Platinum sponsor BlackBag: Mac triage, iOS forensics and the new BlackLight™

August 26, 2011

Rounding out our Platinum sponsorships: BlackBag Technologies, the Mac forensics experts, who are bringing three labs to Indian Wells. Between Monday and Tuesday, BlackBag CTO Derrick Donnelly and forensic analyst Don Brister will present “Mac Triage, and How to Image Without Losing Your Nuts,” “Everything that You Need to Know about iOS Forensics, but Forgot to Ask,” and a demo of the latest MacQuisition™, as well as the upcoming BlackLight™ version which is slated for release shortly after our conference.

iPhone and iPad forensics

In their vendor-agnostic training, Donnelly and Brister will focus on where to find information on iOS devices. “There’s a lot of misinformation about iOS devices,” says Drew Fahey, BlackBag VP of Product Development. “So we’ll cover how the iOS came to be and where it’s going, how and where data is located on the devices, how to get to it and how to extract and analyze it.”

Imaging, encryption and key files and databases will be covered, along with changes from version to version of the iOS – including the tracking information that was available up to version 4.3.3 (Fahey says this is still widely available as evidence on devices that have not yet been updated).

Deleted SQLite records will also be covered. “The number one request we hear from examiners is the need for both saved and deleted SMS and MMS,” says Fahey. “We take that a step further, and show them how to recover other deleted information, such as voicemail and contact data.”
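The reason deleted SMS, voicemail and contact records are often recoverable is that SQLite, which iOS uses for these stores, does not normally wipe a row when it is deleted: the freed bytes stay in the page until they are reused, so a raw scan of the database file still finds them even though SQL queries no longer do. The following added example (written for this page, not BlackBag's code, and using a constructed three-row message table rather than real device data) builds a small store, deletes one row, and compares the logical view with a string carve of the raw file. It also shows the anti-forensic caveat: with SQLite's `secure_delete` pragma switched on, the freed bytes are zeroed and the remnant disappears.

```python
import os
import re
import shutil
import sqlite3
import tempfile

# Constructed sample messages standing in for an SMS store; not data from any real device.
SAMPLE_MESSAGES = [
    (1, "+15550100", "Meet at the usual place at nine"),
    (2, "+15550101", "Running late, start without me tonight"),
    (3, "+15550102", "Package left at the front desk, ask for Sam"),
]
DELETED_ID = 2


def build_message_store(path, secure_delete=False):
    """Create the store, commit three rows, then delete the middle one.

    secure_delete controls whether SQLite zeroes freed cell bytes on delete;
    it is OFF in most builds, which is what leaves remnants behind."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE id = ?", (DELETED_ID,))
    conn.commit()
    conn.close()


def live_bodies(path):
    """Logical view: what any SQL client reports after the delete."""
    conn = sqlite3.connect(path)
    rows = [row[0] for row in conn.execute("SELECT body FROM message ORDER BY id")]
    conn.close()
    return rows


def carve_strings(path, min_len=16):
    """Physical view: printable ASCII runs in the raw file, found without
    consulting the page's cell pointer array (which no longer lists the deleted cell)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


def run_demo(secure_delete):
    """Build a store in a temp dir, delete one message, compare both views.

    Returns (live_bodies, deleted_body_still_carvable)."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "sms.db")
        build_message_store(path, secure_delete)
        live = live_bodies(path)
        deleted_body = SAMPLE_MESSAGES[DELETED_ID - 1][2]
        carved = carve_strings(path)
        still_there = any(deleted_body in run for run in carved)
        return live, still_there
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for setting in (False, True):
        live, carvable = run_demo(secure_delete=setting)
        print("secure_delete=%s live=%s deleted body carvable=%s"
              % (setting, live, carvable))
```

Only the first few bytes of a freed cell are overwritten (SQLite reuses them for its free-block bookkeeping), which is why the message body survives intact while its row id and record header do not; a real carver reconstructs the record from those remaining serial-type bytes rather than relying on printable runs alone.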

Mac triage

Fahey says a soon-to-be-released version of BlackBag’s MacQuisition™ software will include triage functionality, including the ability to make both “live” (memory) and “dead” acquisitions. This tool – and the lab – reflect the growing user base for Macs, a market share that has grown from only 5 percent to 15 percent (for desktops alone) in just a few years, thanks largely to the popularity of iOS devices. Together with iOS devices, the market share is closer to 40 percent, Fahey says.

More users, of course, means more suspects using Macs. “I’ve heard from examiners who see a Mac per week, and sometimes per day, in labs where they never saw them before,” says Fahey. And because the operating system is virtually the same across Mac desktops, laptops and mobile devices, he adds, dividing attention between “computer forensics” and “mobile forensics” can be a problem for labs seeking economies of scale.

As such, Fahey says the conference lab will also cover the importance of analyzing a Mac on a Mac. “You can miss a lot when you analyze Mac data in Windows, regardless of the product you’re using,” he explains.

Mac and iOS forensic analysis with BlackLight™

The latest version of BlackLight™, BlackBag’s forensic analysis software, will be released shortly after HTCIA, but this session will offer examiners a preview of what’s coming.

In particular, the new version will offer completely revamped tagging, reporting and data export functionality, a response to popular demand. “Examiners have been asking for more flexibility in identifying, tagging and exporting files, metadata or even parts of files,” says Fahey. “The new version of BlackLight™ will let them do that and much more. We are very aware of the fact that examiners use multiple products across multiple platforms for large investigations. This new functionality in BlackLight™ is specifically designed to offer them the flexibility needed to quickly mesh their BlackLight™ findings with other data and in other reports.”

Seeing more Macs and/or iOS devices in your investigations? Spaces are going fast in the BlackBag labs, so register today to get the chance to sign up!


Platinum sponsor AccessData: Cross-pollinating with digital forensics, e-discovery and infosec training

August 24, 2011

No coverage about our conference would be complete without a mention of our longtime Platinum-level sponsor, AccessData. Not only are they holding a one-hour showcase on the latest version of their lab solution, which provides massive distributed processing and a web-based environment for collaborative analysis – they also have a range of diverse topics on digital forensics, information security and e-discovery.

“With the fast changing cyber landscape, more and more forensic examiners find themselves assisting with incident response and litigation support for their employers. Likewise, law enforcement is faced with a growing number of cybercrime cases involving hacking and malware,” says Keith Lockhart, AccessData’s vice president of training. “That’s why we’re providing a good selection of educational content on those topics, specifically geared toward forensic examiners who need this type of continuing education in order to keep up with the ever-changing demands of this industry.”

Social media, Macintosh analysis, decryption and Windows 7

On Monday morning, Sept. 12, AccessData’s Nick Drehel, senior instructor and curriculum manager, and Michael Staggs, senior consulting engineer, will present “The Realities of Investigating Social Media.” This lab will discuss myths in the marketplace and demonstrate the value of network forensics when it comes to a comprehensive social media investigation. Participants will learn what is possible using host analysis solutions versus packet analysis.

Tuesday morning, Drehel will also discuss “Next Generation Decryption,” in which participants will learn how to maximize their chances of success when attacking encrypted files. Attendees will learn best practices, ways to access “low hanging fruit,” and how to use PRTK and the AccessData “Art of War” methodology to recover passwords from files, user logon passwords and Intelliforms decryption.

Chris Sanft, another senior instructor with AccessData, will present two labs on Macintosh analysis and Windows 7 forensics. Sanft’s Mac analysis lab, which will take place Monday afternoon, will focus on using FTK and FTK Imager to image, examine and report on Macintosh evidence, including the HFS drive structure.

On Wednesday afternoon, Sanft returns for a hands-on presentation about Microsoft Windows 7 operating system artifacts and file system mechanics. He’ll discuss the BitLocker Full Volume Encryption (FVE) technology and the new BitLocker To Go, along with the techniques that should be employed during evidence seizure and acquisition. Students will also review the changes in the Windows 7 registry and recover forensic artifacts from the registry.

E-discovery for forensics examiners, social media, and early case assessment

David Speringo, a senior e-discovery consultant for AccessData, will cover three e-discovery-related topics between Tuesday and Wednesday.

On Tuesday, he’ll present the lectures “What Every Forensic Investigator Should Know about eDiscovery and the Process” and “Social Media and eDiscovery.” The first will discuss e-discovery’s critical requirements, which a forensic examiner must understand while getting to know a task that frequently falls outside their comfort zone. Participants are encouraged to ask questions about the nuts and bolts of the electronic discovery process!

“Social Media and eDiscovery,” meanwhile, will explore the need for organizations to have a social media policy in place – and to effect a proper e-discovery plan to capture and secure social media interactions over the network. Speringo will take participants through a discussion of policy creation, usage and those technologies which can facilitate either the collection or preservation of data, as well as the analysis of that data.

Wednesday’s lab, “Early Data Assessment and Early Case Assessment,” will teach participants how to quickly sort and filter through data before it goes into final review, making it easier for a legal team to determine probabilities of success for either a defense or settlement for a given piece of litigation. The lab will take the user through a case study using AccessData’s ECA software to analyze metrics, keywords, and file categorization.

Memory analysis, man-in-the-middle attacks, and handling advanced exploits

Rounding out AccessData’s labs will be three presentations on information security topics. On Monday, AD’s director of forensics training Ken Warren and NCFI network forensics instructor Rob Andrews will cover memory analysis fundamentals, including options for memory capture both in the field and in the lab. They’ll look at the artifacts that can be easily parsed from memory, along with techniques for searching memory and even retrieving graphics, unencrypted versions of text, passwords and more.

Warren and Andrews will return on Tuesday to present “Hands-On Hacking Investigation: Man in the Middle Attack,” a type of attack brought against unsuspecting users in many different situations. Warren and Andrews will discuss the techniques used to investigate this type of breach and discover the artifacts left behind after the attack.

On Wednesday morning, Michael Staggs and senior global security engineer Tom Wong will talk about “New Technology for the Improved Handling of Advanced Exploits.” In this session, attendees will learn about technological advancements that dramatically enhance an organization’s ability to detect, analyze and remediate threats. They will see how the integration of host analysis, network analysis and data auditing will arm organizations to better handle network exploits, data theft or even HR policy violations.

AccessData tools presentations

On Monday evening, Nick Drehel will return for a Happy Hour FTK Transition Workstation. The objective of this lecture-only presentation is to introduce attendees to the AccessData Forensic Toolkit 4.0 software. The lecture will cover the new enhancements to the program and database, and attendees will get the opportunity to ask questions about the new database.

On Wednesday morning, mobile forensics trainer Lee Reiber will cover extraction techniques for iPhone, iPad and Android devices using Mobile Phone Examiner Plus (MPE+) and FTK. Learn which tools extract the most data logically, and also learn how to physically image an Apple iOS device, including the iPad.

Interested in attending any of these labs? Register now so that you can sign up – seats are going quickly!

Platinum sponsor Cellebrite: Labs on mobile forensics best practices, and the latest tools

August 16, 2011

Do you know how that cell phone in your hand actually works? If not, how do you know your mobile forensic tool will get the data you expect? How about that iPhone or Android — do you know what’s really involved with a physical acquisition on these devices?

Cellebrite will be offering multiple mobile forensic labs, both on its own and in conjunction with training partner Sumuri Forensics, on these topics and more. We talked with instructors Keith Daniels, Ronen Engler, and Steve Whalen about what they’ll be offering in September:

Best Practices in Mobile Forensics

One of the most misunderstood aspects of mobile forensics, according to Cellebrite director of training Keith Daniels, is the need for investigators to understand the device from which they’re trying to retrieve data.

“Get the device’s manual from the FCC,” says Daniels. “Log on to an investigative community like [conference Bronze sponsor] Teel Technologies’ Mobile Forensics Central. That’s where investigators talk about phone features and limitations, the hoops you have to jump through to get the phone to communicate with the forensic device.”

Doing so can mean all the difference between getting the correct data in the correct way, and having to take the time to snap photos of each of the phone’s screens. But that’s not all that’s at stake. Daniels points to the Laci Peterson homicide, in which mobile device evidence was crucial.

“Scott Peterson is on Death Row. Fifteen years from now in a new trial, will the original investigators remember case details, or even be available to testify? But if they have the manual, they’ll be able to testify as to what phones could do in 2003, what his particular device was capable of, and why that evidence was relevant to the case.”

Other practices besides knowing the phone:

  • Taking the phone off the network — and understanding the dangers of not doing so.
  • Creating the right folder structure. “Some investigators use more than one forensic tool, so the right folder structure will segment the evidence according to the tool that retrieved it,” says Daniels.
  • Thinking outside the box. “The phone can be physical evidence as well as containing digital evidence,” says Daniels, referring to a homicide in which gunshot residue was found on a cell phone.

“Remember,” Daniels adds, “the defense will attack not the evidence itself, but the way it was obtained. Doing your due diligence will elevate your credibility and your position in court.”

Basic and advanced UFED work

Authorized Cellebrite trainer Steve Whalen, Managing Director and co-founder of Sumuri Forensics, will show how the UFED tool puts these best practices to work in his two introductory labs, one each on the UFED and the Physical Pro. “We’ll do a brief overview of each tool and its important features, with examples so that the students can learn hands-on how it all works,” he says.

But the training won’t only be about what buttons to push. Instead, it provides the background of why investigators push those buttons, the way the unit functions and how it applies to forensic methodology.

“So-called ‘push-button’ forensics is not a problem as long as the examiner understands the device’s basic functionality and what it’s doing to perform the extraction,” Whalen says. “It’s not about how hard or easy the tool is to use; tools can be validated. It’s about following the basic forensic principles that everyone should follow.”

In fact, Whalen says, the UFED’s simplicity is a benefit toward this goal. “The basic UFED Logical lab will show how the UFED extracts information from within the device’s filesystem, such as the call logs, and interprets the directory structure.

“The Cellebrite Physical Pro lab will show how the device extracts both the logical filesystem, and the physical data — the bit-for-bit copy including unallocated space on the chip. We’ll also cover the variety of search functions in Physical Analyzer, including regular expressions, predefined search patterns like 7-bit SMS strings, and GREP,” Whalen says.

“Physical Pro simplifies the process of making a physical image of a mobile device, which significantly increases the amount of evidence that can be located,” Whalen adds. “Because Cellebrite takes the time to ensure its tools’ processes are as un-intrusive as possible, more users can acquire physical data without having to resort to non-forensic hacker tools like flasher boxes, which can ruin evidence if used the wrong way.”

What does all this add up to? Time saved, says Whalen, explaining that the UFED is a standalone unit and doesn’t rely on a good or bad installation of forensic software, or whether that software communicates properly with the device. “Debugging a comm port can take time and increases the chance of hair loss as the examiner troubleshoots the device and/or the computer,” he says. “The UFED saves that time.”

A deep dive into iPhone and Android physical extractions

The final block of Cellebrite instruction will be a “deep dive” into physical forensic exams, as students work with locked iPhones and iPads without having to jailbreak the device. Cellebrite engineering product manager Ronen Engler and Daniels will demonstrate the Physical Pro’s password bypass, along with its data parsing capabilities and a newer feature – decoding for encrypted iPhones, including the iPhone 4.

Decoding will also be demonstrated for BlackBerry. “We showed this in June at the Mobile Forensics Conference,” says Engler, “and we will show it again in Indian Wells.” The decoding process is for physical data recovered during the chip-off process.

Finally, students will be able to see dumps of Android devices using four different methods, two of which, says Engler, are unique to Cellebrite. “We’ll also show how to bypass the pattern lock on an Android without modifying the device,” he adds. (These details are covered more in a recent blog post by mobile forensic tool reviewer Christopher Vance.)

And he and Daniels will discuss the ability to dump Chinese knockoff devices. “The UFED supports logical extractions from more than 150 Chinese clones,” says Engler. These include iPhone, Nokia, Motorola, Samsung and LG knockoffs.

Just getting into mobile device examinations, or want to take your exams further into physical extractions? Register for our conference and be eligible to sign up for these labs!

Movie Night, courtesy of Silver sponsor Vound

July 28, 2011

One of last year’s most popular conference sessions was Pizza Night, Vound Software‘s dinner-and-a-demo look at its Intella email forensics software. This year, they changed it up a bit. They’ll still hold a demo, but they’re also sponsoring some entertainment – not just for conference participants, but also for their families who come to Indian Wells with them.

We talked more with Vound about what will be involved and why:

HTCIA: “Movie Night” isn’t typical conference fare, at least in this industry. What made Vound decide to sponsor it?

Vound: We took a fly at doing something original in Pizza Night last year and were impressed with its success and feedback. We wanted to keep it fresh and interesting this year so opted for Movie Night.

We will have treats, popcorn, candy, soda, and domestic beer for the enjoyment of those who can make it, and we hope everyone does. We are hoping attendees will see it as an opportunity to bring their partners and chill out. Let’s also not forget we are in movie making territory.

HTCIA: Any word on what the movie will be?

Vound: No idea yet, but Peter [Mercer, Vound co-founder] insists on it having kangaroos or being about cricket. [HTCIA note: our Conference Committee decided on “Source Code.” No kangaroos or cricket that we know of!]

HTCIA: What trends have you noticed in the last year with email investigations?

Vound: More and more cases are becoming “email only”. This is where the case starts when the investigator is handed 50 PST files on a USB drive with no image in sight and 2 days to complete it. This is exactly why we developed Intella and where it more than pays for itself…

HTCIA: What’s new with Intella that you’ll be sharing during your lab session?

Vound: This year at HTCIA, investigators will see how their agencies can get the most out of their digital forensic investment by integrating Intella’s search and analytical abilities into their existing investigation and case management software.

A common problem is that the weight of digital forensic evidence is lost in translation when it is delivered to the analyst or officer who has no forensic background. Officers or analysts from outside of digital forensics may use completely different tools and methods to identify and organize useful information.

As a demonstration of how Intella solves that problem by augmenting existing software suites, this year at HTCIA the Vound team will demonstrate how Intella is used in conjunction with i2’s award winning Analyst’s Notebook and iBase. We’ll show how our customers can add Intella search results and forensic information to the investigation management software, the same way they add other pieces of information.

We’re proud to say that Intella has grown by leaps and bounds since Version 1.0 was unveiled in 2008 at the HTCIA Conference in Atlantic City. Thousands of federal, state, and local law enforcement officers now rely on Intella every day for e-mail and data analysis. We’ve found that agencies where evidence is transmitted effectively between forensic and non-forensic officers see an exponential increase in the value of the forensic phase, leading to better results.

Come join us at the HTCIA Conference and let us tell more about how Intella can help you search data, analyze evidence, and close cases quickly.

HTCIA: Anything else you’d like us to share about your sponsorship?

Vound: Could some of the sponsorship money be invested in projects that will help with inventing teleportation? The 15 hour flight is killing Peter. 🙂

HTCIA: We’ll look into that. 🙂 Meanwhile, thanks so much for the scoop on your lab and Movie Night. We look forward to seeing you in September!

Not yet registered for the conference? Register at and be sure to mark your calendar for Sunday’s Vound Movie Night following the Exhibitor Reception!

Image: tvol via Flickr

Platinum sponsor MSAB: A full spectrum of mobile forensics labs

July 20, 2011

To provide a fully rounded spectrum of information about mobile device forensics, Platinum sponsor Micro Systemation AB, makers of XRY and XACT, is offering a variety of labs built to be valuable to investigators, not just the company.

Branded content will be presented, of course, from MSAB product specialists Jansen Cohoon and James Eichbaum, along with technical trainer Shaun Sutcliffe. Python scripting labs will support XRY functionality, while Sutcliffe will present a “Mobile Forensics Fundamentals” course designed to teach core process irrespective of tools used.

There will also be an XRY-specific lab. “We’re focusing on providing quality training without making infomercials,” says Cohoon. “Of course we’re going to talk about XRY, but our primary interest is to teach methods that will be useful with any tool.”

But Cohoon adds that his experience as a reserve deputy with the Oktibbeha County (Mississippi) Sheriff’s Office led him to want to offer more depth. As a result, MSAB will be offering labs on iOS forensics and Apple’s new iCloud service, as well as labs on Android and GPS forensics. Two other labs will go in-depth with cell site analysis and mapping.

Hands-on Python scripting

Cohoon will be teaching about Python scripting for forensic examiners. Python has been part of XRY since 2009 and is starting to catch on within the investigative community.

“A lot of law enforcement agencies are finding value in having someone on staff who can do scripting, whether writing EnScripts or working with Python, dd and other languages,” Cohoon explains. “Programming isn’t something everyone can do, but Python is popular in university computer science departments because it’s easy and is built in a way that forces good code writing.”

These qualities make it a good tool for forensics. “Scripting brings the investigator to the vendor level,” says Cohoon, “giving more insight into how their tools work and what they do.” And that can only strengthen courtroom testimony as investigators detail the processes they use to obtain evidence. “You’re not changing the data — you’re finding more of it,” Cohoon says.

His beginner-level lab will focus on the Python application, including some existing scripts, what they do and what investigators will see after running them. He’ll also discuss how the scripts and their results relate to XRY, MSAB’s flagship tool.

For example, he says, “You might have a phone that you know a lot of SMS are on, but you’re not getting them even though XRY supports the phone and got the file system. So, you can write an SMS script and program it to add its output to the .xry file, and you get the messages that way.” His advanced scripting lab, meanwhile, will cover writing new scripts as well as modifying existing ones.

iOS, iCloud, Android and GPS

Cohoon will be teaching iOS device and iCloud forensics in another lab. “The OS is constantly evolving, so we’re going to try to make the lab as up-to-date as possible,” he says — possibly even including iOS 5, if it becomes available in enough time to engineer for it.

Meanwhile, iCloud, the service that is slated to replace Apple’s MobileMe remote phone access feature, will carry its own forensic implications. “We’ll be talking about the artifacts, and what is available and important to investigators from the iCloud service,” says Cohoon.

Another lab will focus on Android. “Vendors are just starting to incorporate Android physical acquisitions into their tools, so we want investigators to understand the platform,” says Cohoon. Instructor Eichbaum, formerly a detective with the Stanislaus County (Calif.) Sheriff’s Office, will cover — among other things — rooting and “shell rooting,” which Cohoon explains is like live RAM acquisition. Eichbaum will also be teaching a lab on introductory GPS forensics.

App Overtime

Neither iOS nor Android experiences would be complete without third party “apps” — applications, which lend additional functionality to the core product. In another lab, Cohoon will discuss the “investigative wealth” within these apps, together with a variety of tools both free and commercial that can be used to examine their data.

“Investigators may dump the phone, but they don’t always see what’s in the dump, and they miss evidence,” Cohoon says. “For instance, Apple now strips much of the geolocation data, but many apps still contain it.”

He’ll cover eight or nine popular apps, so that participants will be able to spot what Cohoon calls “repetitive patterns” as they continue to explore apps. “Apps are all built on SQLite, XML and so on,” he explains, “so those languages underlie whatever investigators turn up in their analyses.”

Cell site analysis and mapping

Rounding out the labs will be basic- and advanced-level courses on cell site analysis and mapping. Jim Cook of Premier Customer Connections, a California wireless consulting firm that is unaffiliated with MSAB, will go more in-depth from his “Cell Phones: the New DNA” lecture. His basic lab will show investigators how to map cell sites, azimuths and call detail record correlations, while his advanced lab will get into real world cases — in which participants will be asked to map, as accurately as possible, cell sites, sectors and call detail as well as SMS records.

Dealing with any of these issues in your law enforcement or corporate investigations? Register for the HTCIA conference today —

iOS Wi-Fi access point verification, smartphone geolocation and other mobile forensics content from Gold sponsor Oxygen Forensics

July 14, 2011

Forensic acquisition of smartphones is one of the most important investigative needs today. The more consumers adopt the robust computing power of iPhone, Android and like mobile operating systems, the more evidence available to law enforcement, corporate and legal investigators.

This is why Russia-based mobile forensics software provider Oxygen Forensics specializes in smartphone forensic acquisition. Co-founders Oleg Fedorov and Oleg Davydov are offering a full day of pre-conference training along with their planned lecture and hour-long Vendor Showcase on these topics.

Verification of Wi-Fi access points data for Apple iOS

Fedorov and Davydov will be co-presenting a lecture on the morning of Tuesday, September 13. “Every iOS device stores a list of Wi-Fi networks it has ever been connected to,” says Fedorov. “This list contains the name of the network, its MAC address and the timestamps for the first and last connections.”

Certain techniques allow investigators to calculate each Wi-Fi network’s approximate geographical coordinates, and from there, the device’s position at the time of connection. However, Fedorov and Davydov caution that investigators may not be able to trust all the coordinates they get.

Their lecture will cover what investigators should know about Wi-Fi access point types, as well as other sources of geolocative information and how to carve Wi-Fi network information should the history have been deleted. They’ll also cover timestamp verification and even anti-forensics for jailbroken devices.
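The two verification steps the lecture describes, checking the timestamps and deciding which access points are worth trusting for geolocation, can be scripted once the network list has been parsed. The following added example is written for this page and is not Oxygen Forensics' code; it uses a constructed list of four entries with hypothetical field names (`ssid`, `bssid`, `first_joined`, `last_joined`; the real keys vary by iOS version) and assumes the timestamps are Cocoa absolute time, seconds since 2001-01-01 UTC, which is how iOS stores many of its timestamps. The BSSID check is a heuristic of this example, not a claim from the page: a MAC address with the locally administered bit set was not assigned by a hardware vendor, so it is a poor anchor for a fixed geographic position.

```python
from datetime import datetime, timedelta, timezone

# iOS timestamps in this example are Cocoa absolute time: seconds since 2001-01-01 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Earliest date an iOS device could have recorded anything: the original iPhone release.
IOS_EARLIEST = datetime(2007, 6, 29, tzinfo=timezone.utc)
# Constructed acquisition time for the sample device.
ACQUIRED_AT = datetime(2011, 9, 13, 8, 0, tzinfo=timezone.utc)


def cocoa_to_utc(seconds):
    """Convert a Cocoa absolute timestamp to a timezone-aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def utc_to_cocoa(dt):
    """Inverse of cocoa_to_utc; used here only to build the constructed sample."""
    return (dt - COCOA_EPOCH).total_seconds()


def is_locally_administered(bssid):
    """Bit 0x02 of the first octet marks a locally administered (non-vendor) MAC address."""
    first_octet = int(bssid.split(":")[0], 16)
    return bool(first_octet & 0x02)


# Constructed sample entries with hypothetical field names; not data from a real device.
SAMPLE_NETWORKS = [
    {"ssid": "CoffeeShop-Guest", "bssid": "00:1a:2b:3c:4d:5e",
     "first_joined": utc_to_cocoa(datetime(2011, 7, 1, 9, 15, tzinfo=timezone.utc)),
     "last_joined": utc_to_cocoa(datetime(2011, 7, 20, 18, 40, tzinfo=timezone.utc))},
    {"ssid": "Hotspot-Phone", "bssid": "02:1a:2b:3c:4d:5f",
     "first_joined": utc_to_cocoa(datetime(2011, 8, 5, 12, 0, tzinfo=timezone.utc)),
     "last_joined": utc_to_cocoa(datetime(2011, 8, 5, 12, 30, tzinfo=timezone.utc))},
    {"ssid": "HomeNet", "bssid": "00:24:36:aa:bb:cc",
     "first_joined": utc_to_cocoa(datetime(2011, 8, 10, tzinfo=timezone.utc)),
     "last_joined": utc_to_cocoa(datetime(2011, 8, 2, tzinfo=timezone.utc))},
    {"ssid": "Airport-Free", "bssid": "00:11:22:33:44:55",
     "first_joined": utc_to_cocoa(datetime(2005, 3, 1, tzinfo=timezone.utc)),
     "last_joined": utc_to_cocoa(datetime(2011, 9, 20, tzinfo=timezone.utc))},
]


def verify_entry(entry, acquired_at):
    """Return a list of reasons to distrust this entry; an empty list means it passed."""
    issues = []
    first = cocoa_to_utc(entry["first_joined"])
    last = cocoa_to_utc(entry["last_joined"])
    if first > last:
        issues.append("first_joined is later than last_joined")
    if first < IOS_EARLIEST:
        issues.append("first_joined predates any iOS device")
    if last > acquired_at:
        issues.append("last_joined is after the acquisition time")
    if is_locally_administered(entry["bssid"]):
        issues.append("BSSID is locally administered; treat any geolocation as unreliable")
    return issues


def triage(networks, acquired_at):
    """Map each network name to the verification issues found for it."""
    return {entry["ssid"]: verify_entry(entry, acquired_at) for entry in networks}


if __name__ == "__main__":
    for ssid, issues in triage(SAMPLE_NETWORKS, ACQUIRED_AT).items():
        print("%-18s %s" % (ssid, "OK" if not issues else "; ".join(issues)))
```

An entry that fails a timestamp check is not necessarily fabricated (a device clock that was wrong at the time of connection produces the same symptom), but it should not be used to place the device at a location and time until the discrepancy is explained.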

Geolocation, according to Fedorov, will be the topic of discussion at Oxygen’s Monday night Vendor Showcase, slated to run from 5:30 to 6:30pm. Android, Symbian and (time permitting) BlackBerry devices will be covered together with Apple devices.

Pre-conference training: Advanced techniques in Forensic Examination of Smartphones and Cell Phones with Oxygen Forensic Suite

In June, Oxygen announced that its Forensic Suite v3.4 is the first tool ever to enable full Android physical acquisition via root access. This demonstration will be among topics covered at its one-day training class on Saturday, September 10.

“We focus on smartphones, therefore the main topics will be Apple, Android, Blackberry, Symbian and Windows Mobile devices,” says Fedorov. The training will also discuss certain models of Nokia, Sony Ericsson, and Samsung cell phones.

Designed for forensic investigators at all levels of expertise, this bring-your-own-laptop training will discuss the main advantages and disadvantages of current mobile forensic procedure, as well as Oxygen Forensic Suite’s advanced features.

It will use case studies to demonstrate these features and issues, “small tasks where students have to find evidence, determine phone geoposition at the given time and so on,” says Fedorov. “Prizes are famous Russian Matreshka dolls.”

Learn more and register for the pre-conference training at Oxygen Forensics’ site; register for the HTCIA conference here. We look forward to seeing you in September!

Image: Phil Roeder via Flickr

1st Annual HTCIA Golf Classic

June 14, 2011

Update: golf tournament rescheduled! It will still be on Sunday — but now in the morning so that our International Board of Directors can enjoy. It will now begin at 8:00am instead!

Please join us for a morning of golf! On Sunday, September 11, 2011, Bronze sponsor CRU-DataPort/WiebeTech will be sponsoring a tournament at the Indian Wells Golf Resort starting at 8:00am.

The tournament fee is $75 per player and includes green fees, cart and deluxe golf and digital forensic prizes.

HTCIA is hosting a welcome reception with hors d’oeuvres, cocktails and awards directly after the golf tournament, followed by a movie shown on the Rose Lawn.

General Information – Situated in the Coachella Valley of sunny Southern California, the secluded enclave of Indian Wells Golf Resort is an award-winning golf course and host of the Golf Channel’s ‘The Big Break’.

Participation in the golf tournament is open to all HTCIA attendees and spouses/guests. Foursomes will be arranged and posted at the meeting registration desk. A scramble format will be used in the tournament.

Proper Golf Attire – Players must wear collared shirts and slacks or dress shorts. Shoes must be soft spiked or soft soled.

For more information and to register for the tournament, please visit We look forward to seeing you in Indian Wells!