11/02/09 - Solitude Ski Resort Opens Nov 6th
10/02/09 - Park City gets the first snow of the season! 
9/29/09 - Blackbag Forensic Lab added to the schedule. 
9/24/09 - Casino Night details are available 
9/17/09 - Conference Hotel is almost full. Reserve your room now. 
6/30/09 - P2 Commander Bootcamp: FREE 4 Hour Class 
4/21/09 - Keynote Speaker: Eoghan Casey 
12/16/08 - PFIC 2009 Dates and Venue Announced as November 8-11, 2009 at the Park City Marriott 
12/16/08 - Registration is Only $199.00
PFIC 2009 Abstracts
Sunday Nov 8, 2009
Mac Forensics for First Responders
This 2-hour lab is aimed at forensic professionals with no prior experience working in a Mac environment. During this brief session designed specifically for the first responder, participants will gain a limited understanding of a handful of Mac forensic tools and processes. The class includes scenario and lecture instruction to help students better understand, as context for potential evidence retrieval, how suspects use and store Mac files on their Macs. Additionally, participants will learn how to conduct forensically sound previews of Mac systems to decide whether there is a need for further analysis or not.
Presenter: Ryan Chapin, Blackbag Technologies
Paraben P2 Commander Bootcamp
Chances are, you've used at least one of our specialized hard drive forensic tools. P2 Commander is the culmination of years of tried and true hard drive forensic software combined into one comprehensive forensic analysis program. With powerful features such as a Firebird back end database and true multi-thread processing, P2 Commander can quickly process through vast amounts of data without requiring a major equipment overhaul or a major budget increase. P2 Commander combines the specialized disciplines Paraben is famous for such as e-mail and chat analysis into one automated forensic tool.
This session will introduce you to the powerful functionality, interface, and reporting features of P2 Commander. You'll learn how the architecture of the program lends itself to faster processing, large scale data management, focused processing engines, and much more. You'll also be introduced to supporting products such as Forensic Replicator and P2 eXplorer.
Presenter: Sam Norris, Paraben Corporation
Monday Nov 9, 2009
Innovation Track
What Goes Bump in the Night: The e-Discovery Cases You Never Saw Coming
Web 2.0 and new technology have changed the way lawyers practice law, and the changes are surprising. e-Discovery cases are no longer limited to parties battling over the form of production of TIFF or Native File. Some of the recent cases include personal jurisdiction over blogging, marriage fraud cases involving Match.com and cell phone accident photos. Attorneys are challenged with pleading requirements for online torts and applying traditional causes of action to activity they never considered before. This seminar will examine the new strategies for e-discovery requests, various issues to discuss with your clients and how to surpass the unexpected.
Presenter: Joshua Gilliland, D4
Hiding in Plain Site
Plausible deniability. Some other guy did it. The malcode did it. Wasn't me. A whole new dimension of communications is often overlooked when analyzing a hard drive. Different online storage websites, web forums, and blogs will be presented with the focus of finding traces of them on hard drives.
Presenter: Ryan Washington, Crucial Security
The Best Practices for the Destruction of Digital Data
This session is a high level summary of a best practice Guide that I published in conjunction with Dr. Gordon Hughes of the UCSD Center for Magnetic Recording Research. The purpose of the paper is to provide security practitioners and compliance directors with the guidance needed to define best practice for absolute destruction of digital data stored on hard drives.
This paper was based on a review of all available guidance from government, academic, and vendor sources. All papers reviewed were validated for accuracy and quality, with all valid and current guidance being incorporated in the paper. The paper presents technical considerations of hard drive operation, a review of various accepted practices, and guidance for defining appropriate sanitization practice by data classification.
The guide has been reviewed by a number of respected industry security and storage specialists for validity and accuracy, is currently in use by various departments of 6 national governments for policy guidance, and is currently being translated for use as policy guidance for the province of Quebec.
Presenter: Ryk Edelstein, Coverge Net Inc.
Modern Tactics to Catch Financial Fraud
Financial fraud is on the rise and investigators need to stay a few steps ahead of the criminal minds. Ms. Bocra's presentation will provide an understanding of our financial markets and will demonstrate current techniques used in financial investigations.
Presenter: Nicole Bocra, Infinity Investigative Solutions
Use of P2 Commander in E-Discovery
Over time many experienced computer examiners go from doing straight computer forensics to being pulled into more eDiscovery scenarios. While computer forensics has some similar aspects to eDiscovery, there are several distinct differences. However, many of the tools that they use may not be easily utilized in that endeavor. This presentation will cover several aspects of P2 Commander that make it useful for conducting electronic discovery, especially with regard to discovery of Microsoft email archives.
Presenter: Joseph J. Schwerha IV, Trace Evidence
Technology: The Ultimate Digital Acquisition Tool to Aid in the Fight Against Computer Crime
Today Digital Evidence Labs and Computer Investigators in the field face new challenges and have a very strong need to keep up with the overwhelming amount of computer crime. The requirements are broad and can range from quickly and securely previewing or acquiring digital evidence to the proper preservation, storage, and transportation of this digital evidence. More than ever, Law Enforcement and Government Agencies are turning to technology to solve these problems and are recognizing the crucial key it plays in overcoming the challenges they face every day. However, in times that require getting the most "bang for the buck" from shrinking budgets, how can Digital Labs and Computer Crime Investigators be assured that they are choosing the tools that can provide the best functionality as well as those which will help them maximize time and resources?
In this session, you will learn the latest technologies in Forensic Imaging available today. Learn the easiest ways to store and manage your digital evidence images, and how to effectively protect your sensitive data during handling or transportation. Additionally, you will learn how to overcome the day to day in-house and in-the-field challenges of the data acquisition process and how to automate and facilitate your forensic imaging projects.
Presenter: Neil Broom, Intelligent Computer Solutions
Forensic Track
Into the Frying Pan, the Acquisition of Volatile RAM, System Processes and Hard Drive Imaging Using Firewire
Password protected? No problem if the machine has firewire or an accessible PCMCIA/PCExpress Slot. Cytech Services has developed the ability to bypass password protected machines, whether they are Linux, Windows or Mac OS X, in order to forensically image the live volatile memory, capture the current processes and image the system hard drive. This presentation will demonstrate and outline the techniques utilized to perform these acquisitions.
Presenter: Ben Cotton, CyTech Services
Mac OS X SQLite Files, Exposed!
This 1-hour session is aimed at forensic professionals with no prior experience working in a Mac environment. During this brief session, participants will gain a limited understanding of how to import files into SQLite Database Browser to discover the wealth of knowledge inside. The class includes lecture instruction to help students better understand what a suspect's data looks like inside a SQLite database file.
Presenter: Ryan Chapin, Blackbag Technologies
Case Study P2 Enterprise in Active eDiscovery & Forensics
This case study will review the process and methods used in an eDiscovery deployment in a mid-size commercial network spanning several states. The presentation will focus on 250 workstations and the use of Paraben's P2 Enterprise. Discussion will center on statistics of the costing of the deployment, speed of the data gathering and overall issues and conclusions.
Presenter: Greg Kipper, General Dynamics-AIS
A Beginner's Guide to Mobile Forensics & Investigations
This presentation is geared to the investigator new to Mobile Device Investigations and Forensics. This presentation touches on the proper handling and seizing methods for first responders and how evidence from mobile devices can provide crucial information on a case. Faraday and other "shielding" techniques from the point of seizure through the exam will be explored. Attendees will learn the differences in the common networks, as well as what ICCID, IMSI, ESN, MEID and IMEI numbers are and why they can be important. Also included is a brief rundown of the "pros and cons" with smart phones (Blackberry & iPhone). This presentation will also include a brief summary of the main differences in a Logical versus Physical acquisition of the device's memory, and what data can typically be acquired via both methods.
Presenter: Jeff Shackelford, SEMO Cyber Crimes Task Force
Intelligence and Evidence Collection Using Battlefield Digital Triage Forensic Processes
The use of first responders is becoming critical in our information overloaded world. First Responders have the technical capability and assets available to be able to gather precursor or evidential data from digital media devices. Most people recognize this as a needed change to the current models for the recovery of Digital Evidence but few have taken the steps necessary to accomplish the task of Digital Triage Forensics. I will discuss the need, training and use of this new procedural model.
Presenter: Stephen Pearson, HTCI
Mobile Forensics: Testing tools and making right choices and covering your butt
Testing is one of the primary areas of support for an examiner when it comes to the validity of their tools used in the examination process. Learn the basics of a test plan and how to go through and create the best approach for your organization to process mobile devices in your lab.
Presenter: Amber Schroader, Paraben Corporation
Lab Track
How the Acceptance of Anonymous Surfing and Tor in Communications has Changed the Evidence Landscape (LAB)
This presentation will explore how the acceptance of anonymous surfing and Tor in communications has changed the way investigators look for browsing and IP address evidence. It will begin by explaining how these technologies are currently used and then move on to a demonstration of several programs with the intention of fostering discussion on the use of these programs as they become more mainstream. It will then demonstrate some of the programs. This presentation will be followed by a lab that will show how to find evidence of remnants and discuss the best way to find evidence when these types of programs are used.
Presenter: Diane Barrett, UAT
Vista Registry Analysis (LAB)
The presentation will highlight the main differences between the Windows XP and Windows Vista registry, including a brief hands-on exercise. Topics will highlight data related to dates & times, USB storage devices and Internet Explorer artifacts.
Presenter: Charles Giglia, Digital Intelligence
iPhone Forensics (LAB)
This lab will cover the logical backup of the iPhone using Paraben's Device Seizure. Attendees will be able to walk through artifact retrieval and reporting.
A limited survey was conducted of iPhone users; 64% of those polled had jailbroken their iPhone. A walkthrough of such a phone will be conducted using Device Seizure.
Presenter: Sean Morrissey, Computer Forensic Analysis US Department of State
Firefox Browser Forensics (LAB)
Estimates indicate that the Firefox browser is employed by over 20% of Internet users, but little forensic documentation exists. Long thought to be more secure and sensitive to users' privacy, security professionals are often shocked to learn that more forensic artifacts can be gleaned from Firefox than Microsoft Internet Explorer. This lab will delve into those artifacts and introduce several free tools that greatly simplify Firefox forensics.
Presenter: Chad Tilbury, SANS
Using Virtual Machines in Forensic Investigations (LAB)
Virtual machines have been used in forensics for some time, but they are also underutilized. With the improved functionality of virtual machine software, the use of virtual machines should be commonplace in computer forensics. Jay Varda will lead you through the process of creating a virtual machine and booting the operating system, from an imaged hard drive. The lab utilizes the open source program "liveview" as well as disk mount utilities from VMware.
Presenter: Jay Varda, US Customs and Immigration Enforcement
HTCI Lab-Digital Triage Forensic Tools
In the Triage process new tools need to be developed and used to allow the first responder to collect and perform initial analysis of the evidence container. These tools will also include isolation devices that can be used in the triage process. I will discuss the possibilities and challenges of hardware and software tools being employed to gather evidence.
Presenter: Stephen Pearson, HTCI
Paraben Lab Track
Cell Phone Devices (LAB)
Mobile devices are everywhere and knowing how to work with them can be crucial to an examination. This lab will go through acquisition using both Device Seizure and Paraben's new Deployable Device Seizure software. You will then go through the analytics of where the key pieces of evidence reside in the phone.
Presenter: Paraben Corporation
Incident Response (LAB)
Network response and forensics has grown in recent years to be one of the largest emerging areas in the investigative process. This lab will go through the deployment and use of Paraben's P2 Enterprise forensic tools, gather data on the network and show basic analytics of what to look for in an incident.
Presenter: Paraben Corporation
Chat Archives (LAB)
"brb gtr to class. lmao @ franks last fb post. ssdf." If you don't know the latest lingo and can't keep up in the IM then you might be missing valuable information in your examination. Being able to investigate chat archives in a "dead box" forensic environment as well as knowing how to gather live chat data can be the keys to make or break a case. This lab will go through both offline and live techniques for collection and analysis.
Presenter: Paraben Corporation
E-mail Archives (LAB)
E-mail is the life blood of communication in modern times and it has become the largest obsession for most consumers. Knowing the types of archives to look for as well as how to parse the archives for valuable information is a critical skill for any forensic examiner. Both local and network archives will be reviewed and parsed for examination in this course.
Presenter: Paraben Corporation
Hybrid & PDA Devices (LAB)
The new portable laptop is not a laptop at all, but a handheld device that can do it all. E-mail, call, text, and even show live TV are all components of the new hybrid devices. Knowing the seizure, acquisition, and analysis options is a primary skill for all forensic examiners. Learn why they call the BlackBerry device a "CrackBerry" and how to find the primary areas for analysis.
Presenter: Paraben Corporation
Live E-mail Forensics (LAB)
E-mail is the primary area of interest in any discovery collection as well as a forensic examination, and it can be the most troublesome part of the examination when the mail server cannot be taken offline. Learn the latest techniques using Paraben's P2 Enterprise technology to gather live mail files from both a server as well as local PST files.
Presenter: Paraben Corporation
Tuesday Nov 10, 2009
Innovation Track
Child Sexual Exploitation Law Update
The session will review new court decisions and new statutes on child pornography crimes from across the nation. The class topics depend on developments in the law during the next several months. However, I would anticipate covering issues such as search and seizure, discovery, the Adam Walsh Act and other areas of law.
Presenter: Richard Whidden, National Law Center for Children and Families
Optimizing IT and Security Operations for Success in Discovery
In discovery, cookie-cutter approaches do not exist. However, this session provides forensic, security and IT professionals with methods and techniques to employ quality assurance and control throughout a response for production. This session prepares your team with the necessary toolkit to better understand your organization, initiate a just-in-time discovery process, implement that process, and present your findings to key stakeholders. This session provides you the ability to employ a defensible discovery program while avoiding the common pitfalls associated with discovery. Useful checklists and templates will be provided as a take-away from this session.
Presenter: Karen Schuler, Intelligent Discovery Solutions
Dinosaur Forensics-In a Petabyte world do we need to worry about Megabytes?
This show and tell lecture will discuss:
- conducting forensics on legacy devices,
- where to look for and how to identify these items,
- what to expect,
- how to overcome challenges and
- some suggested methods for conducting modern forensics on ancient computer artifacts.
The 1 hour lecture will talk about best practices with regards to:
- hard drives that modern write blockers will not mount or recognize,
- what to do with those pesky floppies,
- sources to find legacy data storage devices and media and
- tips and tricks for securing evidence without damaging old equipment.
The class will also touch on the importance of maintaining defensible backup plans for evidence preservation and some tips to use when modern methods fail. A review of the defensible PACE method of forensics will also be conducted.
- Primary
- Alternate
- Contingency
- Emergency
Presenter: Thomas Williams, NK State SPCA Law Enforcement Division
Textual Relations-Text Messages and the Law
Textual Relations is everything you wanted to know about text messages, but were afraid to ask. 95.4 billion Text messages were sent in 2008. Text messages are one of the most abundant forms of electronically stored information on the planet, with smart phones being able to also send email, Twitter updates and Facebook postings from the palm of your hand. Politicians have ruined their careers and everyday people have lost jobs because of Text messages.
"Textual Relations" addresses requests for production, privacy issues, expert testimony and admissibility concerns of Text messages. The material covers both recent civil and criminal cases where text messages were key evidence.
Presenter: Joshua Gilliland, D4
Major Breach Perspectives
Jim will highlight "lessons learned" from recent intrusion investigations. He will describe the approaches used to identify the hacker's point of entry, the actions taken by the hackers in the network, and the exfiltration techniques used. He will also highlight the network security vulnerabilities exploited by the intruders and remediation actions to restore network security and prevent similar attacks. Finally, Jim will discuss cooperation with law enforcement, and recent arrests and indictments.
Presenter: Jim Jaeger, General Dynamics
Breakthrough Performance and Features with Tableau's New Imaging Software
Hard disk size and performance have reached the point where the traditional software imaging tools have become a bottleneck in the acquisition process. Tableau is using knowledge gained from building high-performance forensic bridges and duplicators to create the next generation of PC-based imaging software. TIM - for Tableau IMager - combines sophisticated multi-threaded design, high-performance algorithms, an in-depth knowledge of the I/O patterns favored by Tableau's write-blockers, and a world-class user interface to re-define the performance of PC-based forensic imaging. Robert Botchek, Tableau's President, will introduce TIM and demonstrate the real-world benefits of this next-generation tool.
Presenter: Robert Botchek, Tableau
Forensic Track
Data After Forensics: Analysis and Data Mining to Improve Law Enforcement
After completing forensic analysis of a suspect/defendant's computer system for a particular case, most forensic professionals move onto the next matter. There develops over time, however, a significant volume of data that could be analyzed for the purposes of understanding crimes and predictive knowledge that can be matched to operational support systems. Historically, this type of analysis and knowledge was the basis of "experience" and was the foundation of investigative judgments in response to crime. With the advent of powerful computers and the explosion of data mining techniques, electronic evidence can be analyzed to develop crime matching and predictive knowledge that support operational response systems. The results can dramatically improve law enforcement by profiling offender types, offender behavior pre and post crime and predicting post crime behavior in a manner that enhances the likelihood of arrest within your unique geographic, social/cultural community. This presentation will introduce attendees to some of the types of knowledge that can be obtained by analyzing data in a combination of data mining techniques and forensic sciences.
Presenter: Donald Wochna, Vestige Digital Investigations
P2 Commander in Battle Field Forensics
P2 Commander and other Paraben products have successfully been used in the past few years by the War Fighters in Iraq to bring insurgents to justice in the Counter-Improvised Explosive Device (IED) fight. Soldiers, Sailors, Airmen and Marines are being trained by HTCI staff at the U.S. Army's Weapons Intelligence Course (WIC) to conduct site exploitation of both post and pre-blast IED scenes and cache finds where computers and cell phones are being used by insurgents and discovered in day to day combat operations by coalition forces. HTCI has taught Battlefield Forensics Triage since 2006 and has demonstrated battle proven techniques. With the aid of Paraben's products, War Fighters have been able to obtain actionable intelligence, decisive to battle commanders and special warfare operators.
Presenter: Rich Watson, HTCI
Freakin' Fantastic Forensic Foo For Forensic Folks
This presentation will highlight neat tools, tips, and techniques to help investigators and analysts. This will help out new forensic analysts as well as seasoned veterans. Don't be afraid to offer up information during the presentation.
Presenter: Ryan Washington, Crucial Security
Mobile Device Synchronization: What to look for on the desktop
Mobile devices are not limited to having evidence just on the device itself. Many of the devices have become co-dependent on the desktop systems as the mother ship of their information. Learn where to look for data on the desktop and how to parse that data to provide it as evidence in your investigation.
Presenter: Amber Schroader, Paraben Corporation
GPS Forensics
The sales of portable navigation devices are at an all time high. In 2008, more than forty-one million portable GPS devices were sold worldwide. The United States accounted for fifty-two percent of those sales with an average cost of two hundred and fifty dollars per unit. The wide availability of these devices has meant a significant increase in the number of GPS devices associated with criminal acts. In response to this, the law enforcement community is faced with the challenge to examine GPS devices in a manner consistent with the best practices of handling digital evidence. This presentation will provide an overview of GPS forensics and discuss acquisition, examination and analysis techniques as well as available commercial and freeware tools. It will focus mainly on the major manufacturers (Garmin, TomTom, and Magellan) and how operators in the field, forensics examiners in the lab and intelligence analysts can leverage this type of data to support investigations.
Presenter: Ben Lemere, GPSForensics.org
iPhone Forensics Overview
Since the release of the Apple iPhone in 2007, cell phone forensics has been given a new challenge. The iPhone is, for all intents and purposes, a mobile computer. Gathering information from the phone has sparked serious debate. Two camps have evolved: those that support Jailbreaking, and those that see it as an illegal and often destructive act. This discussion will cover non-destructive means of recovery and analysis.
Presenter: Sean Morrissey, Computer Forensic Analysis US Department of State
Lab Track
iPhone Forensics (LAB)
This lab will cover the logical backup of the iPhone using Paraben's Device Seizure. Attendees will be able to walk through artifact retrieval and reporting.
A limited survey was conducted of iPhone users; 64% of those polled had jailbroken their iPhone. A walkthrough of such a phone will be conducted using Device Seizure.
Presenter: Sean Morrissey, Computer Forensic Analysis US Department of State
Live RAM & Collection Tools (LAB)
You have the tools to capture data and create digital forensic images… however are there other tools that you should be using?
This presentation will teach you how to collect evidence data from a variety of media sources using new and emerging tools from around the world. Some of the methods you will be familiar with, others will be new. You will learn how to find this data, how to extract this data, and how to create a detailed report. You will participate in this demonstration of tools and see what steps a Digital Examiner and Forensics Investigator needs to know when performing data collection tasks.
This presentation is for Intel Teams, First Responders, and Forensic Investigators.
Real life examples and actual cases will be discussed. Several tools will be utilized as we reexamine the steps that solved various cases. These include examples from around the world, including China, Japan, Singapore, Malaysia, New Zealand, Australia, Fiji, United Kingdom, Mexico and the United States.
Each attendee will receive a copy of those tools that are freely distributed and the examination steps and methods discussed.
Presenter: Jon Hansen, H11
Using Virtual Machines in Forensic Investigations (LAB)
Virtual machines have been used in forensics for some time, but they are also underutilized. With the improved functionality of virtual machine software, the use of virtual machines should be commonplace in computer forensics. Jay Varda will lead you through the process of creating a virtual machine and booting the operating system, from an imaged hard drive. The lab utilizes the open source program "liveview" as well as disk mount utilities from VMware.
Presenter: Jay Varda, US Customs and Immigration Enforcement
GUID Partition Table (LAB)
Presentation will detail the GUID partition table structure including a brief hands-on exercise. Topics will highlight how to create and identify a GPT, review of the GPT structure and note the registry artifacts related to the GPT.
Presenter: Charles Giglia, Digital Intelligence
Finding Evil in Memory, Solving the Crime, Putting the Bad Guys Away (LAB)
Can't find the bad guys on disk? Ever think to look in memory? This session will discuss how investigators can properly collect the contents of memory, process memory for analysis and ultimately find the bad guys in memory. There are many tools that allow users to collect memory but not every tool collects memory properly. MANDIANT Memoryze™ is a tool that collects memory properly and also allows users to process it. Processing memory involves enumerating processes, listing all network ports, outputting strings in memory, showing all kernel modules and identifying all drivers. Analyzing the amount of data produced through processing can be daunting, a challenge that can be easily solved using MANDIANT AuditViewer™. AuditViewer is a tool that allows you to find the evil residing in memory, points you to the smoking gun and allows you to put the bad guys away for a long time. During this presentation, Mr. Tietjen will demonstrate how to use Memoryze to find a key logger in memory and how to pinpoint the activity even if it has been hidden on disk.
Presenter: Kelcey Tietjen, Mandiant
How to pull logs and correlate events to produce quality digital evidence (LAB)
Follow a web-based attack through a system by correlating log entries and find out what to do when information is sparse or overwhelming. Analyze the fallout to gain insight into an attack and learn where you can turn when logs neglect to reveal what happened or timestamps have been modified.
IIS logs contain a wealth of information, but they may not be the best place to start an investigation. We'll cover a frequently overlooked Windows feature that can reveal valuable information on an attack and demonstrate how something as simple as a batch file can be used to expand an investigation.
Presenter: University of Advancing Technology
Paraben Lab Track
Live E-mail Forensics (LAB)
E-mail is the primary area of interest in any discovery collection as well as a forensic examination, and it can be the most troublesome part of the examination when the mail server cannot be taken offline. Learn the latest techniques using Paraben's P2 Enterprise technology to gather live mail files from both a server as well as local PST files.
Presenter: Paraben Corporation
Hybrid & PDA Devices (LAB)
The new portable laptop is not a laptop at all, but a handheld device that can do it all. E-mail, call, text, and even show live TV are all components of the new hybrid devices. Knowing the seizure, acquisition, and analysis options is a primary skill for all forensic examiners. Learn why they call the BlackBerry device a "CrackBerry" and how to find the primary areas for analysis.
Presenter: Paraben Corporation
Cell Phone Devices (LAB)
Mobile devices are everywhere and knowing how to work with them can be crucial to an examination. This lab will go through acquisition using both Device Seizure and Paraben's new Deployable Device Seizure software. You will then go through the analytics of where the key pieces of evidence reside in the phone.
Presenter: Paraben Corporation
E-mail Archives (LAB)
E-mail is the life blood of communication in modern times and it has become the largest obsession for most consumers. Knowing the types of archives to look for as well as how to parse the archives for valuable information is a critical skill for any forensic examiner. Both local and network archives will be reviewed and parsed for examination in this course.
Presenter: Paraben Corporation
Incident Response (LAB)
Network response and forensics has grown in recent years to be one of the largest emerging areas in the investigative process. This lab will go through the deployment and use of Paraben's P2 Enterprise forensic tools, gather data on the network and show basic analytics of what to look for in an incident.
Presenter: Paraben Corporation
Chat Archives (LAB)
"brb gtr to class. lmao @ franks last fb post. ssdf." If you don't know the latest lingo and can't keep up in the IM then you might be missing valuable information in your examination. Being able to investigate chat archives in a "dead box" forensic environment as well as knowing how to gather live chat data can be the keys to make or break a case. This lab will go through both offline and live techniques for collection and analysis.
Presenter: Paraben Corporation
Wednesday Nov 11, 2009
Innovation/Forensic Track
Digital Forensics in the Future
Technology and social change are invariably interlinked. As the future unfolds, technology will change and society will change in response to this new technology. What will this future bring for the crime fighter of tomorrow, the investigator, the security professional? In this presentation Greg Kipper will explore new trends and technologies on the horizon; what they will look like and how these new technologies will impact the way we live, the way our children grow up, and how we will fight crime in the future.
Presenter: Greg Kipper, General Dynamics
Mobile Forensics Panel Discussion
Panel Moderator: Amber Schroader, Paraben Corporation
Panel Members:
- Sean Morrissey
- Jay Varda, US Customs and Immigration Enforcement
- Bill Teel, Teel Technologies
- Jeff Shackelford, SEMO Cyber Crimes Task Force
Enterprise Forensics Panel Discussion
Panel Moderator: Amber Schroader, Paraben Corporation
Panel Members:
- Jim Jaeger, General Dynamics
- Karen Schuler, Intelligent Discovery Solutions
- Joshua Gilliland, D4
Lab Track
How the Acceptance of Anonymous Surfing and Tor in Communications has Changed the Evidence Landscape (LAB)
This presentation will explore how the acceptance of anonymous surfing and Tor in communications has changed the way investigators look for browsing and IP address evidence. It will begin by explaining how these technologies are currently used and then move on to a demonstration of several programs with the intention of fostering discussion on the use of these programs as they become more mainstream. It will then demonstrate some of the programs. This presentation will be followed by a lab that will show how to find evidence of remnants and discuss the best way to find evidence when these types of programs are used.
Presenter: Diane Barrett, UAT
Finding Evil in Memory, Solving the Crime, Putting the Bad Guys Away (LAB)
Can't find the bad guys on disk? Ever think to look in memory? This session will discuss how investigators can properly collect the contents of memory, process memory for analysis and ultimately find the bad guys in memory. There are many tools that allow users to collect memory but not every tool collects memory properly. MANDIANT Memoryze™ is a tool that collects memory properly and also allows users to process it. Processing memory involves enumerating processes, listing all network ports, outputting strings in memory, showing all kernel modules and identifying all drivers. Analyzing the amount of data produced through processing can be daunting, a challenge that can be easily solved using MANDIANT AuditViewer™. AuditViewer is a tool that allows you to find the evil residing in memory, points you to the smoking gun and allows you to put the bad guys away for a long time. During this presentation, Mr. Tietjen will demonstrate how to use Memoryze to find a key logger in memory and how to pinpoint the activity even if it has been hidden on disk.
Presenter: Kelcey Tietjen, Mandiant
ProDiscover Lab
The ProDiscover lab is designed to introduce intermediate computer forensic examiners to ProDiscover. Students will utilize ProDiscover to conduct computer forensic examination on live media. At the end of the course students will have a basic understanding of ProDiscover and its functions.
Presenter: Anthony Reyes, ARC Group NY