January HTCIA news and events

January 9, 2012

Before we run down the list of January chapter events, we’d like to draw your attention to two new chapter website redesigns. HTCIA Asia-Pacific will contain all-new and updated content, having migrated from the old htcia.org.hk. Visit President Frank Law’s blog post to read more details, and be sure to follow HTCIA-APAC in its various social site locations!

Meanwhile, our Midwest chapter is building out its site with new content weekly, including Tips of the Week, listings of forensic tools, and of course updates on chapter meetings and events.

Visit the new sites, subscribe to their RSS feeds and learn from what they offer!

Upcoming January HTCIA meetings

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got two upcoming special events as well as regular chapter meetings this month. Where available, we’ve posted meeting details; if none are available, we encourage you to visit the chapter website (linked below) and get in touch with the officers to learn more.

January 11

HTCIA Atlantic Canada Chapter Meeting, 5:30pm – 7:30pm. Eric Jones of Absolute Software (maker of LoJack and Computrace computer tracking software) will be focusing on the use of these tools for geolocation, forensics, and law enforcement.

The Atlantic Canada chapter meets in two physical locations:

  • Fredericton New Brunswick at 64 Allison Blvd.
  • Dartmouth Nova Scotia, 45 Alderney Dr.

There’s also a telephone conference line and a WebEx conference for those who can’t make it to the physical locations. Contact the chapter for more information!

January 12

Atlanta HTCIA will be holding Log2Timeline open source tool training from 11:30AM – 1:00PM at American InterContinental University’s Dunwoody, GA campus. Log2Timeline is used to create a “SuperTimeline” to help determine the sequence of events based on logs and artifacts found in a forensic image of a Windows based system.

Speaker Rodger Wille has been working incident response and forensics within the Federal Government for over 10 years. Rodger is currently the Digital Forensic Services Team lead for a Federal Agency based in Atlanta, where he is responsible for conducting digital forensic and malware analysis in response to computer intrusions and malware incidents.

January 13

Texas Gulf Coast HTCIA will be holding an “overview” type meeting from 1:00 PM – 3:00 PM (following an 11:30 a.m. social networking lunch at JAX Grill) at the United Way Community Resource Center. This meeting will focus on the meetings for 2012 and will include possible topics, speakers and training session(s). Please come with lots of ideas!

January 17

San Diego HTCIA is teaming with the city’s Information Systems Security Association (ISSA) chapter this month! Between 11:30 – 1:00 PM PST at the Admiral Baker Clubhouse, Mr. Robert Capp II, Senior Manager of Trust and Safety at StubHub, will be presenting on the results of an online fraud investigation against StubHub. Learn the limitations of traditional investigative methods for international crimes and how StubHub overcame these limitations to work effectively with various international law enforcement agencies to arrest the criminals and seriously reduce company fraud.

Ottawa HTCIA will be meeting from 5:30-7:30 p.m. Their meetings are held in Russell’s Lounge at the Ottawa Police Association, 141 Catherine Street, Ottawa, Ontario.

Central Valley (CA) HTCIA will be meeting at 11:30 a.m. at 250 E Hackett Road, Room 152 in Modesto. Lunch will be provided, and the topics for the day include chapter goals for 2012, and interpreting hex code.

January 18

Florida HTCIA welcomes speaker Randall Huff, Security Director of TLO.com, from 9:00-11:00 a.m. at the IRS-Criminal Investigation office, 7850 SW 6th Court, Plantation, FL. Mr. Huff will be speaking on TLO as an organization, TLOxp as used by and available to law enforcement, as well as other tools developed by the inventor of Autotrack and ACCURINT.

Michigan HTCIA will be meeting the same day at 10:00 AM at the Walsh College Novi Campus room #511. The presentation will be an overview of using social networks as an investigative tool. HTCIA members Mr. Steffan Gaydos and Wayne County Sheriff Deputy Erin Diamond will present issues affecting law enforcement, as well as private sector investigations. The presentation will conclude with a discussion on tools and methodologies for collecting online evidence.

January 19

DFIROnline, run by HTCIA member Mike Wilkinson of our New England chapter (though separately from chapter meetings), is a virtual meeting that brings together digital forensics and incident response professionals from all locations and all disciplines. Beginning at 2000 and running for about an hour, this month’s meeting will feature Harlan Carvey looking at malware detection on an acquired image and Eric Huber covering APTs.

January 20

Washington state HTCIA will offer a presentation on managing incident response investigations, given by Michael Panico of Stroz Friedberg, from 10:00 AM-12:00 PM.

January 26

Ontario HTCIA will be at the Toronto Police College 7 – 9 p.m.

Special Training Events: Atlanta, GA & Los Angeles, CA

On January 27, 2011, Atlanta HTCIA will be offering a special presentation on Understanding and Investigating Microsoft Volume Shadow Copy. This event will run from 10:00AM – 2:00PM; Christopher L. T. Brown, CISSP and the founder and CTO of Technology Pathways, will be presenting.

Field investigators often need to find information fast in the field. Recovering deleted files and performing advanced searches are often time consuming and thus prohibitive for field investigators. Both live system triage and analysis of offline images containing Microsoft VSC “Volume Shadow Copy” snapshots can often net a wealth of information to investigators who know how to process it.

Learn more and register at the Atlanta HTCIA chapter website!

February 6-11: SANS COINS is coming to Los Angeles! Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations-Windows In-Depth will be in sunny Los Angeles, CA February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 will include a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs.

HTCIA members can save an additional 10% off tuition when you enter Discount Code “COINS10”. Register now!


HTCIA joins the CDFS to help set digital forensics standards

December 22, 2011

We are very pleased to announce that we’ve joined the Consortium of Digital Forensics Specialists (CDFS) as an Organizational Member! Established in 2008 to provide leadership and advocacy as the global representative of the digital forensics profession, CDFS offers the chance for HTCIA members, through their board representatives, to collectively help determine standards for digital forensics ethics, practice and professional licensing and certification, among other areas.

Our International President, Duncan Monkhouse, has this to say: “For 25 years, our members have contributed to the development of digital investigation as a science and a profession. Supporting the CDFS is a natural outgrowth of their contributions. We look forward to helping shape the education and training of this particular facet of high tech crime investigation, which is just one of the many our membership serves.”

Chris Kelly, CDFS’ president and a New England HTCIA chapter member, is likewise excited. “HTCIA’s membership is a welcome addition because of its members’ breadth of experience not just in digital forensics, but also in private investigation, prosecution, and other professions that affect the way digital forensics is perceived within the investigative community,” he says. “We look forward to their input and assistance in driving not just our association, but the entire profession forward.”

HTCIA joins two other nonprofit professional organizations, the International Association of Computer Investigative Specialists (IACIS) and the Association of Digital Forensics, Security and Law (ADFSL) as members of CDFS. We couldn’t be in better company, and we’re so grateful to CDFS for making our membership possible!


2012 HTCIA Conference Call for Speakers

December 14, 2011

If you’ve considered presenting to other high tech crimes investigators in 2012, we hope you’ll submit a paper to us! As always, the 2012 HTCIA International Training Conference & Expo organizers seek to provide the best possible training on the latest topics in high technology crime by the best speakers available.

To this end we’re soliciting speakers for the conference in the following areas (not an exhaustive list):

  • Information security
  • Investigations (identity theft, child pornography, cyber crime, intellectual property theft, white-collar, and corporate)
  • Computer forensics
  • eDiscovery
  • Legal issues
  • Courtroom testimony techniques
  • Financial crimes – tax evasion & money laundering
  • International trends – situations – experience
  • White collar & corporate investigations
  • Legal issues – civil & criminal
  • Legal mock trial
  • Report writing for forensic examiners
  • Report writing for investigations

The 2012 HTCIA International Conference & Training Expo will be held September 16-19, at the Hershey Lodge, Hershey, PA. If you would like to speak on any of the above topics, or have a topic of your own, please contact Jimmy Garcia, chair of the Program Committee – jrgarcia@da.lacounty.gov. We look forward to hearing from you!


Platinum sponsor AccessData: Cross-pollinating with digital forensics, e-discovery and infosec training

August 24, 2011

No coverage about our conference would be complete without a mention of our longtime Platinum-level sponsor, AccessData. Not only are they holding a one-hour showcase on the latest version of their lab solution, which provides massive distributed processing and a web-based environment for collaborative analysis – they also have a range of diverse topics on digital forensics, information security and e-discovery.

“With the fast changing cyber landscape, more and more forensic examiners find themselves assisting with incident response and litigation support for their employers. Likewise, law enforcement is faced with a growing number of cybercrime cases involving hacking and malware,” says Keith Lockhart, AccessData’s vice president of training. “That’s why we’re providing a good selection of educational content on those topics, specifically geared toward forensic examiners who need this type of continuing education in order to keep up with the ever-changing demands of this industry.”

Social media, Macintosh analysis, decryption and Windows 7

On Monday morning, Sept. 12, AccessData’s Nick Drehel, senior instructor and curriculum manager, and Michael Staggs, senior consulting engineer, will present “The Realities of Investigating Social Media.” This lab will discuss myths in the marketplace and demonstrate the value of network forensics when it comes to a comprehensive social media investigation. Participants will learn what is possible using host analysis solutions versus packet analysis.

Tuesday morning, Drehel will also discuss “Next Generation Decryption,” in which participants will learn how to maximize their chances of success when attacking encrypted files. Attendees will learn best practices, ways to access “low hanging fruit”, and utilize PRTK and the AccessData “Art of War” methodology to recover passwords from files, user logon passwords and Intelliforms decryption.

Chris Sanft, another senior instructor with AccessData, will present two labs on Macintosh analysis and Windows 7 forensics. Sanft’s Mac analysis lab, which will take place Monday afternoon, will focus on using FTK and FTK Imager to examine HFS drive structure to image, examine, and report on Macintosh evidence.

On Wednesday afternoon, Sanft returns for a hands-on presentation about Microsoft Windows 7 operating system artifacts and file system mechanics. He’ll discuss the BitLocker Full Volume Encryption (FVE) technology and the new BitLocker To Go, along with the techniques that should be employed during evidence seizure and acquisition. Students will also review the changes in the Windows 7 registry and recover forensic artifacts from the registry.

E-discovery for forensics examiners, social media, and early case assessment

David Speringo, a senior e-discovery consultant for AccessData, will cover three e-discovery-related topics between Tuesday and Wednesday.

On Tuesday, he’ll present the lectures “What Every Forensic Investigators Should Know about eDiscovery and the Process” and “Social Media and eDiscovery.” The first will discuss e-discovery’s critical requirements which a forensic examiner must understand while getting to know a task that frequently falls outside their comfort zone. Participants are encouraged to ask questions about the nuts and bolts of the electronic discovery process!

“Social Media and eDiscovery,” meanwhile, will explore the need for organizations to have a social media policy in place – and to effect a proper e-discovery plan to capture and secure social media interactions over the network. Speringo will take participants through a discussion of policy creation, usage and those technologies which can facilitate either the collection or preservation of data, as well as the analysis of that data.

Wednesday’s lab, “Early Data Assessment and Early Case Assessment,” will teach participants how to quickly sort and filter through data before it goes into final review, making it easier for a legal team to determine probabilities of success for either a defense or settlement for a given piece of litigation. The lab will take the user through a case study using AccessData’s ECA software to analyze metrics, keywords, and file categorization.

Memory analysis, man-in-the-middle attacks, and handling advanced exploits

Rounding out AccessData’s labs will be three presentations on information security topics. On Monday, AD’s director of forensics training Ken Warren and NCFI network forensics instructor Rob Andrews will cover memory analysis fundamentals, including options for memory capture both in the field and in the lab. They’ll look at the artifacts that can be easily parsed from memory, along with techniques for searching memory and even retrieving graphics, unencrypted versions of text, passwords and more.

Warren and Andrews will return on Tuesday to present “Hands-On Hacking Investigation: Man in the Middle Attack,” covering a type of attack brought against unsuspecting users in many different situations. Warren and Andrews will discuss the techniques used to investigate this type of breach and discover the artifacts left behind after the attack.

On Wednesday morning, Michael Staggs and senior global security engineer Tom Wong will talk about “New Technology for the Improved Handling of Advanced Exploits.” In this session, attendees will learn about technological advancements that dramatically enhance an organization’s ability to detect, analyze and remediate threats. They will see how the integration of host analysis, network analysis and data auditing will arm organizations to better handle network exploits, data theft or even HR policy violations.

AccessData tools presentations

On Monday evening, Nick Drehel will return for a Happy Hour FTK Transition Workstation. The objective of this lecture-only presentation is to introduce attendees to the AccessData Forensic Toolkit 4.0 software. The lecture will cover the new enhancements to the program and database, and attendees will get the opportunity to ask questions about the new database.

On Wednesday morning, mobile forensics trainer Lee Reiber will cover extraction techniques for iPhone, iPad and Android devices using Mobile Phone Examiner Plus (MPE+) and FTK. Learn which tools extract the most data logically, and also learn how to physically image an Apple iOS device, including the iPad.

Interested in attending any of these labs? Register now so that you can sign up – seats are going quickly!


Movie Night, courtesy of Silver sponsor Vound

July 28, 2011

One of last year’s most popular conference sessions was Pizza Night, Vound Software’s dinner-and-a-demo look at its Intella email forensics software. This year, they changed it up a bit. They’ll still hold a demo, but they’re also sponsoring some entertainment – not just for conference participants, but also for their families who come to Indian Wells with them.

We talked more with Vound about what will be involved and why:

HTCIA: “Movie Night” isn’t typical conference fare, at least in this industry. What made Vound decide to sponsor it?

Vound: We took a fly at doing something original in Pizza Night last year and were impressed with its success and feedback. We wanted to keep it fresh and interesting this year so opted for Movie Night.

We will have treats, popcorn, candy, soda, and domestic beer for the enjoyment of those who can make it, and we hope everyone does. We are hoping attendees will see it as an opportunity to bring their partners and chill out. Let’s also not forget we are in movie making territory.

HTCIA: Any word on what the movie will be?

Vound: No idea yet, but Peter [Mercer, Vound co-founder] insists on it having kangaroos or being about cricket. [HTCIA note: our Conference Committee decided on “Source Code.” No kangaroos or cricket that we know of!]

HTCIA: What trends have you noticed in the last year with email investigations?

Vound: More and more cases are becoming “email only”. This is where the case starts when the investigator is handed 50 PST files on a USB drive with no image in sight and 2 days to complete it. This is exactly why we developed Intella and where it more than pays for itself…

HTCIA: What’s new with Intella that you’ll be sharing during your lab session?

This year at HTCIA, investigators will see how their agencies can get the most out of their digital forensic investment by integrating Intella’s search and analytical abilities into their existing investigation and case management software.

A common problem is that the weight of digital forensic evidence is lost in translation when it is delivered to the analyst or officer who has no forensic background. Officers or analysts from outside of digital forensics may use completely different tools and methods to identify and organize useful information.

As a demonstration of how Intella solves that problem by augmenting existing software suites, this year at HTCIA the Vound team will demonstrate how Intella is used in conjunction with i2’s award winning Analyst’s Notebook and iBase. We’ll show how our customers can add Intella search results and forensic information to the investigation management software, the same way they add other pieces of information.

We’re proud to say that Intella has grown by leaps and bounds since Version 1.0 was unveiled in 2008 at the HTCIA Conference in Atlantic City. Thousands of federal, state, and local law enforcement officers now rely on Intella every day for e-mail and data analysis. We’ve found that agencies where evidence is transmitted effectively between forensic and non-forensic officers see an exponential increase in the value of the forensic phase, leading to better results.

Come join us at the HTCIA Conference and let us tell more about how Intella can help you search data, analyze evidence, and close cases quickly.

HTCIA: Anything else you’d like us to share about your sponsorship?

Vound: Could some of the sponsorship money be invested in projects that will help with inventing teleportation? The 15 hour flight is killing Peter. 🙂

HTCIA: We’ll look into that. 🙂 Meanwhile, thanks so much for the scoop on your lab and Movie Night. We look forward to seeing you in September!

Not yet registered for the conference? Register at https://www.htciaconference.org/registration.html and be sure to mark your calendar for Sunday’s Vound Movie Night following the Exhibitor Reception!

Image: tvol via Flickr


A call for papers… from students

July 21, 2011

Following on its success with the Western Regional Collegiate Cyber Defense Competition, Cal Poly Pomona will be sponsoring something that’s normal for academic conferences, but new to trade shows: a student poster presentation, a way for students to connect with the professionals they’ll be working with following graduation.

What it is

Anna Carlin, a Cal Poly Pomona professor and 2nd Vice President of our SoCal chapter, is looking for 10 full-time students to present their work in our exhibit hall on Tuesday, September 13. We’ll provide a poster board for hanging the presentation, which can be as simple as PowerPoint slides. Posters will be displayed in the Emerald 4 Room, allowing all attendees to see the students’ work.

Not restricted to either Cal Poly students or HTCIA members, the presentation will allow students to connect with cyber security and computer forensics professionals from around the world. The work being presented must be new and current research and development in the field of cyber security and computer forensics. Work being done in conjunction with a professor is permitted.

HTCIA student charters may present the activities performed by their charter. Student Charter posters may describe charter activities, events, and/or other involvement with cyber security and computer forensics professions. A single representative should coordinate the submission of each Student Charter proposal.

The Academic Program Committee will be reviewing submissions based on the following criteria:

  • Relevance to the field of cyber security and computer forensics
  • Potential for practical impact
  • Degree of originality
  • Technical depth
  • The overall quality of the submission

Who can participate

We invite full-time undergraduate and graduate students to submit poster presentations on research and work in the field of cyber security and computer forensics. Work being done in conjunction with a professor is permitted. The poster session can also showcase the activities of HTCIA Student Charters.

Why students should submit

The first 10 students whose poster presentation is accepted will receive FREE conference registration for all 3 days (a $395 value) and a one-year student membership to HTCIA (a $25 value)! Accepted abstracts will be printed in the program and posted on the HTCIA International Conference website.

In addition, five benefits to participating:

5. Obtain a critical review of your work by submitting a poster presentation, and meet potential sponsors of your work.

4. Expand your network of other students interested in cyber security and computer forensics.

3. Listen in on hot-topic panels and presentations and take home the most current research and solutions from industry leading experts.

2. Receive recognition and a Certificate of Participation.

1. Meet potential employers!

When and how to submit

The deadline for submission is July 29, 2011. Send a short 50 to 75 word abstract with three learner outcomes (not part of the word limit) that attendees are expected to gain from the poster presentation. You will be asked to indicate the target audience level (getting started, intermediate, or advanced).

Please email your abstract to the following e-mail address: acarlin@csupomona.edu. A student may submit only one abstract. Students will be notified about acceptance by Friday, August 5, 2011.

For more information, including specific submission guidelines, poster session guidelines and other prep work, see https://www.htciaconference.org/studentposters.html.

Want to see what students are up to in the community? Register for the conference now: https://www.htciaconference.org/registration.html

Image: carmichaellibrary via Flickr


International investigations: Digital forensics and social media

July 8, 2011

Several of our lectures this year will discuss international issues with high tech crime investigations. Among the presentations: a joint talk on Tuesday, Sept. 13 about international social media investigation, from members Cynthia Navarro and Andres Velazquez; and on Wednesday, a Latin American perspective on digital forensics from Andres Velazquez.

A Latin American perspective on digital forensics

Velazquez, a Mexican digital forensics expert who built the country’s first private digital forensics labs through his company MaTTica, says one of the key differences between the United States and Latin American countries is the legal system structures. “US judges rely mainly on precedent, but in Latin America, judges rely solely on codes,” he explains. “So, if the defendant’s conduct does not meet the law’s requirements, it won’t be a felony.”

For example, a denial of service attack does not qualify as a felony. Nor does identity theft, or theft of other data, because the codes are based on physical robbery — the theft of tangible items. “A robbery charge depends on the absence of goods,” Velazquez explains, “but when the data is still there, according to the law, how can it have been stolen?”

In addition, civil or tort laws’ requirements are difficult to meet because none of the laws cover e-discovery, so examinations as US investigators understand them are not possible. And although a law in Mexico was passed last year that covers privacy of personal information, legislators have yet to approve guidelines, so investigators still face difficulty in this area.

Meanwhile, because many Internet service providers are headquartered in the US, Latin American investigators face difficulties with getting data because of international agreements. “Currently, we have to get a court order through our Exterior Relationships Secretary [comparable to the US Secretary of State],” Velazquez explains. “That has to go through the embassy, then through the US federal government, to the state, and then finally to the company. By the time the process is complete, it can be up to two years, and then the data we needed are gone.”

Agreements similar to the Budapest Open Access Agreement would help, but even at that, few Latin American attorneys and judges understand computers. Velazquez recalls a search he coordinated in which investigators seized only keyboards and monitors — but not the actual computers. Part of his mission is to educate and assist law enforcement and other investigators in the region.

Yet decisions continue to be made by the very judges who don’t understand computers, and to whom investigators have no access. The answer: for investigators to find a way to be in what Velazquez terms “unofficial contact” to start meeting needs, such as collecting forensic images with which forensic examiners can practice, or working with vendors to obtain metadata if not content.

Investigation mechanics from across the world

Until the laws sort themselves out, investigators are left with doing the best they can with what they have. Fortunately, although investigations are never “easy,” certain tools — among them social media — make the task easier than it was even a few years ago.

Cynthia Navarro, a California-based private investigator who will be co-presenting with Velazquez on social tools, says: “I have always said that with the internet we have no boundaries…. I have a project to watch how the narco in Mexico is affecting a specific town (and the surrounding towns.) It’s been easy, their mayor uses Twitter to warn the townspeople of street closures due to shootings, murders and rival gang takeovers. Then they tweet when things are back to normal. This is the most up to date tracking anyone could ask for!”

Because social networking is for the most part publicly available, investigators deal with few legal issues. Navarro says she has encountered few cultural conflicts, and as for language barriers, “Thank God for Google Translate!” she says. “While it is not a perfect translation, you can get the gist of what is being said. I have used it for Spanish, German, Chinese, and Vietnamese with great success.”

Perhaps surprisingly, Facebook is the #1 resource for online investigators not just in the US, but overall, thanks to its widespread adoption in Europe as well as in Asia. Orkut is #2, says Navarro (due largely to its overwhelming popularity in Brazil), followed by Qzone and then Twitter. V Kontakte and LiveJournal are the most popular in Russia; a network called Hi5 attracts the most users from Thailand, Romania, Peru and Portugal, while Lide draws Czech users. Other countries have their own preferred social networking sites.

“For other countries, censorship and blocking can be a problem,” says Navarro. “I’ve heard that Zing is #1 for Vietnam because some Vietnamese ISPs have blocked it.” Other countries that block content: China, Uganda, Egypt, Iran, Saudi Arabia, and the United Arab Emirates.

Navarro adds that between investigation and teaching, the quality she appreciates most is learning. “Teaching to me is learning, we have to keep up in order to teach effectively,” she explains. “I am [also] lucky enough that there are always different things I investigate so I don’t get stuck on the same thing day in and day out.”

Interested in hearing what Andres and Cynthia will have to say, along with our other presentations on international perspectives? Join us in Indian Wells and register here: https://www.htciaconference.org/registration.html

Image: caruba via Flickr


Learning about solid state drives: 2 perspectives

July 6, 2011

In Indian Wells come September, our Cyber Investigations/Forensics lecture track will feature two presentations on the next major trend in data storage: solid state drives, which are much more like memory than they are like conventional hard drives, and therefore much more volatile for forensic examiners.

On Monday, Sept. 12, James Wiebe of CRU-DataPort/WiebeTech (Bronze sponsor of the conference along with the 1st annual HTCIA Golf Classic) will present “Solid State Storage for Forensic Investigators.” The following day, Scott Moulton of My Hard Drive Died, LLC will present “Solid State Drives & How They Work for Data Recovery & Forensics.” We talked a little with James and Scott about their presentations and what examiners can expect:

HTCIA: How is a SSD physically different from a hard drive, and what does this mean for forensics?

JW: SSD uses silicon chips (integrated circuits) and is neither organized nor erased like conventional rotating media. As a result, investigators have new challenges in obtaining information (evidence) from SSDs.

SM: The main difference between a USB thumbdrive and a Solid State Disk (actually they are both Solid State Disks, but the term has lost some of its meaning, like “Gateway” and “Router” have) is that a thumbdrive is a host based device, meaning that it uses your CPU, whereas a SSD has its own processor.

There are many smaller differences, such as where the responsibility lies for doing management functions. The SSD drive is responsible for processing this data with only power applied, and since it has a processor it can; however, a USB thumbdrive can’t, because it requires your host processor to accomplish the task. For forensics, this has a great impact on how data is handled, because the SSD can start running software routines on the data when only power is applied.

HTCIA to JW: What is the advantage of a SSD over conventional platters? What are the disadvantages?

JW: SSD advantages include fast start, because the drive doesn’t have to spin up, and fast random access, because there is no physical search across the drive. Parallel reads and writes are possible. There are no moving parts, so it’s silent and doesn’t consume as much power. SSDs have immunity from both shock and magnetics, and they are much smaller than conventional hard drives.

Disadvantages are more complicated. The cells have a limited lifetime, so special file systems or firmware designs can mitigate this problem by spreading writes over the entire device, called wear leveling. However, this process introduces its own issues. Wear leveling on flash SSD has encryption implications, and causes fragmentation; defragmentation is harmful because it causes additional use of the drive, wearing it out with no benefit. And for forensic exams, wear leveled sectors are outside of accessible space.

Aside from issues with wear leveling, secure wipe is difficult or impossible on flash SSD. SSDs present significant asymmetric read and write performance. SATA SSDs have writing slowness amplification, because of large block sizes. Extra commands (e.g., TRIM) require additional OS overhead for best support. And SSDs are expensive.

HTCIA: Mobile forensic examiners are using “chip off” techniques to recover data from NAND solid state memory. Will this technique become common as more SSDs are adopted for PCs as well?

JW: Probably!

SM: Removing NAND chips to recover the data, I believe, will become much more complex as we continue forward. I am already seeing a large number of chips starting to use encryption to store the data on the NAND.

It is more likely in the future that we will “convince” certain companies to add diagnostic functions to allow us to read raw data. Currently, since SSDs are in their infancy, we are running into a lot of “intellectual property” issues, which might diminish over time as several companies become the winners in the industry. [At that point] they will improve their techniques, allowing better results for higher end devices, giving access to the raw data.

[At this time] none of this is really possible, but I am doubtful we will be able to continue using the RAW read techniques in the future we are using now [owing to the wear leveling process described above].

I also think it is more likely that cell phones will start using more of the SSD technology.

HTCIA: What do you project as being the timeframe for widespread adoption?

JW: I expect to see SSDs in widespread use in almost all portable computing products within the next 18 months.

SM: I think that SSDs will take over all mobile platforms over the next two years. I think that desktops and servers will remain mostly the way they are, with little change in the direction of SSDs. It makes sense that SSDs will move more towards complete laptop domination, just due to their resilience to the movement that often damages laptop drives.

HTCIA: What is the best way for forensic examiners to prepare for these eventualities?

JW: Why, by attending my lecture, of course! 🙂 One big theme is that forensic examiners need to have the understanding that SSDs are far more easily erased than rotating media: Plan on acquisition quickly.

SM: My data recovery class is a great way for forensic examiners to prepare, but in addition to that I think that forensic teams will need to focus more on electronics and soldering techniques for future repairs and data collection. It is becoming very common to have to solder or desolder devices in order to repair or collect data from these devices.

HTCIA to SM: Your perspective is as a data recovery expert. Will computer forensic examiners need to take more of a “recovery” approach to data than “forensic,” as they do with mobile devices? Will this mean challenges to describe their methodology in court?

SM: I think that a forensic examiner can be greatly enhanced by understanding the media, not only for acquiring the data, but for explaining it in court. I hear a number of times how much they think they know about the media, and often they are surprised when I start talking about items such as firmware and bad block tables and how they work. These devices are completely misunderstood.

A second important fact is that most forensics begins with good data; however, without getting any data you have no case at all. Being able to acquire that data is extremely important or you are limiting your job in the future.

One example I can state is about all those forensic imaging software packages. FTK Imager or Encase will pad bad blocks with 0’s, but in data recovery we can often acquire some — if not all — of the content from a bad sector. Instead of having 0’s, we will get a more accurate image than forensic packages do.

It is very important to understand what a long read is, or what [error correction codes] do to the sector in order to get and use that data, but our result is much better than the current forensic tools that acquire images. Not understanding data recovery and relying on forensic only means puts forensic investigators at a distinct disadvantage.

As for the challenges in actual court cases, the truth of the matter is that anything we are describing is very difficult and I find that most of the time much of what we are doing will not be included in a case due to the complexity. Lawyers have often looked at the data, and the investigation components that point to how something occurred, but they will eliminate the items they think are too complex, only using the finest picture they can develop to be less confusing to make their case.
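As an added illustration of the wear-leveling point both James and Scott make above (this is a constructed toy, not part of the interview and not any vendor’s controller logic): a Python flash translation layer in which a logically overwritten sector leaves its old contents in a physical page that no read through the drive interface can reach, and in which the controller’s own garbage collection erases that remnant with nothing but power applied. The sector number and contents are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ToySSD:
    """Toy flash translation layer (constructed simplification, not vendor logic)."""
    num_pages: int
    pages: List[Optional[bytes]] = field(init=False)   # physical NAND pages
    free: List[int] = field(init=False)                # erased pages available for writes
    l2p: Dict[int, int] = field(default_factory=dict)  # logical sector -> physical page

    def __post_init__(self) -> None:
        self.pages = [None] * self.num_pages
        self.free = list(range(self.num_pages))

    def write(self, lba: int, data: bytes) -> int:
        """Wear leveling: data goes to a fresh page; the old page is only unmapped."""
        if not self.free:
            raise RuntimeError("no free pages; garbage collection needed")
        page = self.free.pop(0)
        self.pages[page] = data
        self.l2p[lba] = page
        return page

    def read(self, lba: int) -> Optional[bytes]:
        """What an imager sees through the drive interface: mapped pages only."""
        page = self.l2p.get(lba)
        return None if page is None else self.pages[page]

    def stale_pages(self) -> List[int]:
        """Unmapped but not yet erased: outside accessible space, still on the NAND."""
        live = set(self.l2p.values())
        return [p for p, d in enumerate(self.pages) if d is not None and p not in live]

    def garbage_collect(self) -> int:
        """What the controller may do on its own with only power applied."""
        stale = self.stale_pages()
        for p in stale:
            self.pages[p] = None
            self.free.append(p)
        return len(stale)


def demo() -> dict:
    ssd = ToySSD(num_pages=4)                 # constructed 4-page device
    ssd.write(7, b"evidence v1")              # constructed sector 7, first version
    ssd.write(7, b"evidence v2")              # host overwrites the same sector
    before = [ssd.pages[p] for p in ssd.stale_pages()]  # old version still on NAND
    erased = ssd.garbage_collect()                      # firmware erases it unasked
    return {"visible": ssd.read(7), "before": before, "erased": erased,
            "after": [ssd.pages[p] for p in ssd.stale_pages()]}
```

The remnant in `before` is what a chip-off read could still recover and what a logical image never contains; once `garbage_collect` has run, neither method gets it back, which is the reason to image early.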

Thanks to both James Wiebe and Scott Moulton for your insights — we look forward to seeing your presentations in Indian Wells this coming September! Readers, to attend these lectures, please register for the conference here: https://www.htciaconference.org/registration.html

Image: Andres Rueda via Flickr


Going to ADUC? See you there!

May 5, 2011

Our Platinum Star Supporter AccessData has sponsored our international conference and our members for years, including this coming year. This year, we’re pleased to support them back.

Our SoCal Chapter President, Chris Curran, and SoCal member Dave McCain will be staffing our booth at the AccessData Users’ Conference (ADUC), running May 15-18 in Las Vegas. Focused on three hands-on lab tracks – eDiscovery; cyber security, incident response, and forensics; and a legal review – ADUC will also provide a “Hot Topics” lecture and discussion track.

“We are there to branch out and attract individuals who are not members to our organization,” says Curran. “And there is no better company to pair with than one of the preeminent forensic software manufacturers. A company that is always at the forefront of finding the best, most effective ways to access data, conduct analysis, and report on it – keys for any forensic examiner.”

For $400, conference attendees will have their pick of a wide variety of tracked topics, in addition to meals and snacks, exhibit hall access, and of course the ACE or SCE preparatory workshop and certification exam. Guest speakers include the Honorable Judge Bill Riley, Chief Judge of the 8th Circuit Court of Appeals; Steve Williams of Cox Communications; Barry Murphy of eDiscovery Journal; Jesse Kornblum and Mike Viscuso of Kyrus Technology Corp.; and many others.

To register, visit www.accessdata.com/aduc; if you’re already registered, please look for our booth once you’re there!


Is your expertise a good fit for our conference?

April 13, 2011

It’s not too late to submit a proposal to speak at our conference! Recent blog posts have told you about the topics we seek, and also helped you justify speaking to your employer.

However, we also know that sometimes it can be a challenge to come up with good proposals. What if it looks too much like someone else’s? How much training on iPhone analysis do cell phone examiners really need? Hasn’t “the cloud” been done to death?

Here are a few tips to help you approach your proposal from another angle:

– Tell a story. Did you devise a particular methodology around a hard-to-capture piece of digital evidence? Develop an incident response strategy that saved your client time and/or money? Explaining how you solved a problem is not something that can be easily duplicated.

– What topics are being overlooked? Whether there are important aspects about iPhones, the cloud, cyber bullying, or other “hot” topics that the industry is missing out on, or other issues that get no play at all, tell us about them – and why your point of view is necessary.

– What lessons did you learn about practical, logistical issues like case management, reporting and documentation, training, court testimony, etc. that you want other investigators to know before they face the same issues?

– Talk about your relationships with other investigative professionals. Did you work together with an internal team, outside consultant, or task force to stop a threat or build a strong case? Tell us how you did it, and how we might do the same.

– What trends have you noticed in your region that may be applicable to others in your country and the world at large?

– Do you have a specialty that most other investigators don’t encounter, but should understand before they encounter it? Examples: printers and copiers, GPS devices, vehicles’ black boxes, digital video or images…

– What do people come to you for help with?

In short: don’t think so much about the topic, but rather the problems you can help other investigators solve. We look forward to seeing your proposal!

Jimmy Garcia
2011 Program Chair
jrgarcia@da.lacounty.gov