January HTCIA news and events

January 9, 2012

Before we run down the list of January chapter events, we’d like to draw your attention to two new chapter website redesigns. HTCIA Asia-Pacific will contain all-new and updated content, having migrated from the old htcia.org.hk. Visit President Frank Law’s blog post to read more details, and be sure to follow HTCIA-APAC in its various social site locations!

Meanwhile, our Midwest chapter is building out its site with new content weekly, including Tips of the Week, listings of forensic tools, and of course updates on chapter meetings and events.

Visit the new sites, subscribe to their RSS feeds and learn from what they offer!

Upcoming January HTCIA meetings

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got two upcoming special events as well as regular chapter meetings this month. Where available, we’ve posted meeting details; if none are available, we encourage you to visit the chapter website (linked below) and get in touch with the officers to learn more.

January 11

HTCIA Atlantic Canada Chapter Meeting, 5:30pm – 7:30pm. Eric Jones of Absolute Software (maker of LoJack and Computrace computer tracking software) will be focusing on the use of these tools for geolocation, forensics, and law enforcement.

The Atlantic Canada chapter meets in two physical locations:

  • Fredericton New Brunswick at 64 Allison Blvd.
  • Dartmouth Nova Scotia, 45 Alderney Dr.

There’s also a telephone conference line and a WebEx conference for those who can’t make it to the physical locations. Contact the chapter for more information!

January 12

Atlanta HTCIA will be holding Log2Timeline open source tool training from 11:30AM – 1:00PM at American InterContinental University’s Dunwoody, GA campus. Log2Timeline is used to create a “SuperTimeline” to help determine the sequence of events based on logs and artifacts found in a forensic image of a Windows based system.

Speaker Rodger Wille has been working incident response and forensics within the Federal Government for over 10 years.  Rodger is currently the Digital Forensic Services Team lead for a Federal Agency based in Atlanta, where he is responsible for conducting digital forensic and malware analysis in response to computer intrusions and malware incidents.

January 13

Texas Gulf Coast HTCIA will be holding an “overview” type meeting from 1:00 PM – 3:00 PM (following an 11:30 a.m. social networking lunch at JAX Grill) at the United Way Community Resource Center. This meeting will focus on the meetings for 2012 and will include possible topics, speakers and training session(s). Please come with lots of ideas!

January 17

San Diego HTCIA is teaming with the city’s Information Systems Security Association (ISSA) chapter this month! Between 11:30 – 1:00 PM PST at the Admiral Baker Clubhouse, Mr. Robert Capp II, Senior Manager of Trust and Safety at StubHub, will be presenting on the results of an online fraud investigation against StubHub. Learn the limitations of traditional investigative methods for international crimes and how StubHub overcame these limitation to work effectively with various international law enforcement to arrest the criminals and seriously reduce company fraud.

Ottawa HTCIA will be meeting from 5:30-7:30 p.m. Their meetings are held in Russell’s Lounge at the Ottawa Police Association, 141 Catherine Street, Ottawa, Ontario.

Central Valley (CA) HTCIA will be meeting at 11:30 a.m. at 250 E Hackett Road, Room 152 in Modesto. Lunch will be provided, and the topics for the day include chapter goals for 2012, and interpreting hex code.

January 18

Florida HTCIA welcomes speaker Randall Huff, Security Director of TLO.com, from 9:00-11:00 a.m. at the IRS-Criminal Investigation 7850 SW 6th Court, Plantation, FL. Mr. Huff will be speaking on TLO as an organization, TLOxp used by and available to law enforcement as well as other tools developed by the the inventor of Autotrack and ACCURINT.

Michigan HTCIA will be meeting the same day at 10:00 AM at the Walsh College Novi Campus room #511. The presentation will be an overview of using social networks as an investigative tool. HTCIA members Mr. Steffan Gaydos and Wayne County Sheriff Deputy Erin Diamond will present issues affecting law enforcement, as well as private sector investigations. The presentation will conclude with a discussion on tools and methodologies for collecting online evidence.

January 19

DFIROnline, run by HTCIA member Mike Wilkinson of our New England chapter (though separately from chapter meetings), is a virtual meeting that brings together digital forensics and incident response professionals from all locations and all disciplines. Beginning at 2000 and running for about an hour, this month’s meeting will feature Harlan Carvey looking at malware detection on an acquired image and Eric Huber covering APTs.

January 20

Washington state HTCIA will offer a presentation on managing incident response investigations, given by Michael Panico of Stroz Friedberg, from 10:00 AM-12:00 PM.

January 26

Ontario HTCIA will be at the Toronto Police College 7 – 9 p.m.

Special Training Events: Atlanta, GA & Los Angeles, CA

On January 27, 2011, Atlanta HTCIA will be offering a special presentation on Understanding and Investigating Microsoft Volume Shadow Copy. This event will run from 10:00AM – 2:00PM; Christopher L. T. Brown, CISSP and the founder and CTO of Technology Pathways, will be presenting.

Field investigators often need to find information fast in the field.  Recovering deleted files and performing advanced searches are often time consuming and thus prohibitive for field investigators.  Both live system triage and analysis of off line images containing Microsoft VSC “Volume Shadow Copy” snapshots can often net a wealth of information to investigators who know how to process it.

Learn more and register at the Atlanta HTCIA chapter website!

February 6-11: SANS COINS is coming to Los Angeles! Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations-Windows In-Depth will be in sunny Los Angeles, CA February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 will include a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs.

HTCIA members can save an additional 10% off tuition when you enter Discount Code “COINS10” Register now!


HTCIA joins the CDFS to help set digital forensics standards

December 22, 2011

Consortium of Digital Forensics SpecialistsWe are very pleased to announce that we’ve joined the Consortium of Digital Forensics Specialists (CDFS) as an Organizational Member! Established in 2008 to provide leadership and advocacy as the global representative of the digital forensics profession, CDFS offers the chance for HTCIA members, through their board representatives, to collectively help determine standards for digital forensics ethics, practice and professional licensing and certification, among other areas.

Our International President, Duncan Monkhouse, has this to say: “For 25 years, our members have contributed to the development of digital investigation as a science and a profession. Supporting the CDFS is a natural outgrowth of their contributions. We look forward to helping shape the education and training of this particular facet of high tech crime investigation, which is just one of the many our membership serves.”

Chris Kelly, CDFS’ president and a New England HTCIA chapter member, is likewise excited. “HTCIA’s membership is a welcome addition because of its members’ breadth of experience not just in digital forensics, but also in private investigation, prosecution, and other professions that affect the way digital forensics is perceived within the investigative community,” he says. “We look forward to their input and assistance in driving not just our association, but the entire profession forward.”

HTCIA joins two other nonprofit professional organizations, the International Association of Computer Investigative Specialists (IACIS) and the Association of Digital Forensics, Security and Law (ADFSL) as members of CDFS. We couldn’t be in better company, and we’re so grateful to CDFS for making our membership possible!

2012 HTCIA Conference Call for Speakers

December 14, 2011

If you’ve considered presenting to other high tech crimes investigators in 2012, we hope you’ll submit a paper to us! As always, the 2012 HTCIA International Training Conference & Expo organizers seek to provide the best possible training on the latest topics in high technology crime by the best speakers available.

To this end we’re soliciting speakers for the conference in the following areas (not an exhaustive list):

  • Information security
  • Investigations (identity theft, child pornography, cyber crime, intellectual property theft, white-collar, and corporate)
  • Computer forensics
  • eDiscovery
  • Legal issues
  • Courtroom testimony techniques
  • Financial crimes – tax evasion & money laundering
  • International trends – situations – experience
  • White collar & corporate investigations
  • Legal issues – civil & criminal
  • Legal mock trial
  • Report writing for forensic examiners
  • Report writing for investigations

The 2012 HTCIA International Conference & Training Expo will be held September 16-19, at the Hershey Lodge, Hershey, PA. If you would like to speak on any of the above topics, or have a topic of your own, please contact Jimmy Garcia, chair of the Program Committee – jrgarcia@da.lacounty.gov. We look forward to hearing from you!

Platinum sponsor AccessData: Cross-pollinating with digital forensics, e-discovery and infosec training

August 24, 2011

AccessData HTCIA Platinum Star SupporterNo coverage about our conference would be complete without a mention of our longtime Platinum-level sponsor, AccessData. Not only are they holding a one-hour showcase on the latest version of their lab solution, which provides massive distributed processing and a web-based environment for collaborative analysis – they also have a range of diverse topics on digital forensics, information security and e-discovery.

“With the fast changing cyber landscape, more and more forensic examiners find themselves assisting with incident response and litigation support for their employers. Likewise, law enforcement is faced with a growing number of cybercrime cases involving hacking and malware,” says Keith Lockhart, AccessData’s vice president of training. “That’s why we’re providing a good selection of educational content on those topics, specifically geared toward forensic examiners who need this type of continuing education in order to keep up with the ever-changing demands of this industry.”

Social media, Macintosh analysis, decryption and Windows 7

On Monday morning, Sept. 12, AccessData’s Nick Drehel, senior instructor and curriculum manager, and Michael Staggs, senior consulting engineer, will present “The Realities of Investigating Social Media.” This lab will discuss myths in the marketplace and demonstrate the value of network forensics when it comes to a comprehensive social media investigation. Participants will learn what is possible using host analysis solutions versus packet analysis.

Tuesday morning, Drehel will also discuss “Next Generation Decryption,” in which participants will learn how to maximize their chances of success when attacking encrypted files. Attendees will learn best practices, ways to access “low hanging fruit”, and utilize PRTK and the AccessData “Art of War” methodology to recover passwords from files, user logon passwords and Intelliforms decryption.

Chris Sanft, another senior instructor with AccessData, will present two labs on Macintosh analysis and Windows 7 forensics. Sanft’s Mac analysis lab, which will take place Monday afternoon, will focus on using FTK and FTK Imager to examine HFS drive structure to image, examine, and report on Macintosh evidence.

On Wednesday afternoon, Sanft returns for a hands-on presentation about Microsoft Windows 7 operating system artifacts and file system mechanics. He’ll discuss the BitLocker Full Volume Encryption (FVE) technology and the new BitLocker To Go, along with the techniques that should be employed during evidence seizure and acquisition. Students will also review the changes in the Windows 7 registry and recover forensic artifacts from the registry.

E-discovery for forensics examiners, social media, and early case assessment

David Speringo, a senior e-discovery consultant for AccessData, will cover three e-discovery-related topics between Tuesday and Wednesday.

On Tuesday, he’ll present the lectures “What Every Forensic Investigators Should Know about eDiscovery and the Process” and “Social Media and eDiscovery.” The first will discuss e-discovery’s critical requirements which a forensic examiner must understand while getting to know a task that frequently falls outside their comfort zone. Participants are encouraged to ask questions about the nuts and bolts of the electronic discovery process!

“Social Media and eDiscovery,” meanwhile, will explore the need for organizations to have a social media policy in place – and to effect a proper e-discovery plan to capture and secure social media interactions over the network. Speringo will take participants through a discussion of policy creation, usage and those technologies which can facilitate either the collection or preservation of data, as well as the analysis of that data.

Wednesday’s lab, “Early Data Assessment and Early Case Assessment,” will teach participants how to quickly sort and filter through data before it goes into final review, making it easier for a legal team to determine probabilities of success for either a defense or settlement for a given piece of litigation. The lab will take the user through a case study using AccessData’s ECA software to analyze metrics, keywords, and file categorization.

Memory analysis, man-in-the-middle attacks, and handling advanced exploits

Rounding out AccessData’s labs will be three presentations on information security topics. On Monday, AD’s director of forensics training Ken Warren and NCFI network forensics instructor Rob Andrews will cover memory analysis fundamentals, including options for memory capture both in the field and in the lab. They’ll look at the artifacts that can be easily parsed from memory, along with techniques for searching memory and even retrieving graphics, unencrypted versions of text, passwords and more.

Warren and Andrews will return on Tuesday to present “Hands-On Hacking Investigation: Man in the Middle Attack,” which is a type of attack brought against unsuspecting users under many different situations. Warren and Andrews will discuss the techniques used to investigate this type of breach and discover the artifacts left behind after the attack.

On Wednesday morning, Michael Staggs and senior global security engineer Tom Wong will talk about “New Technology for the Improved Handling of Advanced Exploits.” In this session, attendees will learn about technological advancements that dramatically enhance an organization’s ability to detect, analyze and remediate threats. They will see how the integration of host analysis, network analysis and data auditing will arm organizations to better handle network exploits, data theft or even HR policy violations.

AccessData tools presentations

On Monday evening, Nick Drehel will return for a Happy Hour FTK Transition Workstation. The objective of this lecture-only presentation is to introduce attendees to the AccessData Forensic Toolkit 4.0 software. The lecture will cover the new enhancements to the program and database, and attendees will get the opportunity to ask questions about the new database.

On Wednesday morning, mobile forensics trainer Lee Reiber will cover extraction techniques for iPhone, iPad and Android devices using Mobile Phone Examiner Plus (MPE+) and FTK. Learn which tools extract the most data logically, and also learn how to physically image an Apple iOS device, including the iPad.

Interested in attending any of these labs? Register now so that you can sign up – seats are going quickly!

Movie Night, courtesy of Silver sponsor Vound

July 28, 2011

One of last year’s most popular conference sessions was Pizza Night, Vound Software‘s dinner-and-a-demo look at its Intella email forensics software. This year, they changed it up a bit. They’ll still hold a demo, but they’re also sponsoring some entertainment – not just for conference participants, but also for their families who come to Indian Wells with them.

We talked more with Vound about what will be involved and why:

HTCIA: “Movie Night” isn’t typical conference fare, at least in this industry. What made Vound decide to sponsor it?

Vound: We took a fly at doing something original  in Pizza Night last year and were impressed with its success and feedback. We wanted to keep it fresh and interesting this year so opted for Movie Night.

We will have treats, popcorn, candy, soda, and domestic beer for the enjoyment of those who can make it, and we hope everyone does. We are hoping attendees will see it as an opportunity to bring their partners and  chill out. Let’s also not forget we are in movie making territory.

HTCIA: Any word on what the movie will be?

Vound: No idea yet, but Peter [Mercer, Vound co-founder] insists on it having kangaroos or being about cricket.  [HTCIA note: our Conference Committee decided on “Source Code.” No kangaroos or cricket that we know of!]

HTCIA: What trends have you noticed in the last year with email investigations?

Vound: More and more cases are becoming “email only”. This is  where the case starts when the investigator is handed 50 PST files on a USB drive with  no image in sight and 2 days to complete it . This is exactly why we developed Intella and  where it more than pays for itself…

HTCIA: What’s new with Intella that you’ll be sharing during your lab session?

This year at HTCIA, investigators will see how their agencies can get the most out of their digital forensic investment by integrating Intella’s search and analytical abilities into their existing investigation and case management software.

A common problem is that the weight of digital forensic evidence is lost in translation when it is delivered to the analyst or officer who has no forensic background. Officers or analysts from outside of digital forensics may use completely different tools and methods to identify and organize useful information.

As a demonstration of how Intella solves that problem by augmenting existing software suites, this year at HTCIA the Vound team will demonstrate how Intella is used in conjunction with i2’s award winning Analyst’s Notebook and iBase. We’ll show how our customers can add Intella search results and forensic information to the investigation management software, the same way they add other pieces of information.

We’re proud to say that Intella has grown by leaps and bounds since Version 1.0 was unveiled in 2008 at the HTCIA Conference in Atlantic City.  Thousands of federal, state, and local law enforcement officers now rely on Intella every day for e-mail and data analysis. We’ve found that agencies where evidence is transmitted effectively between forensic and non-forensic officers see an exponential increase in the value of the forensic phase, leading to better results.

Come join us at the HTCIA Conference and let us tell more about how Intella can help you search data, analyze evidence, and close cases quickly.

HTCIA: Anything else you’d like us to share about your sponsorship?

Vound: Could some of the sponsorship money be invested in projects that will help with inventing teleportation? The 15 hour flight is killing Peter. 🙂

HTCIA: We’ll look into that. 🙂 Meanwhile, thanks so much for the scoop on your lab and Movie Night. We look forward to seeing you in September!

Not yet registered for the conference? Register at https://www.htciaconference.org/registration.html and be sure to mark your calendar for Sunday’s Vound Movie Night following the Exhibitor Reception!

Image: tvol via Flickr

A call for papers… from students

July 21, 2011

Following on its success with the Western Regional Collegiate Cyber Defense Competition, Cal Poly Pomona will be sponsoring something that’s normal for academic conferences, but new to trade shows: a student poster presentation, a way for students to connect with the professionals they’ll be working with following graduation.

What it is

Anna Carlin, a Cal Poly Pomona professor and 2nd Vice President of our SoCal chapter, is looking for 10 full-time students to present their work in our exhibit hall on Tuesday, September 13. We’ll provide a poster board for hanging the presentation, which can be as simple as PowerPoint slides. Posters will be displayed in the Emerald 4 Room, allowing all attendees to see the students’ work.

Not restricted to either Cal Poly students or HTCIA members, the presentation will allow students to connect with cyber security and computer forensics professionals from around the world. The work being presented must be new and current research and development in the field of cyber security and computer forensics. Work being done in conjunction with a professor is permitted.

HTCIA student charters may present the activities performed by their charter. Student Charter posters may describe charter activities, events, and/or other involvement with cyber security and computer forensics professions.  A single representative should coordinate the submission of each Student Charter proposal.

The Academic Program Committee will be reviewing submissions based on the following criteria:

  • Relevance to the field of cyber security and computer forensics
  • Potential for practical impact
  • Degree of originality
  • Technical depth
  • The overall quality of the submission

Who can participate

We invite full-time undergraduate and graduate students to submit poster presentations on research and work in the field of cyber security and computer forensics. Work being done in conjunction with a professor is permitted. The poster session can also showcase the activities of HTCIA Student Charters.

Why students should submit

The first 10 students whose poster presentation is accepted will receive FREE conference registration for all 3 days (a $395 value) and a one-year student membership to HTCIA (a $25 value)! Accepted abstracts will be printed in the program and posted on the HTCIA International Conference website.

In addition, five benefits to participating:

5. Obtain a critical review of your work by submitting a poster presentation, and meet potential sponsors of your work.

4. Expand your network of other students interested in cyber security and computer forensics.

3. Listen in on hot-topic panels and presentations and take home the most current research and solutions from industry leading experts.

2. Receive recognition and a Certificate of Participation.

1. Meet potential employers!

When and how to submit

The deadline for submission is July 29, 2011. Send a short 50 to 75 word abstract with three learner outcomes (not part of the word limit) that attendees are expected to gain from the poster presentation. You will be asked to indicate the target audience level (getting started, intermediate, or advanced).

Please email your abstract to the following e-mail address: acarlin@csupomona.edu. A student may submit only one abstract. Students will be notified about acceptance by Friday, August 5, 2011.

For more information, including specific submission guidelines, poster session guidelines and other prep work, see https://www.htciaconference.org/studentposters.html.

Want to see what students are up to in the community? Register for the conference now: https://www.htciaconference.org/registration.html

Image: carmichaellibrary via Flickr

International investigations: Digital forensics and social media

July 8, 2011

Several of our lectures this year will discuss international issues with high tech crime investigations. Among the presentations: a joint talk on Tuesday, Sept. 13 about international social media investigation, from members Cynthia Navarro and Andres Velazquez; and on Wednesday, a Latin American perspective on digital forensics from Andres Velazquez.

A Latin American perspective on digital forensics

Velazquez, a Mexican digital forensics expert who built the country’s first private digital forensics labs through his company MaTTica, says one of the key differences between the United States and Latin American countries is the legal system structures. “US judges rely mainly on precedent, but in Latin America, judges rely solely on codes,” he explains. “So, if the defendant’s conduct does not meet the law’s requirements, it won’t be a felony.”

For example, a denial of service attack does not qualify as a felony. Nor does identity theft, or theft of other data, because the codes are based on physical robbery — the theft of tangible items. “A robbery charge depends on the absence of goods,” Velazquez explains, “but when the data is still there, according to the law, how can it have been stolen?”

In addition, civil or tort laws’ requirements are difficult to meet because none of the laws cover e-discovery, so examinations as US investigators understand them are not possible. And although a law in Mexico was passed last year that covers privacy of personal information, legislators have yet to approve guidelines, so investigators still face difficulty in this area.

Meanwhile, because many Internet service providers are headquartered in the US, Latin American investigators face difficulties with getting data because of international agreements. “Currently, we have to get a court order through our Exterior Relationships Secretary [comparable to the US Secretary of State],” Velazquez explains. “That has to go through the embassy, then through the US federal government, to the state, and then finally to the company. By the time the process is complete, it can be up to two years, and then the data we needed are gone.”

Agreements similar to the Budapest Open Access Agreement would help, but even at that, few Latin American attorneys and judges understand computers. Velazquez recalls a search he coordinated in which investigators seized only keyboards and monitors — but not the actual computers. Part of his mission is to educate and assist law enforcement and other investigators in the region.

Yet decisions continue to be made by the very judges who don’t understand computers, and to whom investigators have no access. The answer: for investigators to find a way to be in what Velazquez terms “unofficial contact” to start meeting needs, such as collecting forensic images with which forensic examiners can practice, or working with vendors to obtain metadata if not content.

Investigation mechanics from across the world

Until the laws sort themselves out, investigators are left with doing the best they can with what they have. Fortunately, although investigations are never “easy,” certain tools — among them social media — make the task easier than it was even a few years ago.

Cynthia Navarro, a California-based private investigator who will be co-presenting with Velazquez on social tools, says: “I have always said that with the internet we have no boundaries…. I have a project to watch how the narco in Mexico is affecting a specific town (and the surrounding towns.) It’s been easy, their mayor uses Twitter to warn the townspeople of street closures due to shootings, murders and rival gang takeovers. They they tweet when things are back to normal. This is the most up to date tracking anyone could ask for!”

Because social networking is for the most part publicly available, investigators deal with few legal issues. Navarro says she has encountered few cultural conflicts, and as for language barriers, “Thank God for Google Translate!” she says. “While it is not a perfect translation, you can get the gist of what is being said. I have used it for Spanish, German, Chinese, and Vietnamese with great success.”

Perhaps surprisingly, Facebook is the #1 resource for online investigators not just in the US, but overall, thanks to its widespread adoption in Europe as well as in Asia. Orkut is #2, says Navarro (due largely to its overwhelming popularity in Brazil), followed by Qzone and then Twitter. V Kontakte and LiveJournal are the most popular in Russia; a network called Hi5 attracts the most users from Thailand, Romania, Peru and Portugal, while Lide draws Czech users. Other countries have their own preferred social networking sites.

“For other countries, censorship and blocking can be a problem,” says Navarro. “I’ve heard that Zing is #1 for Vietnam because some Vietnamese ISPs have blocked it.” Other countries that block content: China, Uganda, Egypt, Iran, Saudi Arabia, and the United Arab Emirates.

Navarro adds that between investigation and teaching, the quality she appreciates most is learning. “Teaching to me is learning, we have to keep up in order to teach effectively,” she explains. “I am [also] lucky enough that there are always different things I investigate so I don’t get stuck on the same thing day in and day out.”

Interested in hearing what Andres and Cynthia will have to say, along with our other presentations on international perspectives? Join us in Indian Wells and register here: https://www.htciaconference.org/registration.html

Image: caruba via Flickr