March for HTCIA: Chapter meetings and other notable events

February 29, 2012

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. Our meetings and events this month:

March 1

Ontario HTCIA will be featuring a March Madness Double Bill Event! The first meeting, on March 1, will feature two sets of speakers. First, Robert Ulke and Joseph Pizzo, Account Executives from Guidance Software, will review EnCase 7.0 features and give participants a sneak peek at the upcoming edition of EnCase Enterprise.

Next, chapter officers Eugene Silva and Ben Whittaker will offer their thoughts on the proposed Bill C-30, the Investigating and Preventing Criminal Electronic Communications Act (also known as the ‘lawful access’ legislation or the Online Surveillance Bill, since it would force Internet service providers to collect customer information), from their own perspectives: law enforcement and ISP.

Perhaps a real-life debate will break out, along the lines of the 1970s Point – Counterpoint (as seen on 60 Minutes or as parodied on Saturday Night Live). Audience participation is encouraged! Bring your ideas to Peel Regional Police, 180 Derry Road, Mississauga, Ontario from 7-9pm.

A full day of training will be available from Texas Gulf Coast HTCIA, presenting the US Secret Service Electronic Crimes Task Force (ECTF) Quarterly Meeting from 8:30 AM – 3:00 PM. A special invitation has been extended to members of the HTCIA Texas Gulf Coast Chapter.

Hosted by the Fort Bend County Sheriff’s Office and taking place at the Gus George Academy, 1410 Williams Way, Richmond, TX, this special meeting will introduce the task force members to Fort Bend County, gather information on service needs, initiate mutual contacts between departments and corporate citizens, and provide a unique educational opportunity.

Topics to be presented include cell phone forensics, real-world hack attack case studies, and the ECTF fraud and cybercrime prevention programs. Most important, this will provide an introduction to personnel who can assist in asset forfeiture, cybercrime forensics, and investigations, and foster stronger ties with the Fort Bend County Sheriff, as well as others in the local area.

For more information and to learn how to RSVP, click here.

March 8

From 11:30 AM to 1 PM at American InterContinental University, Atlanta HTCIA presents “Before You Touch that Cell Phone.” Crime scene processing may be second nature to law enforcement, but how do those of us in the private sector respond to and handle an incident that might later result in criminal charges? Are we using a standard of care during incident response involving electronic devices that could later stand up in court? This presentation will cover the proper processing of electronic devices, including DNA and latent fingerprints.

Speaker Michael Barker, president of C4 Group, Inc. and Atlanta chapter president, is licensed by the State of Georgia as a Private Investigator and PI Classroom and Firearm Instructor. He holds a number of computer certifications including the CISSP, CISA and A+. He is currently completing a Masters in Information Security through the University of Fairfax.

March 9

The following week, the Texas Gulf Coast chapter will also host its regular meeting at the United Way Community Resource Center, 50 Waugh at Feagan (near Waugh and Memorial). Speaker and topic TBA; the meeting will run from 1:00 – 3:00 PM, with a networking lunch at JAX Grill starting at 11:30 AM.

March 13

Ottawa HTCIA will present “The Wonderful World of Microsoft Computer Registry Analysis” at Russell’s Lounge at the Ottawa Police Association. Greg Bembridge, a Senior Computer Forensic Instructor with the Technological Crime Learning Institute (Canadian Police College, Ottawa), will be speaking on the “gold mine” of forensic information found within registry files: software programs which have since been deleted, externally connected devices, wireless networks that were used, firewall exception rules in place, and much, much more.

The meeting, which runs from 5:30 – 7:30 PM at 141 Catherine St. in Ottawa, will include a cash bar and grill. Members come free (cost is included in your annual dues); non-members may register for $15.00. To register, visit the event on the web site.

Southern California HTCIA will offer David Nardoni speaking about memory forensics. In this hands-on lab, we will cover the basics of live memory collection and its importance during an investigation, especially involving malware. Attendees will explore the differences between memory collection and analysis tools. In addition, this lab will cover basic malware triage, tips and tricks, and pitfalls. The meeting will take place from 8:30 – 11:00 AM at the USSS Los Angeles Electronic Crimes Task Force, 725 South Figueroa Street – Suite 1300 (Ernst & Young Building, 13th Floor). Please RSVP to socalhtcia@gmail.com.

March 14

HTCIA Asia-Pacific is hosting a special evening event in Singapore! As a part of our ongoing collaboration with SANS, HTCIA members are welcome to join the following interesting and informative presentation: SANS-HTCIA Community Night Presentation: Introduction to Windows Memory Analysis by Chad Tilbury, SANS Certified Instructor. From 6:30 – 7:30 PM at the Grand Copthorne Waterfront Hotel.

Mid-Atlantic HTCIA’s meeting will see two speakers. Mark Morgan from Guidance Software will discuss the EnCase Enterprise Cyber Security Module & EnCase Command Center, including hardware requirements, webserver API function, and integration with ArcSight and other IDS tools.

Following his talk, Amanda Thompson, a GWU graduate student employed at the Department of Homeland Security, will present her analysis of how the Microsoft Windows 8 operating system, which is set to be released later this calendar year, will differ from previous versions of Windows. Based on research using the Windows 8 Developers Preview Edition, Thompson will talk about the noticeable differences within the file system (NTFS), where user data resides (such as My Documents, etc.), and the Windows Registry (Microsoft, 2012).

The meeting will run from 9:00 AM to 12 noon at the Department of Education, 550 12th Street S.W. in Washington DC.

March 15

Member Mike Wilkinson’s #DFIROnline virtual meetup will feature Hal Pomeranz speaking on Linux forensics for non-Linux users, and Corey Harrell on ripping volume shadow copies — tracking user activity. Access the meetings via WriteBlocked.org, and follow along on Twitter if you have an account!

March 16

Northeast HTCIA will hold an all-day meeting from 9:00AM-3:00PM at Pace University’s Butcher Suite, 861 Bedford Road, Pleasantville, NY. Speaker and topic TBA.

Washington HTCIA’s monthly meeting, also with speaker and topic TBA, will take place from 10 AM to noon at the Edmonds Community College main campus, Snohomish Hall, room 123.

March 20

San Diego HTCIA presents a LIVE WiFi hacking demonstration setup, with data gathering; a WiFi forensics presentation; and a WiFi Q&A, complete with luncheon. Starting at 11:00 AM, Gerry Brown, CISSP and the chapter treasurer, will begin with a live WiFi hacking demo. Lunch (free for all current members, $20 for guests, and $45 for new members with completed HTCIA membership forms) will be served from 11:30 to 12:00 PM; then, Glenn Jacobs, a Senior Information Assurance Engineer at JTT and chapter president, will give a presentation on WiFi forensics. The afternoon’s activities will end with a Q&A.

The meeting is located at the Admiral Baker Clubhouse, 2400 Admiral Baker Drive in San Diego. HTCIA members are welcome to attend the chapter board meeting beginning at 10:00 AM. If you’ll be joining the meeting, please RSVP ASAP to treasurer@htcia-sd.org!

March 21

Michigan HTCIA presents Mobile Device Forensics: A Case Study of Cell Phone Evidence Recovered in a Homicide Investigation, presented by Detective Wade Higgason of the Livonia Police Department. Det. Higgason has examined more than 700 cellular telephones and more than 170 computers since 2005, when he was assigned to the Michigan ICAC Task Force for foreign, federal, state and local police agencies. The meeting will take place at 10:00 AM at University of Detroit Mercy – McNichols Campus. Click here to RSVP and register for the event.

March 29

Ontario HTCIA’s March Madness continues with BlueBear and their flagship product called LACE (“Law Enforcement Against Child Exploitation”) and Mr. Robert Beggs of Digital Defence, who will update our membership on the latest trends in how criminals are making money on the Internet.


Platinum sponsor Cellebrite: Labs on mobile forensics best practices, and the latest tools

August 16, 2011

Do you know how that cell phone in your hand actually works? If not, how do you know your mobile forensic tool will get the data you expect? How about that iPhone or Android — do you know what’s really involved with a physical acquisition on these devices?

Cellebrite will be offering multiple mobile forensic labs, both on its own and in conjunction with training partner Sumuri Forensics, on these topics and more. We talked with instructors Keith Daniels, Ronen Engler, and Steve Whalen about what they’ll be offering in September:

Best Practices in Mobile Forensics

One of the most misunderstood aspects of mobile forensics, according to Cellebrite director of training Keith Daniels, is the need for investigators to understand the device from which they’re trying to retrieve data.

“Get the device’s manual from the FCC,” says Daniels. “Log on to an investigative community like [conference Bronze sponsor] Teel Technologies’ Mobile Forensics Central. That’s where investigators talk about phone features and limitations, the hoops you have to jump through to get the phone to communicate with the forensic device.”

Doing so can mean all the difference between getting the correct data in the correct way, and having to take the time to snap photos of each of the phone’s screens. But that’s not all that’s at stake. Daniels points to the Laci Peterson homicide, in which mobile device evidence was crucial.

“Scott Peterson is on Death Row. Fifteen years from now in a new trial, will the original investigators remember case details, or even be available to testify? But if they have the manual, they’ll be able to testify as to what phones could do in 2003, what his particular device was capable of, and why that evidence was relevant to the case.”

Other practices besides knowing the phone:

  • Taking the phone off the network — and understanding the dangers of not doing so.
  • Create the right folder structure. “Some investigators use more than one forensic tool, so the right folder structure will segment the evidence according to the tool that retrieved it,” says Daniels.
  • Thinking outside the box. “The phone can be physical evidence as well as containing digital evidence,” says Daniels, referring to a homicide in which gunshot residue was found on a cell phone.

“Remember,” Daniels adds, “the defense will attack not the evidence itself, but the way it was obtained. Doing your due diligence will elevate your credibility and your position in court.”

Basic and advanced UFED work

Authorized Cellebrite trainer Steve Whalen, Managing Director and co-founder of Sumuri Forensics, will show how the UFED tool puts these best practices to work in his two introductory labs, one each on the UFED and the Physical Pro. “We’ll do a brief overview of each tool and its important features, with examples so that the students can learn hands-on how it all works,” he says.

But the training won’t only be about what buttons to push. Instead, it provides the background of why investigators push those buttons, the way the unit functions and how it applies to forensic methodology.

“So-called ‘push-button’ forensics is not a problem as long as the examiner understands the device’s basic functionality and what it’s doing to perform the extraction,” Whalen says. “It’s not about how hard or easy the tool is to use; tools can be validated. It’s about following the basic forensic principles that everyone should follow.”

In fact, Whalen says, the UFED’s simplicity is a benefit toward this goal. “The basic UFED Logical lab will show how the UFED extracts information from within the device’s filesystem, such as the call logs, and interprets the directory structure.

“The Cellebrite Physical Pro lab will show how the device extracts both the logical filesystem, and the physical data — the bit-for-bit copy including unallocated space on the chip. We’ll also cover the variety of search functions in Physical Analyzer, including regular expressions, predefined search patterns like 7-bit SMS strings, and GREP,” Whalen says.

“Physical Pro simplifies the process of making a physical image of a mobile device, which significantly increases the amount of evidence that can be located,” Whalen adds. “Because Cellebrite takes the time to ensure its tools’ processes are as un-intrusive as possible, more users can acquire physical data without having to resort to non-forensic hacker tools like flasher boxes, which can ruin evidence if used the wrong way.”

What does all this add up to? Time saved, says Whalen, explaining that the UFED is a standalone unit and doesn’t rely on a good or bad installation of forensic software, or whether that software communicates properly with the device. “Debugging a comm port can take time and increases the chance of hair loss as the examiner troubleshoots the device and/or the computer,” he says. “The UFED saves that time.”

A deep dive into iPhone and Android physical extractions

The final block of Cellebrite instruction will be a “deep dive” into physical forensic exams, as students work with iPhones and iPads that have been locked without having to jailbreak the device. Cellebrite engineering product manager Ronen Engler and Daniels will demonstrate the Physical Pro’s password bypass, along with its data parsing capabilities and a newer feature – decoding for encrypted iPhones, including the iPhone 4.

Decoding will also be demonstrated for BlackBerry. “We showed this in June at the Mobile Forensics Conference,” says Engler, “and we will show it again in Indian Wells.” The decoding process is for physical data recovered during the chip-off process.

Finally, students will be able to see dumps of Android devices using four different methods, two of which, says Engler, are unique to Cellebrite. “We’ll also show how to bypass the pattern lock on an Android without modifying the device,” he adds. (These details are covered more in a recent blog post by mobile forensic tool reviewer Christopher Vance.)

And he and Daniels will discuss the ability to dump Chinese knockoff devices. “The UFED supports logical extractions from more than 150 Chinese clones,” says Engler. These include iPhone, Nokia, Motorola, Samsung and LG knockoffs.

Just getting into mobile device examinations, or want to take your exams further into physical extractions? Register for our conference and be eligible to sign up for these labs!


Platinum sponsor MSAB: A full spectrum of mobile forensics labs

July 20, 2011

To provide a fully rounded spectrum of information about mobile device forensics, Platinum sponsor Micro Systemation AB, makers of XRY and XACT, is offering a variety of labs built to be valuable to investigators, not just the company.

Branded content will be presented, of course, from MSAB product specialists Jansen Cohoon and James Eichbaum, along with technical trainer Shaun Sutcliffe. Python scripting labs will support XRY functionality, while Sutcliffe will present a “Mobile Forensics Fundamentals” course designed to teach core processes irrespective of the tools used.

There will also be an XRY-specific lab. “We’re focusing on providing quality training without making infomercials,” says Cohoon. “Of course we’re going to talk about XRY, but our primary interest is to teach methods that will be useful with any tool.”

But Cohoon adds that his experience as a reserve deputy with the Oktibbeha County (Mississippi) Sheriff’s Office led him to want to offer more depth. As a result, MSAB will be offering labs on iOS forensics and Apple’s new iCloud service, as well as labs on Android and GPS forensics. Two other labs will go in-depth with cell site analysis and mapping.

Hands-on Python scripting

Cohoon will be teaching about Python scripting for forensic examiners. Python has been part of XRY since 2009 and is starting to catch on within the investigative community.

“A lot of law enforcement agencies are finding value in having someone on staff who can do scripting, whether writing EnScripts or working with Python, dd and other languages,” Cohoon explains. “Programming isn’t something everyone can do, but Python is popular in university computer science departments because it’s easy and is built in a way that forces good code writing.”

These qualities make it a good tool for forensics. “Scripting brings the investigator to the vendor level,” says Cohoon, “giving more insight into how their tools work and what they do.” And that can only strengthen courtroom testimony as investigators detail the processes they use to obtain evidence. “You’re not changing the data — you’re finding more of it,” Cohoon says.

His beginner-level lab will focus on the Python application, including some existing scripts, what they do and what investigators will see after running them. He’ll also discuss how the scripts and their results relate to XRY, MSAB’s flagship tool.

For example, he says, “You might have a phone that you know a lot of SMS are on, but you’re not getting them even though XRY supports the phone and got the file system. So, you can write an SMS script and program it to add its output to the .xry file, and you get the messages that way.” His advanced scripting lab, meanwhile, will cover writing new scripts as well as modifying existing ones.

iOS, iCloud, Android and GPS

Cohoon will be teaching iOS device and iCloud forensics in another lab. “The OS is constantly evolving, so we’re going to try to make the lab as up-to-date as possible,” he says — possibly even including iOS 5, if it becomes available in enough time to engineer for it.

Meanwhile, iCloud, the service that is slated to replace Apple’s MobileMe remote phone access feature, will carry its own forensic implications. “We’ll be talking about the artifacts, and what is available and important to investigators from the iCloud service,” says Cohoon.

Another lab will focus on Android. “Vendors are just starting to incorporate Android physical acquisitions into their tools, so we want investigators to understand the platform,” says Cohoon. Instructor Eichbaum, formerly a detective with the Stanislaus County (Calif.) Sheriff’s Office, will cover — among other things — rooting and “shell rooting,” which Cohoon explains is like live RAM acquisition. Eichbaum will also be teaching a lab on introductory GPS forensics.

App Overtime

Neither the iOS nor the Android experience would be complete without third-party “apps,” applications that add functionality to the core product. In another lab, Cohoon will discuss the “investigative wealth” within these apps, together with a variety of tools, both free and commercial, that can be used to examine their data.

“Investigators may dump the phone, but they don’t always see what’s in the dump, and they miss evidence,” Cohoon says. “For instance, Apple now strips much of the geolocation data, but many apps still contain it.”

He’ll cover eight or nine popular apps, so that attendees will be able to spot what Cohoon calls “repetitive patterns” as they continue to explore apps on their own. “Apps are all built on SQLite, XML and so on,” he explains, “so those languages underlie whatever investigators turn up in their analyses.”

Cell site analysis and mapping

Rounding out the labs will be basic- and advanced-level courses on cell site analysis and mapping. Jim Cook of Premier Customer Connections, a California wireless consulting firm that is unaffiliated with MSAB, will go more in-depth from his “Cell Phones: the New DNA” lecture. His basic lab will show investigators how to map cell sites, azimuths and call detail record correlations, while his advanced lab will get into real world cases — in which participants will be asked to map, as accurately as possible, cell sites, sectors and call detail as well as SMS records.

Dealing with any of these issues in your law enforcement or corporate investigations? Register for the HTCIA conference today — https://www.htciaconference.org/registration.html


Is your expertise a good fit for our conference?

April 13, 2011

It’s not too late to submit a proposal to speak at our conference! Recent blog posts have told you about the topics we seek, and also helped you justify speaking to your employer.

However, we also know that sometimes it can be a challenge to come up with good proposals. What if it looks too much like someone else’s? How much training on iPhone analysis do cell phone examiners really need? Hasn’t “the cloud” been done to death?

Here are a few tips to help you approach your proposal from another angle:

– Tell a story. Did you devise a particular methodology around a hard-to-capture piece of digital evidence? Develop an incident response strategy that saved your client time and/or money? Explaining how you solved a problem is not something that can be easily duplicated.

– What topics are being overlooked? Whether there are important aspects about iPhones, the cloud, cyber bullying, or other “hot” topics that the industry is missing out on, or other issues that get no play at all, tell us about them – and why your point of view is necessary.

– What lessons did you learn about practical, logistical issues like case management, reporting and documentation, training, court testimony, etc. that you want other investigators to know before they face the same issues?

– Talk about your relationships with other investigative professionals. Did you work together with an internal team, outside consultant, or task force to stop a threat or build a strong case? Tell us how you did it, and how we might do the same.

– What trends have you noticed in your region that may be applicable to others in your country and the world at large?

– Do you have a specialty that most other investigators don’t encounter, but should understand before they encounter it? Examples: printers and copiers, GPS devices, vehicles’ black boxes, digital video or images…

– What do people come to you for help with?

In short: don’t think so much about the topic, but rather the problems you can help other investigators solve. We look forward to seeing your proposal!

Jimmy Garcia
2011 Program Chair
jrgarcia@da.lacounty.gov


Finding the right tools for the job: Mobile Forensics Inc.’s Lee Reiber talks training

September 8, 2010

Teaching two of our cell phone labs in just two weeks is Lee Reiber, owner and lead trainer with Mobile Forensics Inc. One of the pioneers of cell phone forensics – he’s been involved with mobile forensics training since 2005, and bought MFI just as the industry started to take off the following year – Reiber will be presenting two 2-part labs in Atlanta:

  • Cellular phone examination fundamentals using automated tools (with Chris Sanft of AccessData)
  • Beyond the tool! Do you really care? And why you should

Details about these labs are on the MFI blog. Meanwhile, we talked with Reiber a little about his teaching style and also about AccessData’s new MPE+ scheduled to launch at our expo:

HTCIA: What do you like best about training, and why?

LR: I like the interaction as opposed to just standing up there and talking. I like the feeling that after the day or the week is done, I have contributed something to law enforcement. When you have done the research, and you have information to share with a class, and you see the lightbulb come on and students say things like, “I never thought of it that way before!” that is very gratifying.

HTCIA: What do you like to see from your audiences?

LR: Lightheartedness. Enjoy the class, don’t take everything too seriously. This is where interaction makes a class different from a lecture!

In fact, my favorite classes are often those where students are required to be there. They have this “Why am I here?” look on their faces – so I start making fun of them. This is what cops do and what they expect!

I do think I have an advantage from having a background in law enforcement. I was a sworn Boise officer for 15 years, 10 of which I worked in digital forensics, and that perspective – my personal experiences with investigations – helps law enforcement students especially relate to me better.

The key is to get them talking about their own experiences, so that we can all learn from each other. Even so, many times students do not want to talk. Sometimes, like in a foreign country, there’s a language barrier and they’re afraid of saying something the wrong way. Other times, they don’t want to sound stupid.

But I’ve found that treating students with respect and understanding, as peers rather than students, and in a way that shows I’m learning from them too, gets us over that hurdle.

HTCIA: How long have you been an HTCIA member? What do you like best about the organization?

LR: I’ve been a member since about 2004. I like the networking and the training opportunities I get through our local chapter. The Idaho chapter is very good about getting information to those members who cannot make their meetings, which helps.

I also appreciate the opportunities I have had to travel to other chapters, especially for teaching, and the knowledgeable people I’ve been able to meet as a result. That network becomes a pool of resources that will be invaluable if you use it!

HTCIA: Tell us more about Mobile Phone Examiner Plus and how it fits in the mobile examiner’s toolbox.

LR: I have always taught [AccessData’s Forensic ToolKit] FTK in my classes, teaching students how to take the data they get from BitPim or Cellebrite UFED or Susteen SecureView and forensically analyze it.

MPE+ makes all that easier. It’s not “married” to FTK, but it allows FTK to do things with file systems that it can’t with data acquired by other tools. Because MPE+ is such an easy fit with FTK, it allows for easier evidence parsing.

That’s important because it furthers our goal of changing examiners’ view of “push button” forensics. Some “push button” is necessary to make the job easier, of course. But we want to make people look beyond automation to find artifacts on different file systems – we want to take mobile forensics to the level of computer forensics, where you’re not just dumping data but also analyzing it to nail down that “smoking gun” data.

Right now MFI is offering one-day training on MPE+, just like we do on GPS forensics, BitPim, Oxygen and other tools. But we do plan to include it in a portion of our training alongside Cellebrite UFED, Paraben Device Seizure and Susteen SecureView.


Cloud forensics, social network investigations, and lots of labs

May 27, 2010

While we work on getting our speaker list finalized, we’re pleased to be able to announce a preliminary framework for our conference proceedings!

5 Lecture Tracks

  • Networking Forensics
  • Cloud Forensics
  • Legal Issues
  • Cell Phone/Mobile Device Forensics
  • Social Networking Investigations and Related Topics

7 Hands-On Computer Labs

Hands-on computer labs will be provided for three full days by our sponsors:

  • AccessData (Platinum)
  • Mobile Forensics (Bronze)
  • BlackBag (Bronze)

Be sure to bring your laptop — there will be one additional “Bring Your Own Laptop” room which various speakers will use for their labs. We’ll announce those topics very soon!

Our three remaining hands-on computer labs and their sponsors will be announced soon as well — along with details on specific topics and speakers who are driving the lecture tracks. We will be posting the full agenda on the conference site as well as this blog. Please be sure to subscribe to get the information first!