Open source Android forensics: An HTCIA student chapter project

March 8, 2012

We always like to hear about the cool new projects our students are engaging in, so we were excited to see University of Cincinnati student chapter president Shadi Dibbini post on our Facebook page:

When we saw the site osaf-community.org, we definitely wanted to talk more with Shadi about his team’s project!

HTCIA: How did you get the idea for Open Source Android Forensics? How long have you been working on it thus far?

SD: My team started working on this project at the beginning of the school year, late September, and it has to be completed by the beginning of May. In May, we will be presenting at the University of Cincinnati’s Tech Expo event. The Tech Expo is a showcase of senior design projects from IT students, and students from other programs. The event is entirely open to the public, so feel free to come down and check out all the cool projects.

I came up with the idea of Open Source Android Forensics (OSAF) because I really enjoy forensics, and I have been a smartphone enthusiast for the past 8 years. A little off topic here, but believe it or not, I used to buy a new smartphone every three months so that I could have the best device that’s currently out on the market… I learned pretty fast that I was wasting my money, so I quit buying that many phones.

Besides the fact I enjoy forensics and smartphones, what caught my eye a few years ago, during the rise and popularity of Android, was the fact that Google does not have a vetting procedure for the applications that are published on the market. Google is smart by allowing any publisher to rapidly release applications without having to wait or gain approval (cough..cough..Apple)… however, Apple is smart by vetting applications to protect their users.

In recent news though, Google did come up with a new application security scanner called “Bouncer” after realizing that they did have a huge issue with Android malware. Back in Q3 2011, there was a report that had stated that malicious Android apps had risen 473% in about a year or so… that is a lot of malware.

This report pretty much sparked my ingenuity for coming up with the OSAF project. The OSAF project was initially going to be just the OSAF-Toolkit, a Linux OS that has been injected with all the latest Android application analysis software, but I wanted more than that. I wanted to not only create an application-ripping toolkit, I wanted to create a community where anyone interested in Android malware analysis can have a one stop shop for any information they need.

I want people to stop at our site before any other site, and I want people to collaborate with each other, share new techniques and methodologies, and share their findings after they have ripped apart an application (hence the threat index).

Another honorable mention is that my team is currently working on documentation on how to perform analysis against any application. This is an A-Z guide of what tools to use, how to use them, what to look for during static/dynamic analysis, etc… We do not want to give people a toolkit and say, “here you go, figure it out yourself” like many other projects have done.

HTCIA: What need does your research and site fill that others were missing?

SD: Not to be cocky or anything, but the entirely “FREE” price point for a toolkit, documentation and a collaborative work environment is argument enough that our site is better than the rest. I see other companies/sites charging a lot of money for training, certifications, information, etc.

I, at one point, wanted to take some certifications in forensics and information security, but the training and certifications were just way too much money for a college undergrad to afford. So I looked at this project from a college kid’s perspective… If it’s free, it’s for me… That’s why we decided to name the project OSAF. We wanted every aspect of it to be entirely open source.

HTCIA: How many people are working on the project?

SD: There are 4 of us IT seniors, including myself, working on the project right now. I couldn’t have picked a better team for this project. They are very smart and dedicated individuals wanting to make this project the best it can be. I think the reason why we are so dedicated as a team is because the project itself is very fun and unique. I feel like we are pioneers in this sort of work because I can’t find any site online that is dedicated to creating an entire environment dedicated to Android malware analysis.

HTCIA: What are your goals for the site over the long term?

SD: I want the OSAF project to be well recognized in the forensics and malware analysis community. I eventually want to get more people on board to help analyze applications, maintain the site and answer any questions people may have. One day, I hope companies will be knocking on our door asking if they can sponsor us, in order to help fund and build the project, while keeping it 100% free of charge.

HTCIA: How long have you been a student HTCIA member? How long have the other students been?

SD: I am actually the founder and President of the University of Cincinnati’s HTCIA student chapter. I started the student chapter back in May 2011. I think we have a little over 20 student members (a mix of IT, IS and Criminal Justice students) in our chapter so far, but I have been getting a lot of email lately about new students interested in joining the chapter.

My team members for this project are not student members of HTCIA sadly. I would like for them to be members, but we only have 3 more months of school before we graduate. I will definitely get them to become full HTCIA members upon graduation.

HTCIA: Anything else you want to mention about the project?

SD: I just want people to know about us and the goals of our project. We can agree that the web is entirely too large right? I feel like it is hard for start-up sites, like us, to make it big these days unless they provide content that interests a vast majority of people, or if the site provides a service that interests organizations.

We want OSAF to be a site that provides both content and services of interest. Organizations, and the general public, have to realize that mobile malware is not going to magically disappear any time soon. Criminals will eventually get more crafty in the way they embed malicious code into applications; who knows, maybe to the point where the malicious code circumvents the Android permissions mechanism.

That’s where OSAF has an advantage over anyone else. Anyone can ask OSAF to analyze an application, a community member will perform analysis, give the analysis report/results to the OSAF admins for review, then the OSAF admins will publish the finding on the threat index. Ripping apart applications is the only real way to find Android malware, because we all know how well Android “Anti-Virus” works.

Find and bookmark osaf-community.org, and keep an eye out for the site’s development, currently slated for completion in May! Shadi says that the toolkit is currently available online for download, and the malware analysis documentation will be complete in May as well.

Image: victoriawhite2010 via Flickr


DFIROnline: Defragmenting the digital forensics community with HTCIA member Mike Wilkinson

February 9, 2012

In our posts for monthly HTCIA chapter meetings, we’ve done something a bit unusual: linked to a virtual conference call that isn’t a chapter meeting. The monthly, hour-long DFIROnline is the brainchild of New England chapter member Mike Wilkinson (@MikeWilko on Twitter), who invites some of the most well-respected minds in the digital forensics and incident response (DFIR) community to interact with participants via live chat.

DFIROnline, like most of our chapter meetings, is open to anyone. We asked Mike to talk more to us about how he got the idea, why he’s doing it, and where it’s going:

HTCIA: How long have you been an HTCIA member, and what led to your creation of the DFIROnline meetups?

MW: I have only been a member of the HTCIA since I moved to the US in August 2010. I had been aware of the HTCIA for many years prior to that and was considering setting up a chapter in Sydney, prior to leaving the NSW Police Force. I had run into Paul Jackson at a [law enforcement] conference the previous year, where I presented a proposal for creating an organization similar to the CDFS; he had just got the Asia Pacific HTCIA chapter up and running and was very enthusiastic about the HTCIA.

I was inspired to create the meetups after watching on from the sidelines as Harlan Carvey started his NoVA [forensic] meetups. I would have loved to get along to one of the meetings, but the travel from Burlington VT to North Virginia was just a little hard to manage!

I ran into Harlan at PFIC and was talking about the meetups with him there. A few days later I thought that maybe an online meetup would work, so I contacted Harlan to see if he was interested in getting involved and he was keen. I don’t think it would have worked so well without his support.

HTCIA: What about this particular format (as opposed to a webinar or conference call) did you think would be more beneficial than others?

MW: I have been using this format in my online classes for the Masters program at Champlain College, and found that it worked well in class. The interface is highly customizable and allows a high level of participant interaction, far more than I have seen with other systems.

So far we have had a heap of chat going on at the same time as the presentation, the audience can ask questions and contribute suggestions as the presentation is running. Last session we had a bunch of helpful links posted and a lot of friendly banter, along with a drinking game, just to make it more interesting!

It also provides a video feed of the presenters so you get to see the person who is talking. In the first session we had a tour of Harlan’s office which was pretty cool. So although it is not the same as getting together face to face it does get pretty close.

Finally it does not require user registration, which helps to keep everything quite informal. Personally I find that if I have to register for something I am much less likely to get involved, I guess I just hate giving out my details.

HTCIA: Why do you think the community is so fragmented, and how can programs like this one help?

MW: This is something that has been bugging me for years. There is no simple answer to this and David Kovar wrote a great post on it last year, everyone in the industry should read it here.

I think historically there has been a high level of mistrust between LE/government and private practitioners. In some cases this may be well founded, but for the most part people on both sides have a high level of integrity and are just doing their job.

This is compounded by the different closed lists; whether it is IACIS, HTCIA, CCE or DFIR, each one is only open to a select group of people, in some cases based on if you hold a certification and in others if you work for the right organization. In either case you are artificially excluding some great people.

The other part of the problem is the different types of work we do. Forensics for LE is quite different to incident response. Some things (for example documentation) that I take for granted coming from a LE forensic background appear quite novel or even pedantic to some IR people.

Moving forward we should be focusing on what we have in common, rather than what our differences are. I would like to see a situation where the only barrier to involvement was appropriate ethical behaviour. Unfortunately there are a handful of people out there whose behaviour should result in their exclusion from the profession. However this group is very small and it is a pity to stifle the development of the profession in order to defend against this tiny group.

HTCIA: What kind of information sharing do you want to encourage?

MW: Well, as an academic, everything; from a LE perspective I recognize that there is a small amount of information that, once it becomes common knowledge, can hinder investigations.

However, at this point in time the bad guys are far more organized and specialized than we are. There is so much duplication of work going on as a result of poor sharing that massive amounts of time are wasted.

Harlan has a great example he uses, where if one person spends 20 hours solving a problem and shares it with another five people, it has the potential to save 100 hours of work, as they will not have to repeat his/her efforts.

One other thing I think everyone needs to realize is that they all have something to contribute. In my online classes we have lots of discussion and I find that it does not matter how long someone has been in the profession they always have something to contribute.

One of the things I love about teaching is getting to interact with all these great people. Just the other day I had a student who has only just completed his bachelor’s degree and is just starting out in the profession suggest a solution I had never considered. We need to realize that no one has all the answers and it is always worthwhile listening to others as you never know what you might learn.

HTCIA: What would you like to see for the meetups by the end of the year?

MW: More people involved and more great presentations. At the moment the time we run at is not much good for the rest of the world. I would like to run at least one session for Europe and another for Asia Pacific. I have already had people put their hand up to present in Europe and I could probably put some pressure on a few really smart people I know in Australia to do something. I just have to find the time to organize it.

HTCIA: Anything else you want to discuss?

MW: Yes, I have high hopes for [HTCIA partner] CDFS; I think it is the first time we have had an organization with transparent leadership and good representation of all parts of the profession. It is great to see it moving forward, I hope it continues to do so and take my hat off to the handful of people that have put the time into making it happen.

Also on a more personal note I have just created a new Master of Science in Digital Forensic Science, with a fair bit of help from a number of people listed here. This program is designed for people who already have a solid background in digital forensics and are looking for advanced education. Officially enrollment does not start until the fall term, but we can get students into a class over the summer if they are keen.

Again, DFIROnline is open to anyone. It’s next planned for February 16, with sessions planned on cryptology along with e-discovery case studies. Hope you’ll be there!


February for HTCIA: Chapter meetings and other notable events

February 3, 2012

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got four upcoming special events as well as regular chapter meetings this month:

HTCIA Chapter Meetings

February 7

HTCIA Ottawa will present “Inclusion of Forensic Video Analysis Within an Agency’s Digital Forensic Program” in Russell’s Lounge at the Ottawa Police Association from 5:30-8 p.m. Jeff Spivack, an IAI Board Certified Forensic Video Examiner, will demonstrate how forensic multimedia analysts obtain investigative leads and actionable intelligence from files that might otherwise be discarded.

Spivack has worked as a Forensic Multimedia Analyst with the Las Vegas Metropolitan Police Department, and has been accepted as an expert witness in courts throughout the U.S. In addition to conducting case work, Jeff is also Cognitech, Inc.’s Forensic Video Software Certification Instructor, and Senior Instructor of Video Forensics for Forensic Data Recovery, Inc., Cognitech’s Canadian affiliate.

For more information and to register, see the Ottawa HTCIA website. Non-HTCIA members are welcome for a guest fee of $15.00.

Also on February 7, our Southern California chapter will be holding a joint meeting with ISACA Los Angeles. The dinner meeting, at Monterey Hill Restaurant (3700 W Ramona Blvd., Monterey Park, CA), will feature a computer forensics case study and will run from 5:30-8:30 p.m.

Guidance Software’s head of Risk Management, Andy Spruill, will provide his first-hand account of the landmark Victor Stanley, Inc. v. Creative Pipe, Inc., the intellectual property theft case that spawned not one, but two, landmark legal decisions in the world of digital forensics and eDiscovery. To register, please visit ISACA LA’s website.

February 9

Atlanta HTCIA will present “Forensics in your PJs” from 7:30-9:30 a.m. A breakfast meeting at American InterContinental University in Dunwoody, Georgia, the meeting will show you how to use various resources and tools on the internet to gather data. From Facebook to blogs: what you can learn while sitting in your PJs!

Speaker Buffy Christie is Senior Director of Equifax Global Security. Buffy has a BS in Criminal Justice, Forensic Science. She is a CFE (Certified Fraud Examiner) and is President of the Southeastern IAFCI (International Association of Financial Crimes Investigators).

To register for this event, visit Atlanta HTCIA’s EventBrite page.

February 10

Texas Gulf Coast HTCIA will meet from 1:00-3:00 p.m. at the FBI Greater Houston Regional Computer Forensics Laboratory. Those planning to attend will need to be vetted by the FBI prior to the meeting. In order to attend, contact Ms. Julie Campbell, Receptionist, Pathway Forensics (713.301.3380) and provide her with your name, DOB and DL#. Chapter members should also RSVP to the Evite invitation that was sent to the e-mail account on file with HTCIA International.

February 14

Midwest HTCIA is offering an Android forensics and software demo by Christopher Triplett, Sr. Forensic Engineer of viaForensics. From 8:30-11:30 a.m., Mr. Triplett will cover Android File Systems, Android Forensic Analysis Techniques, and a demonstration of viaForensics’ viaExtract product.

Midwest HTCIA’s chapter meetings are located in Oakbrook Terrace, IL at the ICE office (16th floor, Oakbrook Terrace Tower).

February 15

Minnesota HTCIA will meet in the Ridgedale Library, RHR West Room in Minnetonka.

February 16

Member Mike Wilkinson’s monthly DFIR Online Meetup will feature Peter Coons and John Clingerman providing e-discovery case studies, along with Jonathan Rajewski speaking on “N unaqf ba (cra/cncre) rkrepvfr va onfvp pelcgbybtl/pelcgnanylfvf”… or, “A hands on (pen/paper) exercise in basic cryptology/cryptanalysis.” Join in at 8:00 p.m.!

February 17

Washington state HTCIA will be meeting from 10 a.m. to 12 p.m. Topic and speaker both TBD.

February 21

Central Valley HTCIA will be meeting at 12:00 noon at the Stanislaus County Sheriff’s Office, 250 East Hackett Road in Modesto, CA. Tentative topics are a presentation on TOR by Cullen Byrne, and an update on the group Anonymous by an FBI representative. Lunch to be provided.

Austin HTCIA, meanwhile, will meet from 1:30 to 3pm at the REJ Building. Rick Andrews will be going over navigation in EnCase v7. Come with questions!

February 22

Atlantic Canada HTCIA will meet from 5:30-7:30 p.m. with Jan Cox from Oracle presenting on the topic of SQL injection, among other things. An update on the chapter’s conference planning efforts will also take place.

February 24

From 11:00 A.M. – 3:00 P.M. at University Hall, Room 465 (51 Goodman Dr. in Cincinnati), Ohio HTCIA will be offering a presentation on Incident Response: Live Memory Capture and Analysis. Presenter Justin Hall has 15 years of experience in the information technology field and has spent the last seven focused on information security.

Mr. Hall is currently a security architect for CBTS, a technology services provider in the Cincinnati area – consulting with the firm’s enterprise customers in developing vulnerability management, incident response, and endpoint & network defense programs. He is a frequent speaker at information security community events, a SANS mentor, and holds a GCIH, GCFA and GPEN.

Following Mr. Hall’s presentation, lunch will be provided and the chapter’s business meeting conducted.

Also on Friday, our Kentucky chapter will meet at 1:00 p.m. at Boone County Sheriff’s Office. Tom Webster will present about Internet Evidence Finder.

February 29

San Diego HTCIA will meet at the Admiral Baker Clubhouse in San Diego. Lunch will be served at 11:30, with the presentation (yet to be determined) running from 12:00-1:00 p.m. HTCIA members are also welcome to attend the 10 a.m. board meeting that day.

Lunch is free for all current members, $20 for guests, and $35 for new members with completed HTCIA membership forms. RSVP is required, so please RSVP ASAP to treasurer@htcia-sd.org! This will assist in planning for seating and food requirements.

Northern California HTCIA will also be meeting on February 29. Topic and location to be determined.

Special Training Events

February 6-11: SANS COINS event coming to Los Angeles!

Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations-Windows In-Depth will be in sunny Los Angeles, CA February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 will include a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. HTCIA members can save an additional 10% off tuition when you enter Discount Code “COINS10”! Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs/

February 15

ISSA Ottawa and Women in Defence & Security will be co-hosting a National Capital Security Partners’ Forum Event featuring Marene Allison, VP & CISO of Johnson and Johnson. The opening speaker will be Rennie Marcoux, Assistant Secretary to the Cabinet (PCO); the closing speaker will be Carol Osler, VP Physical Security TD Bank. For more information and to register, see http://www1.carleton.ca/npsia/upcoming-events/4409-2

February 20-24

Free law enforcement training! Minnesota HTCIA is advertising “Fighting Cyber Crime”, 40 POST credits’ worth of courses at the St Cloud State Campus. The training is a response to the increased ease with which people can access the Internet to commit crimes, as well as the increased emphasis on issues of homeland security. Participants will learn ways to uncover, protect, and exploit digital evidence to respond to crimes. Register via the course flyer at http://www.mn-htcia.org/documents/Cybercrimecourseflyer.pdf.

February 27-March 1

The New York District Attorney’s Office has partnered with the National White Collar Crime Center to offer Cybercop 101 – Basic Data Recovery & Acquisition (BDRA) to qualified members. This 4-day course teaches the fundamentals of computer operations and hardware function, and how to protect, preserve and image digital evidence.

This class introduces participants to the unique skills, best practices and methodologies necessary to assist in the investigation and prosecution of computer crime. It includes presentations and hands-on instruction on such topics as Partitioning, Formatting, Data Storage, Hardware and Software write blockers, the Boot Up process, and Duplicate Imaging. Register here for this and future courses!

REMEMBER: To get discounts or free training (where applicable), you must be a member. Please join or renew your 2012 membership today!


HTCIA Lifetime Achievement Award winner Ken Citarella: A generation’s worth of institutional knowledge

August 31, 2011

One of the things we enjoy most about giving out our annual awards is the opportunity to highlight how our members’ best work contributes to our overall community. This is certainly the case with our 2011 Lifetime Achievement Award winner, Ken Citarella, Managing Director of Investigations for Guidepost Solutions.

In his role at Guidepost, Mr. Citarella directs investigations concerning fraud, information assurance, employee misconduct, and related matters. Most notably, he is directing the investigation of suspected fraud claims submitted to the Gulf Coast Claims Facility due to the catastrophic BP oil spill. Previously Mr. Citarella served in the Westchester County (NY) District Attorney’s Office for 27 years, including as Deputy Division Chief of the Investigations Division and Bureau Chief of the High Technology Crime and Economic Crime Bureaus.

Mr. Citarella is a nationally recognized authority on computer and white collar crime, having obtained convictions for computer intrusions, malicious software attacks, a software time bomb, spamming, digital child pornography, and the use of the Internet for child exploitation. In doing so, he helped to pioneer the investigation and prosecution of computer crimes in New York State and nationally.

In addition to his career with the DA and his work at Guidepost Solutions, Mr. Citarella has worked with a commercial litigation law firm and with the Corporate Investigations Division of Prudential Insurance. He is also an Adjunct Professor of Law at New York Law School, where he teaches a cybercrime course, and a Certified Fraud Examiner.

Mr. Citarella has been an HTCIA member since the mid-1980s and was the founding President of its Northeast Chapter in 1990.

“As one of our longest time members, Ken has a generation’s worth of institutional knowledge, which he has worked hard to bring to the investigative community throughout his career,” says Duncan Monkhouse, HTCIA International President.

“I am honored to accept this award from HTCIA, the foremost organization of its kind in the world,” says Mr. Citarella. “The members of HTCIA pioneered the fight against high technology crime by asking questions about how to acquire digital evidence that would be admissible in court, what criminal statutes would address the crimes we were seeing and what new ones we would need.

“As an organization we have grown the same way, by asking how we can assist each other in trying to bring some law and order to the frontier of cyberspace. The pride I have felt for more than 25 years as a member of HTCIA has never been stronger, and I am confident HTCIA will help meet the continual challenge to grow strong as cyber threats continue to grow ever more threatening.”

Mr. Citarella will formally accept his award at the 2011 HTCIA International Training Conference & Expo, September 12-14 in Indian Wells, CA. Please join us in congratulating him!


Our members’ March contributions

April 5, 2011

Our members find many ways to contribute to the high tech crime investigation community. They teach, present at conferences, and write. We’re introducing a new series: monthly blog posts that round up our members’ work.

Recapping March:

HTCIA co-sponsored (together with our SoCal chapter) the Western Regional Collegiate Cyber Defense Competition. We’re pleased to announce that the Cal Poly Pomona team won! They’re advancing to nationals this coming weekend. Good luck SoCal team, and kudos to Dr. Dan Manson for organizing the regional event!

Midwest member Tom Yarrish debuted a new blog: RAM Slack, where his inaugural post discusses E01 images together with SIFT (the SANS Investigative Forensic Toolkit).

Eric Huber, in our Northeast chapter, discussed a variety of topics in his two blog posts this month. These included live response and the cloud, the underground economy around stolen intellectual property, and English football — among many other topics!

Part of Eric’s blog played off Midwest member David Kovar’s excellent post about the fragmentation of the digital forensics community. You might expect that as a community grows, it splinters into specialized groups… but that’s not what he’s talking about. Be sure to read the comments for more.

Northeast member Steve Branigan wondered whether virus scanners would be a thing of the past, as virus writers outpace the defenders. Could a virtual operating system be the answer?

Ottawa chapter member Chris Pierre blogged about how law enforcement needs to get past thinking that internet investigators are only for white collar and divorce investigations. Chris also blogged about some training that he and his firm are involved with, so be sure to check out his other postings.

Joe Garcia, also in our Northeast chapter, posted a Cybercrime 101 podcast episode about online child exploitation. He also blogged about securing iOS devices, focusing on Long as opposed to Simple passcodes and how they work.

Speaking of iOS devices, a fourth Northeast chapter member, Ryan Kubasiak, posts regular updates to his blog AppleExaminer.com.

Finally, our International 2nd Vice President, Tom Quilty of the Silicon Valley chapter, wrote about the impact of disasters on the international supply chain — notably, that the disruption of supply in a just-in-time inventory system makes it easier for counterfeit parts and goods to enter the stream of commerce.

Certainly, these blogs and other activities represent only a small subset of our members’ contributions to our community. So please, if you’re a member or you know of a member’s accomplishment that you’d like to see highlighted next month, please leave us a comment below, tweet us, or leave a comment on our Facebook page!


Next-Gen Networking: Our Student Member-Volunteers

October 7, 2010
Josh Chin, Michael Chau & Edmund Cheung, HTCIA student volunteers

If you attended our conference in Atlanta, you encountered our student volunteers at some point: at the registration desks for the event and the labs, in the corridors to assist with wayfinding, and (in one case) taking pictures for our Facebook page. If you were a speaker, you worked with at least one student volunteer long before arriving in Atlanta.

Our students weren’t just there to help us out. They were there to learn and to network, too: they’re the next generation of cybercrime investigators, and their work helped them as well as us. And they did such a great job with it all that we wanted to take the time to introduce them by name.

Edmund Cheung assisted with registration and helped get our speakers situated in their rooms. “I was also appointed to the position of conference photographer,” he says. “I basically ran around taking pictures from the exhibit hall, to the lab sessions, and Tuesday night’s dinner.”

Having been involved with conference planning from the beginning of the year, Edmund found it rewarding to see how his and fellow volunteers’ hard work came together. But that wasn’t the only benefit. “I had a great time networking with a lot of great people, getting to know each other better, and hearing their stories about why they enjoy doing what they’re doing or just the importance of combating high tech crimes.”

A full-time fourth-year student at California State Polytechnic University (Cal Poly) Pomona, Edmund is studying Business Administration with a focus in Computer Information Systems, and a minor in General Management. Upon graduating, he plans to pursue a career in computer forensics, possibly as part of an electronic crimes task force, and to obtain a graduate degree along with certifications.

Like many professionals in the industry, Edmund says he’s captivated by the way the technology is ever growing and changing – one of the main reasons he attended the conference. He plans to join HTCIA “to be part of an association that wants to promote awareness and educate those who want to battle against electronic crimes. [Also], I get to interact with and learn from the men and women in this community who enjoy their work in investigations that deal with sophisticated technologies.”

Michael Chau, like Edmund, volunteered with registration and speakers. “By helping out in this year’s conference, I was able to meet new people that share the same interest as I do,” he says. “I would say the best thing about being there was the fact that everyone is associated or wanting to be associated with [investigating] the high-tech crime that is going on in today’s reality. I love the atmosphere this association brings to the community – that of people who enjoy learning and being associated with the prevention of high-tech crimes.”

Also a full-time student attending Cal Poly Pomona, Michael is pursuing his bachelor’s degree in computer information systems. He plans to work as a network analyst or in a network security position. “Being part of the first group to graduate from my high school’s technology program allowed me to realize that this particular field is what I want to do as my career,” he says. “Technology is always growing and that fascinates me.”

Josh Chin’s volunteer role was similar: to work with guest speakers on coordinating logistics as well as ensuring their needs were met. Pre-conference, he was part of the team that collaborated with potential speakers on compiling their proposals and requests. During the conference, Josh worked with Edmund and Michael to assist both speakers and attendees.

“For our attendees, we guided them to different workshops and lectures as well as addressed any concerns they may have regarding the conference,” says Josh. “For our speakers, we made sure they were settled in well, answered any questions and addressed any concerns they may have had. We also looked in from time to time on our speakers or made necessary adjustments to the conference schedule to balance speakers’ flight delays or cancellations.”

Josh appreciated the opportunities his volunteer work gave him “to work with each of the speakers as well as network with different attendees. It was wonderful meeting everyone. Joining HTCIA is a brilliant opportunity to make friends in law enforcement, as well as gain an infinite amount of wealth and knowledge on computer forensics, and a glimpse at the challenges we’re facing on fighting cyber crime.”

Josh, likewise a Cal Poly Pomona student earning a degree in Business Administration with a concentration in Computer Information Systems and an emphasis on Information Assurance, plans “to make a positive difference and impact on cyber space, and to take a bite out of cyber crime. This field is an opportunity to make a difference in the world, ensuring that our next generation will be prepared to face the next set of cyber challenges.”

Ryan Jafarkhani did not attend the conference, but volunteered alongside Josh and Edmund as the point of contact between speakers and HTCIA. “I ensured that the speakers’ needs and questions were answered, [and I] helped solve any issues that arose. I also coordinated with the speakers to retrieve information and documentation required by the HTCIA,” he says.

Already a graduate of Cal Poly Pomona with a Bachelor of Science degree in Business Administration (emphasis on Computer Information Systems), Ryan is an IT/Finance Auditor Associate with Beckman Coulter Inc., a manufacturer of medical lab instruments.

“I do plan on going into the computer forensics and security field in the near future,” he says. “Ever since I was young, I’ve always wanted to be a detective of sorts. Computer forensics provides me the opportunity to solve complex problems, work in a dynamic industry and provides the challenging career I am looking for.

“Joining the HTCIA gives me the opportunity to network with very bright and talented individuals who provide information and insight in areas of computer forensics that I may have never been exposed to before. Joining the HTCIA also exposes me to talent in both private and public (government) industries.”

Are you a student interested in joining HTCIA?

The GPA requirement we used to have has been waived completely, and school charters are active in Washington state, New England and Ohio. Those who are studying computer science, forensics, criminal justice, law enforcement, corrections, accounting, auditing, or a similar program of study are eligible; 10 or more Student Members from one college or university may form an HTCIA School Charter.


The power of the HTCIA investigator network

September 13, 2010

One of HTCIA’s great strengths, and the quality for which it is perhaps best known, is the power of its network. Whether in public or private sector, members know that they can call on one another whenever they need assistance – or when they think they can help their colleagues.

Executive Secretary Art Bowker had this experience recently. Reading a news article about cybercrime, Bowker noticed a comment made following the article was not, technically, a response.

Instead, the poster – apparently a woman – described being jilted by a vice president in a large and well-known corporation. Searching on the username attached to the comment, Bowker found multiple other comments on other news sites. Several of them mentioned that the commenter was thinking of suicide every day.

“To me it seemed like someone had a lot of anger [and was] expressing it on the Internet,” he says. “As it appeared numerous times, I took some screen shots and looked up HTCIA members who worked at the corporation to alert them.”

Located in Ohio, far from the company’s headquarters, Bowker had never communicated with these particular members before. But the company’s security intelligence analysis team manager responded.

“They were apparently unaware this was going on, and had been for about six months,” says Bowker.

From networking to security education

“I think in this day and age, companies should be putting alerts on themselves out there,” says Bowker, “preferably rather complicated ones beyond just their name. If a person can go on any news site and post a comment, the company needs to be aware of it – particularly if those comments get worse… threatening, etc.

“This person could actually show up at their door and shoot someone, and hindsight would show they had been posting all over the place their thoughts, including on suicide. This shows companies what they need to do to protect themselves.”

To Bowker, who has been an HTCIA member for 10 years, this case wasn’t just about members coming together to stop a security incident or help someone in need. It also meant that the members he contacted are in a better position to educate 1) the C-suite on the need for social media monitoring, and 2) other employees – and HTCIA members in their own community – on how to respond if they ever see or hear something among themselves.

“It is about knowledge sharing, about techniques as well as dangers, with our members and obviously the public. Thank goodness we had HTCIA members from this company, as I would have spent time trying to find out whom to advise about it,” Bowker says.
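What Bowker describes amounts to two things: watching public comment streams for more than the bare company name (executives, products, common misspellings), and treating a handle that keeps turning up with threatening or self-harm language on several sites as a single escalating case rather than isolated posts. The script below is an added illustration of that monitoring logic, written for this page; it is not Bowker's or HTCIA's code, and nothing in it was used in the incident above. The company, executive and product names on the watchlist are hypothetical, and the comments it runs over are constructed sample records, not real postings.

```python
"""Constructed example: keyword-and-correlation monitor for public comments.

Assumptions (all hypothetical): the watchlist names below, the escalation
vocabulary, and the sample comment records. A real deployment would feed this
from a comment/search feed and tune the vocabularies to the organisation.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Comment:
    site: str       # news site the comment appeared on
    username: str   # handle attached to the comment
    text: str


# "Beyond just their name": executives, products and variant spellings are
# monitored alongside the company name itself. Hypothetical values.
WATCHLIST: Dict[str, List[str]] = {
    "company":   ["example corp", "examplecorp", "example corporation"],
    "executive": ["jane doe", "j. doe"],
    "product":   ["exampleware"],
}

# Language that turns a mention into something security should review.
ESCALATION: Dict[str, List[str]] = {
    "self_harm": ["suicide", "kill myself", "end it all"],
    "threat":    ["shoot", "show up at", "make them pay"],
}

# Higher rank sorts first in the alert list.
_RANK = {"critical": 0, "high": 1, "info": 2}


def _compile(terms: Iterable[str]) -> List[re.Pattern]:
    # Word boundaries keep "shoot" from matching "offshoot"; re.escape
    # protects the dot in "j. doe".
    return [re.compile(r"\b" + re.escape(t) + r"\b", re.IGNORECASE) for t in terms]


_WATCH = {cat: _compile(terms) for cat, terms in WATCHLIST.items()}
_ESC = {cat: _compile(terms) for cat, terms in ESCALATION.items()}


def classify(comment: Comment) -> Tuple[Set[str], Set[str]]:
    """Return (watchlist categories, escalation categories) present in one comment."""
    watch = {cat for cat, pats in _WATCH.items() if any(p.search(comment.text) for p in pats)}
    esc = {cat for cat, pats in _ESC.items() if any(p.search(comment.text) for p in pats)}
    return watch, esc


def find_alerts(comments: Iterable[Comment]) -> List[dict]:
    """Correlate comments by username and rate each user.

    info:     mentions something on the watchlist, nothing alarming
    high:     a watchlist mention plus escalation language, in one post
    critical: escalation language in two or more of that user's posts
    Users who never mention a watchlist item are ignored, however alarming.
    """
    by_user: Dict[str, List[Comment]] = defaultdict(list)
    for c in comments:
        by_user[c.username].append(c)

    alerts = []
    for user, posts in by_user.items():
        watch_hits: Set[str] = set()
        esc_hits: Set[str] = set()
        esc_posts = 0
        for p in posts:
            w, e = classify(p)
            watch_hits |= w
            esc_hits |= e
            if e:
                esc_posts += 1
        if not watch_hits:
            continue
        if not esc_hits:
            severity = "info"
        elif esc_posts >= 2:
            severity = "critical"
        else:
            severity = "high"
        alerts.append({
            "username": user,
            "severity": severity,
            "watchlist": sorted(watch_hits),
            "escalation": sorted(esc_hits),
            "posts": len(posts),
            "sites": sorted({p.site for p in posts}),
        })
    return sorted(alerts, key=lambda a: _RANK[a["severity"]])


# Constructed sample records (not real comments, sites or people).
SAMPLE_COMMENTS = [
    Comment("news-site-a.example", "heartbroken_77",
            "This article is nothing compared to what a VP at Example Corp did to me."),
    Comment("news-site-b.example", "heartbroken_77",
            "Jane Doe of ExampleCorp ruined my life. I think about suicide every day."),
    Comment("news-site-c.example", "heartbroken_77",
            "Maybe I should just show up at their door and make them pay."),
    Comment("news-site-a.example", "happy_customer",
            "ExampleWare actually works, unlike the last product I bought."),
    Comment("news-site-b.example", "random_reader",
            "I kill myself laughing at these comment threads."),
]


def run_demo() -> List[dict]:
    return find_alerts(SAMPLE_COMMENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The third post from the sample user never names the company at all; it is only the earlier posts under the same handle that tie it to the watchlist, which is why the correlation step is by username rather than per comment. The `random_reader` post shows the other side of the same rule: escalation language with no watchlist mention produces nothing, so the monitor does not page security about every dark joke on the Internet.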

Image: Ella’s Dad via Flickr


Case of the Year winner Eric Pahlberg: How networking and perseverance netted child pornography suspects home and abroad

September 2, 2010

This year’s nomination for Case of the Year, from a colleague of winner Det. Eric Pahlberg of the Sacramento County Sheriff’s Department, noted that the investigation of child pornography suspect Benjamin Kendrick could have ended at any point with simply the “low hanging fruit” found on the suspect’s hard drive.

However, Pahlberg argues that case circumstances demanded he go further – that it’s possible to balance preview with in-depth investigation, and that a tight network of investigators followed the case through to its successful conclusion.

HTCIA: You could’ve said “good enough” at several points in your investigation, and would not have found crucial evidence if you had. What motivated you to keep digging?

EP: The circumstances of the case motivated me. There were interesting problems to be solved, and once I realized I could identify an abused child who was in danger, it was important to follow through to rescue her.

In most cases, your goal as an investigator is to determine that a crime occurred, prevent further damage or loss, document the circumstances of the crime, and to show the suspect committed the crime. When the suspect has an explanation, you want to fully investigate to either prove his story is true, or to prove it is not true, whichever way the evidence leads.

This was a serious crime when it started with the investigation of distributing child pornography. Because the forensic evidence showed there was another suspect in Brazil and a child who was in imminent danger, I had to follow up on leads until I could not think of anything else to follow.

Fortunately, this is the age of social networking, and the Internet reaches across countries and continents. The suspect in Brazil posted enough information and images of herself online to locate her in Brazil. Because we work on a task force, I had access to an FBI Special Agent that was working in Brazil. The investigation was forwarded through the Special Agent to the Federal Police and Prosecutor in Brazil. The suspects network globally, and so can we.

HTCIA: Digital triage is a big topic because of the sheer amount of evidence on suspect hard drives. When should investigators stop at triage, and when should they dig more? Should they ever worry about missing a Kendrick?

EP: I have been in trials where I have prepared a forensic examination report that filled binders, and had only a few pages introduced as evidence in court. A lot of time and effort was wasted because it was not needed.

But, if I had not done the work, and did not prepare a thorough report, the questions would have come up about what I did not find and why. I try to err on the side of examining too much, rather than too little.

In my reports and while testifying, I talk about what I observed and what I searched for. I also explain what I did not examine and why. I will always admit that among the huge volume of data that is stored on modern hard drives, there may be evidence that I did not observe or did not recognize.

Triaging is important, particularly when there are multiple computers and multiple hard drives to process. In the real world, an investigator cannot look at every file stored on every hard drive and every device. Triaging is how the investigator can focus on the devices that may have been used by the suspects and are likely to contain the evidence, or just identify the owner of a stolen device without spending time examining everything on the device.

The investigator should be very careful to search for, and document any exculpatory evidence, but especially with a case like check fraud, there may be a point of diminishing return in finding every possible shred of evidence on a hard drive.

I think an experienced investigator can evaluate the physical and digital evidence that has already been found, look at the circumstances of the case, and strike a balance between a quick preview and a full examination. In most cases, the original evidence will still be available if the circumstances change and a further examination needs to be done.

HTCIA: How long have you been investigating Internet crimes against children? What brought you to it?

EP: I am very new to investigating Internet Crimes Against Children. I am assigned to a task force that has an ICAC component, so I have assisted over the years with search warrants and computer forensic examinations. For more than a decade, I have been primarily assigned to investigate identity theft crimes.

I recently had the opportunity to cross train with some Internet based tools and techniques, and that led me to work on some child porn cases. But no matter what the crime, we mostly use the same basic tools: surveillance, search warrants, computer forensics, witness interviews, etc., coupled with a lot of report writing.

HTCIA: How long have you been an HTCIA member? What’s your favorite aspect about the organization?

EP: I am a bit lazy about maintaining memberships in professional organizations. I have been an HTCIA member off and on since around 2001. I was at the HTCIA conference in Long Beach when the World Trade Center and the Pentagon were attacked. There were some reports of possible cyber attacks that day also.

Those incidents turned out to be unrelated, but it did not seem at all unrelated at the time. The attendees and instructors were all trying to arrange to get back to their agencies without flying. I remember thinking that even though the attack was in cities on the other side of the continent, there were a lot of HTCIA members at that conference who were critical to the response in the following days and weeks.

HTCIA: Anything else you would like us to mention?

EP: If there is one thing I have learned from each assignment in my career, it is the importance of working with a good team. Starting with good partners in the jail and on patrol, to working at the Sacramento Valley Hi Tech Crimes Task Force, I know that many of my successes have been the result of working with great partners. This case was just one example.

Our Task Force has members that each bring unique experiences, skills, and tools to the team. The Kendrick investigation would not have been as smooth without the cooperation we have with the various partners on the Task Force.

When I needed to stop Kendrick as he was fleeing on the highway, we had a CHP partner who could make that happen. When I needed a background check run on the co-defendant, I had a partner with connections to NCMEC. When I was ready for the investigation to continue to Brazil, I had an FBI partner who could make that connection. When I needed to find residences and conduct interviews in Ione, I had an Amador County SO partner to help.

I see the membership with HTCIA in a similar way. The connections we make with other HTCIA members allows us to learn from each other’s experience, find experts for specific problems, and just learn what are the latest issues in the field.


Social Networking…in my pajamas: Cynthia Navarro teaches investigative skills

August 10, 2010

Proprietor of private investigation firm Finnegan’s Way, Cynthia Navarro has conducted online investigations for years. Her presentation, “Social Networking in My Pajamas,” will travel through the inner workings of search engines and networking sites, and under the covers of using Internet social engineering and tools to gather information:

Who are we going after, what do they look like, where do they go, who are their friends? And sometimes the biggest question, who are we? Understanding the vast amount of information that can be retrieved from the internet and the best tools for the project is your first start.

HTCIA: You say sometimes the biggest question is “Who are we?” Many investigators probably don’t think about that. What do you mean, and how should investigators answer?

CN: It’s important to ask yourself whether you’re giving away yourself, or your persona’s self. We have to think like the folks we’re trying to be, not ourselves – which is not easy! You have to go places and say things that are atypical for you, and you have to be believable.

For example, I once worked a case for a state medical board, and I was able to pretext based on real symptoms. You can choose to be knowledgeable or not, which is easy when your persona is a woman, because people want to help you out. You can also be obvious; when you’re researching for a client, say it’s “for my boss.”

Not everyone is comfortable with pretexting, and when it comes to vocabulary, it can be especially difficult with young people, because you have to stay on top of how they text and email each other.

HTCIA: What’s the difference between search and social engineering, and when should investigators use them? How can they tell when each is appropriate?

CN: Searching is when you are looking for particular information on your subject. If you are able to collect enough information without interaction from your subject, then normal searches via search engines, social networks, websites, business sites, etc. can work just perfectly.

However, if you’re unable to find that information based on your research, then creativity and online social engineering kicks in. You try to be part of the subject’s life/business with the outcome being information.

You may either need direct or indirect contact. Perhaps they have a private social network. You may want to open a profile that would allow you to appear in…say the same industry, circle of friends, interests, or sports. Or possibly become friends with their friends.

You are building on basic information to collect a piece of information here and there to finally have a complete profile on your subject.

HTCIA: How long have you used social networking in your investigations?

CN: I started with social networking before computers were on every investigator’s desk. Does that age me? I moved to the internet in 1996 for some Alta Vista postings of stolen product and have been doing it since.

HTCIA: What do you like to see from your lecture audiences?

CN: I love an interactive group, but for those that have a hard time staying awake, I’ve got a great water gun!

As long as they walk away with at least one new thing, then I’ve done my job. With the internet I am always learning something new…I just want to pass that knowledge to others.

HTCIA: How long have you been an HTCIA member?

CN: I believe it was 1991 or 1992. I do recall that there were very few investigators involved let alone women.

HTCIA: What’s the greatest benefit you derive from the organization?

CN: In two words, lasting relationships! The best example involves a police chief I met many years ago in Dublin, Ireland. In 1998 he asked me to help with a training program for the European Union; they wanted information on how U.S. investigators handled some things, so I and other members brought over and hosted him and his group on the West Coast (he also spent some time in New York City).

They then asked us to provide training in Europe, but the first time we tried to go, England had a foot and mouth epidemic [which affected the food and tourism industry]. The second time was just after 9/11, when no one was flying. We (about 4 or 5 of us) went anyway. And that relationship has continued, with this chief, because HTCIA members came together to help him out.

I’m always overwhelmed by the way HTCIA members always follow through, even if they have never seen each other. In the 18 years since I joined, I’ve maintained some kind of relationship with about 80 percent of my contacts. We know we can always call on each other, even to the extent that our relationships help with getting jobs!

Readers: Cynthia’s presentation will focus on the skills for search engine navigation, usage of terms, and key word searches that will assist in obtaining a more precise outcome. You will learn how to pull pieces of information from private profiles on social networking sites such as Facebook, mySpace, Mocospace, and LinkedIn. And most important, you can do all this from the comfort of your home in your pajamas!

Questions for Cynthia? Please let us know in comments!

Image: cw3283 via Flickr


Forensics under martial law: Lori Whalen talks more about the Ottawa Case Study

July 21, 2010

HTCIA Ottawa’s storyboard for its annual case study was so compelling that we wanted to find out more: did their scenario have anything to do with Toronto’s recent experience? What’s the purpose of their case studies? And what do attendees learn? We interviewed program director Lori Whalen:

HTCIA: This scenario is striking, coming just after the unrest in Toronto with the G20. How did you come up with the idea, and why?

LW: The Annual Fall Case Study’s purpose and focus is to identify trends and to expose our membership to new ideas in the field of investigation and security. This year’s study looks at security and investigations in an operational, in-field context, where time is critical, along with results. We look at how we can explore real-time practices, and the benefits, along with the challenges and requirements to perform the function in this study.

The topic was proposed in December 2009 for the Fall Case Study 2010. It takes considerable coordination to pull off our annual case studies, but it’s worth it!

HTCIA: What will the three different phases be? Do members need to attend all 3 to get the full benefit of the study, or can they attend just one or two?

LW: Each Phase of the Annual Fall Case Study focuses on a certain aspect of the scenario. Phase I is the introduction of the scenario, the issue, and the parties involved in the study. Phase II offers further review of the scenario, delves into the complexity of the situation and technical overview, and explores the real issues at hand. Phase III is the investigation, and the outcome of the investigation.

We also review the case study as a whole at the end of the presentation, and try to delve into any legal or policy issues that might arise from the scenario. As we begin each Phase, we recap the previous presentations, so if an attendee misses a session they are able to catch up in the study.

HTCIA: What’s the mix of policy, procedure & practices you hope attendees will take away from this study?

LW: During the Phases of the case studies we review policies, procedures and practices both current, and what the membership and attendees would like to see in the future to support the work of our community as a whole.

HTCIA: This is the third case study you’ve presented. What were the other two? What was your turnout for those, and what kind of feedback did you get?

LW: In the past we have hosted case studies on “Organized Crime in a Virtual World” and “The Illegal Practices of Competitive Intelligence and Industrial Espionage” from a tech crime perspective. These studies generate a large and well spread audience, which is a big draw for our membership.

HTCIA: Who typically shows up, and how do the case studies enhance their existing skills?

LW: As the case studies include a wide range of considerations, including physical security, the interests of law enforcement and the military, intelligence aspects, the law and technology, attendees are varied from many communities, including police agencies, government, consultants, military and defence, legal professionals, technology, and the private sector.

These studies offer preparation and awareness training, along with community interaction to solve and build a base of techniques and procedures for challenging and frontier oriented crimes and threats.

HTCIA: How did your chapter come up with the idea for annual case studies?

LW: We offer monthly program events that cover a particular topic. In response to membership input, we came up with the idea of hosting in-depth case studies to explore a scenario in its entirety. We host the annual study to bring awareness to future crimes and investigation realms that are burgeoning on the frontier.

The goal is interactive, to create discussion and awareness for investigators and security practitioners so that we better prepare the community for the future.

HTCIA: Anything else?

LW: The Annual Fall Case Study is a large event; it takes several months of consistent coordination, and industry knowledge to pull together the right resources, create a relevant and challenging scenario, and create a cohesive study between the speakers and presenters. The Board allocates a dedicated resource to this program activity, and that is a result of our lessons learned over the last three years. If other chapters are interested in hosting this kind of event we would be happy to share our lessons learned with them!

Lori can be contacted through her LinkedIn profile: http://ca.linkedin.com/in/loriwhalen.