| Accelerating Incident Response With Network Forensics Techniques |
| Skill Level: |
Intermediate |
| Presenter: |
Edward Schwartz NetWitness |
| Abstract: |
State-sponsored hackers, organized crime and terrorists have deep offensive cyber threat capabilities requiring a higher level of situational awareness, forensics analysis, and incident management. This session describes the requirements for an enterprise network investigative infrastructure based upon the concept of pervasive network data capture, resessionization, and modeling of application-layer traffic characteristics. This session outlines the essential technology components, operational requirements, and critical success factors. It will cover specific threat scenarios, and how network forensics techniques integrate into the incident response and operations lifecycle permitting organizations to track down the causes of difficult problems and exploits and reduce the time to resolution. |
| Track / Date / Time: |
Lecture
Wednesday, April 30, 8:00am - 9:30am |
| |
|
| Advanced EnScript Programming Techniques |
| Skill Level: |
Advanced |
| Presenter: |
Howard Williamson Guidance Software |
| Abstract: |
In this lab we will cover making better use of LEFs from an EnScript perspective. We will also cover how to add entries, records and other items to the LEFs. |
| Track / Date / Time: |
General Lab III
Wednesday, April 30, 8:00am - 9:30am |
| |
|
| Advanced RAID Analysis |
| Skill Level: |
Advanced |
| Presenter: |
Howard Williamson Guidance Software |
| Abstract: |
This lesson will cover manually analyzing hardware RAID members to determine the characteristics of the array without the RAID controller settings. Students will be shown how to do this manually, and then an EnScript program that facilitates this analysis will be demonstrated. |
| Track / Date / Time: |
Forensics Lab
Tuesday, April 29, 2:00pm - 3:30pm |
| |
|
| Advanced Remote Forensics: Full Speed Imaging and Analysis of Remote Systems without a Corporate LAN |
| Skill Level: |
Advanced |
| Presenter: |
Andrew Sheldon Evidence Talks |
| Abstract: |
There are many scenarios where target systems and media are not connected to a corporate LAN but access to intelligence or imaging and analysis of the data is required urgently: border crossings, scenes of crime, combat zones, etc. Even in corporates, target systems may have been removed from the network if infected with malicious code.
This practical session discusses remote forensics methods and demonstrates how integrated case management, authorisation and dynamic network creation systems can enable full speed forensic imaging and analysis to be performed on any media from anywhere. Even via a mobile phone! |
| Track / Date / Time: |
Fundamentals Lab
Wednesday, April 30, 9:45am - 11:00am |
| |
|
| Advanced Tips and Tricks of Forensics |
| Skill Level: |
Advanced |
| Presenter: |
Chris Pavan 42-Consulting, Nick Ringold 42-Consulting |
| Abstract: |
This lab will be focused on a variety of often overlooked artifacts which can be very useful in determining what has occurred on a computer. The artifacts covered will include: registry keys including User Assist and Streams / StreamMRU, Prefetch files, and the System Restore Folder. Different computer and EnCase settings will be covered as well to help aid stability and usability. |
| Track / Date / Time: |
Forensics Lab
Monday, April 28, 10:30am - 11:30am
Forensics Lab
Tuesday, April 29, 11:45am - 12:45pm |
| |
|
| The Analysis-powered Internal Investigation: How Analytics Can Find the Smoking Gun |
| Skill Level: |
Basic |
| Presenter: |
Jason Reeve Solutions Consultant Manager, Clearwell |
| Abstract: |
Security and forensics teams are under tremendous pressures. The number of investigations continues to grow and deadlines are increasingly aggressive. Advances in information analytics are helping investigators accurately solve more investigations in less time—in a forensically sound way. Attend this hands-on lab to learn how these new technologies can improve your investigative process. |
| Track / Date / Time: |
General Lab III
Sunday, April 27, 3:00pm - 4:30pm
Monday, April 28, 7:30am - 8:50am |
| |
|
| Anti (Computer) Forensics: Is There Such a Thing? |
| Skill Level: |
Advanced |
| Presenter: |
Scott Mann Dimension Data Australia |
| Abstract: |
If Locard was right when he proposed his “interchange theory” (“every contact leaves a trace”), then is there really such a thing as “Anti” Forensics? Investigating a crime where the perpetrator has attempted to conceal the crime, or to obscure, hide, manipulate or destroy evidence, is not new. The topic of 'Anti Forensics', particularly as it relates to computer crime investigation, has been receiving a lot of attention among academics, subject matter experts and through the media, but is sound investigative logic being applied when seeking to account for the current 'demonstrated' exploits? Much of the current information available on the topic would have us believe that performing the perfect computer crime is as simple as running a few scripts, but is this the truth, and is Locard’s theory now irrelevant? This session will use scenarios to help computer crime investigators better understand what some of the latest so-called anti-forensics tools and methods actually do, what, if any, trace evidence is available and what this means to an investigation. |
| Track / Date / Time: |
Most Popular Lab Track
Tuesday, April 29, 11:45am - 12:45pm
General Lab III
Tuesday, April 29, 2:00pm - 3:30pm |
| |
|
| Authenticated Whitelisting and Software Reputation: Information Assurance and Desktop Lockdown |
| Skill Level: |
|
| Presenter: |
Doug Cahill Bit9 |
| Abstract: |
The huge amount of unknown, and thus unmanaged, software resident on the typical endpoint represents multiple problems and poses challenges for digital forensics investigations. Since unknown software is, by definition, unapproved and unmanaged, it is also not patched to address security vulnerabilities, is often not known to anti-malware software, and alters standard configurations. In addition to the security, compliance, and cost of ownership issues, this mass of unidentified files greatly slows the digital investigations process when time is truly of the essence.
Whitelisting, only allowing the “good” to prevent the “bad”, is an approach that has been successfully employed to address the flood of spam email as well as in firewalls to control network access. This session evaluates how whitelisting can now be leveraged to identify and authenticate software to establish its reputation. Moving the unknown to either the black or white list accelerates a forensics investigation and can allow organizations to implement pragmatic desktop lockdown to effectively allow only approved and authorized software to be installed and executed. |
| Track / Date / Time: |
General Lab I
Tuesday, April 29, 11:45am - 12:45pm |
| |
|
| Automating Event Log Forensics |
| Skill Level: |
Advanced |
| Presenter: |
Dr. Rich Murphey White Oaks Labs |
| Abstract: |
Techniques for recovering and correlating Windows XP and Vista event logs may provide significant value to forensic analysis where they indicate chronological traces of user activity. This hands-on lab explores case studies using new tools and techniques to automate various steps required for event reconstruction. We will explore the impact of Windows Vista's new features and event log encoding in order to show how these changes may enhance opportunities for forensic analysis. |
| Track / Date / Time: |
General Lab I
Tuesday, April 29, 10:30am - 11:30am |
| |
|
| Basic Investigator Skills: How to Not Spend Your Life Sorting Through Search Hits |
| Skill Level: |
Basic |
| Presenter: |
Matt McFadden Clovis Police Department |
| Abstract: |
Searching through information is a fundamental aspect of any investigation. Knowing how and where to look are critical aspects of finding that proverbial needle in the data haystack. It's one thing to search, while it's another to search smartly. Learn how to use GREP to narrow down your keywords list and create powerful search terms that reduce the number of false positives and ensure discovery of critical keywords buried in the data. |
| Track / Date / Time: |
Fundamentals Lab
Sunday, April 27, 3:00pm - 4:30pm |
| |
|
| Basic RAID Acquisition and Analysis |
| Skill Level: |
Basic |
| Presenter: |
Simon Key Guidance Software |
| Abstract: |
RAIDs (redundant arrays of independent disks): what are they, and what do they mean to the forensic investigator? The topic of acquiring and analyzing RAIDs generally invokes much discussion. This session gives you an understanding of the different types of RAIDs and how to acquire and analyze them. Attendees gain the knowledge necessary to understand what to do when faced with a case containing RAID devices. |
| Track / Date / Time: |
Fundamentals Lab
Monday, April 28, 7:30am - 8:50am |
| |
|
| Best Practices Using the Clearwell eDiscovery Platform® |
| Skill Level: |
Intermediate / Advanced |
| Presenter: |
Jason Reeve Solutions Consultant Manager, Clearwell |
| Abstract: |
The Clearwell E-Discovery Platform® is used by Fortune 1000 companies for legal e-discovery, to solve corporate investigations, and respond to regulatory inquiries. This in-depth lab session details key characteristics of several different case types and demonstrates best practices for case setup, ongoing case management, evidence review, and evidence delivery to internal business sponsors and external regulators. |
| Track / Date / Time: |
General Lab III
Monday, April 28, 10:30am - 11:30am
Monday, April 28, 4:00pm - 5:30pm |
| |
|
| Building a Successful Corporate Team and Partnership with IT & Legal |
| Skill Level: |
All Skill Levels |
| Presenter: |
Jack Halprin Guidance Software |
| Abstract: |
eDiscovery is a complex problem that all organizations face whether or not they are involved in litigation. This session will give a brief overview of the eDiscovery process and discuss the challenges organizations have in implementing a successful eDiscovery plan. Participants will learn how and why Legal and IT, among other stakeholders in the organization, must work together to be successful. |
| Track / Date / Time: |
eDiscovery Track
Monday, April 28, 10:30am - 11:30am |
| |
|
| Building an In-house eDiscovery Process: How to Approach the Challenges of eDiscovery |
| Skill Level: |
Intermediate |
| Presenter: |
Scott Steiner Cox Communications |
| Abstract: |
|
| Track / Date / Time: |
eDiscovery Track
Tuesday, April 29, 8:45am - 10:00am |
| |
|
| Case Studies of Botnet Infection, Propagation and Control |
| Skill Level: |
Intermediate |
| Presenter: |
MJ Staggs FireEye |
| Abstract: |
Three case studies of actual infection, propagation and control will be examined. Live network capture files will be used as the basis of our examination. Malware exploits and botnet command and control will be examined in detail at the packet and executable level. Tips and techniques for suppression and control will be examined and discussed, along with limitations and the often unwanted side effects that each technique produces. |
| Track / Date / Time: |
Lecture
Tuesday, April 29, 7:00am - 8:30am |
| |
|
| Case Study Firefox® Artifacts and Unallocated Space |
| Skill Level: |
Basic |
| Presenter: |
Brent Duckworth USAID, Salvatore Montemarano USAID |
| Abstract: |
During this case study, we will discuss the configuration options of the popular Mozilla Firefox Web browser software and how they affect the location of evidence on the subject system. Settings exist within Firefox that determine if and how Internet artifacts are stored within a given user's profile. As a result, these configuration settings impact the most likely evidence location and must be documented and tested to ensure appropriate understanding of what the evidence is telling the examiner. In situations where the browsing activity is configured to be "cleared" upon closing the browser, artifacts are then lost to unallocated space. This presentation will review one of our recent cases and will show how testing and understanding Firefox settings played a key role. |
| Track / Date / Time: |
Fundamentals Lab
Tuesday, April 29, 7:00am - 8:30am |
| |
|
| Cell Phone Forensics |
| Skill Level: |
Intermediate |
| Presenter: |
Brad Montgomery WI DOJ/DCI |
| Abstract: |
|
| Track / Date / Time: |
General Lab III
Tuesday, April 29, 10:30am - 11:30am |
| |
|
| Condition Series, Part I: Understanding Conditions and How They Lead You to Success |
| Skill Level: |
Basic |
| Presenter: |
Brent Botta Guidance Software, Daniel Smyth Guidance Software |
| Abstract: |
Explore the first and most important phase of the eDiscovery collection: setting up the Simple Inclusive and Exclusive File Type Collections to coincide with current legal standards even when the keywords and specifics aren’t known. We will also learn how to test Simple Inclusive and Exclusive File Type Collections locally in EnCase. |
| Track / Date / Time: |
eDiscovery Track
Monday, April 28, 2:00pm - 3:30pm
Most Popular Lab Track
Tuesday, April 29, 8:45am - 10:00am |
| |
|
| Condition Series, Part II: Advance Condition Utilization |
| Skill Level: |
Intermediate |
| Presenter: |
Brent Botta Guidance Software, Daniel Smyth Guidance Software |
| Abstract: |
Part two in a series, this workshop covers more specific conditions including some major “gotchas” with a review of the most common condition sets and the reasoning behind them. |
| Track / Date / Time: |
eDiscovery Track
Monday, April 28, 4:00pm - 5:30pm |
| |
|
| Conducting Enterprise Investigations |
| Skill Level: |
Basic |
| Presenter: |
Scott Steiner Cox Communications |
| Abstract: |
Too often, investigations rely solely on computer forensics, which is a reactive measure. Many cases involve real-time monitoring, Internet data sources, and correlation of data. Learn how to conduct a successful investigation when forensics alone will not provide all the answers. |
| Track / Date / Time: |
Enterprise Lab
Tuesday, April 29, 11:45am - 12:45pm |
| |
|
| Corporate Investigations in the 21st Century |
| Skill Level: |
Basic |
| Presenter: |
James Doyle Guidance Software |
| Abstract: |
This session will discuss the convergence of physical and cyber techniques for incident response, corporate crime scene investigations, eDiscovery and loss prevention. After attending this presentation you will 1) understand the importance of sharing information across different sectors and the impact each sector has on the resilience of the other sectors; 2) learn how information security, physical security and crisis management are converging as a result of blended threats; 3) gain practical insights on how to improve enterprise preparedness against risks, threats and incidents involving multiple disciplines, and 4) acquire knowledge that can be applied to your everyday business practices to reduce risk and better protect your organization. |
| Track / Date / Time: |
Lecture
Sunday, April 27, 4:45pm - 6:00pm |
| |
|
| Covert Remote Examinations |
| Skill Level: |
Intermediate |
| Presenter: |
Walker Johnson Guidance Software |
| Abstract: |
Have issues with your Information Technology department, or is something too sensitive to risk getting out? Don't want to involve network operations or firewall administrators? Using the new features in EnCase Enterprise 6, the Professional Services Division can assist you without a presence onsite and can develop strategies for a covert investigation with a minimal network and system footprint. |
| Track / Date / Time: |
Enterprise Lab
Monday, April 28, 2:00pm - 3:30pm |
| |
|
| Creating Total Visibility by Linking Network and Host Forensics |
| Skill Level: |
Intermediate |
| Presenter: |
Edward Schwartz NetWitness |
| Abstract: |
Both host- and network-based forensics individually provide powerful features and functions within their own domains for threat management. But when paired together, the two technologies provide amazing end-to-end visibility into the actions and behaviors of users and both authorized and rogue processes on the network. This session provides specific case studies demonstrating the benefits of complete integration between host- and network-based forensics, and how the technologies are used together within enterprises to achieve total network knowledge and threat management. The session demonstrates situations including malware activity detection, insider threat management, data leakage prevention and I/T asset misuse. |
| Track / Date / Time: |
Lecture
Tuesday, April 29, 8:45am - 10:00am |
| |
|
| CyberChild Exploitation - Part I: Investigations in the Workplace IT Focus (Lecture) |
| Skill Level: |
Intermediate - Lecture |
| Presenter: |
Robert Monsour |
| Abstract: |
With the growth of the Internet, crimes such as child pornography, online enticement of minors, and child sex tourism have exploded. Many corporate forensic examiners will work one or more such cases during their careers, often with little or no related training. This session will help fill that gap, teaching I.T. investigators employed by corporations and government agencies how to work effectively with law enforcement on child exploitation cases. Attendees will learn how to identify computer-based child exploitation through digital forensics, present findings to law enforcement, and support personnel action. Proactive detection and EnCase Enterprise techniques will be discussed. |
| Track / Date / Time: |
General Lab I (Lecture)
Monday, April 28, 10:30am - 11:30am |
| |
|
| CyberChild Exploitation - Part II: Computer Forensics and Child Rescue, Law Enforcement Focus |
| Skill Level: |
Basic |
| Presenter: |
Matt McFadden Clovis Police Department |
| Abstract: |
This course will focus on computer forensic techniques used to investigate crimes against children. The computer forensic investigative techniques will cover child victim identification and rescue, child victim sexual exploitation image analysis, overview of offenders and image purpose and distribution, case studies of child erotica and child victim exploitation images, prosecution routes, image obscurement, and computer forensic analysis techniques. The bulk of this lab will focus on the computer forensic analysis techniques for cyber child exploitation cases using EnCase. Other items will include hash analysis of known child victims and comparison to the National Child Victim Identification Project, use of LTU Technologies Image Seeker for EnCase, C4P Image Review, and the concepts of fuzzy hashing. This is directed towards a law enforcement audience. |
| Track / Date / Time: |
General Lab I
Monday, April 28, 11:45am - 12:45pm |
| |
|
| Defeating Advanced Hiding Techniques |
| Skill Level: |
Intermediate |
| Presenter: |
Dave Shaver US ARMY |
| Abstract: |
This session will demonstrate a proven methodology for locating malicious software on a computer, despite a hacker's best efforts to hide it. |
| Track / Date / Time: |
General Lab II
Tuesday, April 29, 7:00am - 8:30am
Most Popular Lab Track
Tuesday, April 29, 10:30am - 11:30am |
| |
|
| Detecting Malicious Code: The Next Generation of Physical Memory (RAM) Analysis |
| Skill Level: |
Intermediate |
| Presenter: |
Rich Cummings HBGary, Jim Butterworth Guidance Software |
| Abstract: |
This session is ideal for computer intrusion responders, information assurance professionals, and traditional computer investigators and will provide an overview of physical memory (RAM) acquisition, analysis, and the diagnostic capabilities available to the computer investigator. This presentation will demonstrate why memory acquisition and analysis is important, how it works and the wealth of information that is now available to investigators. This talk will provide a historical perspective on physical memory analysis as part of computer investigations, how it's being done today, and some thoughts on the future of RAM analysis and diagnosis. |
| Track / Date / Time: |
Enterprise Lab
Sunday, April 27, 3:00pm - 4:30pm
Sunday, April 27, 4:45pm - 6:00pm
Tuesday, April 29, 2:00pm - 3:30pm
Tuesday, April 29, 4:00pm - 5:30pm |
| |
|
| Developing an Effective Collection Strategy and Ensuring Your ESI is Admissible in Court |
| Skill Level: |
All Skill Levels |
| Presenter: |
Scott A. Carlson Seyfarth Shaw LLP, Patrick E. Zeller Guidance Software |
| Abstract: |
An appropriate collection strategy can only be developed when one considers the ultimate purpose for the collection. In some instances, a complete forensic image must be performed with meticulous attention paid to chain of custody. In other cases, an image may not be required, and a targeted search and collection of relevant data may be all that is needed. This session will explain the practical and legal issues surrounding proper data collection in a variety of contexts such as criminal investigations, governmental inquiries, civil litigation, and internal investigations. Additionally, methods of getting the collected ESI admitted into evidence for purposes of trial in federal court will be examined, including authentication and chain of custody issues and appropriate witness testimony. |
| Track / Date / Time: |
eDiscovery Track
Sunday, April 27, 4:45pm - 6:00pm |
| |
|
| Digital Forensic Triage |
| Skill Level: |
Basic |
| Presenter: |
Jennifer Hicks ADF Solutions |
| Abstract: |
With the number of digital seizures on the rise, it is vital that first responders and investigators be able to quickly and accurately triage suspect material. This presentation demonstrates how digital forensic investigations are conducted today and looks at alternative ways to improve the process. The workshop will also focus on the promising potential of triage during digital forensic investigations. |
| Track / Date / Time: |
Fundamentals Lab
Monday, April 28, 10:30am - 11:30am |
| |
|
| e-Admissibility: The Intersection of Technology and Pretrial Civil Litigation |
| Skill Level: |
Basic |
| Presenter: |
Joshua Gilliland, Esq CT Summation |
| Abstract: |
Today’s proliferation of electronic discovery creates many challenges in preparing a case for trial, particularly in the areas of document review and production. The Jack Abramoff case alone produced 467,747 emails from one individual. Of those half million documents, counsel offered only 260 at trial. In this ocean of discoverable data, how does one isolate key information?
“e-Admissibility” will explore:
· Recent case law on e-Discovery and current trends in addressing the admissibility of electronically stored information;
· Text messages, which have evolved into a new language of abbreviations that can contain exceptions to the hearsay rule;
· Video exhibits, which may carry a prejudicial effect that outweighs their probative value;
· Blogs, which might contain party admissions that contradict deposition testimony.
Everyone on a litigation team has new risks to consider in preparing their case. “e-Admissibility” addresses these developing legal issues and more. |
| Track / Date / Time: |
Lecture
Tuesday, April 29, 10:30am - 11:30am |
| |
|
| eCrime and Steganography |
| Skill Level: |
Basic |
| Presenter: |
Chet Hosmer WetStone |
| Abstract: |
Because computers are increasingly becoming the tools and the targets for crime, it is imperative to have multiple lines of protection. Network IDS, host-based IDS, antivirus scanners and firewalls are not enough. More sites are adopting the ecommerce model, and with purchasing and banking being done electronically, it is critical to protect the hosts and servers involved. Trojans, keyloggers, and other malicious software have been prominent in the news and are no longer attacking just home-based systems, but are setting their sights on systems hosting important Web sites. Online banking, 401(k), and loan application sites are all ideal targets for malicious software. Beyond the outsider threat, corporations need to be concerned with the malicious software being used internally as well as externally. Steganography is one of many tools used internally that takes advantage of human and software weaknesses to see embedded data. Learn to protect your hosts against malicious software and insider infiltration and see what embedded data is floating through your networks. |
| Track / Date / Time: |
Lecture
Tuesday, April 29, 2:00pm - 3:30pm |
| |
|
| eDiscovery Workshop: Collection and Processing Strategies for Email using EnCase® eDiscovery |
| Skill Level: |
Intermediate |
| Presenter: |
Geoff Black Guidance Software |
| Abstract: |
This workshop will review the current standards of processing the most common mail file types (PSTs, NSFs, etc.). Experienced email processors will demonstrate the limitations and expectations in conducting an email extraction. |
| Track / Date / Time: |
eDiscovery Track
Tuesday, April 29, 4:00pm - 5:30pm |
| |
|
| The EDRM: Electronic Discovery Reference Model and the Future of eDiscovery |
| Skill Level: |
All Skill Levels |
| Presenter: |
George Socha Socha Consulting, Tom Gelbmann Socha Consulting |
| Abstract: |
The Electronic Discovery Reference Model, or EDRM, is about to embark on its 4th year. With the XML load file being used as a standard format for the transfer of electronic data between eDiscovery software and service providers, the EDRM is on the cutting edge of eDiscovery. Founders and subject matter experts George Socha and Tom Gelbmann will discuss the EDRM’s accomplishments to date and look towards the future of both the EDRM and eDiscovery. |
| Track / Date / Time: |
eDiscovery Track
Monday, April 28, 11:45am - 12:45pm |
| |
|
| EDS/Encryption |
| Skill Level: |
Basic |
| Presenter: |
Dominik Weber Guidance Software |
| Abstract: |
EDS module? And how do I use it? Buckle up for a guided tour through the Enterprise Decryption Suite! We will also take a look at EFS, users and the secure storage. |
| Track / Date / Time: |
General Lab II
Tuesday, April 29, 8:45am - 10:00am |
| |
|
| Email Investigations |
| Skill Level: |
Intermediate |
| Presenter: |
James Habben Guidance Software |
| Abstract: |
Investigating email is becoming more challenging every day. Many times it’s the single most critical component of any investigation—criminal or civil. This lab covers the most common email types, where they’re found and how to properly investigate them. |
| Track / Date / Time: |
Most Popular Lab Track
Monday, April 28, 4:45pm - 6:00pm
Fundamentals Lab
Tuesday, April 29, 4:00pm - 5:30pm |
| |
|
| Email Lab: What You Can Do With Gmail® |
| Skill Level: |
Intermediate |
| Presenter: |
James Habben Guidance Software |
| Abstract: |
Gmail has become one of the most popular web-based email services around. Finding artifacts for this web-based email format proves challenging and elusive for most forensic examiners. Nevertheless, finding artifacts is crucial to criminal and civil investigations. Do you know what Gmail leaves behind? |
| Track / Date / Time: |
Fundamentals Lab
Tuesday, April 29, 10:30am - 11:30am |
| |
|
| EnCase® Data Audit and Policy Enforcement |
| Skill Level: |
Basic |
| Presenter: |
Gus Quiroga Guidance Software |
| Abstract: |
Organizations are frequently required to search their data on servers, desktops, laptops, email servers, email archives and data repositories for various business purposes, including identifying the location of sensitive data, mergers and acquisitions, inquiries into antitrust matters or suspected malfeasance. This presentation will discuss how EnCase’s new Data Audit and Enforcement product can be used to perform these audits and remove data that is a liability. We will talk about the advantages of the EnCase solution over traditional data leakage solutions and the unique way that EnCase solves this ever growing business problem. |
| Track / Date / Time: |
Enterprise Lab
Tuesday, April 29, 7:00am - 8:30am |
| |
|
| EnCase® eDiscovery Roadmap & The Future of eDiscovery |
| Skill Level: |
All Skill Levels |
| Presenter: |
Jack Halprin Guidance Software |
| Abstract: |
EnCase eDiscovery is the market-leading eDiscovery product for search, identification, collection, preservation, and processing of electronic data. Along with our partners, we provide an end-to-end eDiscovery solution, covering all steps of the process as outlined by the EDRM. This session will focus on the future development plans and roadmap for EnCase eDiscovery. Additionally, participants will learn about other advances in technology and what they mean for eDiscovery in the future. |
| Track / Date / Time: |
eDiscovery Track
Wednesday, April 30, 9:45am - 11:00am |
| |
|
| EnCase® Information Assurance |
| Skill Level: |
Basic |
| Presenter: |
Gus Quiroga Guidance Software |
| Abstract: |
Information assurance (IA) and security officers are faced with the constant challenge of responding to a broad range of unknown threats, such as hackers, foreign intelligence activities, terrorists and even unintentional misuse of government information. They also have the continuous need to ensure and demonstrate adherence with various government regulations and best practices such as those specified by NIST, FISMA, FOIA and IAVA, among many others. In this session we’ll present an overview of EnCase Information Assurance and how it can be used to combat the IA challenges within an organization by offering system and data audit capabilities, vulnerability and threat analysis and even a hook to Bit9, the world’s largest hash database. |
| Track / Date / Time: |
Enterprise Lab
Wednesday, April 30, 8:00am - 9:30am |
| |
|
| EnCase® Lab Edition |
| Skill Level: |
Intermediate |
| Presenter: |
Jason Frederickson Guidance Software |
| Abstract: |
The traditional model of one investigator/one case is breaking down. Cases are becoming more complex and the loads are becoming larger. There simply aren’t enough trained forensics investigators to go around. Fortunately, it isn’t necessary for trained forensics investigators to conduct all phases of an investigation. Experts in other fields can – and often must – collaborate with forensics investigators to analyze and review evidence and build the case. The problem has always been that these untrained investigators don’t understand forensics tools and can’t interface well with the data. EnCase Lab Edition allows a forensics lab to distribute the case load among a variety of experts according to their specific skills and offers them a controlled, easy way to collaborate on the investigation. This enables efficient and effective review and reporting but ensures no damage is done to the data. Come see how collaborative forensics can extend the capabilities of your trained forensics investigators and how EnCase Lab Edition makes your entire group of investigators more powerful. |
| Track / Date / Time: |
Forensics Lab
Monday, April 28, 4:00pm - 5:30pm
Wednesday, April 30, 9:45am - 11:00am |
| |
|
| EnCE® Workshop |
| Skill Level: |
Intermediate |
| Presenter: |
Kirk Hunter Los Angeles Police Department |
| Abstract: |
The EnCase Certified Examiner (EnCE) program certifies both public and private-sector professionals in the use of Guidance Software's EnCase computer forensic software. Attendees are provided an overview of the EnCE testing process and suggested study areas to successfully complete the certification process. Registering for the Workshop does not include registration for the EnCE Phase 1 test. |
| Track / Date / Time: |
General Lab II
Sunday, April 27, 3:00pm - 4:30pm
Monday, April 28, 11:45am - 12:45pm |
| |
|
| EnScript Part I: Using Projects and the Debugger |
| Skill Level: |
Advanced |
| Presenter: |
Shawn McCreight Guidance Software |
| Abstract: |
In this class you will learn to use the new EnScript debugger to step through your code. You will learn how to set breakpoints and watch variables. You will learn how to walk up and down the call stack of a running script, using the Stack window. Multi-threaded concepts will be discussed briefly, and the threads window will be explained. |
| Track / Date / Time: |
General Lab III
Tuesday, April 29, 11:45am - 12:45pm |
| |
|
| EnScript Part II: Creating Plug-ins |
| Skill Level: |
Advanced |
| Presenter: |
Shawn McCreight Guidance Software |
| Abstract: |
In this lab you will learn how to create and maintain EnScript plug-ins to EnCase. We will cover basic techniques for adding custom menu items and dialog boxes to EnCase. We will also cover more advanced techniques like running another EnScript from within your plug-in, and hooking into the hash value descriptor interface. |
| Track / Date / Time: |
General Lab III
Tuesday, April 29, 4:00pm - 5:30pm |
| |
|
| EnScript Part III: Creating Packages and Licenses |
| Skill Level: |
Advanced |
| Presenter: |
Shawn McCreight Guidance Software |
| Abstract: |
In this lab you will learn how to create and maintain EnScript packages and license files. You will learn how to use the packaging facility to create executable versions of your scripts without revealing your source code. You will also learn how to license your packages to other EnCase users. |
| Track / Date / Time: |
General Lab III
Wednesday, April 30, 9:45am - 11:00am |
| |
|
| Essential Macintosh® Forensics |
| Skill Level: |
Intermediate |
| Presenter: |
David York Guidance Software |
| Abstract: |
Computer forensic analysis is a method of studying and acquiring digital evidence in a manner that ensures the data's integrity. The duty to perform such an analysis often falls upon a police officer or forensic consultant, and it’s their goal to gather the valuable evidence of a crime or lawsuit. The purpose of this class is to describe sound forensic data collection and acquisition techniques as they pertain to the Macintosh. Using different techniques in EnCase and other tools available, I will show how the Macintosh is unique, but can also be user friendly to the investigator. What data can be recovered, and where on the Macintosh it can be found, with the ultimate goal of using the techniques to find the data quickly and efficiently. I will follow this up with a specific outline of how to perform the proper analysis of a Macintosh computer system using an OS X-based system as the analysis machine. The result of this mini class will be a useful reference to those people who may be required to perform a computer forensic analysis on a Macintosh, and to get the target data fast. Topics: Acquisitions - the different methods (target mode, EnCase Enterprise, acquisition); Analysis on a Macintosh, finding the spots where the evidence lives (Safari, Mac Mail); Tools to convert Mac mail to search it in dtSEARCH or EnCase; Conditions - writing and applying conditions on Macintosh data; Write blocking - Macintosh uses Shadow Mount to write-block data (it's built in to the Macintosh). |
| Track / Date / Time: |
Most Popular Lab Track
Sunday, April 27, 3:00pm - 4:30pm
Forensics Lab
Tuesday, April 29, 10:30am - 11:30am |
| |
|
| The Etiquette of Being Deposed |
| Skill Level: |
Basic |
| Presenter: |
Andy Spruill Guidance Software |
| Abstract: |
If you are a practitioner of Digital Forensics, there will come the day when you are handed a subpoena. Soon thereafter you will find yourself being deposed as to your part in the litigation that is underway. This session is designed to prepare you for what to expect during that deposition. There is a distinct etiquette in how depositions proceed and how you should interact with the other participants in both verbal and non-verbal ways. The better you understand this etiquette, the more you will find yourself able to focus on the matter for which you were subpoenaed. This lecture is based on Andy's first-hand experiences in being deposed over several of his past criminal and civil forensic assignments. |
| Track / Date / Time: |
Lecture
Sunday, April 27, 3:00pm - 4:30pm |
| |
|
| Examining the Windows® Registry |
| Skill Level: |
Intermediate |
| Presenter: |
Dan Purcell Seminole Sheriffs Department |
| Abstract: |
This presentation focuses on the offline examination of the Windows Registry. Topics to be covered include the logical and physical structure, interpreting Registry data, locating and recovering relevant investigative and forensic information, and forensic tools used to examine the Registry. |
| Track / Date / Time: |
Most Popular Lab Track
Tuesday, April 29, 7:00am - 8:30am
Forensics Lab
Wednesday, April 30, 8:00am - 9:30am |
| |
|
| File Identification and Recovery Using Block-Based Hash Analysis |
| Skill Level: |
Intermediate |
| Presenter: |
Simon Key Guidance Software |
| Abstract: |
The identification of files using digital fingerprints (or hash values) is a well-established technique of immense value to the forensic examiner. This session will explain how hash analysis can be used to identify known deleted files in unallocated clusters, unused disk areas or slack space even when those files are fragmented and/or partially overwritten. Files such as these are often beyond the reach of traditional signature-based, data-trawling techniques but the hash-based methodology detailed during this session may be able to locate data from such files and, if all of the data is still available, recover them. |
| Track / Date / Time: |
General Lab II
Monday, April 28, 4:00pm - 5:30pm
General Lab III
Tuesday, April 29, 8:45am - 10:00am |
| |
|
| First Looks at Windows® 2008 Server |
| Skill Level: |
Basic / Intermediate |
| Presenter: |
John Marsh Guidance Software |
| Abstract: |
First Looks: Basic Investigations of Windows® 2008 Server |
| Track / Date / Time: |
General Lab II
Monday, April 28, 7:30am - 8:50am |
| |
|
| Foreign Language Challenges |
| Skill Level: |
Intermediate |
| Presenter: |
Dominik Weber Guidance Software |
| Abstract: |
What makes foreign language investigations complex? How does EnCase cope with this? Prepare to delve into Unicode and scripts, text styles and codepages. |
| Track / Date / Time: |
General Lab I
Monday, April 28, 7:30am - 8:50am |
| |
|
| Forensic and Digital Investigations in EMEA |
| Skill Level: |
Intermediate |
| Presenter: |
Dr. Professor John Walker Secure Bastion LTD. |
| Abstract: |
Covering Corporate insecurity, lack of awareness of the issues, and how security has slipped. Focusing on recent events, and looking at where both Commercials, and Public Sectors need to be to meet the international challenge posed by eCrime, eFraud, and the potential emergence of eTerror. |
| Track / Date / Time: |
Lecture
Monday, April 28, 2:00pm - 3:00pm |
| |
|
| Forensic Investigation 101: Where to Start Looking |
| Skill Level: |
Basic |
| Presenter: |
Chris Hapsas Guidance Software |
| Abstract: |
Forensics is as much art as it is science. A very technical person trained in the use of a forensic tool isn't likely to be as powerful as an investigator trained in the use of forensics. The reason: technical knowledge, although important, is no substitute for investigative knowledge. Knowing what to look for based on the particulars of a case is the single most powerful differentiator between one investigator and the next. This lab details the nuances of investigations and the basics of knowing where to look based on the particulars of a case. |
| Track / Date / Time: |
Fundamentals Lab
Sunday, April 27, 4:45pm - 6:00pm |
| |
|
| The Future of EnCase® Software |
| Skill Level: |
Basic |
| Presenter: |
Gary Ulaner Guidance Software |
| Abstract: |
EnCase® Forensic and EnCase® Enterprise have changed significantly over the past five years. EnCase Enterprise has moved from the most powerful forensics tool to an enterprise investigative platform capable of providing solutions in the areas of eDiscovery, data audit, incident response and information assurance. During the same period EnCase® Forensic and the forensic line of products have broadened to support more platforms, more automation, disk encryption, memory analysis, more devices and better workflow. This pace of rapid evolution is set to continue. This presentation discusses the likely direction we expect EnCase Forensic and EnCase Enterprise to go and the meaningful innovations that are just around the corner. |
| Track / Date / Time: |
Lecture
Wednesday, April 30, 9:45am - 11:00am |
| |
|
| GPS Forensics |
| Skill Level: |
Basic |
| Presenter: |
Amber Schroader Paraben |
| Abstract: |
The device frontier has changed to higher capacity and fuller operating system devices. How does an investigator deal with these new hurdles and what data will be retrieved? Review of new devices in market, including the iPhone, will be done and broken into primary evidence stores and pitfalls in examination. |
| Track / Date / Time: |
Lecture
Monday, April 28, 4:00pm - 5:30pm |
| |
|
| Guidance EnCase® eDiscovery & the Clearwell eDiscovery Platform®: Real Cases from Identification to Review |
| Skill Level: |
Intermediate |
| Presenter: |
Jason Reeve Clearwell, Jack Halprin Guidance Software |
| Abstract: |
Due to the growth of electronically stored information, rapidly investigating the relevant case data across the enterprise is a key requirement for today’s e-discovery process. If performed incorrectly or inefficiently, e-discovery steps such as identification, collection, processing, analysis, and review can raise costs and increase the risk of court sanctions. Attend this hands-on lab to learn how to use Guidance Enterprise E-Discovery and the Clearwell E-Discovery Platform to streamline and reduce the risk of e-discovery. |
| Track / Date / Time: |
General Lab III
Monday, April 28, 2:00pm - 3:30pm
Tuesday, April 29, 7:00am - 8:30am |
| |
|
| Hacking Malware |
| Skill Level: |
Intermediate - Advanced |
| Presenter: |
Yogesh Khatri Guidance Software |
| Abstract: |
This will be an advanced lab involving malcode and malware analysis on selected samples of malware obtained in the wild and also some synthesized malware. We shall detect, attack and thwart malware with some code-foo of our own. |
| Track / Date / Time: |
Enterprise Lab
Monday, April 28, 4:00pm - 5:30pm
General Lab I
Tuesday, April 29, 8:45am - 10:00am |
| |
|
| Hardware Write Blocking Best Practices |
| Skill Level: |
Intermediate |
| Presenter: |
Greg Dominguez Forensic Computers, Tableau |
| Abstract: |
Hardware write blockers are a key component of every forensic practitioner’s toolkit. But not all write blockers are created equal. This session will help you understand the technology behind Tableau’s forensic bridges, how to select the proper write-blocker, and how to correctly use write-blockers as part of the forensic investigative process. |
| Track / Date / Time: |
Lecture
Tuesday, April 29, 4:00pm - 5:30pm |
| |
|
| How to Create and Perform Effective Keyword Searches |
| Skill Level: |
Advanced |
| Presenter: |
Daniel Smyth Guidance Software |
| Abstract: |
Searching through data is a fundamental aspect of any investigation. Knowing how to look and where to look are critical to finding that needle in the haystack of gigabytes of data. It's one thing to just search; it's another thing to search smartly. Learn how to narrow down your keyword list and leverage the latest search capabilities of EnCase's indexer and GREP that reduce the number of false positives and ensure you don't miss the critical keyword buried in the data. |
| Track / Date / Time: |
Forensics Lab
Sunday, April 27, 7:30am - 8:50am
General Lab II
Monday, April 28, 10:30am - 11:30am |
| |
|
| How to Forensically Acquire Data Using Software and Hardware Write-Block Solutions |
| Skill Level: |
Intermediate |
| Presenter: |
Chris Hapsas Guidance Software |
| Abstract: |
Is it forensically sound? Did I acquire it the right way? Will they question the way I did my acquisition? Some like hardware write blockers from XYZ company. Someone else prefers using a custom version of Linux, while another just likes to use good old disk duplicators. This session details the best practices for acquiring computer evidence. There are a number of different ways to forensically acquire data. It all comes down to documentation, repeatable process and using trusted tools. Learn from the experts on what it means to forensically acquire data and ensure your tools and techniques are never called into question. |
| Track / Date / Time: |
Forensics Lab
Sunday, April 27, 3:00pm - 4:30pm |
| |
|
| How to Spot Packet Forgeries and Spoofing |
| Skill Level: |
Advanced |
| Presenter: |
MJ Staggs FireEye |
| Abstract: |
We have all been relatively well inoculated against the many techniques of anti and counter-forensics that have been developed for host level forensic analysis. Unfortunately, the same cannot be said about our skill level as investigators relative to network spoofing and packet forging techniques. This class will remedy that situation by exposing the student to examples of spoofing, editing and other network forgeries. The student will be taught how to accomplish these forgeries themselves and in the process, become adept at spotting the telltale signs of forgery in their own work and the work of other, less ethical, parties. |
| Track / Date / Time: |
General Lab II
Tuesday, April 29, 10:30am - 11:30am |
| |
|
| Imaging Macs® without Macs |
| Skill Level: |
Basic |
| Presenter: |
Nicole Donnelly FTI Consulting |
| Abstract: |
With the growing popularity of Intel-based Macintosh systems, what can you do to image them if your organization has not yet adopted the use of Macintoshes or Macintosh-based utilities? This session will briefly highlight Macintosh-based imaging tools and focus on using Windows systems to image Macintoshes. The following topics will be covered: target disk mode (TDM); common troubleshooting techniques for TDM in Windows; EnCase to image Macintoshes in TDM; FTK Imager and live Linux distributions for imaging; areas to be aware of when imaging Macintoshes, and performing examinations from the Windows platform. |
| Track / Date / Time: |
General Lab I
Monday, April 28, 4:00pm - 5:30pm |
| |
|
| Information Gathering and Data Correlation |
| Skill Level: |
Intermediate |
| Presenter: |
Chris Pavan 42-Consulting, Nick Ringold 42-Consulting |
| Abstract: |
"Society is becoming more and more reliant on computers and new technologies making the investigator's job more complex. There are several systems and information sources that can often be overlooked during an investigation. Seldom are alternate data sources collected and analyzed to correlate evidence and validate findings. The focus of this lecture is to help investigators and examiners identify those sources to leverage the information they contain." |
| Track / Date / Time: |
Fundamentals Lab
Tuesday, April 29, 8:45am - 10:00am |
| |
|
| International eDiscovery / eDisclosure: The Asia-Pacific, European Union and United Kingdom Comparative |
| Skill Level: |
All Skill Levels |
| Presenter: |
Seamus Byrne eDiscovery Tools |
| Abstract: |
As the courts continue to embrace the electronic age, legal practitioners and global organizations must play catch-up to maintain a ‘dynamic equilibrium’ in order to comply with the current law. This presentation addresses the rapid evolution and transformation of the law in relation to the eDiscovery process in the Australian, Asia-Pacific, selected European Union, and United Kingdom jurisdictions.
The presentation will provide an overview of current discovery rules and court practice guidelines in the relevant jurisdictions; provide a clear comparative of such rules and guidelines to the United States’ Federal Rules of Civil Procedure (FRCP), provide an overview of recent case law that has identified new hurdles and resulted in changes to the e-discovery and wider e-litigation process in the relevant jurisdictions, and discuss the implications that recently revised discovery rules and court practice guidelines (e.g. Federal Court of Australia forthcoming PN, UK CPR Part 31; PN 31) will have for legal practitioners and litigation support personnel who must comply with its (proscriptive) rules. This session will also highlight the predicted international e-discovery themes and trends for 2008-09 and include at least one e-discovery case study dealing with multinational data collection, cross-border transfer of personal information, and privacy issues. |
| Track / Date / Time: |
eDiscovery Track
Tuesday, April 29, 10:30am - 11:30am |
| |
|
| Introduction to Common File Systems and their Structure |
| Skill Level: |
Basic |
| Presenter: |
Larry Sewell Guidance Software |
| Abstract: |
Using EnCase Field Intelligence Model, Live Forensic Examinations
Under the terms of many parole agreements, local law enforcement retains the right and obligation to ensure parolees don’t use their computers to conduct illegal activity. This is particularly true for sex offenders and child molesters. Unfortunately, it’s often difficult, time consuming and expensive to enforce these restrictions. Visiting parolees, imaging their computers and bringing them back to the lab for analysis is often prohibitive on multiple levels. The Field Intelligence Model offers a solution to this problem. This lab demonstrates how the FIM can be used to investigate the computers of parolees and probationers quickly, easily and over the network.
Included is a review and demonstration of FIM’s new features for V6: the Check-in (Phone Home) Servlet, redirecting the evidence file to another machine on the network, and exciting developments for previewing and acquiring Physical Memory, both RAM and Process Memory. |
| Track / Date / Time: |
Fundamentals Lab
Monday, April 28, 2:00pm - 3:30pm |
| |
|
| Introduction to EnCase® eDiscovery Suite v3 |
| Skill Level: |
Basic |
| Presenter: |
Brent Botta Guidance Software, Frank Lin Guidance Software |
| Abstract: |
This workshop will demonstrate how the automated collections and processing features of the latest version of the EnCase eDiscovery Suite enhance productivity. |
| Track / Date / Time: |
eDiscovery Track
Sunday, April 27, 3:00pm - 4:30pm |
| |
|
| iPhone® Forensics: New Handheld Devices, New Issues |
| Skill Level: |
Basic |
| Presenter: |
Amber Schroader Paraben |
| Abstract: |
GPS devices have become more than a guide to people in their travels. Data from the locations people have been are stored and are waiting as a new realm of forensic evidence. Learn the rules for handling and processing this new digital store. |
| Track / Date / Time: |
General Lab I
Monday, April 28, 7:30am - 8:50am
General Lab I
Wednesday, April 30, 8:00am - 9:30am |
| |
|
| LAB: Strategy for Creation of Filtering Criteria for Collection and Processing of ESI |
| Skill Level: |
Advanced |
| Presenter: |
Brent Botta Guidance Software, Geoff Black Guidance Software |
| Abstract: |
Facilitators will share their experiences and expertise, and the thought processes behind the collection of electronic documents and email by designing full subjects with multiple criteria in real-world scenarios. |
| Track / Date / Time: |
eDiscovery Track
Tuesday, April 29, 7:00am - 8:30am |
| |
|
| Large-scale EnCase® Enterprise Development Best Practices |
| Skill Level: |
Intermediate |
| Presenter: |
Daniel Smyth Guidance Software |
| Abstract: |
|
| Track / Date / Time: |
Enterprise Lab
Tuesday, April 29, 10:30am - 11:30am |
| |
|
| Learning to Love the Records Pane |
| Skill Level: |
Advanced |
| Presenter: |
Jon Stewart Guidance Software |
| Abstract: |
Version 6 consolidated v5's Email, Internet History, and Webmail tabs into a single pane, but the transition hasn't necessarily been easy. In this lab, we will discuss how Records handles these artifacts, perform hands-on work with Records to accomplish basic searching and filtering tasks, and then explore more advanced usage to reveal the hidden power of Records that will make you a more effective investigator. |
| Track / Date / Time: |
Forensics Lab
Tuesday, April 29, 7:00am - 8:30am |
| |
|
| Lessons Learned in E-Discovery and Corporate Investigations: A Panel Discussion |
| Skill Level: |
Intermediate |
| Presenter: |
Richard Cannon, Chief Investigator, Experian
Don McLaughlin Esq., President, Falcon Discovery
Joel Yusim, IT Project Manager - Corporate Security Programs Organization, Cisco |
| Abstract: |
Description: Whether it’s a lawsuit, regulatory inquiry, or an internal HR investigation, a team of professionals are engaged to solve or assess the case, accurately determine risk, and potentially begin a long and winding e-discovery process. Through real experiences and case studies, this panel will discuss the lessons we’ve learned, the hurdles to expect in 2008, and practical best practices in e-discovery and corporate investigations. |
| Track / Date / Time: |
General Lab III
Sunday, April 27, 4:45pm - 6:00pm
Monday, April 28, 11:45am - 12:45pm |
| |
|
| "Live" Malware Analysis for the Incident Responder and Corporate Information Security Professional |
| Skill Level: |
|
| Presenter: |
Rich Cummings HBGary |
| Abstract: |
|
| Track / Date / Time: |
General Lab II
Wednesday, April 30, 9:45am - 11:00am |
| |
|
| Lose the GeekSpeak: Creating Client Friendly Forensic Reports |
| Skill Level: |
Intermediate |
| Presenter: |
Jerry Hatchett Evidence Technology |
| Abstract: |
A brilliant forensic examination loses its value if a client and/or juror can't understand the findings. This session explores the creation of layperson-friendly forensic reports through the use of common tools, templates, and powerful analogies. |
| Track / Date / Time: |
Forensics Lab
Sunday, April 27, 4:45pm - 6:00pm |
| |
|
| Malicious Artifact Identification and Analysis |
| Skill Level: |
Intermediate |
| Presenter: |
Jim Butterworth Guidance Software |
| Abstract: |
As system compromises become more sophisticated and intruders become more adept at hiding their tracks, half of the battle for forensic investigators is determining where to find malicious files and knowing the telltale signs for which to look. The other half is the analysis of their capabilities so that a proper response and remediation can be implemented. Attendees will learn multiple techniques for identifying malicious files, such as timeline and binary analysis, and determining functionality by utilizing a variety of reverse engineering tricks. |
| Track / Date / Time: |
Fundamentals Lab
Wednesday, April 30, 8:00am - 9:30am |
| |
|
| Malware Analysis Workshop |
| Skill Level: |
Basic / Intermediate |
| Presenter: |
Yogesh Khatri Guidance Software |
| Abstract: |
This workshop will demonstrate the techniques of reverse engineering malware a.k.a. malicious/unknown code analysis. How to identify packed executables? How to quickly determine capabilities of unknown binaries? We shall look into behavioral analysis, code analysis, disassembly and debugging. |
| Track / Date / Time: |
Enterprise Lab
Monday, April 28, 11:45am - 12:45pm
Most Popular Lab Track
Tuesday, April 29, 4:00pm - 5:30pm |
| |
|
|