2012 HTCIA Conference Call for Speakers

December 14, 2011

If you’ve considered presenting to other high tech crimes investigators in 2012, we hope you’ll submit a paper to us! As always, the 2012 HTCIA International Training Conference & Expo organizers seek to provide the best possible training on the latest topics in high technology crime by the best speakers available.

To this end we’re soliciting speakers for the conference in the following areas (not an exhaustive list):

  • Information security
  • Investigations (identity theft, child pornography, cyber crime, intellectual property theft, white-collar, and corporate)
  • Computer forensics
  • eDiscovery
  • Legal issues
  • Courtroom testimony techniques
  • Financial crimes – tax evasion & money laundering
  • International trends – situations – experience
  • White collar & corporate investigations
  • Legal issues – civil & criminal
  • Legal mock trial
  • Report writing for forensic examiners
  • Report writing for investigations

The 2012 HTCIA International Conference & Training Expo will be held September 16-19, at the Hershey Lodge, Hershey, PA. If you would like to speak on any of the above topics, or have a topic of your own, please contact Jimmy Garcia, chair of the Program Committee – jrgarcia@da.lacounty.gov. We look forward to hearing from you!


Rob Lee’s Super Timeline Analysis: A joint HTCIA/SANS COINS webcast

October 12, 2011

We are very pleased to announce a new joint event between us and SANS’ Community of Interest for Network Security (COINS): a one-hour webcast on Super Timeline Analysis featuring Rob Lee! The webcast, part of SANS’ complimentary series, will expand on the lab material Rob presented in Indian Wells, delivering an exciting and valuable webcast both for those who attended the labs as well as those who were unable to attend.

Over the past year investigators have started to use timeline analysis to help solve challenging cases.  Learn how to create and analyze automatic file system and artifact timelines during incident response and criminal investigations.

There is no cost to attend this event, but you do need to register at: https://www.sans.org/webcasts/htcia-coins-pleased-present-super-timeline-analysis-94739

Webcast Details

Date: Wednesday, October 26, 2011

Time: 8:00pm – 10:00pm (EDT)

Title: Super Timeline Analysis

Featuring: Rob Lee, SANS Faculty Fellow

For more information on the webcast contact Andrea Hogan: ahogan@sans.org.

HTCIA: A retrospective journey

October 4, 2011

Today’s post is a guest article written by one of our longest term members, Fred Cotton of our Northern California chapter. This year has marked 25 years since our organization was founded, and we appreciate the opportunity to learn about how we got to where we are — especially given our strategic plan for coming years. Thank you, Fred, for taking the time to write out your perspective!

The High Technology Crime Investigation Association has grown into the largest association of its kind in the world and it has been my honor and privilege to be a member of this organization since it was a single chapter located in Los Angeles, CA.

At that time (around 1988) it was an organization comprising law enforcement, prosecutors and corporate security personnel from high-technology firms fighting the rising tide of component theft across California. I was the Director of Training for SEARCH, the National Consortium for Justice Information and Statistics in Sacramento, CA and was developing a training course for law enforcement on computer crimes investigation. The members of the HTCIA were the ones on the front line of the battle against technology crimes in California. They graciously shared their experiences, techniques, successes and failures with me and helped shape the curriculum which grew to encompass the entire nation and many countries around the globe.

Early HTCIA members like John C. Smith, Jim Black, Abigail Abraham, Ken Citarella, Walker Lane, Joe Chiramonte, and Don Ingraham, to name just a few, gave of their time and experience to help develop training and technical assistance for investigators from across the nation. This in turn helped them fight the ever-increasing plethora of technology crimes.

It soon became apparent that this type of organization was a success and more investigators, prosecutors and corporate security personnel joined the team. The Los Angeles chapter grew and in 1989 the Silicon Valley Chapter was formed. The Northern California chapter followed the next year and soon chapters were being formed across the nation as word spread about the benefits of this cooperative model.

During the ensuing years, most of the investigators and investigation teams who successfully broke the most famous and complex cases of the day were proud members of the HTCIA. They developed innovative investigative and prosecutorial techniques as well as influenced the manufacturers of utility software to pursue the development of specialized tools for computer forensics. Their suggestions and requests helped shape the forensic software we all take for granted today.

As the technology advanced, the job of the individual HTCIA members became more complex and required more sophisticated training and more advanced software. It also became apparent that no single agency, no matter how large, was able to take the problem on alone. The cooperation and teamwork displayed between HTCIA members helped solve hundreds if not thousands of cases around the world.

Our corporate partners stepped up and helped our members learn about the new technologies being used in criminal enterprises and how attacks were being perpetrated against corporate enterprise systems. Our law enforcement partners worked tirelessly to investigate the facts of these cases and combine forensic science and computer science to recover critical evidence from deep within computers and networks. Our prosecutors fought to change antiquated laws, to counter defense arguments against computer evidence, and to see that justice was served. Our training organizations developed curriculum based on these success stories and brought up a whole new generation of members who proudly carry on the traditions of the HTCIA organization. Our software partners continue to develop software tools which are critical to the collection and preservation of computer evidence.

Today, the organization is global and boasts a membership in the thousands. Our members constitute the core of professionals who struggle daily with the ever-increasing tide of computer fraud and abuse. Cell phones and PDAs have been added to the already complex mix of communications technologies spawning new and innovative investigative protocols and techniques. This knowledge is shared among our members through chapter meetings and training conferences. As a result, HTCIA members continue to impact the safety and security of our nations.

Our creed has spread around the industrialized world and we have set the standard for cooperation and success. I am confident that the organization will continue to grow and stand at the forefront of technology crimes investigation for many years to come. Personally, it has been a wonderful experience to be a small part of it. The highest professional honor I have ever received has been the receipt of the first “Lifetime Achievement Award” from my peers at the HTCIA. I look forward to my continued participation in the HTCIA and the benefit I receive through association with the talented professionals who make up its membership.

Image: Jon Kristian via Flickr

Learning from the next generation: Student research at #HTCIACon

September 29, 2011

Jon Ford describes his Virtual Desktop research

Before the HTCIA conference, we blogged about a new style of presentation: student poster presentations, which would give graduate and undergraduate college students the chance to talk to professionals about their research.

Six students were on hand in Indian Wells, presenting on a wide range of topics from information security to law enforcement volunteer jobs:

Infosec and e-government

Tim Perez is a doctoral student at Dakota State University and is working on a dissertation entitled “E-Government Security Concerns for Municipal Government Entities.” Having worked for eight years as an information technologist for a local law enforcement agency, Perez sees that communities with small budgets and few regulatory requirements tend to focus less on security.

However, measures like online bill pay, which increase both efficiency and convenience, make security necessary because they deal with personally identifiable information. Perez’ research focuses on how to communicate these issues in a way that municipal managers will understand.

Learning incident response by doing

Another project that brought together law enforcement, security, and education was a Cal Poly Pomona Senior Project. Chris Curran, at the time a college professor and SoCal HTCIA Chapter President, approached students to design an entire scenario, from players to the crime to the resulting analysis.  The completed project would then be used as a final exam for other forensic students.

Student Steve Gabriel came up with the scenario involving a fictional disgruntled university IT employee, who had “stolen” critical source code and hidden it in a System 33 file when he went to a new job. Gabriel utilized multiple web browsers, along with Trillian instant-messaging and Outlook email software. Several other students played the other fictional roles, communicating and using digital media that was later imaged and provided as “suspect” evidence.

To find the evidence and create an answer key for Curran, Gabriel and the others used FTK, EnCase, AccessData’s Registry Viewer, and a SQLite database viewer. Gabriel said the project received good feedback for being an incident response-type case with multiple exploit layers and 25 gigabytes of evidence.

Security vs. performance with supercomputing

On the preventive side of network security was work that Cal State-San Bernardino students Kyle Sandoval, David Warner and Estevan Trujillo had done for the 2011 Computer System, Cluster and Networking Summer Institute at Los Alamos National Laboratories. Their research broke ground on the cost of deploying firewalls on each node of a supercomputing cluster, rather than on the 4,000-node cluster as a whole.

The reason: security measures should always be installed on each separate computer, but supercomputers are so expensive to power that even a five percent drop in computational performance – such as what a firewall might result in – can exponentially add to their cost.

Thus in their project, Sandoval, Warner and Trujillo used a Linux cluster and created multiple IPTables rule sets. They used these to run a series of benchmarking tools that measured bandwidth, latency, and MPI job performance. They wanted to determine what performance implications an IPTables firewall had on a cluster.

With just 10 test machines and a 6-week period, the research concluded simply that more research was needed – and the students anticipate that the lab will continue their work.

Virtualization for mobile device management

Jonathan Ford is a student at Cal State University and a volunteer for a nearby sheriff’s department, which was starting to provide official-use iPads to its officers. A number of issues presented themselves with that initiative:

First, the iPads’ remote access to a virtual machine would work for 10 to 20 users, but large numbers – the kind that would be seen on an average shift – made the virtual machine unstable and caused it to crash. Second, different users would need different levels of access to records depending on their role. Finally, to minimize the risk from vulnerabilities – not just on iPads, but also on the other 3,000 or so disparate devices in use – the agency needed a way to manage a variety of operating systems, software and users.

Ford’s answer: a Virtual Desktop, which would save both time and money by enabling:

  • upgrades and patches to occur just once rather than for each system
  • data to be stored on a server
  • administrators to keep a list of which users had access to which software applications

The second part of Ford’s research shows law enforcement agencies the benefits of integrating academic research into their everyday operations. “Many agencies cannot hire full-time employees, but they still need support with computer forensics and security – the fields students want experience in,” he says. “Writing grants for research means each can get what they need.”

How law enforcement can benefit from student volunteers

Cal State-Sacramento student Alex Krepelka had earned a GCFA and wanted to use it. But he didn’t just stop at volunteering for the Butte County District Attorney’s Office – he turned it into research, the better to help law enforcement develop their own computer forensics and security volunteer programs.

Krepelka thinks it would help if agencies could fall back on a set of national standards for forensic investigations that will go to trial – from county to county, some agencies allow for volunteers while others do not, but many agencies have backlogs of hundreds of cases. He also thinks that if students knew they could get valuable real-world experience from organizations that needed their expertise, more would study computer security and forensics.

The value of HTCIA student affiliations

Krepelka believes that organizations like the HTCIA can help – and that’s where the final research project comes in. Austin Pham, a student at Cal Poly Pomona, presented on the Forensic and Security Technology (FAST) organization, HTCIA’s student charter at that school. FAST affords students the opportunity to take workshops on data acquisition, analysis and reporting – as well as on industry standard forensic tools, including EnCase and FTK.

This is thanks to its affiliation with the HTCIA SoCal chapter and the forensic professionals who are members there. “We hold six meetings a quarter and some training workshops throughout the year,” says Pham, “and we always get great turnout.” During the student charter’s first signing, in fact, 25+ students expressed interest in membership, and the organization has grown ever since.

Pham added that he and other FAST students had all volunteered to assist with our conference, because of all that HTCIA had invested in them. They registered participants, directed attendees to lecture and lab rooms, and assisted presenters with equipment and other needs.

All six student presenters told us that they had seen a good amount of foot traffic, which resulted in some good comments and questions – especially those for whom the topics hit home. The feedback will help them validate and refine their research, ultimately making it stronger for the entire community.

Anna Carlin, the instructor who coordinated the presentation, adds that the students themselves benefit in a variety of ways: not just with the ability to conduct more credible research, but also with exposure to the very professionals who are in a position to give them jobs or grants.

Did you meet our students in Indian Wells? Want to see future research presented at our conferences? Leave us a comment and let us know what you think!

Recalling the 2011 HTCIA International Conference

September 20, 2011

It’s already been a week since we packed dozens of lectures, 14 hands-on labs, and a sold-out expo hall into our three days at Indian Wells. Here’s a run-down of some of our highlights:

Monday: Cliff Stoll, and Vendor Showcases

The day (and conference) started off strong with Clifford Stoll’s keynote. Clear about the fact that he was making a presentation he first gave in 1986 – and has given several times since then – Stoll nonetheless kept his audience entertained and educated, presenting “evergreen” material that is as relevant today as it was 25 years ago. Among his highlights:

[Images: Cliff Stoll on the ARPANET hacking investigation; Cliff Stoll networking demonstration; Cliff Stoll on investigation budgets and mandates]

Northern California member Ira Victor followed up with an in-depth interview of Cliff, which he recorded for his Cyber Jungle podcast.

Following the day’s main lab and lecture events, Platinum sponsors Micro Systemation AB and AccessData showcased new products in the Emerald ballrooms.

Amid music, hors d’oeuvres and drinks, MSAB unveiled the worldwide preview of XRY 6.0, including an improved user interface, better export options, and Watchlist automation. MSAB will be providing training at our Philadelphia/Delaware Valley chapter in October, followed by training in South Florida in late October-early November. They’re available to come to any chapter needing mobile phone forensics training – is yours one of them?

Meanwhile, AccessData’s Keith Lockhart talked a bit about Early Case Assessment. During the well-attended and well-received presentation, Lockhart went through this e-discovery product, discussing features such as its ability to filter large amounts of data, to handle collaborative web-based review of that same data, and most of all, its immediate cost savings for forensic and legal teams.

And after all was said and done, participants gathered at the Stir Nightclub on-site for the traditional Northeast Chapter Party!

Tuesday: What we liked best, and our Annual Banquet

Just to keep abreast of what was going on from our participants’ point of view, we asked what they liked best about our conference. Some of the responses:

In the evening came our banquet, a richly rewarding experience that started with drummers from the intercollegiate musical group Senryu Taiko and ended with a hilarious comedy routine from “The Lovemaster,” Craig Shoemaker. In between we enjoyed ribeye steak, a 25th Anniversary chocolate torte, and opening for Craig, comedian Richard Aronovitch.

But the evening’s core lay in our awards ceremonies, where we presented plaques to the winners of our Case of the Year, Chapter of the Year, and Lifetime Achievement Awards. This year, as last year, the Case of the Year winners got a standing ovation for their hard work in putting a killer behind bars. And contenders for Chapter of the Year got a challenge: give SoCal a run for their money!

HTCIA 2011 Case of the Year winners Eichbaum, Cook, Sunseri & Maloney

HTCIA 2011 Lifetime Achievement Award winner Ken Citarella, Northeast Chapter

HTCIA 2011 Chapter of the Year: Southern California's board members

Wednesday: Wrapping up great learning experiences

By Wednesday everyone’s brains were just about full, but our labs and lectures enjoyed good attendance nonetheless:

Other conference highlights: lunchtime raffles, international tweets & still more networking

Lunchtimes offered good food and great prizes. Over chicken and pasta (Monday), cold cuts (Tuesday), and Chinese cooking (Wednesday), participants had the chance to buy tickets to enter our raffles. Giveaways included:

Vendors got in on the action too:

If you were following our hashtag #HTCIACon on Twitter, you may have noticed a few foreign-language tweets. As an international organization, we love to see our members reaching out to their own communities in their native languages. Spanish and Dutch participants did exactly that, including a longer blog post by member and presenter Andres Velazquez.

HTCIA conferences would be nothing without networking and the exchange of amazing ideas. Jim Hoerricks wrote about it, and posted some of those ideas in his blog. We also heard from Albert Barsocchini, who came with an e-discovery perspective.

Did you write or podcast about the HTCIA conference or good outcomes you gleaned? Please let us know in comments!

Pre-conference: An eye toward the future days… and years

September 12, 2011

Sunday, Sept. 11 saw us start to welcome our conference participants, have some fun with those who arrived early, and make some plans – not just for the days, but also for the years ahead:

Our earliest event, the 8 a.m. golf tourney, had a successful 42-player turnout. Sally Vesley, marketing communications manager with tourney sponsor CRU-Dataport/WiebeTech, says it was one of the most fun workdays she has ever had. “They were great golfers,” she says. “We gave away four pairs of golf shoes, a golf cart, and of course USB write blockers.” The write blockers went to the top 3 winners:

  • Jim Keith, Closest to Pin
  • Terry Willis, Longest Drive (and winner of the whole tourney)
  • Brian Collins, part of the winning team

Vesley also says she’s planning another tourney for next year’s conference in Hershey, Pennsylvania.

At 11 a.m. registration opened to welcome our first conference participants. Many had arrived the night before or that morning, and lined up to get their badges and conference materials, including shirts and pins, our program, and free software.

Also at 11 a.m., the expo hall opened so that the vendors could set up their booths in advance of the Vendor Reception planned for the evening. Notable exhibits: Wireshark University’s tropical tiki display (complete with network-devouring shark!), and Paraben’s crime-scene contest. Both sponsors are giving away free stuff: Paraben is making its Chat Examiner software available to participants, while Wireshark U. is providing one-year All Access Passes to its training!

At 1 p.m., chapter presidents (or board representatives) gathered for the International Board of Directors meeting. Among the items discussed there:

  • Membership, including student membership. We currently stand with 38 chapters and 17 student charters, 3,227 members and 214 student members. Our student members continue to be an outstanding addition to our organization, providing needed research and volunteer work to support our regular members.
  • Internet Safety for Children (ISFC). Shadi Hayden, of our Silicon Valley chapter, talked about the renewed interest in the ISFC, which had seen much success in the mid-2000s. Shadi has been working hard to recruit regional volunteers to help with website content and outreach to allied organizations like Internet Crimes Against Children (ICAC) task forces and the OJJDP, so that the ISFC can be a conduit of information between public and private sector investigators. This conduit will include an ISFC website “facelift,” which will allow us to share information both publicly and for member investigators only.
  • Strategic Planning & Communications. In July a Strategic Planning Committee came together to chart the HTCIA’s course over the next five years and beyond. The committee performed a SWOT analysis, determined its goals and strategic objectives, and came up with ideas needed to drive the HTCIA toward those objectives – including a new website, better training and education, and improved communications.
  • The Consortium of Digital Forensics Specialists. Incorporated this year as a way to consolidate the voice of the digital forensics profession, the CDFS asked the HTCIA to become a collective nonprofit member of this complementary (not competing) organization. Board members voted to join – we’ll be sure to update you on future developments as we support this newest organization!

Officers also took care of organization business, including votes on bylaw changes and on International Executive Committee members for the coming year. Joining incoming International President Ron Wilczynski (Northern California) will be: 1st Vice President Tom Quilty (Silicon Valley), 2nd Vice President Jimmy Garcia (Southern California), Secretary Peter Morin (Atlantic Canada), and Treasurer Jose Soltero (Southern California).

Finally, we wish to remember all our members who were affected ten years ago by the 9/11 terrorist attacks. From our New York City members who lost friends and family members – or responded – at the World Trade Center, to other members who committed quantities of time and energy to investigating terrorism, we keep you in our thoughts and our hearts. Your spirit is reflected in the words of our Northeast member Cynthia Hetherington, who was supposed to be aboard United 93:

View more of our photos from pre-conference events and setup at our Facebook page. Be sure to “like” our page while you’re there, so you can see the latest updates over the next few days!

2011 Report on Cybercrime Investigation now available!

September 9, 2011

We’re pleased to announce that we’ve released our 2011 Report on Cyber Crime Investigation. The second report of its kind that we’ve produced, this document is the result of members’ responses to a survey we asked them to complete earlier in the summer. We compared the data we found from one year to the next, and as we note in our executive summary, the outcomes were similar — with a few twists. Among them:

  • Need for improvement in information sharing. We saw a decrease in the frequency of information sharing between this year and last year, which we felt indicates that members and others in the community need better support with their efforts — not just with one another, but also with academic institutions and private companies.
  • Need for better training at multiple levels. Civilians, judges, prosecutors and even middle and upper level management can have a hard time understanding cyber crimes. Computers and the Internet add layers of abstraction to crime; it is harder to find and collect evidence from multiple devices, and victims can be scattered across the country (or in some cases, the world). Investigators may find it difficult to explain these complexities, but without understanding, decision-makers find it easier to budget scarce resources to (or in judges’ case, set legal precedent for) crimes they do understand, can see, and have a measurable impact on, like narcotics or property crimes.

We encourage you to download and read the report — and share your thoughts. Are these similar to trends you’ve seen? What would you like to see in next year’s report?