning of Tuesday, September 13. “Every iOS device stores a list of Wi-Fi networks it has ever been connected to,” says Fedorov. “This list contains the name of the network, its MAC address and the timestamps for the first and last connections.”

Certain techniques allow investigators to calculate each Wi-Fi network’s approximate geographical coordinates, and from there, the device’s position at the time of connection. However, Fedorov and Davydov caution that investigators may not be able to trust all the coordinates they get.

Their lecture will cover what investigators should know about Wi-Fi access point types, as well as other sources of geolocative information and how to carve Wi-Fi network information should the history have been deleted. They’ll also cover timestamp verification and even anti-forensics for jailbroken devices.
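As an added example that is not part of the original post or of Oxygen’s software, the triage below applies two of the sanity checks the lecture description points at (access point type and timestamp verification) to constructed entries of the kind described: network name, MAC address, first and last connection. Timestamps are assumed to be Apple absolute time (seconds since 2001-01-01 UTC); the MAC check uses the locally-administered bit, and treating such addresses as unreliable for location lookups is a heuristic, not a rule from the page.

```python
from datetime import datetime, timedelta, timezone

# Apple "absolute time" counts seconds from this origin (978307200 in Unix time)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_utc(seconds):
    """Convert Apple absolute time to a timezone-aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)

def triage_wifi_record(rec, acquired_at):
    """Return reasons this Wi-Fi history entry should not be trusted blindly
    for geolocation; an empty list means no red flags were found.
    rec = {"ssid": str, "bssid": "aa:bb:cc:dd:ee:ff",
           "first_joined": cocoa_seconds, "last_joined": cocoa_seconds}"""
    flags = []
    octets = rec["bssid"].lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        return ["malformed BSSID"]
    first_octet = int(octets[0], 16)
    if first_octet & 0x01:
        flags.append("multicast bit set: not a valid unicast access point address")
    if first_octet & 0x02:
        # heuristic (assumption): locally administered addresses are commonly
        # software or tethered access points, whose position is not fixed
        flags.append("locally administered BSSID: access point may not be stationary")
    first_seen = cocoa_to_utc(rec["first_joined"])
    last_seen = cocoa_to_utc(rec["last_joined"])
    if last_seen < first_seen:
        flags.append("last connection precedes first connection")
    if last_seen > acquired_at:
        flags.append("connection timestamp later than acquisition time")
    return flags

def triage_history(records, acquired_at):
    """Map each SSID to its list of flags for the whole history list."""
    return {r["ssid"]: triage_wifi_record(r, acquired_at) for r in records}

# constructed sample history, not data from any real device
SAMPLE = [
    {"ssid": "HomeNet", "bssid": "00:11:22:33:44:55", "first_joined": 300000000, "last_joined": 310000000},
    {"ssid": "HotspotA", "bssid": "02:aa:bb:cc:dd:ee", "first_joined": 305000000, "last_joined": 306000000},
    {"ssid": "CafeWiFi", "bssid": "00:11:22:33:44:66", "first_joined": 310000000, "last_joined": 300000000},
]

if __name__ == "__main__":
    for ssid, flags in triage_history(SAMPLE, cocoa_to_utc(320000000)).items():
        print(ssid, flags or "no red flags")
```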

Geolocation, according to Fedorov, will be the topic of discussion at Oxygen’s Monday night Vendor Showcase, slated to run from 5:30 to 6:30pm. Android, Symbian and (time permitting) BlackBerry devices will be covered together with Apple devices.

Pre-conference training: Advanced techniques in Forensic Examination of Smartphones and Cell Phones with Oxygen Forensic Suite

In June, Oxygen announced that its Forensic Suite v3.4 is the first tool ever to enable full Android physical acquisition via root access. This demonstration will be among topics covered at its one-day training class on Saturday, September 10.

“We focus on smartphones, therefore the main topics will be Apple, Android, Blackberry, Symbian and Windows Mobile devices,” says Fedorov. The training will also discuss certain models of Nokia, Sony Ericsson, and Samsung cell phones.

Designed for forensic investigators at all levels of expertise, this bring-your-own-laptop training will discuss the main advantages and disadvantages of current mobile forensic procedure, as well as Oxygen Forensic Suite’s advanced features.

It will use case studies to demonstrate these features and issues, “small tasks where students have to find evidence, determine phone geoposition at the given time and so on,” says Fedorov. “Prizes are famous Russian Matreshka dolls.”

Learn more and register for the pre-conference training at Oxygen Forensics’ site; register for the HTCIA conference here. We look forward to seeing you in September!

Image: Phil Roeder via Flickr


International investigations: Digital forensics and social media

July 8, 2011

Several of our lectures this year will discuss international issues with high tech crime investigations. Among the presentations: a joint talk on Tuesday, Sept. 13 about international social media investigation, from members Cynthia Navarro and Andres Velazquez; and on Wednesday, a Latin American perspective on digital forensics from Andres Velazquez.

A Latin American perspective on digital forensics

Velazquez, a Mexican digital forensics expert who built the country’s first private digital forensics labs through his company MaTTica, says one of the key differences between the United States and Latin American countries is the legal system structures. “US judges rely mainly on precedent, but in Latin America, judges rely solely on codes,” he explains. “So, if the defendant’s conduct does not meet the law’s requirements, it won’t be a felony.”

For example, a denial of service attack does not qualify as a felony. Nor does identity theft, or theft of other data, because the codes are based on physical robbery — the theft of tangible items. “A robbery charge depends on the absence of goods,” Velazquez explains, “but when the data is still there, according to the law, how can it have been stolen?”

In addition, civil or tort laws’ requirements are difficult to meet because none of the laws cover e-discovery, so examinations as US investigators understand them are not possible. And although a law in Mexico was passed last year that covers privacy of personal information, legislators have yet to approve guidelines, so investigators still face difficulty in this area.

Meanwhile, because many Internet service providers are headquartered in the US, Latin American investigators face difficulties with getting data because of international agreements. “Currently, we have to get a court order through our Exterior Relationships Secretary [comparable to the US Secretary of State],” Velazquez explains. “That has to go through the embassy, then through the US federal government, to the state, and then finally to the company. By the time the process is complete, it can be up to two years, and then the data we needed are gone.”

Agreements similar to the Budapest Open Access Agreement would help, but even at that, few Latin American attorneys and judges understand computers. Velazquez recalls a search he coordinated in which investigators seized only keyboards and monitors — but not the actual computers. Part of his mission is to educate and assist law enforcement and other investigators in the region.

Yet decisions continue to be made by the very judges who don’t understand computers, and to whom investigators have no access. The answer: for investigators to find a way to be in what Velazquez terms “unofficial contact” to start meeting needs, such as collecting forensic images with which forensic examiners can practice, or working with vendors to obtain metadata if not content.

Investigation mechanics from across the world

Until the laws sort themselves out, investigators are left with doing the best they can with what they have. Fortunately, although investigations are never “easy,” certain tools — among them social media — make the task easier than it was even a few years ago.

Cynthia Navarro, a California-based private investigator who will be co-presenting with Velazquez on social tools, says: “I have always said that with the internet we have no boundaries…. I have a project to watch how the narco in Mexico is affecting a specific town (and the surrounding towns). It’s been easy; their mayor uses Twitter to warn the townspeople of street closures due to shootings, murders and rival gang takeovers. Then they tweet when things are back to normal. This is the most up to date tracking anyone could ask for!”

Because social networking is for the most part publicly available, investigators deal with few legal issues. Navarro says she has encountered few cultural conflicts, and as for language barriers, “Thank God for Google Translate!” she says. “While it is not a perfect translation, you can get the gist of what is being said. I have used it for Spanish, German, Chinese, and Vietnamese with great success.”

Perhaps surprisingly, Facebook is the #1 resource for online investigators not just in the US, but overall, thanks to its widespread adoption in Europe as well as in Asia. Orkut is #2, says Navarro (due largely to its overwhelming popularity in Brazil), followed by Qzone and then Twitter. V Kontakte and LiveJournal are the most popular in Russia; a network called Hi5 attracts the most users from Thailand, Romania, Peru and Portugal, while Lide draws Czech users. Other countries have their own preferred social networking sites.

“For other countries, censorship and blocking can be a problem,” says Navarro. “I’ve heard that Zing is #1 for Vietnam because some Vietnamese ISPs have blocked it.” Other countries that block content: China, Uganda, Egypt, Iran, Saudi Arabia, and the United Arab Emirates.

Navarro adds that between investigation and teaching, the quality she appreciates most is learning. “Teaching to me is learning; we have to keep up in order to teach effectively,” she explains. “I am [also] lucky enough that there are always different things I investigate, so I don’t get stuck on the same thing day in and day out.”

Interested in hearing what Andres and Cynthia will have to say, along with our other presentations on international perspectives? Join us in Indian Wells and register here: https://www.htciaconference.org/registration.html

Image: caruba via Flickr