Abstracts



10 Things You Overlooked In Your Last Examination - NEW - Yogesh Khatri, 42 LLC
Advanced Techniques Lab
As a forensic examiner, there is never enough time to look at every possible artifact. Many artifacts are never looked at because it's too laborious to do so manually and there are no automated tools available. Sometimes there hasn't been sufficient research into an artifact to prove its usability. We present our research about some *new* artifacts, some lesser known and infrequently used ones, along with free scripts and applications we developed to automate their processing.


Accrediting the Tradecraft: Academia's Perspective – Moderator: Chuck Cobb, Guidance Software, Panel Discussion: Anna Carlin, California State Polytechnic University, Christopher Curran, Huntington Beach Police Department – Basic
General Learning Topics Lab 1
The purpose of this session is to provide an open forum for the discussion of how successful the academic world has been in introducing the new forensic discipline of Digital Forensics into their classrooms. What has worked? What has not? Where were the stumbling blocks? How were the programs structured? Insights and guidelines for handling these questions and more will be discussed. If your institution has already implemented, or is considering such a program, you are invited to come and share in the free flow discussion of this topic. If you are interested in taking part in one of these academic programs, here is your chance to learn who has such a program, or who is considering one, and add your thoughts to their future development.


Acquisition & Analysis of Physical Memory – Michael Webber, BitSec Forensics, Inc – Intermediate
Digital Acquisition Lab
Participants will learn to recognize and properly seize the contents of physical memory (RAM) then analyze it using both open source and commercially available tools. Several practical exercises will be conducted in order to present several different real-life scenarios giving the investigator a chance to practice with the tools in a controlled environment. Emphasis will be placed on how useful information can be extracted from the collected data as well as how to correlate that information with the future static forensic process. This includes information from volatile system data and memory dumps, including: running processes, MFT records, documents, instant message chats, internet history, network information and communications, logged on users, open file handles and encrypted containers.


Adobe Flash Cookies - NEW – Eric Huber, Honeywell Global Security – Basic
General Learning Topics Lecture 1
With the increasing use and availability of “private” browsing options in popular web browsers, digital forensic examiners need alternatives in how they track user activity. One way of doing this is through the examination of Adobe Local Shared Objects also known as Adobe Flash cookies. Flash is a pervasive multimedia platform whose cookies can provide an examiner with valuable information about a user’s behavior. These cookies can not only help identify what sites a user is visiting, but can sometimes include information such as IP address, time stamps, browser type and version, search queries, usernames and email addresses. These cookies are not stopped by “private” browsing features. This lecture will provide examiners with an overview of Flash technology and Adobe Flash cookies.


Advanced RAID Analysis – Manfred Hatzesberger, Guidance Software, Inc – Advanced
General Learning Topics Lecture 2
This lesson will cover manually analyzing hardware RAID members to determine the characteristics of the array without the RAID controller settings. Students will be shown how to manually do this and then an EnScript program will be demonstrated that facilitates this analysis.


Advanced Reporting in EnScript - NEW – Shawn McCreight, Guidance Software, Inc – Advanced
Advanced Techniques Lab
You will learn how to use the more advanced reporting features of EnScript. Create and display charts to show numeric results. Use HandlerClass and ContextClass to create and display sorted tables of data. Use ExportClass to write reports to RTF and HTML formats. Work with pictures and icons. We will also cover how to create XPS or PDF reports directly using drawing commands.


Advanced Search and Retrieval Technologies - NEW – Albert Barsocchini, Guidance Software, Inc., George Socha, Socha Consulting and Tom Gelbmann, Gelbmann & Associates
eDiscovery Lecture Lab


AIRS Reloaded: The Future of Automated Integration - NEW – Jim Butterworth, Guidance Software, Inc
General Learning Topics Lecture 2


Anti-Forensics and Encryption Challenges in Forensic Investigations – Christopher Andrews, Kroll Ontrack
General Learning Topics Lecture 2
It is crucial to understand how to properly manage anti-forensics and encryption challenges when they necessarily become part of a forensic investigation. It is equally important to understand the implications of both, especially in the security environment. This session will discuss: the common methods of hiding data, falsifying timelines, ways in which users can pretend to be someone they are not, common methods for destroying information, modus operandi and ways to prove intent, the most common signs of anti-forensic tools you may come across, and encryption-breaking best practices.


Attack Attribution - a Cyber Forensic Perspective – Moderator: Bill Crowell, Former Deputy Director, NSA - Panel: Melissa Hathaway, Hathaway Global Strategies, LLC and Senior Advisor at Harvard Kennedy's School Belfer Center, Ian West, NATO, Director NCIRC, Bruce Wynn, Retired Brigadier General, Royal Air Force & Deputy CIO Royal Air Force, Cord Chase, USDA
Cybersecurity Lab


The Automated Investigation: How Automated Analysis Streamlines Digital Investigations - NEW - Jason Reeve, Clearwell - Beginner
General Learning Topics Lab 2
Security and forensics teams are caught between a rock and a hard place. On one side, the number of digital investigations continues to grow. On the other, resources are constant while deadlines are increasingly aggressive. However, advances in data analytics are helping investigators accurately solve more investigations in less time. Attend this hands-on lab to learn how automated analysis can streamline your investigative process.


Automated Reverse Engineering of Malware with HBGary Responder Pro and Recon – Rich Cummings, HBGary
Cybersecurity Lab


Basic RAID Acquisition and Analysis – Simon Key, Guidance Software, Inc – Intermediate
Digital Acquisition Lab
RAID (redundant array of independent disks): what are they and what does it mean to the forensic investigator? The topic of acquiring and analyzing RAIDs generally invokes much discussion. This session gives you an understanding of the different types of RAIDs and how to acquire and analyze them. Attendees gain knowledge necessary to understand what to do when faced with a case containing RAID devices.


Being An Effective Corporate Investigator – Craig Newell, Direct Energy – Intermediate
General Learning Topics Lecture 2
Let’s face it, most corporate investigators aren’t ex-cops. Most of us are geeks from the IT side of the organization who have taken forensics and investigation on as an additional workload. However, there is more to conducting efficient corporate investigations than doing a keyword search with EnCase software. From ensuring you have obtained the proper approvals to begin the investigation to distributing the report, each step is critical in the corporate world. Things like losing the chain of custody are enough to get a negative ruling in a lawsuit which could cost your organization dearly. This seminar will cover: establishing the corporate groundwork to start investigations properly through policy and governance, developing an investigation “procedure,” making sure your infrastructure supports, not hinders, the forensic process, pulling the results together and creating reports that HR and management can understand.


Bit Torrent: A Forensic Review – Andy Joyce, Forensic Data Recovery Inc. – Intermediate
General Learning Topics Lab 1
This session will cover the basics of how the Bit-torrent protocol works and how users can share files. The session then looks at the forensic artefacts that are created when the user uploads, downloads and shares files with some of the most popular Bit-torrent client software, and at how, using EnCase, we can recover and analyse the Bit-torrent artefacts.

Blended Enterprise Investigations – John Grancarich, Paul Hastings Janofsky and Walker LLP – Basic
General Learning Topics Lecture 1
Today’s corporate investigations cannot rely on digital evidence alone. In an enterprise setting, an investigator must combine digital forensic techniques with physical evidence collection and analysis (such as building access logs and video surveillance) to determine the who, what, when, where, why, and how of an incident. Increasingly complex investigations have made honing your 'big picture' skills more critical than ever before. This lecture will contain details of an actual corporate investigation using blended investigation techniques and provide a blueprint for attendees to use in their own practice.


Boosting Incident Response Preparedness with EnCase CyberSecurity – David Wood, Guidance Software, Inc. – Intermediate
Cybersecurity Lab
This session details using EnCase CyberSecurity pro-actively to prepare for security incidents. It covers the following topics:
  • Using EnCase Profile Analysis to construct baseline images
  • Tuning Bit-9 as a Filter for Desirable Applications
  • Constructing Known Good File Databases to couple with Bit-9 for filtering hash analysis noise
  • Using the DISA STIGs to validate security configurations and identify intrusion through comparative scans
  • Using Snapshot Analysis to define profiles and identify potential intrusion

BotNets: A Case Study & Lessons Learned – Ryan Pittman & Dave Shaver, US Army CID – Intermediate
Cybersecurity Lab
A recent case of a BotNet created and managed by an international perpetrator will be examined, to include the basics of BotNets and BotNet investigation methodology, the particular malware and modus operandi utilized by the suspect, the methods used to investigate the case, and lessons learned from the investigation.


Cloud Computing and its potential impact on Digital Forensic Investigations - NEW - Moderator: John Marsh, Guidance Software, Inc., James Valentine, NetApp, Albert Barsocchini, Guidance Software, Inc.
General Learning Topics Lecture 1
Discussion topics will include: Cloud Computing Architectures like the difference between Software as a Service (SaaS) and Platform as a Service (PaaS); Legal issues: what part of the "cloud" belongs to the owner of the data and what part belongs to the service hosting the data?


Conducting Enterprise Investigations - NEW – Intermediate
Digital Analysis Lab
Too often investigations rely solely on computer forensics, which is a reactive measure. Many cases involve real-time monitoring, Internet data sources and correlation of data. Learn how to conduct a successful investigation when forensics alone will not provide all the answers.


Creating EnScript Plugins - NEW – James Habben, Guidance Software, Inc
Advanced Techniques Lab


Customized SQL Reporting - NEW – David Wood, Will Chesher, Guidance Software, Inc
eDiscovery Legal Lab
This session covers the creation of detailed and customized reporting from SQL. Users will be given standard templates to work from and will then be exposed to some of the advanced features that are possible when designing reporting for your environment. This will include web-based reporting and automatic emailed status updates.


Cyber Threat Management Strategies: Meeting the Challenges of the Trusted Insider Threat- NEW – Michael Theis, Raytheon
Cybersecurity Lab


Databases & EnScript®: Storing and Querying Structured Data - NEW – Jason Fredrickson, Guidance Software, Inc
Advanced Techniques Lab

Working with very large data sets – such as hash baselines or known file sets – can bring any system to its knees.  Transferring the data into a database in a structured manner can improve performance dramatically – as well as allow other applications access to the data.  In this hands-on lab we will walk through the basics of configuring and connecting to standard database engines, such as SQL Server Express; inserting data into the database; and leveraging the SQL language to extract relevant information efficiently.  We will also briefly discuss more advanced database questions, such as indexes, joins, data types, and stored procedures.
We recommend attending the “Using COM” session beforehand.


Decoding Prefetch Files for Forensic Purposes - NEW – Mark Wade, Harris Corporation – Intermediate
Digital Analysis Lab - This session is a Lecture
How many times was that executable or program run? Where was it run from, and when? Did he defrag the hard drive once or was it scheduled to run every week? What was the last program run? These questions can be answered by interrogating the prefetch files. This presentation reveals the immense hidden and often overlooked forensic value of the prefetch file. Prefetch files, a staple for computer forensic investigations, were developed to speed up the operating system’s boot and application startup times. While the contents of prefetch files provide information to the operating system for daily operations, they also provide forensic investigators with key digital artifacts. This presentation provides real case examples of how different tools can be used to extract valuable artifacts from prefetch files. Valuable insight can be obtained not only from analyzing a recovered prefetch file, but also from identifying the manner in which it was deleted.


Defeating Advanced Hiding Techniques – Dave Shaver, US Army CID – Intermediate
Cybersecurity Lab
This session will demonstrate a proven methodology for locating malicious software on a computer, despite the hacker's best efforts to hide it.


Defeating the Trojan Virus Defense – Ryan Pittman, US Army CID – Intermediate
General Learning Topics Lab 2* This session is a Lecture
As computer forensics gets greater recognition in legal circles, defense attorneys are finding it more and more difficult to attack the science or methodologies behind computer exams. As a result, there has been a trend toward admitting surface facts (e.g., “The contraband pictures were on my client’s hard drive.”), while claiming the suspects should be absolved of guilt due to Trojan virus infection (e.g., “A Trojan virus downloaded those files without my client’s knowledge or approval.”). This session will discuss some of the aspects of this defense as well as techniques an examiner can use to combat (or in rare cases, substantiate) these claims.


Digital Forensic Reporting - NEW – Andy Spruill, Guidance Software, Inc
General Learning Topics Lecture 2
Over the years Andy has had the opportunity to read numerous digital forensic reports, both as a peer and as an opposing expert. In doing so he has noticed that there is a lack of understanding of what is required when creating these reports. The biggest reason he has heard is that there is no standard in this area for the digital forensic discipline. Well, that’s simply not true.
The forensic sciences have been around for quite a while and there are clearly established standards when it comes to the reporting of forensic analysis and opinions. The digital forensic discipline brings to the table its own challenges, but every forensic discipline does. Andy will walk you through the established reporting standards within the three basic areas you must consider as a Digital Forensic specialist (Computer Sciences, the Law, and Forensic Methodology). He will then wrap it up with examples of sound forensic reporting.


Early Case Assessment and Optimizing Criteria - NEW – Will Chesher, Brent Botta, Guidance Software, Inc
eDiscovery Legal Lab
The session will focus on utilizing EnCase’s FirstLook to perform early case assessment and data sampling to create optimized collection/culling criteria. Ensuring the quality of the criteria directly reduces the timeline and financial expense of the matters.


eDiscovery Case Law Update - NEW – Mark Sidoti, Gibbons P.C., George Socha, Socha Consulting, Tom Gelbmann, Gelbmann & Associates, Conor Crowley, Law Offices of Conor R. Crowley
eDiscovery Legal Lecture


eDiscovery for Law Enforcement (Criminal Investigations) - NEW – Kenneth J. Withers, Federal Judicial Center and The Sedona Conference, Karl Heisler, Katten Muchin Rosenman LLP
eDiscovery Lecture Lab


eDiscovery In-House Case Studies - NEW – Glenn O'Brien, Liberty Mutual, Matthew Miller, Forsythe, Jedd Fowler, O'Melveny & Myers.
eDiscovery Legal Lecture


Email Case Study - NEW - Brent Botta, Nick Torrecillas, Joe Murin, Guidance Software, Inc
eDiscovery Legal Lab
Given a description of an expected outcome, the following will be completed: document expected email locations, craft effective email collection and email processing criteria, export data in an industry standard format.


Email Investigation - NEW - Peter Mercer, Vound Software
General Learning Topics Lab 1
Email investigations are increasing in importance and becoming more time consuming. This 90 minute session will highlight common issues that can speed up email review and lessen the workload of forensic investigators. Students will be shown how to understand and take advantage of email metadata, content and attachments to understand and find useful evidence.
The training will cover theory and practical exercises to help the students:
  • Understanding the email metadata
  • Tracing an email header back to the point of origin
  • Understanding how email threading works
  • Threading in relation to list server email
  • Understanding the date structure in a PST file.
  • Detect hidden images in MS Word documents
  • Identifying possibly spoofed emails
  • Statistics on email investigations.

Email Investigations – Manfred Hatzesberger, Guidance Software, Inc – Intermediate
Digital Analysis Lab
Investigating email is becoming more challenging every day. Many times it's the single most critical component of any investigation - criminal or civil. This lab covers the most common email types, where they're found and how to properly investigate them.


EnCase Focus - Difference Between Indexing and Keyword Searching – Daniel Smyth, Guidance Software, Inc
Digital Analysis Lab


EnCase for Anyone - Collections in the Field using EnCase Portable - NEW - Jamey Tubbs, Guidance Software, Inc
Digital Acquisition Lab


EnCase Forensic Roadmap – Moderator: Steve Salinas, Panel: Ken Basore & Ashley Stockdale, Guidance Software, Inc
General Learning Topics Lecture 1
Do you want to know how EnCase version 7 is going to help you jumpstart your case investigations?  How about what enhancements we have in store for investigating email?  We are excited to share with you how we’ve focused our powerful features to help you find what you are looking for faster. 


EnCase Tips & Tricks – Chris Pavan & Nick Ringold, 42 LLC – Intermediate
Advanced Techniques Lab
Thanks to the overwhelmingly positive feedback we received from last year’s session, The Tips and Tricks of Forensics lab is back by popular demand. This year we are going to dive deeper into the Windows and EnCase environment settings, as well as some of the often overlooked capabilities of EnCase. Overall, the session is designed to make the EnCase Examiner’s life easier. We will also include a quick reference sheet that covers the key information presented in the session, as well as some EnScripts. This is a basic to intermediate session that will repeat some, but not all, of the information from last year. If you are new to using EnCase, need a refresher on optimizing Windows and EnCase performance, or just want to see EnCase from our perspective, then this is the session for you. For those of you who are advanced Windows users and EnCase Ninjas, you may find this session repetitive.


EnCE® Last Minute Review – Nathen Langfeldt, Guidance Software, Inc – Intermediate
General Learning Topics Lab 1


Encryption for the Forensic Professional - NEW - James Wiebe, CRU-Dataport - All Skill Levels
Digital Acquisition Lab
In this session you will learn how the forensic professional can anticipate and capture evidence where encryption is involved.


EnScript 101 – Kimberly Stone-Kaplan, Guidance Software, Inc – Basic/Intermediate
Advanced Techniques Lab
This class is targeted toward EnCase users who are interested in learning more about the uses and capabilities of EnScript. We will cover unique aspects of the language, explore what’s available in the EnScript development environment (including a preview of new features), and go over the various uses of EnScript within EnCase.


EnScript Debugger – Howard Williamson, Guidance Software, Inc
Advanced Techniques Lab


Entropy - NEW – Guidance Software, Inc – Intermediate
Digital Analysis Lab


exFAT (Extended FAT) - NEW – Jeff Hamm, Paradigm Solutions – Intermediate
Digital Acquisition Lab
exFAT is a new file system designed by Microsoft to be used with large capacity volumes and large media files. This file system is the default file system for large removable media with Vista (SP1 and later). New media devices utilizing the memory card format SDXC will use exclusively the exFAT file system. The file system is not seen logically by current forensic tools and Jeff Hamm has done extensive research into the forensic implications of the file system.


Expert Witness Panel: Making It Stick - NEW - Moderator: Andy Spruill, Guidance Software, Inc Panel: Larry Daniel, Guardian Digital Forensics & Lynita Hinsch, Forensics Consulting Solutions
General Learning Topics Lecture 2



File Identification and Recovery Using Block-Based Hash Analysis – Simon Key, Guidance Software, Inc – Intermediate
Digital Analysis Lab
The identification of files using digital fingerprints (or hash values) is a well-established technique of immense value to the forensic examiner. This session will explain how hash analysis can be used to identify known deleted files in unallocated clusters, unused disk areas or slack space even when those files are fragmented and/or partially overwritten. Files such as these are often beyond the reach of traditional signature-based, data-trawling techniques but the hash-based methodology detailed during this session may be able to locate data from such files and, if all of the data is still available, recover them.


Follow the Money - NEW – John Grancarich, Paul Hastings Janofsky and Walker LLP – Basic
General Learning Topics Lecture 1
Increasingly sophisticated technology and techniques are continuously being developed to perpetrate financial fraud. Annual losses resulting from fraudulent activities of various types are staggering and measure in the billions of dollars. Embezzlement, fraudulent statements, check forgery and altered checks, and money laundering are on the rise with no sign of slowing down. The fight against financial fraud is an ongoing battle which requires not only strong technical skills, but an understanding of the financial underpinnings of fraud. Understanding and being able to spot the red flags of financial fraud is a key element of the fraud investigator’s skill set. This presentation will provide a foundation for investigators and examiners who want to learn more about the growing business of fraud and be able to better manage their fraud cases and provide appropriate technical advice to their clients and stakeholders.


Forensic Investigation 101 - Where to Start Looking – James Habben, Guidance Software, Inc – Basic
Digital Analysis Lab
Forensics is as much art as it is science. A very technical person trained in the use of a forensic tool isn’t likely to be as powerful as an investigator trained in the use of forensics. The reason: technical knowledge, although important, is no substitute for investigative knowledge. Knowing what to look for based on the particulars of a case is the single most powerful differentiator between one investigator and the next. This lab details the nuances of investigations and the basics of knowing where to look based on the particulars of a case.


Forensic Technologies in Incident Crisis Management - NEW – Ondrej Krehel, Identity Theft 911, LLC – Intermediate
General Learning Topics Lecture 1
At the technical level, data breach cases require the incident handler and his team to use multiple technologies in the investigation process. The investigation team often finds a compromised system still under attack, with dynamic libraries making calls to normal-looking websites, time-scheduled malware running in memory, data being exfiltrated through encrypted channels, commands transmitted via web-masked reverse traffic, anti-forensic techniques used for covering tracks and changing timestamps, or other challenging situations. This session will cover the incident handler's selection of the team members and the different forensic and security technologies used in the investigation. It will present the examination of different artifacts from combined network forensic solutions, volatile and live evidence, and the artifacts found with advanced digital media examination. Combining different technologies will empower the investigation team to work more efficiently in data breach engagements.


Forensic Triage Programs, Risk Assessment Factors - NEW – JJ Wallia, ADF Solutions, Inc – Basic
General Learning Topics Lecture 1
This presentation reviews the recent success of “Forensic Triage Programs” and is intended for all persons involved in the direct or indirect management of high tech crime units. Recently implemented programs have resulted in drastic reductions in forensic backlogs and record conviction times of suspects. The presentation addresses all the factors that need to be considered in the development of a successful forensic triage program. This includes defining goals & expectations; training requirements of field detectives and child protection officers; internal policies (example: internal communication, evidence handling, etc.); and other critical factors.


Forensic Tracking of USB Devices – Colin Cree, e-Forensic Services Inc – Intermediate
Digital Analysis Lab
The ease of use of the ubiquitous USB thumb drive in transferring and storing data has led to its use for nefarious purposes. Subjects have used thumb drives to hide the artifacts of their online habits, store illicit data, spread malicious code and steal proprietary data. Investigators are increasingly called upon to cull digital evidence for signs of USB storage devices. This session will provide methodologies for forensic investigation of USB attached storage devices including USB hard disks with a focus on Windows 7. This presentation is a detailed examination of the devices and their artifacts.


Get Schooled in Mobile Forensics - NEW – Amber Schroader, Paraben - Basic
General Learning Topics Lecture 1
Mobile devices can be your biggest triumph of evidence and your biggest challenge as far as collection. There are many different thoughts on which tools to use and how to validate, so come and get your questions answered. Learn the latest tips and tricks to get data, parse, and review the information without losing your sanity in the process. Get the outline you need to write a valid test plan to process your tools through and protect yourself in court.


Gone Without a Trace? Finding Evidence of ESI Destruction Software to Support a Claim of Wrongdoing - NEW – Christopher Andrews, Kroll Ontrack
General Learning Topics Lecture 1
More and more crime scene investigations are taking place on hard drives, and the desire to eliminate the evidence of civil or criminal malfeasance with “wipe” or other common data destruction software grows alongside the availability of such programs. Computer forensics analysis professionals must understand how to recognize the clues data destruction software leaves behind and how to determine what data was actually destroyed. Recognizing what data was destroyed and how is only the first step. Proving that the destruction was intentional can result in severe civil and criminal penalties for those who attempt to destroy evidence. This presentation will discuss:
• The ways to locate the presence of common “wipe” and other data destruction software
• Reverse-engineering destructive software to determine what evidence it leaves behind
• How to locate forensic evidence to show the specific intent to destroy data
• Methods to determine what data was destroyed
• How to author a comprehensive report of your findings
• Investigation differences between criminal and civil matters
• Testimony do’s and don’ts


Government and Corporate Cybersecurity - NEW - Joe Riggins, Guidance Software, Inc
Cybersecurity Lab


How Federal Rule of Evidence 502 affects Best Practices Regarding ESI - NEW - John Rosenthal, Winston & Strawn, Patrick Oot, Electronic Discovery Institute, John Patzakis, Digital Compliance Consulting
eDiscovery Lecture Lab


How to Create and Perform Effective Keyword Searches (Advanced Searching) - NEW – Daniel Smyth, Guidance Software, Inc - Advanced
General Learning Topics Lab 2
Searching through data is a fundamental aspect of any investigation. Knowing how to look and where to look are critical to finding that needle in the haystack of gigabytes of data. It’s one thing to just search, it’s another thing to search smartly. Learn how to narrow down your keyword list and leverage the latest search capabilities of EnCase’s indexer and GREP that reduce the number of false positives and ensure you don’t miss the critical keyword buried in the data.


How to Spot Packet Forgeries, Spoofing, Tunneling and Other Rogue Network Activity – Jamie Levy, Guidance Software, Inc – Advanced
Cybersecurity Lab
Digital investigators all have been relatively well inoculated against the many techniques of anti- and counter-forensics that have been developed for host level forensic analysis. Unfortunately, the same cannot be said about their skill level relative to network spoofing, packet forging, tunneling and firewall/IPS/IDS evasion techniques. This class will remedy that situation by exposing the student to examples of spoofing, editing, other network forgeries and evasion methods. The student will be taught how to accomplish these methodologies themselves and in the process, become adept at spotting the tell-tale signs of clandestine behavior in their own work and the activities of other, less ethical, parties.


Identifying and Addressing Exceptions - NEW – Nick Torrecillas, Dave Erban, Guidance Software, Inc
eDiscovery Legal Lab
Taking real-life examples of data that is very difficult to process, the session will explore different methods of identifying exceptions and different methods to process them, covering everything from password-protected Word documents to PST files. During the session, workflow will be addressed to most efficiently identify, report to the legal teams and process selected exceptions.


The Impact of Multi-core and Multi-threading Architectures on Forensic Imaging Applications Performance - NEW - Robert Botchek, Tableau LLC
Digital Acquisition Lab
Today’s forensic computer systems are built with the latest in modern processor architectures. Yet the number of CPU cores does not always translate to increased forensic imaging performance. Join Robert Botchek, Tableau President and Founder, to explore the latest developments in forensic imaging software. This workshop will help you understand system architectures, factors that impact HDD imaging performance and understand why all imaging applications are not created equal.


International eDiscovery: Data Protection, Privacy & Cross-Border Issues - NEW – Dominic Jaar, Ledgit Consulting Inc., Patrick Burke, Guidance Software, Inc., M. James Daley, Daley & Fey, LLP eDiscovery, George Rudoy, Shearman & Sterling, LLP
eDiscovery Legal Lecture


Intro to Network Forensics - Gary Golomb, Netwitness - Basic
General Learning Topics Lab 2


Judicial Perspectives on Electronic Discovery - NEW – Honorable Andrew Peck, US Magistrate Judge, Southern District of New York, Senior Master Steven Whitaker, Senior Master of the Queen's Bench Division, Royal Courts of Justice, United Kingdom, Judge Donald Shelton, Chief Judge, Washtenaw County Trial Court
eDiscovery Lecture Lab


Know Your Enemy - The Advanced Persistent Threat (APT) Tactics Techniques and Countermeasures - NEW – Rich Cummings, HBGary
General Learning Topics Lecture 2


Large-scale EE Deployment Best Practices – Daniel Smyth, Guidance Software, Inc – Intermediate
General Learning Topics Lab 1


Learning the Digital Forensics Backlog and Creating Highly Effective Investigations - NEW – Suresh Sundarababu, Global Solutions Strategy Manager, Dell
General Learning Topics Lab 2
In recent years, there has been an exponential rise in the volume, velocity, variety, and sophistication of digital activity by criminals and terrorist groups worldwide. Most crimes today have a digital component and the growth has been exacerbated by dramatic advances in the diversity and capacity of readily-available consumer electronic devices. From PCs to laptops, mobile phones to thumb drives and even game consoles, security and law enforcement officials are pushed to the limit to clone, ingest (or image), index, and analyze growing amounts of suspect data while preserving the digital chain of custody and protecting citizens. Given the demand for help to support these challenging, inherently governmental tasks, Dell has developed an approach to Digital Forensics that maximizes technology and preserves the required information to support criminal investigation. Join this session and learn more about how to use a practical, serial process that applies the principles of Cloud Computing to enable simultaneous parallel processing of digital evidence.


Linux Imaging with Linen - NEW – John Casteel, IRS
Digital Acquisition Lab


Live Forensics: What to Do if You Catch a Cyber Criminal in the Act - NEW – Robert Monsour, Forensics3 – Intermediate
General Learning Topics Lab 1
Performing live, remote forensic analysis of a computer that is actively being used by the subject of an investigation is very different from analyzing a static hard drive in a laboratory. What should you preserve first if you catch a cyber criminal in the act? How do you investigate a subject who never stays online for more than a few minutes, making a full remote acquisition of his or her hard drive impossible?
This session is designed for information security investigators and other individuals tasked with conducting live, remote digital investigations using enterprise forensic tools. The instructor will share tips for handling various live forensic scenarios. Methods will be discussed for dealing with issues such as establishing chain of custody for remotely acquired evidence and quickly preserving data that is at risk of being overwritten. Participants will be presented with a framework to help them decide what data to preserve first, and will learn techniques for quickly zeroing-in on pertinent evidence.


Mac Forensics for First Responders - NEW – Ryan Chapin, Blackbag Technologies – Basic
General Learning Topics Lab 1
This 90 min lab is aimed at forensic professionals with no prior experience working in a Mac environment. During this brief session designed specifically for the first responder, participants will gain a limited understanding of a handful of Mac forensic tools and processes. The class includes scenario and lecture instruction to help students better understand, as context for potential evidence retrieval, how suspects use and store Mac files on their Macs. Additionally, participants will learn how to conduct forensically sound previews of Mac systems to decide whether there is a need for further analysis or not.


Mastering Conditions 1 - Joe Murin & Liz Hall, Guidance Software, Inc – Intermediate
Advanced Techniques Lab
Please note: This is a 2 part series. You must attend part 1 to attend part 2. The ability to use conditions effectively is the mark of an EnCase Enterprise pro. In this interactive lab, we will review creating and using simple conditions, discuss some case management best practices related to their use, introduce some tips and tricks for debugging complex conditions with extensive Boolean logic and dig deep into EnCase with conditions covering security permissions, bookmarked files and more.


Mastering Conditions 2 - Joe Murin & Liz Hall, Guidance Software, Inc – Intermediate/Advanced
Advanced Techniques Lab
Please note: This is a 2 part series. You must attend Part 1 to attend Part 2. The ability to use conditions effectively is the mark of an EnCase Forensic pro. In the interactive lab, we will review creating and using simple conditions, discuss some case management best practices related to their use, introduce some tips and tricks for debugging complex conditions with extensive Boolean logic, and dig deep into EnCase with conditions covering security permissions, bookmarked files, and more.


Mastering Criteria - NEW – Joe Murin, Brent Botta, Guidance Software, Inc
eDiscovery Lab
This session explores template criteria for eDocs and email and teaches advanced methods and capabilities of the EnCase eDiscovery solution. It will span from normal eDiscovery requests to off-the-wall needle-in-the-haystack hunting.


Mini-Series Part 1 - Information Management/Retention Policy - NEW – Liz Hall, Will Chesher, Guidance Software, Inc
eDiscovery Legal Lab
In this interactive lab we will discuss Information Management / Retention Policy and its implications for the eDiscovery process, specifically Litigation Hold, including identification, preservation and collection. You will learn how to plan and resource eDiscovery events and get hands-on experience with the EnCase Legal Hold product. We’ll give pointers on how to effectively identify custodians and Electronically Stored Information (ESI) through Custodian Interviews. You will use information gained through Custodian Interviews to preserve and collect ESI using EnCase Command Center.


Mini-Series Part 2 - Data Mapping and Sampling to Locate, Clarify, and Refine Info - NEW – Nick Torrecillas, Dave Erban, Guidance Software, Inc
eDiscovery Legal Lab
The second part of the series focuses on data mapping and sampling to locate, clarify and refine information gained from Custodians in order to conduct a complete and comprehensive preservation and collection. You will identify sources of ESI and configure EnCase Command Center to target that ESI. You will get hands-on practice applying criteria to collect ESI from identified targets and appropriately preserve the evidence.


Mini-Series Part 3 - Processing ESI and Electronic Documents - NEW – David Wood, Dave Erban, Guidance Software, Inc.
eDiscovery Legal Lab
The third part of the series focuses on preparation for Processing ESI and the processing of electronic documents. We will discuss appropriate key term identification, sampling and refinement. You’ll identify appropriate filetypes for searching and exception processing. You’ll learn to identify and configure output and conduct appropriate quality control and documentation.


Mini-Series Part 4 - Processing of Email Records - NEW – Nick Torrecillas, Brent Botta, Guidance Software, Inc.
eDiscovery Legal Lab
The fourth and final part of the series focuses on the processing of email records. We will prepare email for processing, convert edoc criteria to email criteria, and conduct further sampling and refinement. You’ll identify appropriate records for searching and exception processing. You’ll learn to identify and configure output and conduct appropriate quality control and documentation.


Mobile Physical Extractions - The Missing Link? - NEW – Adrian O'Leary, London Metropolitan Police
General Learning Topics Lab 2
Advanced Techniques & Methodology for deleted data recovery


New Technologies and New Problems for eDiscovery - NEW – David Benton, Home Depot and The American Society of Digital Forensics & eDiscovery, Browning Marean, DLA Piper, Guidance Software, Inc.
eDiscovery Lecture Lab


*NIX Environments – Chris Pavan & Gordon Stephens, 42 LLC – Basic/Intermediate
General Learning Topics Lab 2


On The Outer RIM of your Network... Blackberry Forensics – Andy Spruill, Guidance Software, Inc.
General Learning Topics Lab 2


Packing EnScript Applications - NEW – James Habben, Guidance Software, Inc
Advanced Techniques Lab


Performing Attack Attribution of Malicious Code with Entropy - NEW - Jim Butterworth, Guidance Software, Inc.,
Cybersecurity Lab


Planning for a Successful eDiscovery Matter - NEW - Liz Hall, David Wood, Guidance Software, Inc.
eDiscovery Legal Lab
The session will focus on correctly identifying the Custodian’s available data sources and different methods to successfully collect and cull that data into a more reasonable size. The communication between Legal, IT, NETSEC, Custodians and the consultants will make or break the matter, in addition to setting up realistic deadlines and expectations up front. You will learn how to identify these pitfalls and avoid decisions made based on poor information that can be very costly down the road. Properly identifying and planning a streamlined data workflow is critical for any matter to be successful - starting from the point of collection to how the data is migrated to a review platform. But, let’s not forget the unforeseen obstacles that plague every collection/culling project. We will discuss the tell-tale signs to identify these items before they snowball out of control and options to quickly resolve the problem with little to no slippage on the timeline.


Preparing eDiscovery 30(b)(6) Witnesses - Albert Barsochinni, Chad McManamy, Guidance Software, Inc., Thomas A Lidbury, Mayer Brown, Edward Han, Howrey, LLC.
eDiscovery Lecture Lab


Proactive Cybersecurity-Reduce the Attack Surface with Application Whitelisting - NEW – Doug Cahill, Bit9
Cybersecurity Lab
Cyber criminals are threatening information systems now more than ever. They are taking advantage of a growing attack surface that is increasing due to the dependency on remotely distributed networks, the proliferation of Internet-based applications and the globalized environment for information transfer. To truly secure an environment, information security professionals must be able to identify all of the artifacts on any given system and quickly locate any malware or programs in violation of policy. This presentation will explain the proliferation of cyber crime and resulting initiatives by solution providers to combine forces and prevent cyber threats.


Remote Analysis/Acquisition Considerations and Options - Rodney Smith & Daniel Smyth - Guidance Software, Inc – Basic
Digital Acquisition Lab


Repurposing eDiscovery Solutions to Meet Expanding Compliance Challenges - NEW - Mary Frantz, Enterprise Knowledge, Keith Chval, Protek International, Inc., Suellen Galish, Baker Robbins & Company
eDiscovery Lecture Lab


Searching for PII and IP in Your Organization - NEW - Dave Erban & Jeff Danielson, Guidance Software, Inc – Intermediate
Cybersecurity Lab
Using EnCase Cybersecurity, users will learn how to audit end systems for PII and IP as well as remediate the files from the system.


Social Media Investigations - NEW – Frank Zeller, Inland Direct – Basic
General Learning Topics Lab 2
This session will focus on investigations dealing with social media including: Facebook®, Twitter™, & a new site, Humaniplex (adult social networking).


Spy vs. Spy: Is there a stranger in your house? – Joe Riggins, Guidance Software, Inc
General Learning Topics Lecture 1
Most security efforts put great focus on perimeter network protection and little on the insider threat. Technologies are great to provide indications of insider threat, but this briefing will delve into the characteristic traits of an insider and indications of their activity. As a culmination of many counterintelligence and cybersecurity investigations, the profile of an insider can be apparent. We discuss different types of insiders, their behaviors, and even ways to combat the threat. Further, we reveal closely guarded tradecraft, to attribute activity of the insider and identify where you are losing (or have lost) critical information.


Super Timeline Analysis - NEW - Rob Lee, SANS Institute, Mandiant
Digital Analysis Lab
Utilizing advances in spear phishing, web application attacks, and persistent malware, these new sophisticated attackers advance rapidly through your network. Forensic investigators must master a variety of operating systems, investigation techniques, and incident response tactics to solve challenging cases. Temporal data is located everywhere on a computer system. File system MAC times, log files, network data, registry data, internet history files and file metadata all contain time data that can be correlated into critical analysis to successfully solve cases. While utilized first by my team in AFOSI in 2001, timeline analysis has become a critical investigative technique to solve complex cases. Until recently, timeline analysis frameworks have not existed to easily allow multiple examinations of time-based data into a single framework that is easily analyzed by investigators. Learn via this hands-on practical that will permanently change your approach to forensic cases.


Technology Forum - Shawn McCreight, Ashley Stockdale & Kim Stone-Kaplan, Guidance Software, Inc
General Learning Topics Lecture 1
Have a burning technical question that only an EnCase expert can answer?  Join us for a moderated question and answer forum with our lead developers and architects answering your common, and not-so-common, technical questions.  Participants can submit questions in advance and there will be an open Q&A period at the end.  If you have a specific topic you'd like covered please email Ashley.Stockdale@guidancesoftware.com.


Testing, Sampling and Quality Control in eDiscovery - NEW – Scott Carlson, Seyfarth Shaw, Andrew Drake, Nationwide, Monica Palko, Rosetta Stone
eDiscovery Lecture Lab


Textual Relations - NEW - Josh Gilliland, D4 Discovery – Intermediate
General Learning Topics Lecture 2
Textual Relations is everything you wanted to know about text messages, but were afraid to ask. 1 Trillion Text messages were sent in 2008. Text messages are one of the most abundant forms of electronically stored information on the planet, with smart phones being able to also send email, Twitter updates and Facebook postings from the palm of your hand. Politicians have ruined their careers and everyday people have lost jobs because of Text messages. “Textual Relations” addresses requests for production, privacy issues, expert testimony, spoliation, 4th Amendment protections and admissibility concerns of Text messages, including hearsay and authentication issues. The material covers both recent civil and criminal cases where text messages were key evidence.


Triage Your Data for Forensic Analysis with EnCase eDiscovery - NEW – David Wood, Brent Botta, Guidance Software, Inc
eDiscovery Lab
There are many uses of the eDiscovery solution outside of normal litigation. For larger forensic investigations, the data can be mass culled with the EnCase eDiscovery solution to triage your analysis. This and many other uses will be demonstrated with a hands-on lab.


Using COM in EnScript - NEW - Stephen Pascual, Guidance Software, Inc – Intermediate
Advanced Techniques Lab
COM (Microsoft Component Object Model) is the primary mechanism through which you can integrate 3rd party software with your EnScript applications. In this session we will cover:
• Quick overview of COM and Automation
• Learn how to discover and import COM type libraries so that they can be used with EnScript
• Learn about differences between using Automation through EnScript vs. other scripting languages like VBScript
• Learn to develop sample programs using COM for
   o Browsing Active Directory
   o Working with email
   o Working with Microsoft Office APIs for interfacing with Excel and Word
• Limitations, Gotchas, etc.


Using Data Mapping Techniques to Prepare Proactive Case Templates and Manage Records Retention - David Wood, Liz Hall, Guidance Software, Inc – Intermediate
Advanced Techniques Lab
This session details the use of EnCase as a Data Mapping tool to provide means to proactively prepare for common regulatory and litigation case types as well as manage records retention. It includes a discussion of using EnCase eDiscovery, coupled with interviews and business analysis, to perform one-time identification of data for collection given common case types and allow for more direct estimation of collection and processing costs, providing push-button collection capabilities. It also includes a case study of a nationwide insurance provider that uses customized data mapping capabilities within the EnCase eDiscovery framework and SQL Reporting Services to identify data for collection and/or remediation.


Using Virtual Machines - NEW – Dave Shaver, US Army CID – Intermediate
General Learning Topics Lab 1
This lecture will discuss the proven methodology to convert an EnCase image to a workable Virtual Machine. It then covers using common tools against the Virtual Machine to make it give up its secrets and complement your forensic examination.


An Uninvited Guest (Who Won't Go Home) - NEW – Bill Blunden, San Francisco State University – Advanced
General Learning Topics Lecture 2
While there are a multitude of battle-tested forensic tools that focus on disk storage, the domain of memory analysis is still emerging.
In fact, even the engineers who work at companies that sell memory-related tools have been known to admit that the percentage of investigators who perform an in-depth examination of memory is relatively small. In light of this, staying memory resident is a viable strategy for rootkit deployment.
The problem then becomes a matter of remaining inconspicuous and finding novel ways to survive a system restart. In this presentation I'll look at rootkit technology that tackles both of these issues on the Windows platform.


Webpage Reconstruction - NEW - John Cotton, Kevin Ripa, Computer Evidence Recovery, Inc. – Basic
Digital Analysis Lab
Online activity. It is a ubiquitous part of computer use, but is amazingly misunderstood by many investigators. This presentation will address how web pages work, how they get to be on your computer, how they are stored, and most importantly, how to rebuild them without expensive software! In many investigations, the internet artifacts can be something much different in context than they appear to be when they are viewed out of context. Beyond this, we will look at ways of finding how a website used to look, as well as how to find historical WHOIS information on a particular website. This lecture will focus on Internet Explorer and Firefox.


What to Do When All Hope is Gone - Acquiring Data Off a Dead Drive - John Wiechman & Eddie Wiechman, TLSI, Inc – All Skill Levels
General Learning Topics Lecture 2
PowerPoint and hands-on lab presentation for doing diagnostics and data recovery on crashed hard drives, flash drives, etc. Includes the uses of tools, software, hardware, etc. Students will take back to their labs the ability to diagnose crashed drives. They will also know what to look for when trying to obtain the parts they need for data recovery. At the conclusion of the course, they should be able to do all work not requiring a full cleanroom and platter readers.


Windows® 7: What's new in Windows Forensic - NEW - John Marsh, Guidance Software, Inc.
General Learning Topics Lab 1



 
 
