February for HTCIA: Chapter meetings and other notable events

February 3, 2012

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got four upcoming special events as well as regular chapter meetings this month:

HTCIA Chapter Meetings

February 7

HTCIA Ottawa will present “Inclusion of Forensic Video Analysis Within an Agency’s Digital Forensic Program” in Russell’s Lounge at the Ottawa Police Association from 5:30-8 p.m. Jeff Spivack, an IAI Board Certified Forensic Video Examiner, will demonstrate how forensic multimedia analysts obtain investigative leads and actionable intelligence from files that might otherwise be discarded.

Spivack has worked as a Forensic Multimedia Analyst with the Las Vegas Metropolitan Police Department, and has been accepted as an expert witness in courts throughout the U.S. In addition to conducting case work, Jeff is also Cognitech, Inc.’s Forensic Video Software Certification Instructor, and Senior Instructor of Video Forensics for Forensic Data Recovery, Inc., Cognitech’s Canadian affiliate.

For more information and to register, see the Ottawa HTCIA website. Non-HTCIA members are welcome for a guest fee of $15.00.

Also on February 7, our Southern California chapter will hold a joint meeting with ISACA Los Angeles. The dinner meeting at Monterey Hill Restaurant (3700 W Ramona Blvd., Monterey Park, CA) runs from 5:30-8:30 p.m.; the presentation is a computer forensics case study.

Guidance Software’s head of Risk Management, Andy Spruill, will give his first-hand account of Victor Stanley, Inc. v. Creative Pipe, Inc., the intellectual property theft case that produced not one but two landmark legal decisions in the world of digital forensics and eDiscovery. To register, please visit ISACA LA’s website.

February 9

Atlanta HTCIA will present “Forensics in your PJs” from 7:30-9:30 a.m. A breakfast meeting at American InterContinental University in Dunwoody, Georgia, the meeting will show you how to use various resources and tools on the internet to gather data. From Facebook to blogs, learn what you can find out while sitting in your PJs!

Speaker Buffy Christie is Senior Director of Equifax Global Security. Buffy has a BS in Criminal Justice, Forensic Science. She is a CFE (Certified Fraud Examiner) and is President of the Southeastern IAFCI (International Association of Financial Crimes Investigators).

To register for this event, visit Atlanta HTCIA’s EventBrite page.

February 10

Texas Gulf Coast HTCIA will meet from 1:00-3:00 p.m. at the FBI Greater Houston Regional Computer Forensics Laboratory. Those planning to attend will need to be vetted by the FBI prior to the meeting. In order to attend, contact Ms. Julie Campbell, Receptionist, Pathway Forensics (713.301.3380) and provide her with your name, DOB and DL#. Chapter members should also RSVP to the Evite invitation that was sent to the e-mail account on file with HTCIA International.

February 14

Midwest HTCIA is offering an Android forensics and software demo by Christopher Triplett, Sr. Forensic Engineer of viaForensics. From 8:30-11:30 a.m., Mr. Triplett will cover Android File Systems, Android Forensic Analysis Techniques, and a demonstration of viaForensics’ viaExtract product.

Midwest HTCIA’s chapter meetings are located in Oakbrook Terrace, IL at the ICE office (16th floor, Oakbrook Terrace Tower).

February 15

Minnesota HTCIA will meet in the Ridgedale Library, RHR West Room in Minnetonka.

February 16

Member Mike Wilkinson’s monthly DFIR Online Meetup will feature Peter Coons and John Clingerman providing e-discovery case studies, along with Jonathan Rajewski speaking on “N unaqf ba (cra/cncre) rkrepvfr va onfvp pelcgbybtl/pelcgnanylfvf”… or, “A hands on (pen/paper) exercise in basic cryptology/cryptanalysis.” Join in at 8:00 p.m.!
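The talk title above is ROT13, the simplest member of the Caesar-shift family, and recovering it without being told the shift is exactly the kind of pen-and-paper exercise the meetup advertises. The following is an added example, not code from the post or from the meetup: it brute-forces all 26 shifts and picks the one whose letter distribution is closest to English using a chi-squared score. The ciphertext constant is the title quoted above; the frequency table is an approximation of published English letter frequencies.

```python
"""Brute-force a Caesar/ROT-n cipher and pick the shift by English letter
frequency (chi-squared). Added example; ciphertext is the ROT13 talk title
quoted in the HTCIA post."""
from string import ascii_lowercase

# Approximate English letter frequencies (percent), a..z.
ENGLISH_FREQ = {
    'a': 8.167, 'b': 1.492, 'c': 2.782, 'd': 4.253, 'e': 12.702, 'f': 2.228,
    'g': 2.015, 'h': 6.094, 'i': 6.966, 'j': 0.153, 'k': 0.772, 'l': 4.025,
    'm': 2.406, 'n': 6.749, 'o': 7.507, 'p': 1.929, 'q': 0.095, 'r': 5.987,
    's': 6.327, 't': 9.056, 'u': 2.758, 'v': 0.978, 'w': 2.360, 'x': 0.150,
    'y': 1.974, 'z': 0.074,
}

# Ciphertext taken from the post (ROT13 of the talk title).
CIPHERTEXT = "N unaqf ba (cra/cncre) rkrepvfr va onfvp pelcgbybtl/pelcgnanylfvf"


def shift_text(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` places, keeping case and leaving
    punctuation, digits and spaces untouched. ROT13 is shift_text(t, 13),
    and because 13 + 13 == 26 it is its own inverse."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return ''.join(out)


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and the counts English
    would predict for the same number of letters; lower is more English-like.
    Rare letters (j, q, x, z) have tiny expected counts, so a wrong shift that
    maps a common plaintext letter onto one of them is penalised heavily."""
    letters = [c for c in text.lower() if c in ascii_lowercase]
    n = len(letters)
    if n == 0:
        return float('inf')
    score = 0.0
    for letter in ascii_lowercase:
        expected = ENGLISH_FREQ[letter] / 100.0 * n
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def crack_caesar(ciphertext: str):
    """Try every key 0..25, undo it, score the candidate plaintext.
    Returns (best_key, plaintext, ranked) where ranked is [(score, key), ...]
    from best to worst so a caller can inspect the runners-up."""
    ranked = sorted((chi_squared(shift_text(ciphertext, -k)), k) for k in range(26))
    _, best_key = ranked[0]
    return best_key, shift_text(ciphertext, -best_key), ranked


if __name__ == "__main__":
    key, plain, ranked = crack_caesar(CIPHERTEXT)
    print(f"key={key}  score={ranked[0][0]:.1f}  plaintext={plain!r}")
    for score, k in ranked[1:4]:
        print(f"  runner-up key={k:2d} score={score:.1f}: {shift_text(CIPHERTEXT, -k)!r}")
```

With only about fifty letters the correct shift still wins by a wide margin here, but on very short messages the chi-squared ranking can be fooled; printing the runners-up, as the script does, is the usual sanity check.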

February 17

Washington state HTCIA will meet from 10 a.m. to 12 p.m. Topic and speaker are both TBD.

February 21

Central Valley HTCIA will meet at 12:00 noon at the Stanislaus County Sheriff’s Office, 250 East Hackett Road in Modesto, CA. Tentative topics are a presentation on Tor by Cullen Byrne and an update on the group Anonymous by an FBI representative. Lunch will be provided.

Austin HTCIA, meanwhile, will meet from 1:30-3 p.m. at the REJ Building. Rick Andrews will go over navigation in EnCase v7. Come with questions!

February 22

Atlantic Canada HTCIA will meet from 5:30-7:30 p.m. with Jan Cox from Oracle presenting on the topic of SQL injection, among other things. An update on the chapter’s conference planning efforts will also take place.

February 24

From 11:00 a.m.-3:00 p.m. at University Hall, Room 465 (51 Goodman Dr. in Cincinnati), Ohio HTCIA will offer a presentation on Incident Response: Live Memory Capture and Analysis. Presenter Justin Hall has 15 years of experience in the information technology field and has spent the last seven focused on information security.

Mr. Hall is currently a security architect for CBTS, a technology services provider in the Cincinnati area – consulting with the firm’s enterprise customers in developing vulnerability management, incident response, and endpoint & network defense programs. He is a frequent speaker at information security community events, a SANS mentor, and holds a GCIH, GCFA and GPEN.

Following Mr. Hall’s presentation, lunch will be provided and the chapter’s business meeting conducted.

Also on Friday, our Kentucky chapter will meet at 1:00 p.m. at the Boone County Sheriff’s Office. Tom Webster will present on Internet Evidence Finder.

February 29

San Diego HTCIA will meet at the Admiral Baker Clubhouse in San Diego. Lunch will be served at 11:30, with the presentation (yet to be determined) running from 12:00-1:00 p.m. HTCIA members are also welcome to attend the 10 a.m. board meeting that day.

Lunch is free for all current members, $20 for guests, and $35 for new members with completed HTCIA membership forms. RSVP is required, so please RSVP ASAP to treasurer@htcia-sd.org! This will assist in planning for seating and food requirements.

Northern California HTCIA will also be meeting on February 29. Topic and location to be determined.

Special Training Events

February 6-11: SANS COINS event coming to Los Angeles!

Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations - Windows In-Depth, will run in sunny Los Angeles, CA, February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must have to investigate computer incidents successfully. You will learn how computer forensic analysts collect and analyze data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 includes a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. HTCIA members can save an additional 10% off tuition by entering Discount Code “COINS10”! Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs/

February 15

ISSA Ottawa and Women in Defence & Security will be co-hosting a National Capital Security Partners’ Forum event featuring Marene Allison, VP & CISO of Johnson and Johnson. The opening speaker will be Rennie Marcoux, Assistant Secretary to the Cabinet (PCO); the closing speaker will be Carol Osler, VP Physical Security, TD Bank. For more information and to register, see http://www1.carleton.ca/npsia/upcoming-events/4409-2

February 20-24

Free law enforcement training! Minnesota HTCIA is advertising “Fighting Cyber Crime”, 40 POST credits’ worth of courses at the St Cloud State Campus. The training is a response to the increased ease with which people can access the Internet to commit crimes, as well as the increased emphasis on issues of homeland security. Participants will learn ways to uncover, protect, and exploit digital evidence to respond to crimes. Register via the course flyer at http://www.mn-htcia.org/documents/Cybercrimecourseflyer.pdf.

February 27-March 1

The New York District Attorney’s Office has partnered with the National White Collar Crime Center to offer Cybercop 101 – Basic Data Recovery & Acquisition (BDRA) to qualified members. This four-day course teaches the fundamentals of computer operations and hardware function, and how to protect, preserve and image digital evidence.

This class introduces participants to the unique skills, best practices and methodologies necessary to assist in the investigation and prosecution of computer crime. It includes presentations and hands-on instruction on such topics as Partitioning, Formatting, Data Storage, Hardware and Software write blockers, the Boot Up process, and Duplicate Imaging. Register here for this and future courses!

REMEMBER: To get discounts or free training (where applicable), you must be a member. Please join or renew your 2012 membership today!


Learning about solid state drives: 2 perspectives

July 6, 2011

In Indian Wells come September, our Cyber Investigations/Forensics lecture track will feature two presentations on the next major trend in data storage: solid state drives, which behave much more like memory than like conventional hard drives, and whose contents are therefore far more volatile from a forensic examiner’s point of view.

On Monday, Sept. 12, James Wiebe of CRU-DataPort/WiebeTech (Bronze sponsor of the conference along with the 1st annual HTCIA Golf Classic) will present “Solid State Storage for Forensic Investigators.” The following day, Scott Moulton of My Hard Drive Died, LLC will present “Solid State Drives & How They Work for Data Recovery & Forensics.” We talked a little with James and Scott about their presentations and what examiners can expect:

HTCIA: How is a SSD physically different from a hard drive, and what does this mean for forensics?

JW: SSD uses silicon chips (integrated circuits) and is neither organized nor erased like conventional rotating media. As a result, investigators have new challenges in obtaining information (evidence) from SSDs.

SM: The main difference between a USB thumbdrive and a Solid State Disk (actually they are both Solid State Disks, but the term has lost some of its meaning, like “gateway” and “router” have) is that a thumbdrive is a host-based device, meaning that it uses your CPU, whereas a SSD has its own processor.

There are many smaller differences, such as where the responsibility lies for doing management functions. The SSD is responsible for processing this data with only power applied, and since it has a processor it can; a USB thumbdrive, however, can’t, because it requires your host processor to accomplish the task. For forensics, this has a great impact on how data is handled, because the SSD can start running software routines on the data when only power is applied.

HTCIA to JW: What is the advantage of a SSD over conventional platters? What are the disadvantages?

JW: SSD advantages include fast start, because the drive doesn’t have to spin up, and fast random access, because there is no physical search across the drive. Parallel reads and writes are possible. There are no moving parts, so it’s silent and doesn’t consume as much power. SSDs have immunity from both shock and magnetics, and they are much smaller than conventional hard drives.

Disadvantages are more complicated. The cells have a limited lifetime, so special file systems or firmware designs can mitigate this problem by spreading writes over the entire device, called wear leveling. However, this process introduces its own issues. Wear leveling on flash SSD has encryption implications, and causes fragmentation; defragmentation is harmful because it causes additional use of the drive, wearing it out with no benefit. And for forensic exams, wear leveled sectors are outside of accessible space.

Aside from issues with wear leveling, secure wipe is difficult or impossible on flash SSD. SSDs present significant asymmetric read and write performance. SATA SSDs have writing slowness amplification, because of large block sizes. Extra commands (e.g., TRIM) require additional OS overhead for best support. And SSDs are expensive.

HTCIA: Mobile forensic examiners are using “chip off” techniques to recover data from NAND solid state memory. Will this technique become common as more SSDs are adopted for PCs as well?

JW: Probably!

SM: Removing NAND chips to recover the data, I believe, will become much more complex as we continue forward. I am already seeing a large number of chips starting to use encryption to store the data on the NAND.

It is more likely in the future that we will “convince” certain companies to add diagnostic functions to allow us to read raw data. Currently, since SSDs are in their infancy, we are running into a lot of “intellectual property” issues, which might diminish over time as several companies become the winners in the industry. [At that point] they will improve their techniques, allowing better results for higher end devices, giving access to the raw data.

[At this time] none of this is really possible, but I am doubtful we will be able to continue using, in the future, the raw read techniques we are using now [owing to the wear leveling process described above].

I also think it is more likely that cell phones will start using more of the SSD technology.

HTCIA: What do you project as being the timeframe for widespread adoption?

JW: I expect to see SSDs in widespread use in almost all portable computing products within the next 18 months.

SM: I think that SSDs will take over all mobile platforms over the next two years. I think that desktops and servers will remain mostly the way they are, with little change in the direction of SSD. It makes sense that SSDs will move more towards complete laptop domination, just due to their resilience to the movement that often damages laptop drives.

HTCIA: What is the best way for forensic examiners to prepare for these eventualities?

JW: Why, by attending my lecture, of course! 🙂 One big theme is that forensic examiners need to have the understanding that SSDs are far more easily erased than rotating media: Plan on acquisition quickly.

SM: My data recovery class is a great way for forensic examiners to prepare, but in addition to that I think that forensic teams will need to focus more on electronics and soldering techniques for future repairs and data collection. It is becoming very common to have to solder or desolder devices in order to repair or collect data from these devices.

HTCIA to SM: Your perspective is as a data recovery expert. Will computer forensic examiners need to take more of a “recovery” approach to data than “forensic,” as they do with mobile devices? Will this mean challenges to describe their methodology in court?

SM: I think that a forensic examiner can be greatly enhanced by understanding the media, not only for acquiring the data, but for explaining it in court. I hear a number of times how much they think they know about the media, and often they are surprised when I start talking about items such as firmware and bad block tables and how they work. These devices are completely misunderstood.

A second important fact is that most forensics begins with good data; however, without getting any data you have no case at all. Being able to acquire that data is extremely important or you are limiting your job in the future.

One example I can state is about all those forensic imaging software packages. FTK Imager or EnCase will pad bad blocks with 0’s, but in data recovery we can often acquire some — if not all — of the content from a bad sector. Instead of having 0’s, we will get a more accurate image than forensic packages do.

It is very important to understand what a long read is, or what [error correction codes] do to the sector in order to get and use that data, but our result is much better than the current forensic tools that acquire images. Not understanding data recovery and relying on forensic only means puts forensic investigators at a distinct disadvantage.

As for the challenges in actual court cases, the truth of the matter is that anything we are describing is very difficult and I find that most of the time much of what we are doing will not be included in a case due to the complexity. Lawyers have often looked at the data, and the investigation components that point to how something occurred, but they will eliminate the items they think are too complex, only using the finest picture they can develop to be less confusing to make their case.
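Scott’s point about imagers silently padding bad sectors with zeros is worth seeing in code. The following is an added example and is not code from the post, from EnCase or from FTK Imager: a sequential imager that reads in multi-sector chunks, drops to single-sector reads with retries when a chunk fails, zero-fills what still cannot be read, and records both the zero-filled sectors and the sectors that only came back after a retry, alongside the image hash. Per-sector retries are only a crude stand-in for the firmware-level “long reads” a data recovery lab uses; the point the example makes is that any padding must be logged so the examiner can state exactly which offsets in the image are not evidence. The block device is a constructed in-memory stand-in with deterministic read failures so the example runs offline; on a real system the same logic would sit over a write-blocked raw device.

```python
"""Sector-level imaging with retries and a bad-sector map.

Added example for the HTCIA SSD interview; not code from the post or from
any forensic product it mentions. FlakyDevice is a constructed stand-in for
a raw block device (os.pread-style interface) with injected read failures."""
import hashlib
from dataclasses import dataclass, field

SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a raw device.

    `transient` maps sector -> number of failed reads before it succeeds
    (a weak sector that a retry / long read can still recover);
    `dead` is the set of sectors that never read."""

    def __init__(self, data: bytes, transient=None, dead=()):
        assert len(data) % SECTOR == 0
        self.data = data
        self.transient = dict(transient or {})
        self.dead = set(dead)

    def size(self) -> int:
        return len(self.data)

    def pread(self, length: int, offset: int) -> bytes:
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        for sec in range(first, last + 1):
            if sec in self.dead:
                raise OSError(5, "Input/output error")
            if self.transient.get(sec, 0) > 0:
                self.transient[sec] -= 1
                raise OSError(5, "Input/output error")
        return self.data[offset:offset + length]


@dataclass
class ImageResult:
    image: bytes
    sha256: str
    bad_sectors: list = field(default_factory=list)  # zero-filled, never read
    recovered: list = field(default_factory=list)    # read only after a retry


def _read_sector_with_retry(dev, sec: int, retries: int, res: ImageResult) -> bytes:
    """Single-sector read with up to `retries` attempts. A sector that still
    fails is zero-filled, exactly as the post says forensic imagers do, but
    its number goes into res.bad_sectors instead of vanishing silently."""
    for attempt in range(1, retries + 1):
        try:
            data = dev.pread(SECTOR, sec * SECTOR)
        except OSError:
            continue
        if attempt > 1:
            res.recovered.append(sec)
        return data
    res.bad_sectors.append(sec)
    return bytes(SECTOR)


def image_device(dev, chunk_sectors: int = 8, retries: int = 3) -> ImageResult:
    """Image `dev` front to back. Fast path reads `chunk_sectors` at a time;
    when a chunk raises an I/O error it is re-read one sector at a time so a
    single bad sector costs only itself, not the whole chunk."""
    res = ImageResult(image=b"", sha256="")
    out = bytearray()
    digest = hashlib.sha256()
    total = dev.size() // SECTOR
    sec = 0
    while sec < total:
        n = min(chunk_sectors, total - sec)
        try:
            buf = dev.pread(n * SECTOR, sec * SECTOR)
        except OSError:
            buf = b"".join(_read_sector_with_retry(dev, s, retries, res)
                           for s in range(sec, sec + n))
        out += buf
        digest.update(buf)
        sec += n
    res.image = bytes(out)
    res.sha256 = digest.hexdigest()
    return res


def verify_image(res: ImageResult) -> bool:
    """Re-hash the stored image and compare with the hash taken during
    acquisition; the zero-filled sectors are part of what is hashed, which is
    why the bad-sector map has to travel with the hash in the case notes."""
    return hashlib.sha256(res.image).hexdigest() == res.sha256


if __name__ == "__main__":
    # Constructed 16-sector "drive": sector i is filled with byte value i.
    # Sector 5 is dead; sector 9 fails twice and then reads cleanly.
    data = b"".join(bytes([i]) * SECTOR for i in range(16))
    result = image_device(FlakyDevice(data, transient={9: 2}, dead={5}))
    print("sha256:", result.sha256)
    print("zero-filled sectors:", result.bad_sectors)
    print("recovered after retry:", result.recovered)
```

On the constructed device the image comes back with sector 5 zero-filled and listed in `bad_sectors`, sector 9 present with its real content and listed in `recovered`, and everything else byte-identical to the source. An imager that only reported the hash would give the examiner no way to tell those two sectors apart from good ones.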

Thanks to both James Wiebe and Scott Moulton for your insights — we look forward to seeing your presentations in Indian Wells this coming September! Readers, to attend these lectures, please register for the conference here: https://www.htciaconference.org/registration.html

Image: Andres Rueda via Flickr