January HTCIA news and events

January 9, 2012

Before we run down the list of January chapter events, we’d like to draw your attention to two new chapter website redesigns. HTCIA Asia-Pacific will contain all-new and updated content, having migrated from the old htcia.org.hk. Visit President Frank Law’s blog post to read more details, and be sure to follow HTCIA-APAC in its various social site locations!

Meanwhile, our Midwest chapter is building out its site with new content weekly, including Tips of the Week, listings of forensic tools, and of course updates on chapter meetings and events.

Visit the new sites, subscribe to their RSS feeds and learn from what they offer!

Upcoming January HTCIA meetings

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got two upcoming special events as well as regular chapter meetings this month. Where available, we’ve posted meeting details; if none are available, we encourage you to visit the chapter website (linked below) and get in touch with the officers to learn more.

January 11

HTCIA Atlantic Canada Chapter Meeting, 5:30pm – 7:30pm. Eric Jones of Absolute Software (maker of LoJack and Computrace computer tracking software) will be focusing on the use of these tools for geolocation, forensics, and law enforcement.

The Atlantic Canada chapter meets in two physical locations:

  • Fredericton, New Brunswick, at 64 Allison Blvd.
  • Dartmouth, Nova Scotia, at 45 Alderney Dr.

There’s also a telephone conference line and a WebEx conference for those who can’t make it to the physical locations. Contact the chapter for more information!

January 12

Atlanta HTCIA will be holding Log2Timeline open source tool training from 11:30AM – 1:00PM at American InterContinental University’s Dunwoody, GA campus. Log2Timeline is used to create a “SuperTimeline” to help determine the sequence of events based on logs and artifacts found in a forensic image of a Windows-based system.

Speaker Rodger Wille has been working in incident response and forensics within the Federal Government for over 10 years. Rodger is currently the Digital Forensic Services Team lead for a Federal Agency based in Atlanta, where he is responsible for conducting digital forensic and malware analysis in response to computer intrusions and malware incidents.

January 13

Texas Gulf Coast HTCIA will be holding an “overview” type meeting from 1:00 PM – 3:00 PM (following an 11:30 a.m. social networking lunch at JAX Grill) at the United Way Community Resource Center. This meeting will focus on the meetings for 2012 and will include possible topics, speakers and training session(s). Please come with lots of ideas!

January 17

San Diego HTCIA is teaming with the city’s Information Systems Security Association (ISSA) chapter this month! Between 11:30 – 1:00 PM PST at the Admiral Baker Clubhouse, Mr. Robert Capp II, Senior Manager of Trust and Safety at StubHub, will be presenting on the results of an online fraud investigation against StubHub. Learn the limitations of traditional investigative methods for international crimes and how StubHub overcame these limitations to work effectively with various international law enforcement agencies to arrest the criminals and seriously reduce company fraud.

Ottawa HTCIA will be meeting from 5:30-7:30 p.m. Their meetings are held in Russell’s Lounge at the Ottawa Police Association, 141 Catherine Street, Ottawa, Ontario.

Central Valley (CA) HTCIA will be meeting at 11:30 a.m. at 250 E Hackett Road, Room 152 in Modesto. Lunch will be provided, and the topics for the day include chapter goals for 2012, and interpreting hex code.

January 18

Florida HTCIA welcomes speaker Randall Huff, Security Director of TLO.com, from 9:00-11:00 a.m. at the IRS-Criminal Investigation, 7850 SW 6th Court, Plantation, FL. Mr. Huff will be speaking on TLO as an organization, on TLOxp as used by and available to law enforcement, and on other tools developed by the inventor of Autotrack and ACCURINT.

Michigan HTCIA will be meeting the same day at 10:00 AM at the Walsh College Novi Campus room #511. The presentation will be an overview of using social networks as an investigative tool. HTCIA members Mr. Steffan Gaydos and Wayne County Sheriff Deputy Erin Diamond will present issues affecting law enforcement, as well as private sector investigations. The presentation will conclude with a discussion on tools and methodologies for collecting online evidence.

January 19

DFIROnline, run by HTCIA member Mike Wilkinson of our New England chapter (though separately from chapter meetings), is a virtual meeting that brings together digital forensics and incident response professionals from all locations and all disciplines. Beginning at 2000 and running for about an hour, this month’s meeting will feature Harlan Carvey looking at malware detection on an acquired image and Eric Huber covering APTs.

January 20

Washington state HTCIA will offer a presentation on managing incident response investigations, given by Michael Panico of Stroz Friedberg, from 10:00 AM-12:00 PM.

January 26

Ontario HTCIA will be meeting at the Toronto Police College from 7 – 9 p.m.

Special Training Events: Atlanta, GA & Los Angeles, CA

On January 27, 2011, Atlanta HTCIA will be offering a special presentation on Understanding and Investigating Microsoft Volume Shadow Copy. This event will run from 10:00AM – 2:00PM; Christopher L. T. Brown, CISSP and the founder and CTO of Technology Pathways, will be presenting.

Field investigators often need to find information fast in the field. Recovering deleted files and performing advanced searches are often time-consuming and thus prohibitive for field investigators. Both live system triage and analysis of offline images containing Microsoft VSC (“Volume Shadow Copy”) snapshots can often net a wealth of information to investigators who know how to process it.

Learn more and register at the Atlanta HTCIA chapter website!

February 6-11: SANS COINS is coming to Los Angeles! Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations-Windows In-Depth will be in sunny Los Angeles, CA February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 will include a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs.

HTCIA members can save an additional 10% off tuition by entering Discount Code “COINS10”. Register now!


Upcoming for HTCIA in 2012: Strategic initiatives, community involvement

December 28, 2011

One of our most recent posts, a retrospective by our longtime member Fred Cotton, covered how HTCIA got its start and how we got to where we are today. This post is about where we’re headed in the coming year, and beyond.

Our strategic plan

In July, a small group of HTCIA leaders gathered to map out a strategic plan, a vision and a road map for where HTCIA would need to go in order to continue to serve its membership. Following a careful assessment of our strengths, weaknesses, opportunities and threats, we devised a new, clearer and more succinct mission statement:

Provide education and collaboration to our global members for the prevention and investigation of high tech crimes.

In addition, we developed goals for education and professional development, membership services, communications, organizational governance, and financial resources. Some of the initiatives we are taking include:

  • a newly redesigned website and logo
  • a High Tech Crime Investigator Certification
  • improvements in the way we help form and support international chapters
  • development of member benefit programs
  • many other actions

Community involvement

Another strategic initiative is to partner with other groups. This has already been happening to some extent at the chapter level, as a few of our chapters band together with those of other associations to hold joint training events. (This is, in fact, one of the reasons SoCal won Chapter of the Year.) However, we want to make it something we do more consistently across all our locations.

At our conference in Indian Wells we unveiled our nascent partnership with the SANS Community of Interest for Network Security (COINS) program, which allows us to help even more chapters offer local events jointly with a great educational resource. Already we’ve seen the debut of SANS360 offered jointly in DC with our Mid-Atlantic chapter, and in February, Mark Gonyea will be teaching Computer Forensic Investigations-Windows In-Depth in Los Angeles. We also hope to work with SANS on virtual events, like our free webcast in October.

In addition, we announced that our International Board of Directors voted to join the Consortium of Digital Forensics Specialists (CDFS) as an Organizational Member. We believe that in this way we’ll be able to help shape the education and training of this particular facet of high tech crime investigation, which is just one of the many our membership serves.

Finally, we’re looking to get more involved with our communities on Facebook and Twitter (and we’d love it if you left more comments here on the blog, too!). Polls, Twitter chats and continued conversation with our members and supporters will be part of what we’re doing.

Get involved! Become a member (guidelines at http://www.htcia.org/membership.shtml) and subscribe to this blog, our Facebook and Twitter pages to find out the latest.

HTCIA joins the CDFS to help set digital forensics standards

December 22, 2011

We are very pleased to announce that we’ve joined the Consortium of Digital Forensics Specialists (CDFS) as an Organizational Member! Established in 2008 to provide leadership and advocacy as the global representative of the digital forensics profession, CDFS offers the chance for HTCIA members, through their board representatives, to collectively help determine standards for digital forensics ethics, practice and professional licensing and certification, among other areas.

Our International President, Duncan Monkhouse, has this to say: “For 25 years, our members have contributed to the development of digital investigation as a science and a profession. Supporting the CDFS is a natural outgrowth of their contributions. We look forward to helping shape the education and training of this particular facet of high tech crime investigation, which is just one of the many our membership serves.”

Chris Kelly, CDFS’ president and a New England HTCIA chapter member, is likewise excited. “HTCIA’s membership is a welcome addition because of its members’ breadth of experience not just in digital forensics, but also in private investigation, prosecution, and other professions that affect the way digital forensics is perceived within the investigative community,” he says. “We look forward to their input and assistance in driving not just our association, but the entire profession forward.”

HTCIA joins two other nonprofit professional organizations, the International Association of Computer Investigative Specialists (IACIS) and the Association of Digital Forensics, Security and Law (ADFSL) as members of CDFS. We couldn’t be in better company, and we’re so grateful to CDFS for making our membership possible!

Rob Lee’s Super Timeline Analysis: A joint HTCIA/SANS COINS webcast

October 12, 2011

We are very pleased to announce a new joint event between us and SANS’ Community of Interest for Network Security (COINS): a one-hour webcast on Super Timeline Analysis featuring Rob Lee! The webcast, part of SANS’ complimentary series, will expand on the lab material Rob presented in Indian Wells, delivering an exciting and valuable webcast both for those who attended the labs and for those who were unable to attend.

Over the past year investigators have started to use timeline analysis to help solve challenging cases. Learn how to create and analyze automatic file system and artifact timelines during incident response and criminal investigations.

There is no cost to attend this event, but you do need to register at: https://www.sans.org/webcasts/htcia-coins-pleased-present-super-timeline-analysis-94739

Webcast Details

Date: Wednesday, October 26, 2011

Time: 8:00pm – 10:00pm (EDT)

Title: Super Timeline Analysis

Featuring: Rob Lee, SANS Faculty Fellow

For more information on the webcast contact Andrea Hogan: ahogan@sans.org.

HTCIA: A retrospective journey

October 4, 2011

Today’s post is a guest article written by one of our longest term members, Fred Cotton of our Northern California chapter. This year has marked 25 years since our organization was founded, and we appreciate the opportunity to learn about how we got to where we are — especially given our strategic plan for coming years. Thank you, Fred, for taking the time to write out your perspective!

The High Technology Crime Investigation Association has grown into the largest association of its kind in the world and it has been my honor and privilege to be a member of this organization since it was a single chapter located in Los Angeles, CA.

At that time (around 1988) it was an organization comprising law enforcement, prosecutors and corporate security personnel from high-technology firms fighting the rising tide of component theft across California. I was the Director of Training for SEARCH, the National Consortium for Justice Information and Statistics in Sacramento, CA and was developing a training course for law enforcement on computer crimes investigation. The members of the HTCIA were the ones on the front line of the battle against technology crimes in California. They graciously shared their experiences, techniques, successes and failures with me and helped shape the curriculum which grew to encompass the entire nation and many countries around the globe.

Early HTCIA members like John C. Smith, Jim Black, Abigail Abraham, Ken Citarella, Walker Lane, Joe Chiramonte, and Don Ingraham, to name just a few, gave of their time and experience to help develop training and technical assistance for investigators from across the nation. This in turn helped them fight the ever-increasing plethora of technology crimes.

It soon became apparent that this type of organization was a success and more investigators, prosecutors and corporate security personnel joined the team. The Los Angeles chapter grew and in 1989 the Silicon Valley Chapter was formed. The Northern California chapter followed the next year and soon chapters were being formed across the nation as word spread about the benefits of this cooperative model.

During the ensuing years, most of the investigators and investigation teams who successfully broke the most famous and complex cases of the day were proud members of the HTCIA. They developed innovative investigative and prosecutorial techniques as well as influenced the manufacturers of utility software to pursue the development of specialized tools for computer forensics. Their suggestions and requests helped shape the forensic software we all take for granted today.

As the technology advanced, the job of the individual HTCIA members became more complex and required more sophisticated training and more advanced software. It also became apparent that no single agency, no matter how large, was able to take the problem on alone. The cooperation and teamwork displayed between HTCIA members helped solve hundreds if not thousands of cases around the world.

Our corporate partners stepped up and helped our members learn about the new technologies being used in criminal enterprises and how attacks were being perpetrated against corporate enterprise systems. Our law enforcement partners worked tirelessly to investigate the facts of these cases and combine forensic science and computer science to recover critical evidence from deep within computers and networks. Our prosecutors fought to change antiquated laws, to counter defense arguments against computer evidence, and to see that justice was served. Our training organizations developed curriculum based on these success stories and brought up a whole new generation of members who proudly carry on the traditions of the HTCIA organization. Our software partners continue to develop software tools which are critical to the collection and preservation of computer evidence.

Today, the organization is global and boasts a membership in the thousands. Our members constitute the core of professionals who struggle daily with the ever-increasing tide of computer fraud and abuse. Cell phones and PDAs have been added to the already complex mix of communications technologies spawning new and innovative investigative protocols and techniques. This knowledge is shared among our members through chapter meetings and training conferences. As a result, HTCIA members continue to impact the safety and security of our nations.

Our creed has spread around the industrialized world and we have set the standard for cooperation and success. I am confident that the organization will continue to grow and stand at the forefront of technology crimes investigation for many years to come. Personally, it has been a wonderful experience to be a small part of it. The highest professional honor I have ever received has been the receipt of the first “Lifetime Achievement Award” from my peers at the HTCIA. I look forward to my continued participation in the HTCIA and the benefit I receive through association with the talented professionals who make up its membership.

Image: Jon Kristian via Flickr

Recalling the 2011 HTCIA International Conference

September 20, 2011

It’s already been a week since we packed dozens of lectures, 14 hands-on labs, and a sold-out expo hall into our three days at Indian Wells. Here’s a run-down of some of our highlights:

Monday: Cliff Stoll, and Vendor Showcases

The day (and conference) started off strong with Clifford Stoll’s keynote. Clear about the fact that he was making a presentation he first gave in 1986 – and has given several times since then – Stoll nonetheless kept his audience entertained and educated, presenting “evergreen” material that is as relevant today as it was 25 years ago. Among his highlights:

  • Cliff Stoll: ARPANET hacking investigation
  • Cliff Stoll: networking demonstration
  • Cliff Stoll: investigation budgets, mandates

Northern California member Ira Victor followed up with an in-depth interview of Cliff, which he recorded for his Cyber Jungle podcast.

Following the day’s main lab and lecture events, Platinum sponsors Micro Systemation AB and AccessData showcased new products in the Emerald ballrooms.

Amid music, hors d’oeuvres and drinks, MSAB unveiled the worldwide preview of XRY 6.0, including an improved user interface, better export options, and Watchlist automation. MSAB will be providing training at our Philadelphia/Delaware Valley chapter in October, followed by training in South Florida in late October-early November. They’re available to come to any chapter needing mobile phone forensics training – is yours one of them?

Meanwhile, AccessData’s Keith Lockhart talked a bit about Early Case Assessment. During the well-attended and well-received presentation, Lockhart went through this e-discovery product, discussing features such as its ability to filter large amounts of data, to handle collaborative web-based review of that same data, and most of all, its immediate cost savings for forensic and legal teams.

And after all was said and done, participants gathered at the Stir Nightclub on-site for the traditional Northeast Chapter Party!

Tuesday: What we liked best, and our Annual Banquet

Just to keep abreast of what was going on from our participants’ point of view, we asked what they liked best about our conference. Some of the responses:

In the evening came our banquet, a richly rewarding experience that started with drummers from the intercollegiate musical group Senryu Taiko and ended with a hilarious comedy routine from “The Lovemaster,” Craig Shoemaker. In between we enjoyed ribeye steak, a 25th Anniversary chocolate torte, and opening for Craig, comedian Richard Aronovitch.

But the evening’s core lay in our awards ceremonies, where we presented plaques to the winners of our Case of the Year, Chapter of the Year, and Lifetime Achievement Awards. This year, as last year, the Case of the Year winners got a standing ovation for their hard work in putting a killer behind bars. And contenders for Chapter of the Year got a challenge: give SoCal a run for their money!

HTCIA 2011 Case of the Year winners Eichbaum, Cook, Sunseri & Maloney

HTCIA 2011 Lifetime Achievement Award winner Ken Citarella, Northeast Chapter

HTCIA 2011 Chapter of the Year: Southern California's board members

Wednesday: Wrapping up great learning experiences

By Wednesday everyone’s brains were just about full, but our labs and lectures enjoyed good attendance nonetheless:

Other conference highlights: lunchtime raffles, international tweets & still more networking

Lunchtimes offered good food and great prizes. Over chicken and pasta (Monday), cold cuts (Tuesday), and Chinese cooking (Wednesday), participants had the chance to buy tickets to enter our raffles. Giveaways included:

Vendors got in on the action too:

If you were following our hashtag #HTCIACon on Twitter, you may have noticed a few foreign-language tweets. As an international organization, we love to see our members reaching out to their own communities in their native languages. Spanish and Dutch participants did exactly that, including a longer blog post by member and presenter Andres Velazquez.

HTCIA conferences would be nothing without networking and the exchange of amazing ideas. Jim Hoerricks wrote about it, and posted some of those ideas in his blog. We also heard from Albert Barsocchini, who came with an e-discovery perspective.

Did you write or podcast about the HTCIA conference or good outcomes you gleaned? Please let us know in comments!

2011 Report on Cybercrime Investigation now available!

September 9, 2011

We’re pleased to announce that we’ve released our 2011 Report on Cyber Crime Investigation. The second report of its kind that we’ve produced, this document is the result of members’ responses to a survey we asked them to complete earlier in the summer. We compared the data we found from one year to the next, and as we note in our executive summary, the outcomes were similar — with a few twists. Among them:

  • Need for improvement in information sharing. We saw a decrease in the frequency of information sharing between this year and last year, which we felt indicates that members and others in the community need better support with their efforts — not just with one another, but also with academic institutions and private companies.
  • Need for better training at multiple levels. Civilians, judges, prosecutors and even middle and upper level management can have a hard time understanding cyber crimes. Computers and the Internet add layers of abstraction to crime; it is harder to find and collect evidence from multiple devices, and victims can be scattered across the country (or in some cases, the world). Investigators may find it difficult to explain these complexities, but without understanding, decision-makers find it easier to budget scarce resources to (or in judges’ case, set legal precedent for) crimes they do understand, can see, and have a measurable impact on, like narcotics or property crimes.

We encourage you to download and read the report — and share your thoughts. Are these similar to trends you’ve seen? What would you like to see in next year’s report?