January HTCIA news and events

Before we run down the list of January chapter events, we’d like to draw your attention to two new chapter website redesigns. HTCIA Asia-Pacific will contain all-new and updated content, having migrated from the old htcia.org.hk. Visit President Frank Law’s blog post to read more details, and be sure to follow HTCIA-APAC in its various social site locations!

Meanwhile, our Midwest chapter is building out its site with new content weekly, including Tips of the Week, listings of forensic tools, and of course updates on chapter meetings and events.

Visit the new sites, subscribe to their RSS feeds and learn from what they offer!

Upcoming January HTCIA meetings

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got two upcoming special events as well as regular chapter meetings this month. Where available, we’ve posted meeting details; if none are available, we encourage you to visit the chapter website (linked below) and get in touch with the officers to learn more.

January 11

HTCIA Atlantic Canada Chapter Meeting, 5:30pm – 7:30pm. Eric Jones of Absolute Software (maker of LoJack and Computrace computer tracking software) will be focusing on the use of these tools for geolocation, forensics, and law enforcement.

The Atlantic Canada chapter meets in two physical locations:

• Fredericton New Brunswick at 64 Allison Blvd.
• Dartmouth Nova Scotia, 45 Alderney Dr.

There’s also a telephone conference line and a WebEx conference for those who can’t make it to the physical locations. Contact the chapter for more information!

January 12

Atlanta HTCIA will be holding Log2Timeline open source tool training from 11:30AM – 1:00PM at American InterContinental University’s Dunwoody, GA campus. Log2Timeline is used to create a “SuperTimeline” to help determine the sequence of events based on logs and artifacts found in a forensic image of a Windows based system.

Speaker Rodger Wille has been working incident response and forensics within the Federal Government for over 10 years.  Rodger is currently the Digital Forensic Services Team lead for a Federal Agency based in Atlanta, where he is responsible for conducting digital forensic and malware analysis in response to computer intrusions and malware incidents.

January 13

Texas Gulf Coast HTCIA will be holding an “overview” type meeting from 1:00 PM – 3:00 PM (following an 11:30 a.m. social networking lunch at JAX Grill) at the United Way Community Resource Center. This meeting will focus on the meetings for 2012 and will include possible topics, speakers and training session(s). Please come with lots of ideas!

January 17

San Diego HTCIA is teaming with the city’s Information Systems Security Association (ISSA) chapter this month! Between 11:30 – 1:00 PM PST at the Admiral Baker Clubhouse, Mr. Robert Capp II, Senior Manager of Trust and Safety at StubHub, will be presenting on the results of an online fraud investigation against StubHub. Learn the limitations of traditional investigative methods for international crimes and how StubHub overcame these limitation to work effectively with various international law enforcement to arrest the criminals and seriously reduce company fraud.

Ottawa HTCIA will be meeting from 5:30-7:30 p.m. Their meetings are held in Russell’s Lounge at the Ottawa Police Association, 141 Catherine Street, Ottawa, Ontario.

Central Valley (CA) HTCIA will be meeting at 11:30 a.m. at 250 E Hackett Road, Room 152 in Modesto. Lunch will be provided, and the topics for the day include chapter goals for 2012, and interpreting hex code.

January 18

Florida HTCIA welcomes speaker Randall Huff, Security Director of TLO.com, from 9:00-11:00 a.m. at the IRS-Criminal Investigation 7850 SW 6th Court, Plantation, FL. Mr. Huff will be speaking on TLO as an organization, TLOxp used by and available to law enforcement as well as other tools developed by the the inventor of Autotrack and ACCURINT.

Michigan HTCIA will be meeting the same day at 10:00 AM at the Walsh College Novi Campus room #511. The presentation will be an overview of using social networks as an investigative tool. HTCIA members Mr. Steffan Gaydos and Wayne County Sheriff Deputy Erin Diamond will present issues affecting law enforcement, as well as private sector investigations. The presentation will conclude with a discussion on tools and methodologies for collecting online evidence.

January 19

DFIROnline, run by HTCIA member Mike Wilkinson of our New England chapter (though separately from chapter meetings), is a virtual meeting that brings together digital forensics and incident response professionals from all locations and all disciplines. Beginning at 2000 and running for about an hour, this month’s meeting will feature Harlan Carvey looking at malware detection on an acquired image and Eric Huber covering APTs.

January 20

Washington state HTCIA will offer a presentation on managing incident response investigations, given by Michael Panico of Stroz Friedberg, from 10:00 AM-12:00 PM.

January 26

Ontario HTCIA will be at the Toronto Police College 7 – 9 p.m.

Special Training Events: Atlanta, GA & Los Angeles, CA

On January 27, 2011, Atlanta HTCIA will be offering a special presentation on Understanding and Investigating Microsoft Volume Shadow Copy. This event will run from 10:00AM – 2:00PM; Christopher L. T. Brown, CISSP and the founder and CTO of Technology Pathways, will be presenting.

Field investigators often need to find information fast in the field.  Recovering deleted files and performing advanced searches are often time consuming and thus prohibitive for field investigators.  Both live system triage and analysis of off line images containing Microsoft VSC “Volume Shadow Copy” snapshots can often net a wealth of information to investigators who know how to process it.

Learn more and register at the Atlanta HTCIA chapter website!

February 6-11: SANS COINS is coming to Los Angeles! Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations-Windows In-Depth will be in sunny Los Angeles, CA February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 will include a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs.

HTCIA members can save an additional 10% off tuition when you enter Discount Code “COINS10” Register now!

Rob Lee’s Super Timeline Analysis: A joint HTCIA/SANS COINS webcast

We are very pleased to announce a new joint event between us and and SANS’ Community of Interest for Network Security (COINS): a one-hour webcast on Super Timeline Analysis featuring Rob Lee! The webcast, part of SANS’ complimentary series, will expand on the lab material Rob presented in Indian Wells, delivering an exciting and valuable webcast both for those who attended the labs as well as those who were unable to attend.

Over the past year investigators have started to use timeline analysis to help solve challenging cases.  Learn how to create and analyze automatic file system and artifact timelines during incident response and criminal investigations.

There is no cost to attend this event, but you do need to register at: https://www.sans.org/webcasts/htcia-coins-pleased-present-super-timeline-analysis-94739

Webcast Details

Date:           Wednesday, October 26, 2011

Time:           8:00pm – 10:00pm (EDT)

Title:            Super Timeline Analysis

Featuring:  Rob Lee, SANS Faculty Fellow

For complete details and to register, please visit: https://www.sans.org/webcasts/htcia-coins-pleased-present-super-timeline-analysis-94739

For more information on the webcast contact Andrea Hogan: ahogan@sans.org.

Learning from the next generation: Student research at #HTCIACon

Jon Ford describes his Virtual Desktop research

Before the HTCIA conference, we blogged about a new style of presentation: student poster presentations, which would give graduate and undergraduate college students the chance to talk to professionals about their research.

Six students were on hand in Indian Wells, presenting on a wide range of topics from information security to law enforcement volunteer jobs:

Infosec and e-government

Tim Perez is a doctoral student at Dakota State University and is working on a dissertation entitled “E-Government Security Concerns for Municipal Government Entities.” Having worked for eight years as an information technologist for a local law enforcement agency, Perez sees that communities with small budgets and few regulatory requirements tend to focus less on security.

However, measures like online bill pay, which increase both efficiency and convenience, make security necessary because they deal with personally identifiable information. Perez’ research focuses on how to communicate these issues in a way that municipal managers will understand.

Learning incident response by doing

Another project that brought together law enforcement, security, and education was a Cal Poly Pomona Senior Project. Chris Curran, at the time a college professor and SoCal HTCIA Chapter President, approached students to design an entire scenario, from players to the crime to the resulting analysis.  The completed project would then be used as a final exam for other forensic students.

Student Steve Gabriel came up with the scenario involving a fictional disgruntled university IT employee, who had “stolen” critical source code and hidden it in a System 33 file when he went to a new job. Gabriel utilized multiple web browsers, along with Trillian instant-messaging and Outlook email software. Several other students played the other fictional roles, communicating and using digital media that was later imaged and provided as “suspect” evidence.

To find the evidence and create an answer key for Curran, Gabriel and the others used FTK, EnCase, AccessData’s Registry Viewer, and a SQLite database viewer. Gabriel said the project received good feedback for being an incident response-type case with multiple exploit layers and 25 gigabytes of evidence.

Security vs. performance with supercomputing

On the preventive side of network security was work that Cal State-San Bernardino students Kyle Sandoval, David Warner and Estevan Trujillo had done for the 2011 Computer System, Cluster and Networking Summer Institute at Los Alamos National Laboratories. Their research broke ground on the cost of deploying firewalls on each node of a supercomputing cluster, rather than on the 4,000-node cluster as a whole.

The reason: security measures should always be installed on each separate computer, but supercomputers are so expensive to power that even a five percent drop in computational performance – such as what a firewall might result in – can exponentially add to their cost.

Thus in their project, Sandoval, Warner and Trujillo used a Linux cluster and created multiple IPTables rule sets. They used these to run a series of benchmarking tools that measured bandwidth, latency, and MPI job performance. They wanted to determine what performance implications IPTables firewall had on a cluster.

With just 10 test machines and a 6-week period, the research concluded simply that more research was needed – and the students anticipate that the lab will continue their work.

Virtualization for mobile device management

Jonathan Ford is a student at Cal State University and a volunteer for a nearby sheriff’s department, which was starting to provide official-use iPads to its officers. A number of issues presented themselves with that initiative:

First, the iPads’ remote access to a virtual machine would work for 10 to 20 users, but large numbers – the kind that would be seen on an average shift – made the virtual machine unstable and caused it to crash. Second, different users would need different levels of access to records depending on their role. Finally, to minimize the risk from vulnerabilities – not just on iPads, but also on the other 3,000 or so disparate devices in use – the agency needed a way to manage a variety of operating systems, software and users.

Ford’s answer: a Virtual Desktop, which would save both time and money by enabling:

• upgrades and patches to occur just once rather than for each system
• data to be stored on a server
• administrators to keep a list of which users had access to which software applications

The second part of Ford’s research shows law enforcement agencies the benefits of integrating academic research into their everyday operations. “Many agencies cannot hire full-time employees, but they still need support with computer forensics and security – the fields students want experience in,” he says. “Writing grants for research means each can get what they need.”

How law enforcement can benefit from student volunteers

Cal State-Sacramento student Alex Krepelka had earned a GCFA and wanted to use it. But he didn’t just stop at volunteering for the Butte County District Attorney’s Office – he turned it into research, the better with which to help law enforcement develop their own computer forensics and security volunteer programs.

Krepelka thinks it would help if agencies could fall back on a set of national standards for forensic investigations that will go to trial – from county to county, some agencies allow for volunteers while others do not, but many agencies have backlogs of hundreds of cases. He also thinks that if students knew they could get valuable real-world experience from organizations that needed their expertise, more would study computer security and forensics.

The value of HTCIA student affiliations

Krepelka believes that organizations like the HTCIA can help – and that’s where the final research project comes in. Austin Pham, a student at Cal Poly Pomona, presented on the Forensic and Security Technology (FAST) organization, HTCIA’s student charter at that school. FAST affords students the opportunity to take workshops on data acquisition, analysis and reporting – as well as on industry standard forensic tools, including EnCase and FTK.

This is thanks to its affiliation with the HTCIA SoCal chapter and the forensic professionals who are members there. “We hold six meetings a quarter and some training workshops throughout the year,” says Pham, “and we always get great turnout.” During the student charter’s first signing, in fact, 25+ students expressed interest in membership, and the organization has grown ever since.

Pham added that he and other FAST students had all volunteered to assist with our conference, because of all that HTCIA had invested in them. They registered participants, directed attendees to lecture and lab rooms, and assisted presenters with equipment and other needs.

All six student presenters told us that they had seen a good amount of foot traffic, which resulted in some good comments and questions – especially those for whom the topics hit home. The feedback will help them validate and refine their research, ultimately making it stronger for the entire community.

Anna Carlin, the instructor who coordinated the presentation, adds that the students themselves benefit in a variety of ways: not just with the ability to conduct more credible research, but also with exposure to the very professionals who are in a position to give them jobs or grants.

Did you meet our students in Indian Wells? Want to see future research presented at our conferences? Leave us a comment and let us know what you think!

Platinum sponsor AccessData: Cross-pollinating with digital forensics, e-discovery and infosec training

No coverage about our conference would be complete without a mention of our longtime Platinum-level sponsor, AccessData. Not only are they holding a one-hour showcase on the latest version of their lab solution, which provides massive distributed processing and a web-based environment for collaborative analysis – they also have a range of diverse topics on digital forensics, information security and e-discovery.

“With the fast changing cyber landscape, more and more forensic examiners find themselves assisting with incident response and litigation support for their employers. Likewise, law enforcement is faced with a growing number of cybercrime cases involving hacking and malware,” says Keith Lockhart, AccessData’s vice president of training. “That’s why we’re providing a good selection of educational content on those topics, specifically geared toward forensic examiners who need this type of continuing education in order to keep up with the ever-changing demands of this industry.”

Social media, Macintosh analysis, decryption and Windows 7

On Monday morning, Sept. 12, AccessData’s Nick Drehel, senior instructor and curriculum manager, and Michael Staggs, senior consulting engineer, will present “The Realities of Investigating Social Media.” This lab will discuss myths in the marketplace and demonstrate the value of network forensics when it comes to a comprehensive social media investigation. Participants will learn what is possible using host analysis solutions versus packet analysis.

Tuesday morning, Drehel will also discuss “Next Generation Decryption,” in which participants will learn how to maximize their chances of success when attacking encrypted files. Attendees will learn best practices, ways to access “low hanging fruit”, and utilize PRTK and the AccessData “Art of War” methodology to recover passwords from files, user logon passwords and Intelliforms decryption.

Chris Sanft, another senior instructor with AccessData, will present two labs on Macintosh analysis and Windows 7 forensics. Sanft’s Mac analysis lab, which will take place Monday afternoon, will focus on using FTK and FTK Imager to examine HFS drive structure to image, examine, and report on Macintosh evidence.

On Wednesday afternoon, Sanft returns for a hands-on presentation about Microsoft Windows 7 operating system artifacts and file system mechanics. He’ll discuss the BitLocker Full Volume Encryption (FVE) technology and the new BitLocker To Go, along with the techniques that should be employed during evidence seizure and acquisition. Students will also review the changes in the Windows 7 registry and recover forensic artifacts from the registry.

E-discovery for forensics examiners, social media, and early case assessment

David Speringo, a senior e-discovery consultant for AccessData, will cover three e-discovery-related topics between Tuesday and Wednesday.

On Tuesday, he’ll present the lectures “What Every Forensic Investigators Should Know about eDiscovery and the Process” and “Social Media and eDiscovery.” The first will discuss e-discovery’s critical requirements which a forensic examiner must understand while getting to know a task that frequently falls outside their comfort zone. Participants are encouraged to ask questions about the nuts and bolts of the electronic discovery process!

“Social Media and eDiscovery,” meanwhile, will explore the need for organizations to have a social media policy in place – and to effect a proper e-discovery plan to capture and secure social media interactions over the network. Speringo will take participants through a discussion of policy creation, usage and those technologies which can facilitate either the collection or preservation of data, as well as the analysis of that data.

Wednesday’s lab, “Early Data Assessment and Early Case Assessment,” will teach participants how to quickly sort and filter through data before it goes into final review, making it easier for a legal team to determine probabilities of success for either a defense or settlement for a given piece of litigation. The lab will take the user through a case study using AccessData’s ECA software to analyze metrics, keywords, and file categorization.

Memory analysis, man-in-the-middle attacks, and handling advanced exploits

Rounding out AccessData’s labs will be three presentations on information security topics. On Monday, AD’s director of forensics training Ken Warren and NCFI network forensics instructor Rob Andrews will cover memory analysis fundamentals, including options for memory capture both in the field and in the lab. They’ll look at the artifacts that can be easily parsed from memory, along with techniques for searching memory and even retrieving graphics, unencrypted versions of text, passwords and more.

Warren and Andrews will return on Tuesday to present “Hands-On Hacking Investigation: Man in the Middle Attack,” which is a type of attack brought against unsuspecting users under many different situations. Warren and Andrews will discuss the techniques used to investigate this type of breach and discover the artifacts left behind after the attack.

On Wednesday morning, Michael Staggs and senior global security engineer Tom Wong will talk about “New Technology for the Improved Handling of Advanced Exploits.” In this session, attendees will learn about technological advancements that dramatically enhance an organization’s ability to detect, analyze and remediate threats. They will see how the integration of host analysis, network analysis and data auditing will arm organizations to better handle network exploits, data theft or even HR policy violations.

AccessData tools presentations

On Monday evening, Nick Drehel will return for a Happy Hour FTK Transition Workstation. The objective of this lecture-only presentation is to introduce attendees to the AccessData Forensic Toolkit 4.0 software. The lecture will cover the new enhancements to the program and database, and attendees will get the opportunity to ask questions about the new database.

On Wednesday morning, mobile forensics trainer Lee Reiber will cover extraction techniques for iPhone, iPad and Android devices using Mobile Phone Examiner Plus (MPE+) and FTK. Learn which tools extract the most data logically, and also learn how to physically image an Apple iOS device, including the iPad.

Interested in attending any of these labs? Register now so that you can sign up – seats are going quickly!

Beyond marketing, an explanation of Advanced Persistent Threat

Advanced Persistent Threat is one of the most talked-about topics in the information security field – and one of the least understood. On Tuesday, September 13, Peter Morin – a member of our Atlantic Canada chapter, and conference treasurer – will discuss the anatomy of Advanced Persistent Threats including the various stages of attack, common attack vectors used, and examples of high-value targets (i.e. SCADA).

We asked Peter to elaborate on his topic, as well as to tell us a little more about his HTCIA experiences:

HTCIA: Why did you choose this topic — what about APT is misunderstood or needs better dialogue?

PM: Although attendees may not be with the government or a top secret facility or popular .com website, that they are at risk. It is important that people realize that the threat landscape has changed dramatically over the last couple of years. Attacks are being carried out with very specific goals and for very different reasons than before (i.e. “hacktivism”). We now have to focus more on concepts such as intellectual property theft, disclosure of stolen data by attackers, attacks that may be conducted over a long period of time, the role of malware in APT attacks, etc.

HTCIA: What do you want participants to know or be able to do when they go home?

PM: What are the various attack vectors and phases of a typical APT campaign? What security-related indicators to look for and how to improve the defenses they may already have in place? Also, tips, tools and techniques used in performing incident response related to some of the common attacks being seen today.

HTCIA: What you want to see out of students during the class?

PM: Interaction would really make the class worthwhile. I try not to provide a speech to students or simply read PowerPoint slides; hearing about their experiences, comments, etc. really makes for an enjoyable interactive session.

HTCIA: On a slightly more personal note, what do you enjoy about teaching?

PM: I enjoy the interaction with others, being able to mentor and share experiences and meet interesting people.

HTCIA: You’re volunteering as conference Treasurer as well as webmaster. How do you make time for everything?

PM: I think balancing work, family and volunteering is important. The people that make up the various committees, board, etc are fabulous and well worth the time!

[In general] the HTCIA has always been an important organization for me [because of] the interactions with other forensic and incident response communities. I am not in the law enforcement field, but because of the HTCIA, I am able to interact with members of law enforcement to share experiences, processes, tools, etc. So, when I was asked to return as conference treasurer, I jumped at the chance!

Questions for Peter? Please comment below, or better yet – come see him in person in Indian Wells next month!

Going to ADUC? See you there!

Our Platinum Star Supporter AccessData has sponsored our international conference and our members for years, including this coming year. This year, we’re pleased to support them back.

Our SoCal Chapter President, Chris Curran, and SoCal member Dave McCain will be staffing our booth at the AccessData Users’ Conference (ADUC), running May 15-18 in Las Vegas. Focused on three hands-on lab tracks – eDiscovery; cyber security, incident response, and forensics; and a legal review – ADUC will also provide a “Hot Topics” lecture and discussion track.

“We are there to branch out and attract individuals who are not members to our organization” says Curran. “And there is no better company to pair with than one of the preeminent forensic software manufacturers. A company that is always at the forefront of finding the best, most effective ways to access data, conduct analysis, and report on it – keys for any forensic examiner.”

For $400, conference attendees will have their pick of a wide variety of tracked topics, in addition to meals and snacks, exhibit hall access, and of course the ACE or SCE preparatory workshop and certification exam. Guest speakers include the Honorable Judge Bill Riley, Chief Judge of the 8th Circuit Court of Appeals; Steve Williams of Cox Communications; Barry Murphy of eDiscovery Journal; Jesse Kornblum and Mike Viscuso of Kyrus Technology Corp.; and many others.

To register, visit www.accessdata.com/aduc; if you’re already registered, please look for our booth once you’re there!

Is your expertise a good fit for our conference?

It’s not too late to submit a proposal to speak at our conference! Recent blog posts have told you about the topics we seek, and also helped you justify speaking to your employer.

However, we also know that sometimes it can be a challenge to come up with good proposals. What if it looks too much like someone else’s? How much training on iPhone analysis do cell phone examiners really need? Hasn’t “the cloud” been done to death?

Here are a few tips to help you approach your proposal from another angle:

– Tell a story. Did you devise a particular methodology around a hard-to-capture piece of digital evidence? Develop an incident response strategy that saved your client time and/or money? Explaining how you solved a problem is not something that can be easily duplicated.

– What topics are being overlooked? Whether there are important aspects about iPhones, the cloud, cyber bullying, or other “hot” topics that the industry is missing out on, or other issues that get no play at all, tell us about them – and why your point of view is necessary.

– What lessons did you learn about practical, logistical issues like case management, reporting and documentation, training, court testimony, etc. that you want other investigators to know before they face the same issues?

– Talk about your relationships with other investigative professionals. Did you work together with an internal team, outside consultant, or task force to stop a threat or build a strong case? Tell us how you did it, and how we might do the same.

– What trends have you noticed in your region that may be applicable to others in your country and the world at large?

– Do you have a specialty that most other investigators don’t encounter, but should understand before they encounter it? Examples: printers and copiers, GPS devices, vehicles’ black boxes, digital video or images…

– What do people come to you for help with?

In short: don’t think so much about the topic, but rather the problems you can help other investigators solve. We look forward to seeing your proposal!

Jimmy Garcia
2011 Program Chair
jrgarcia@da.lacounty.gov

Get to know some of our expert speakers!

Our speakers are a diverse lot comprising both HTCIA members and non-members, people from North America as well as overseas, public and private sector, and from various walks therein. Many of them have blogs and podcasts, and we invite you to get to know them before you attend their presentations!

Davi Ottenheimer, a security and PCI expert, blogs at http://www.flyingpenguin.com/ – not just about infosec, but also on a wide variety of topics including energy, food, and sailing. He’ll be presenting “Anatomy of a Breach” on Wednesday, along with “No Patch for Social Engineering” and “Cloud Investigations and Forensics,” both on Monday.

Ondrej Krehel, Identity Theft 911’s information security officer, has a brand-new infosec blog at Credit.com. At the conference, Ondrej will be lecturing on Tuesday about forensic investigations of hacking incidents, which are more complex than often given credit for.

Jeff Carrell, a network systems and security instructor for HP Networking, has designed thousands of systems that are in use all over the world; learn more at http://www.networkconversions.com/. On Monday, Jeff will be teaching Networking 101, a look at network components and how they fit in an overall systems.

Dave Hull, a community instructor with the SANS Institute, editor of the SANS Forensics Blog, and a member of a Fortune 500 Computer Incident Response Team, is well known in the industry. His blog has some interesting discussions about infosec issues and SANS, and you can find him on Twitter too. Hull will be teaching the hands-on Super Timeline Analysis over two sessions on Monday.

Gary Kessler isn’t just a networking and digital forensics genius – he’s also a SCUBA divemaster and critical incident stress debriefing (CISD) team member, among other facets. Find out more at www.garykessler.net. Gary is teaching about TCP/IP protocol analysis as well as cryptography on Tuesday.

Don Jackson, Secure Works’ Counter Threat Unit director, has blogged extensively about malware, cyber attacks, and their impact on global finance. He’ll be lecturing on malware profitability on Wednesday.

Dean Gonsowski, vice president of e-discovery services at Clearwell Systems and a licensed attorney in the states of California and Colorado, contributes to a group blog about e-discovery. He’ll be presenting on Monday about the implications of compliance on e-discovery in the cloud.

Renato Opice Blum will be co-presenting with Cedric Laurant on legal developments and court decisions in Latin America. Cedric blogs about security, privacy, and the law at http://blog.security-breaches.com/ and http://blog.cedriclaurant.org/. Meanwhile, follow Renato on Twitter for related news at twitter.com/opiceblum.

Robert Shullich, who will be presenting Monday on demystifying the Microsoft Extended File System, blogs his research at http://rshullic.wordpress.com/.

Craig Ball, an Austin attorney who is presenting a game show-style “Computer Forensics Jeopardy” (with prizes!) contributes to a group blog on e-discovery, as well as providing many of his writings on his website www.craigball.com.

Marc Goodman of the Cybercrime Research Institute will talk virtual world crimes on Monday, discussing both virtual worlds and multimedia roleplaying games. In addition to his website futurecrimes.com and tweeting at twitter.com/futurecrimes, Marc graciously provided more details about his lecture and his keynote in an interview on our blog – read it here!

If you’re interested in aviation, you might enjoy James Wiebe’s blog. As we noted a little while ago, James will be giving three presentations on encryption, BitLocker, and a history of the use of ciphers for crime fighting.

Also don’t forget our interview with private investigator Cynthia Navarro, who is presenting on social networking and where it fits in an investigation on Wednesday, and with Heather Steele of the Innocent Justice Foundation, whose trainers are presenting several classes on mental health for investigators of child pornography.

Plan to connect with them in Atlanta this month — conference registration closes at midnight on Monday, Sept. 13!

What to Do When You’ve Seized an Apple Product: Bronze Sponsor BlackBag Talks Mac and iPhone Forensics

Any technology’s popularity increases the likelihood that it will be used for illicit purposes. Apple’s mobile devices – the iPhone, iPad and various iPod iterations – are no different. However, because the way they store data is structured differently from other mobile devices, investigators need specialized training to learn how to deal with them.

Enter BlackBag Technologies, specialists in Apple Macintosh forensic tools. We talked with Drew Fahey, director of forensics, Paul Jordan, vice president of corporate development, and Derrick Donnelly, chief technology officer, about the labs they’re offering in Atlanta: “iPhone Analysis: What’s Really in that Backup File, Anyway?” and “Mac Analysis for the Windows Forensic Examiner.”

HTCIA: What level of investigative experience are your classes geared for?

DF: While the classes are available and accessible to all levels of experience, they are ideally suited for experienced Windows forensic examiners who are looking to understand the Mac platform and apply their experience within a new technical context.

HTCIA: What tools and processes will you be covering?

DF: These labs will focus on forensically handling iPhones and iPads. Adoption rates and market penetration of both devices are at levels unseen for previous Mac based software and hardware. As a result these devices are turning up in numerous investigative scenarios and acquisition and analysis requires a different approach then historically applied to simpler cell phones.

PJ: Forensically analyzing an iPhone or iPad is more like traditional computer forensics because these devices’ operating systems and storage capacities are more like a Mac’s than like a cell phone’s. The latest devices run basically a lighter version of OS X. They capture traditional phone data such as call history and SMS, but also capture huge amounts of media, documents, email and other rich data.

DF: Classes will also cover the challenges / opportunities of creating a lawfully sanctioned image as well as how to develop a forced backup file. Instructors will talk to the unique data structures of these devices and show analysis simulations.

HTCIA: Can you talk about the scenarios you’ll be taking students through?

DF: We will be running the students through an intellectual property theft case involving three individuals. All three used iPhones and Mac laptops to commit a theft. We will walk the students through the initial discovery all the way to the arrest.

HTCIA: Your background: how did you get into Mac / iPhone forensics? What do you enjoy most about forensics, and teaching?

DF: I was forced into it 😉 Seriously though, I have been conducting computer forensics for 15 years and over that time I have seen Macs continue to become more prevalent. Using a Mac every day for the last four years it made sense to jump right in and focus on Mac forensics. iPhone forensics was a natural progression as it is just an offshoot of Mac OS X.

The best part about teaching forensics is watching the reaction of students as they learn something new.

HTCIA: What do you like to see from your lab attendees?

DF: Active participation. Looking to discuss real cases and address actual field challenges faced by examiners. Come prepared to share scenarios and learn ways to improve future technique.

HTCIA: How is Mac forensics different from Windows forensics? Why are there so few tools for HFS/HFS+?

DF: Historically the market for Macs has been much smaller and therefore the opportunity to create tools for a large market has not existed. That is slowly changing with record levels of corporate adoption for the iPhone and iPad.

DD: Many companies are buying iPhones or partially paying for employee iPhones. Employees might be getting company e-mail on the iPhones and many companies are starting to use iPads. We have received many calls in the past 6 months of companies needing to do full forensics or e-discovery on company iPhone/iPads, or personal systems where employees have consented to data collections.

SMS, MMS, Twitter, Facebook, MySpace, social networks, e-mail can contain a lot of data that might have evidentary value in civil or criminal cases especially when a group of employees might be communicating via SMS on a specific project.

Also many companies are starting to allow their employees to choose their favorite platform for work (Windows, Mac, Linux, etc…) and Macs can now dual boot with Windows and Mac OS X installed on the same system. People are now starting to do two analysis investigations because both OSs are installed on the same system.

HTCIA: The iPhone is so new that reference to a “history” of forensic processes is kind of funny. 🙂 Talk a little about its evolution?

DF: Like anything else, you have to start somewhere. The iPhone is now in its fourth year and the understanding of the data which exists on iOS devices like the iPhone are still being learned. With each new iteration of the devices and software forensics tools need to adapt.

This is not unlike typical forensics software which have to adept to newer operating systems and programs. The difference is the rate at which iPhone forensics changes.

PJ: Apple’s pace of innovation seems to have set a new standard in the technology industry. They continue to push new devices and features, which creates challenges for investigators who cannot rely on older forensic tools to handle these devices.

It will always take time to react, but we hope that our deep expertise in Mac systems allows us to quickly build tools to properly equip law enforcement to work with these new devices.

Questions for the BlackBag team? Please leave us a comment!