2012 HTCIA Conference Call for Speakers

December 14, 2011

If you’ve considered presenting to other high tech crimes investigators in 2012, we hope you’ll submit a paper to us! As always, the 2012 HTCIA International Training Conference & Expo organizers seek to provide the best possible training on the latest topics in high technology crime by the best speakers available.

To this end we’re soliciting speakers for the conference in the following areas (not an exhaustive list):

  • Information security
  • Investigations (identity theft, child pornography, cyber crime, intellectual property theft, white-collar, and corporate)
  • Computer forensics
  • eDiscovery
  • Legal issues
  • Courtroom testimony techniques
  • Financial crimes – tax evasion & money laundering
  • International trends – situations – experience
  • White collar & corporate investigations
  • Legal issues – civil & criminal
  • Legal mock trial
  • Report writing for forensic examiners
  • Report writing for investigations

The 2012 HTCIA International Conference & Training Expo will be held September 16-19, at the Hershey Lodge, Hershey, PA. If you would like to speak on any of the above topics, or have a topic of your own, please contact Jimmy Garcia, chair of the Program Committee – jrgarcia@da.lacounty.gov. We look forward to hearing from you!


Learning from the next generation: Student research at #HTCIACon

September 29, 2011
Jon Ford Virtual Desktop research

Jon Ford describes his Virtual Desktop research

Before the HTCIA conference, we blogged about a new style of presentation: student poster presentations, which would give graduate and undergraduate college students the chance to talk to professionals about their research.

Six students were on hand in Indian Wells, presenting on a wide range of topics from information security to law enforcement volunteer jobs:

Infosec and e-government

Tim Perez is a doctoral student at Dakota State University and is working on a dissertation entitled “E-Government Security Concerns for Municipal Government Entities.” Having worked for eight years as an information technologist for a local law enforcement agency, Perez sees that communities with small budgets and few regulatory requirements tend to focus less on security.

However, measures like online bill pay, which increase both efficiency and convenience, make security necessary because they deal with personally identifiable information. Perez’ research focuses on how to communicate these issues in a way that municipal managers will understand.

Learning incident response by doing

Another project that brought together law enforcement, security, and education was a Cal Poly Pomona Senior Project. Chris Curran, at the time a college professor and SoCal HTCIA Chapter President, approached students to design an entire scenario, from players to the crime to the resulting analysis.  The completed project would then be used as a final exam for other forensic students.

Student Steve Gabriel came up with the scenario involving a fictional disgruntled university IT employee, who had “stolen” critical source code and hidden it in a System 33 file when he went to a new job. Gabriel utilized multiple web browsers, along with Trillian instant-messaging and Outlook email software. Several other students played the other fictional roles, communicating and using digital media that was later imaged and provided as “suspect” evidence.

To find the evidence and create an answer key for Curran, Gabriel and the others used FTK, EnCase, AccessData’s Registry Viewer, and a SQLite database viewer. Gabriel said the project received good feedback for being an incident response-type case with multiple exploit layers and 25 gigabytes of evidence.

Security vs. performance with supercomputing

On the preventive side of network security was work that Cal State-San Bernardino students Kyle Sandoval, David Warner and Estevan Trujillo had done for the 2011 Computer System, Cluster and Networking Summer Institute at Los Alamos National Laboratories. Their research broke ground on the cost of deploying firewalls on each node of a supercomputing cluster, rather than on the 4,000-node cluster as a whole.

The reason: security measures should always be installed on each separate computer, but supercomputers are so expensive to power that even a five percent drop in computational performance – such as what a firewall might result in – can exponentially add to their cost.

Thus in their project, Sandoval, Warner and Trujillo used a Linux cluster and created multiple IPTables rule sets. They used these to run a series of benchmarking tools that measured bandwidth, latency, and MPI job performance. They wanted to determine what performance implications IPTables firewall had on a cluster.

With just 10 test machines and a 6-week period, the research concluded simply that more research was needed – and the students anticipate that the lab will continue their work.

Virtualization for mobile device management

Jonathan Ford is a student at Cal State University and a volunteer for a nearby sheriff’s department, which was starting to provide official-use iPads to its officers. A number of issues presented themselves with that initiative:

First, the iPads’ remote access to a virtual machine would work for 10 to 20 users, but large numbers – the kind that would be seen on an average shift – made the virtual machine unstable and caused it to crash. Second, different users would need different levels of access to records depending on their role. Finally, to minimize the risk from vulnerabilities – not just on iPads, but also on the other 3,000 or so disparate devices in use – the agency needed a way to manage a variety of operating systems, software and users.

Ford’s answer: a Virtual Desktop, which would save both time and money by enabling:

  • upgrades and patches to occur just once rather than for each system
  • data to be stored on a server
  • administrators to keep a list of which users had access to which software applications

The second part of Ford’s research shows law enforcement agencies the benefits of integrating academic research into their everyday operations. “Many agencies cannot hire full-time employees, but they still need support with computer forensics and security – the fields students want experience in,” he says. “Writing grants for research means each can get what they need.”

How law enforcement can benefit from student volunteers

Cal State-Sacramento student Alex Krepelka had earned a GCFA and wanted to use it. But he didn’t just stop at volunteering for the Butte County District Attorney’s Office – he turned it into research, the better with which to help law enforcement develop their own computer forensics and security volunteer programs.

Krepelka thinks it would help if agencies could fall back on a set of national standards for forensic investigations that will go to trial – from county to county, some agencies allow for volunteers while others do not, but many agencies have backlogs of hundreds of cases. He also thinks that if students knew they could get valuable real-world experience from organizations that needed their expertise, more would study computer security and forensics.

The value of HTCIA student affiliations

Krepelka believes that organizations like the HTCIA can help – and that’s where the final research project comes in. Austin Pham, a student at Cal Poly Pomona, presented on the Forensic and Security Technology (FAST) organization, HTCIA’s student charter at that school. FAST affords students the opportunity to take workshops on data acquisition, analysis and reporting – as well as on industry standard forensic tools, including EnCase and FTK.

This is thanks to its affiliation with the HTCIA SoCal chapter and the forensic professionals who are members there. “We hold six meetings a quarter and some training workshops throughout the year,” says Pham, “and we always get great turnout.” During the student charter’s first signing, in fact, 25+ students expressed interest in membership, and the organization has grown ever since.

Pham added that he and other FAST students had all volunteered to assist with our conference, because of all that HTCIA had invested in them. They registered participants, directed attendees to lecture and lab rooms, and assisted presenters with equipment and other needs.

All six student presenters told us that they had seen a good amount of foot traffic, which resulted in some good comments and questions – especially those for whom the topics hit home. The feedback will help them validate and refine their research, ultimately making it stronger for the entire community.

Anna Carlin, the instructor who coordinated the presentation, adds that the students themselves benefit in a variety of ways: not just with the ability to conduct more credible research, but also with exposure to the very professionals who are in a position to give them jobs or grants.

Did you meet our students in Indian Wells? Want to see future research presented at our conferences? Leave us a comment and let us know what you think!


Doing more with less: Forensics in the lab and in the field

August 26, 2011

Two of our scheduled lectures address issues which nearly every digital forensic examiner faces these days: limited resources. Whether budget-related or not, a lack of people or equipment has backlogged a number of labs – anywhere from six months to over a year.

On Tuesday Sept. 13, Andrew Rosen, president of ASR Data, will talk about computer forensic examinations and how to conduct them in a way that makes exams more efficient. That same day, Jason Weiss, Jim Watkins and Baden Gardner, of the FBI’s Orange County (CA) Regional Computer Forensic Lab (RCFL), will discuss backlog reduction strategies for labs.

How to work 10 times faster with FTK and EnCase

Creator of the Expert Witness forensic software that is now known as EnCase, Rosen believes that the forensic community has focused so much on tools in the last few years that examiners have lost sight of the processes which could make them more efficient. For example, he says, “Segmenting images was important when FAT32 was dominant and you had to segment. But now, it’s part of the forensic canon when it doesn’t need to be.”

Likewise, forensic examiners don’t know how to remediate the problems inherent in searching images of terabyte drives and petabyte collections within the current forensic paradigm. “’Triage’ is a buzzword that reflects how long it takes even for a skilled examiner to figure out where data falls in the analysis stack,” Rosen explains. “The tools reflect an approach that allows examiners to obtain actionable information quickly.

“But getting less than a full forensic image just to save time and money runs contrary to forensic method,” he continues. “So to get to a solution, you have to take a step back, look from the standpoint of a juror or judge and ask why the current way is what it is. And once you understand how the tools’ methods lead to inefficiency, you can remediate that by leveraging simple logic and the specialized knowledge of the investigator”

For example: “On a keyword search, you start with Sector 0 and move forward until you’ve searched all the data,” Rosen says. “This is a simple, linear implementation, and it means you’re searching for data where it is not likely to exist.”

In other words, rather than focus on higher level details like file names, focus instead on the data – the URLs, images, IP addresses and other underlying characteristics of data. “By defining what we are interested in and what we are not interested in, we can eliminate the slowest and most inefficient part of the forensic search process. This allows the examiner to obtain a full image without having to worry about where data can’t exist,” Rosen says.

This is important for examiners who have already invested heavily in FTK and/or EnCase. “The tool isn’t the most important thing; it has to be an extension of the examiner,” he adds. “If you automate an inefficient process, all you’ll get is faster inefficiency. But if you automate an efficient process, you’ll become more efficient over time. In this way, our forensic tools can provide ROI – the more you run it, the more inefficiency it eats.”

Doing more with less in a lab environment

Weiss, Baden and Gardner have taken a different approach at the OCRCFL. Their focus is also on process – but on the practical side, rather than the purely technical side. As Laboratory Director Jason G. Weiss explains, despite the exponential growth in digital media examinations (the LA FBI has seen the amount of processed data increase over 100% per year for the last 8 years), their approach has helped eliminate most case backlog.

In their lecture, they’ll focus on three elements (along with cost and statistical figures) that have brought them the most success: Case Agent Investigative Review (CAIR), Forensic Preview, and “self-service” kiosks for both cell phones and loose media (such as thumb drives).

“CAIR and Forensic Previews are low cost solutions to improving forensic laboratory efficiency,” says Weiss. “Choosing which process is the best fit for any given case comes down to the case’s size and complexity.”

CAIR enables the primary investigator (“Case Agent”) to review their digital evidence quickly in a safe, forensic environment. Once that is complete, lab staff provide the Case Agent with a disk of relevant files from the digital media, which can help further an investigation and allow the Case Agent to determine the next step without having to wait weeks or even months for a traditional data content review.

Forensic Previews, meanwhile, are useful when conducting searches, especially of child pornography suspects. “Some of the computers Case Agents seize during these investigations may have no child porn on them, so a Forensic Preview of those hard drives helps us determine if the computer in question is contraband, or should be returned to the subject,” says Weiss.

He adds, “The preview process is usually very valuable to the Case Agent and allows both us and the Case Agent to quickly understand a case before we spend significant laboratory resources imaging and/or examining computer data that is not even part of the crime.”

Another time saver are the new “self-service” kiosks that enable the RCFL’s partner agencies to come to the lab and review cell phones, iOS devices and most types of loose media in a forensic environment, without the need for a traditional forensic exam. Most of these exams take significantly less time than do traditional exams, and can usually be done in one short visit to the lab.

In all of the processes discussed in this seminar, forensic examiners have the ability to improve their ability to multitask as well – a process that Weiss says is “harder to do if you are looking at every case in the traditional computer forensics model.” Many of these processes are scalable regardless of lab size – whether you have 3 examiners or 30.

Dealing with backlogs in your lab, or simply need more efficient work processes? Come to Indian Wells next month and learn from those who have been there!


Building the cyber warriors of tomorrow

August 23, 2011

In addition to the Student Poster Presentations which will help introduce graduate and undergraduate researchers to the professionals attending our conference, Cal Poly Pomona Professor Dan Manson and lecturer Anna Carlin will speak about developing a more in-depth training program for the next generation of cyber warriors.

“We’re talking about what we’ve learned from five years of work,” says Carlin. In the beginning, few other schools were involved with digital forensics education; training was available primarily from vendors, and Manson and Carlin had not yet been introduced to HTCIA. “We felt like we were alone in what we wanted to do,” says Carlin.

As they continued to develop more classes, they also became more active in professional associations, including HTCIA. That gave them insights into what employers were looking for, and the skills students would need to meet the demand.

Workforce development through competition

“More companies want people who can secure and defend their networks,” says Carlin. “But you can’t just fill a position; you want to match students as best you can with the company so that they end up staying there for years.”

To get a true sense of students’ capabilities, Carlin and Manson encouraged them to start student clubs, including HTCIA’s first student charter: FAST (Forensic and Security Technology). They also helped to involve their students in the Western Regional Collegiate Cyber Defense Competition, a concept that they’re now working on expanding.

“We want to create a National Cyber League, which will be like the way professional sports are set up – going from a preseason to rounds of events between competing teams,” says Carlin. “The only way to get better at skills like the kind security requires, is to practice. So this is workforce development more than an academic exercise.”

The role of professional associations

Associations’ involvement in competitive activities is important. But they also serve a crucial role on their own: allowing students to develop networking skills. “Our HTCIA student charter has access to chapter meetings, and they’re not shy about inviting people they want to hear,” says Carlin.

Student-focused meetings might include a Career Night, on which four to five senior professionals gather on a panel to answer questions about what they do and what they look for – as well as challenges they faced along the way, and what they would’ve wanted to know when they were starting out.

At these kinds of events, Carlin says she makes the students split up and sit at tables with the pros, where they must collect at least one business card along with two unique things they learned about that person.

In fact, at one meeting, an employee from one of the Big 4 consulting firms liked the student so much that even though the student’s GPA didn’t meet their requirements, they asked for a resume.

The associations’ full-time professional members like the students’ enthusiasm, and they enjoy taking the time to help students out. The more involved students are, in turn – such as volunteering at association events – the more they transition from students to business professionals.

“We’re not a big school, so we have to work a little harder to get our students noticed by the best employers,” says Carlin. But that hard work has paid off, and she and Manson are glad to share their experiences with others who want more for their students as well.

To read more about the specifics of their presentation, read their abstract on the HTCIA Conference website. We hope to see you in Indian Wells!

Image: West Point Public Affairs via Flickr


Beyond marketing, an explanation of Advanced Persistent Threat

August 15, 2011

Advanced Persistent Threat is one of the most talked-about topics in the information security field – and one of the least understood. On Tuesday, September 13, Peter Morin – a member of our Atlantic Canada chapter, and conference treasurer – will discuss the anatomy of Advanced Persistent Threats including the various stages of attack, common attack vectors used, and examples of high-value targets (i.e. SCADA).

We asked Peter to elaborate on his topic, as well as to tell us a little more about his HTCIA experiences:

HTCIA: Why did you choose this topic — what about APT is misunderstood or needs better dialogue?

PM: Although attendees may not be with the government or a top secret facility or popular .com website, that they are at risk. It is important that people realize that the threat landscape has changed dramatically over the last couple of years. Attacks are being carried out with very specific goals and for very different reasons than before (i.e. “hacktivism”). We now have to focus more on concepts such as intellectual property theft, disclosure of stolen data by attackers, attacks that may be conducted over a long period of time, the role of malware in APT attacks, etc.

HTCIA: What do you want participants to know or be able to do when they go home?

PM: What are the various attack vectors and phases of a typical APT campaign? What security-related indicators to look for and how to improve the defenses they may already have in place? Also, tips, tools and techniques used in performing incident response related to some of the common attacks being seen today.

HTCIA: What you want to see out of students during the class?

PM: Interaction would really make the class worthwhile. I try not to provide a speech to students or simply read PowerPoint slides; hearing about their experiences, comments, etc. really makes for an enjoyable interactive session.

HTCIA: On a slightly more personal note, what do you enjoy about teaching?

PM: I enjoy the interaction with others, being able to mentor and share experiences and meet interesting people.

HTCIA: You’re volunteering as conference Treasurer as well as webmaster. How do you make time for everything?

PM: I think balancing work, family and volunteering is important. The people that make up the various committees, board, etc are fabulous and well worth the time!

[In general] the HTCIA has always been an important organization for me [because of] the interactions with other forensic and incident response communities. I am not in the law enforcement field, but because of the HTCIA, I am able to interact with members of law enforcement to share experiences, processes, tools, etc. So, when I was asked to return as conference treasurer, I jumped at the chance!

Questions for Peter? Please comment below, or better yet – come see him in person in Indian Wells next month!


A call for papers… from students

July 21, 2011

Following on its success with the Western Regional Collegiate Cyber Defense Competition, Cal Poly Pomona will be sponsoring something that’s normal for academic conferences, but new to trade shows: a student poster presentation, a way for students to connect with the professionals they’ll be working with following graduation.

What it is

Anna Carlin, a Cal Poly Pomona professor and 2nd Vice President of our SoCal chapter, is looking for 10 full-time students to present their work in our exhibit hall on Tuesday, September 13. We’ll provide a poster board for hanging the presentation, which can be as simple as PowerPoint slides. Posters will be displayed in the Emerald 4 Room, allowing all attendees to see the students’ work.

Not restricted to either Cal Poly students or HTCIA members, the presentation will allow students to connect with cyber security and computer forensics professionals from around the world. The work being presented must be new and current research and development in the field of cyber security and computer forensics. Work being done in conjunction with a professor is permitted.

HTCIA student charters may present the activities performed by their charter. Student Charter posters may describe charter activities, events, and/or other involvement with cyber security and computer forensics professions.  A single representative should coordinate the submission of each Student Charter proposal.

The Academic Program Committee will be reviewing submissions based on the following criteria:

  • Relevance to the field of cyber security and computer forensics
  • Potential for practical impact
  • Degree of originality
  • Technical depth
  • The overall quality of the submission

Who can participate

We invite full-time undergraduate and graduate students to submit poster presentations on research and work in the field of cyber security and computer forensics. Work being done in conjunction with a professor is permitted. The poster session can also showcase the activities of HTCIA Student Charters.

Why students should submit

The first 10 students whose poster presentation is accepted will receive FREE conference registration for all 3 days (a $395 value) and a one-year student membership to HTCIA (a $25 value)! Accepted abstracts will be printed in the program and posted on the HTCIA International Conference website.

In addition, five benefits to participating:

5. Obtain a critical review of your work by submitting a poster presentation, and meet potential sponsors of your work.

4. Expand your network of other students interested in cyber security and computer forensics.

3. Listen in on hot-topic panels and presentations and take home the most current research and solutions from industry leading experts.

2. Receive recognition and a Certificate of Participation.

1. Meet potential employers!

When and how to submit

The deadline for submission is July 29, 2011. Send a short 50 to 75 word abstract with three learner outcomes (not part of the word limit) that attendees are expected to gain from the poster presentation. You will be asked to indicate the target audience level (getting started, intermediate, or advanced).

Please email your abstract to the following e-mail address: acarlin@csupomona.edu. A student may submit only one abstract. Students will be notified about acceptance by Friday, August 5, 2011.

For more information, including specific submission guidelines, poster session guidelines and other prep work, see https://www.htciaconference.org/studentposters.html.

Want to see what students are up to in the community? Register for the conference now: https://www.htciaconference.org/registration.html

Image: carmichaellibrary via Flickr


Platinum sponsor MSAB: A full spectrum of mobile forensics labs

July 20, 2011

To provide a fully rounded spectrum of information about mobile device forensics, Platinum sponsor Micro Systemation AB, makers of XRY and XACT, is offering a variety of labs built to be valuable to investigators, not just the company.

Branded content will be presented, of course, from MSAB product specialists Jansen Cohoon and James Eichbaum, along with technical trainer Shaun Sutcliffe. Python scripting labs will support XRY functionality, while Sutcliffe will present a “Mobile Forensics Fundamentals” course designed to teach core process irrespective of tools used.

There will also be an XRY-specific lab. “We’re focusing on providing quality training without making infomercials,” says Cohoon. “Of course we’re going to talk about XRY, but our primary interest is to teach methods that will be useful with any tool.”

But Cohoon adds that his experience as a reserve deputy with the Oktibbeha County (Mississippi) Sheriff’s Office led him to want to offer more depth. As a result, MSAB will be offering labs on iOS forensics and Apple’s new iCloud service, as well as labs on Android and GPS forensics. Two other labs will go in-depth with cell site analysis and mapping.

Hands-on Python scripting

Cohoon will be teaching about Python scripting for forensic examiners. Python has been part of XRY since 2009 and is starting to catch on within the investigative community.

“A lot of law enforcement agencies are finding value in having someone on staff who can do scripting, whether writing EnScripts or working with Python, dd and other languages,” Cohoon explains. “Programming isn’t something everyone can do, but Python is popular in university computer science departments because it’s easy and is built in a way that forces good code writing.”

These qualities make it a good tool for forensics. “Scripting brings the investigator to the vendor level,” says Cohoon, “giving more insight into how their tools work and what they do.” And that can only strengthen courtroom testimony as investigators detail the processes they use to obtain evidence. “You’re not changing the data — you’re finding more of it,” Cohoon says.

His beginner-level lab will focus on the Python application, including some existing scripts, what they do and what investigators will see after running them. He’ll also discuss how the scripts and their results relate to XRY, MSAB’s flagship tool.

For example, he says, “You might have a phone that you know a lot of SMS are on, but you’re not getting them even though XRY supports the phone and got the file system. So, you can write an SMS script and program it to add its output to the .xry file, and you get the messages that way.” His advanced scripting lab, meanwhile, will cover writing new scripts as well as modifying existing ones.

iOS, iCloud, Android and GPS

Cohoon will be teaching iOS device and iCloud forensics in another lab. “The OS is constantly evolving, so we’re going to try to make the lab as up-to-date as possible,” he says — possibly even including iOS 5, if it becomes available in enough time to engineer for it.

Meanwhile, iCloud, the service that is slated to replace Apple’s MobileMe remote phone access feature, will carry its own forensic implications. “We’ll be talking about the artifacts, and what is available and important to investigators from the iCloud service,” says Cohoon.

Another lab will focus on Android. “Vendors are just starting to incorporate Android physical acquisitions into their tools, so we want investigators to understand the platform,” says Cohoon. Instructor Eichbaum, formerly a detective with the Stanislaus County (Calif.) Sheriff’s Office, will cover — among other things — rooting and “shell rooting,” which Cohoon explains is like live RAM acquisition. Eichbaum will also be teaching a lab on introductory GPS forensics.

App Overtime

Neither iOS nor Android experiences would be complete without third party “apps” — applications, which lend additional functionality to the core product. In another lab, Cohoon will discuss the “investigative wealth” within these apps, together with a variety of tools both free and commercial that can be used to examine their data.

“Investigators may dump the phone, but they don’t always see what’s in the dump, and they miss evidence,” Cohoon says. “For instance, Apple now strips much of the geolocation data, but many apps still contain it.”

He’ll cover eight or nine popular apps, such that they’ll be able to spot what Cohoon calls “repetitive patterns” they’ll see as they continue to explore apps. “Apps are all built on SQLite, XML and so on,” he explains, “so those languages underlie whatever investigators turn up in their analyses.”

Cell site analysis and mapping

Rounding out the labs will be basic- and advanced-level courses on cell site analysis and mapping. Jim Cook of Premier Customer Connections, a California wireless consulting firm that is unaffiliated with MSAB, will go more in-depth from his “Cell Phones: the New DNA” lecture. His basic lab will show investigators how to map cell sites, azimuths and call detail record correlations, while his advanced lab will get into real world cases — in which participants will be asked to map, as accurately as possible, cell sites, sectors and call detail as well as SMS records.

Dealing with any of these issues in your law enforcement or corporate investigations? Register for the HTCIA conference today — https://www.htciaconference.org/registration.html