The preliminary CTIN 2017 Conference Agenda is currently being developed. It will be posted at so please visit our new web site for additional details.

Agendas are available for past years including: 2013, 2014, 2015

SPEAKERS: Topics, Descriptions, and Biographies

CTIN16 speakers:



The Solo Practitioner       (second session)

Are you weary of the corporate world, politics in your office, your boss, or going to work for someone else every day? Or do you already work for yourself and want to learn some tips and tricks? Become fulfilled and excited about work again! The forming and growth of a small business designed specifically for the digital forensics specialist solo practitioner will be covered in detail. I invite you to learn from my mistakes and successes over the last decade.


Adam Kelly, a solo practitioner from Michigan, is a Certified Computer Examiner who has provided digital forensics and eDiscovery services to law firms, law enforcement, and small businesses over the past decade. Mr. Kelly has offered expert testimony in numerous State and Federal courts and takes great pride in our industry. His advocacy for the data and strong work ethic has made him a desirable expert. Mr. Kelly welcomes the opportunity to discuss small business ideas that have worked for him to construct his perfect job.



Office 365       (second session)

Learn about the different permissions required and the options that are available to do an Office 365 collection as well as the different log files that will help identify access to the data.


Allison Goodman is the President of eDiscovery Inc., a consulting firm that provides electronic discovery consulting and digital forensic services to law firms and corporate counsel nationwide.

With more than a decade of experience in the digital forensic industry and over two decades in electronic discovery, Allison brings a wealth of knowledge to the profession. She is a Certified Computer Examiner and is a board member of CTIN.

Allison has presented at numerous seminars on digital forensics and electronic discovery for various groups and agencies, including the Washington State and King County Bar Associations and has testified in both state and federal courts.



Digital Forensics and the Law: Creating Law at the Speed of Technology       (second session)

Technology changes constantly as do the devices we retrieve data from and the tools that we employ to accomplish that task. For the last few decades we have seen the need for laws that simply do not yet exist. What can we do to outpace the technology and create laws that will work for us in this burgeoning field? Come and see the challenges and possible solutions to this issue.


Dr. Amelia Phillips is a graduate of the Massachusetts Institute of Technology with a BS in Astronautical Engineering and a BS in Archaeology. She recently earned her doctorate in Computer Security at the University of Alaska Fairbanks as an interdisciplinary degree.

After working as an engineer at the Jet Propulsion Laboratory and TRW, Amelia worked with e-commerce sites and began her training in digital forensics and investigations during the dot-com boom. She has designed certificate and AAS programs for community colleges in e-commerce, network security, digital forensics and data recovery. Amelia co-authored the textbook Guide to Computer Forensics and Investigations now in its fourth edition. This year the first edition of her next textbook E-Discovery – An Introduction to Digital Evidence was published. Amelia is program lead for the Network Security and Data Recovery/Digital Forensics for Highline Community College in Seattle. She was also the lead for Highline’s first Bachelor of Applied Science degree in Cybersecurity and Forensics which goes online in the Fall of 2014. Amelia is the Regional Director of the Pacific Rim Collegiate Cyber Defense Competition (PRCCDC) which Highline has hosted since 2010. The 7th annual event will be this March at Highline.

Amelia also is active in working with developing nations in e-learning, retention, network security, digital forensics and entrepreneurship. She is currently tenured at Highline Community College in Seattle, WA and is serving as the Chair of the Pure & Applied Science Division. Amelia was a visiting Fulbright Scholar at the Polytechnic of Namibia in 2005 and 2006.



Windows Event Log Forensics       (second session)

This talk will cover tools and techniques for analyzing Windows event logs with an emphasis on using event log artifacts to support your next investigation.


Mr. Brandon Leatha is a Director at iDiscovery Solutions (iDS), an award-winning e-Discovery, expert testimony, and digital forensics firm headquartered in Washington, DC. Based out of Seattle, Washington, Mr. Leatha is an expert in e-Discovery, data analytics, and computer forensics. With over 13 years of consulting experience in the litigation support industry, Mr. Leatha advises clients throughout the e-Discovery lifecycle, providing guidance on data preservation, evidence collection, data reduction strategies, review methodology, and document production. He has extensive experience performing computer forensic investigations, structured data analytics, and assisting clients in the effective utilization of technology assisted review (TAR).

Mr. Leatha has been a corporate 30(b)(6) witness, a court-appointed neutral computer forensics examiner, and has testified on numerous electronic discovery and computer forensics issues. He has been an active member of the Sedona Conference Working Group on Electronic Document Retention and Production (WG1) since 2005, and he is an active member of the Computer Technology Investigators Network (CTIN). Mr. Leatha has provided training on electronic discovery and computer forensics for seminars, CLE courses, and industry training events. Prior to joining iDS, Mr. Leatha was the founder and owner of Leatha Consulting LLC and the Director of ESI Consulting and Data Analysis at Electronic Evidence Discovery (EED).



Breaking Anonymity       (second session)

How to identify anonymous Internet users.


Brett is a digital forensics examiner and author of two books (Placing the Suspect Behind the Keyboard and X-Ways Forensics Practitioner’s Guide). Brett’s forensic experience spans a law enforcement career in investigating cybercrime to the private sector as an expert consultant in civil litigation. He has over 1,000 hours of formal digital forensics training from many US federal agencies and forensic software companies. Brett is also a frequent speaker across North America in conferences and provides private consultation to government agencies in high tech analysis and covert acquisition methods.



Trust in the Professional Life of a Digital Examiner: A Pain or an Opportunity

Dr. Steverson is Professor of Business Ethics at Gonzaga University. He will discuss the social reliance on trust in our profession, the duties it creates for digital examiners and some of the unique ethical moments digital examiners face while carrying out our duties.



USB for Win10       (second session)


Colin Cree is a Director of a Vancouver based company, EFS e-Forensic Services Inc., a computer forensic and e-discovery services provider that also provides training and sells related software and hardware. His background includes serving in the RCMP for 25 years. While serving in the RCMP Colin spent 8 years investigating commercial crime and 5 years in the Tech Crime unit. Colin has been involved in computer forensics since 1997. His expertise includes commercial crime investigations, computer crime investigations and analysis, providing expert witness testimony and ensuring the highest teaching and professional practice standards are maintained throughout the courses and investigations for which he is responsible.



Forms of Production: Dealing with #$%^&*! Luddites!!

Forensic examiners and e-discovery service providers deal more with data than documents; yet, we are challenged to supply information to attorneys—and attorneys to opponents—in forms that mirror the utility, functionality and completeness of native ESI. This presentation examines that challenge and posits ways to move lawyers out of the 19th century (no, that’s not a typo).


Craig Ball of Austin is a trial lawyer, computer forensic examiner, law professor and noted authority on electronic evidence. He limits his practice to serving as a court-appointed special master and consultant in computer forensics and electronic discovery and has served as the Special Master or testifying expert in computer forensics and electronic discovery in some of the most challenging and celebrated cases in the U.S. A founder of the Georgetown University Law Center E-Discovery Training Academy, Craig serves on the Academy’s faculty and teaches Electronic Discovery and Digital Evidence at the University of Texas School of Law. For nine years, Craig penned the award-winning Ball in Your Court column on electronic discovery for American Lawyer Media and now writes for several national news outlets. For his articles on electronic discovery and computer forensics, please visit or his blog,



CTIN Membership Meeting

All CTIN members are invited to attend our annual general membership meeting to discuss and nominate upcoming Board positions.


All CTIN members are invited to vote for the upcoming Board positions.


Raffle for:

One full license of Recon For Mac valued at $1,695.00

One full license of Forensic Examiner valued at $1,295.00

Two one year licenses of X-Ways Forensics valued at $779.00 each

Three six month full licenses of MailXaminer valued at $800.00 each

One Wiebetech USB 3.0 Writeblock device valued at $349.00

One 90-day dongle for Forensic Examiner valued at $295.00

Two military grade encrypted 1TB portable hard drives valued at $150.00 each




Electronically Stored Information – The Latest Issues in Electronic Evidence


David Matthews is the former Director of Incident Response for Expedia, Inc. He has facilitated three regional cyber event exercises. He is also the founder of the Cyber Incident Response Coalition and Analysis Sharing group.

Besides the CISSP & CISM he is a Digital Recovery Forensics Specialist (DRFS), and CyberSecurity Forensic Analyst (CSFA). He is the author of “Electronically Stored Information: The Complete Guide to Management, Understanding, Acquisition, Storage, Search, and Retrieval”, published in the summer of 2012. David was the recipient of the 2012 Information Security Executive of the Decade – West award.



Free and incredibly powerful—Utilities by Nir Sofer       (second session)

If you do live captures you will love the utilities by Nir Sofer at His programs provide information on the usual stuff: passwords, recent searches, autoruns… The good news is that they also do this stuff with command line versions that you can script… if you can find them.


Gordon has been around CTIN from the early days. He runs Future Focus, a company that does engineering design, debugging and computer forensics. Gordon’s background includes interesting jobs: flying for the US Navy a few wars back, work in big companies, and startups. He has the usual initials after his name; PhD, CPP, CISSP, CPS, GSEC, GCIH, GPen…



What’s new in Digital Forensic Hardware       (second session)


My role at Guidance Software these past five years, as their “Forensic Evangelist”, is primarily a customer engagement, channel partner support and business development role. I travel far and wide (places like China, Japan, Canada, Mexico, Brazil, Australia, and New Zealand) to recruit & train our authorized resellers, and to make joint calls on key customers. I also frequently camp out in the DC area and spend a lot of time with the various and sundry alphabet soup Federal agencies. Many of them decide to like me, then trust me, then buy a bunch of our stuff, through one of our esteemed reseller partners.

I’ve been involved in the Technology Sector since 1983, and have worked in and around digital forensics since 2002. I like puppies, dark chocolate and long walks on the beach.



Hack-a-Shack       (second session)

This presentation is designed to demystify the world of hacking and response. Environment permitting, experience a hack into one computer from another to show just how easy it can be. From there, learn what can be done to secure networks, as well as to harden the biggest threat to every network – the accidental insiders (AKA employees). This is any network’s most vulnerable vector, and yet fewer resources are spent on this vector than any other. Bring your questions. This presentation is very fast paced and dynamic, but most importantly, it is presented in PLAIN ENGLISH!

Email Tracing       (second session)

This training session will give investigators the skills they need to trace an email from sender to receiver and back again. Learn how to expose and interpret email headers, and how to leverage little known tools to trace the components of these headers as close to the originator as possible. If this does not achieve a positive result, then you can use the rest of the techniques and knowledge in this presentation to go the last mile! Not every email can be traced to its originator. Some are simply hampered by money and time – the two most critical factors in email tracing. Use the time tested techniques of some of the top tracers in the world to maximize your success.

Creating Stellar Reports       (second session)

You have collected the evidence. You have spent countless hours analyzing it. You have found the smoking guns. But if you can’t communicate all of this effectively, it will have been in vain. How exactly do you show a video in a written report? In many cases, the written report is all the client sees for the big bill they have had to pay. This workshop will show you how to create a stellar report in an electronic format that will wow your clients. We explore many methods to get our evidence across in ways that will have the clients calling back time and time again. The attendee will be provided all the components necessary to create their own stellar reports.

Forensic Acquisition of Apple Products       (second session)

What happens when you encounter an Apple product? Some have normal hard drives, but most today do not. How do you get at the hard drive on these devices? How do you even identify the hard drive in a MacBook Pro Retina? Or a MacBook Air? Mac Pro? What happens if you remove the recognizable hard drive from a newer iMac and try to image it? You won’t get what you are expecting! This presentation will walk through acquisition methodologies specific to Apple. Drives, storage, Fusion, PCIe, RAM, we’ll cover it all! You know you are going to be seeing more and more of these, if you aren’t already. Be prepared!

End User License Agreements       (second session)

EULAs. Some would say synonymous with evil. Ubiquitous nonetheless. The bottom line is that we cannot compute without agreeing to them. But do you really know what you are agreeing to? This lecture will look at some of the more important things that are found in them, as well as discovering some of the more sinister paragraphs. Never fear, we will also look at some of the really silly ones too! This lecture will be interwoven around a story line that will catch you by surprise, and have you rethinking your position on privacy and data release. But not in the ways that you would think!


Kevin J. Ripa is a former member, in various capacities, of the Department of National Defence serving in both foreign and domestic postings. He is now providing superior service to various levels of law enforcement and Fortune 500 companies, and has assisted in many sensitive investigations around the world. Mr. Ripa is a respected and sought after individual within the investigative industry for his expertise in Information Technology Investigations, and has been called upon to testify as an expert witness on numerous occasions. He has been involved in many complex cyber-forensics investigations. Mr. Ripa can be contacted via email at



How Hackers (try to) Cover their Tracks       (second session)

We will introduce the methodology and intent behind penetration testing, with an emphasis on post-exploitation behavior. We will cover some common methods hackers use to cover their tracks after a successful exploitation, on both the attacking system and the victim machine. Though they may complicate a forensic investigation, we will dig into these anti-forensic methods and attempt to detect the malicious activity anyway.


Naomi Bornemann is an Information Security Analyst at Milliman, an international actuarial and consulting firm headquartered in Seattle. Naomi’s expertise includes web-application and network penetration testing, incident response, and enterprise vulnerability management. Before Milliman, Naomi comes from a strong career background working on Boeing’s security team and also co-founding a security consulting firm, Rhino Security Labs, in Seattle working on penetration testing and security operations.



Demystifying Email Investigations


Natasha Lockhart currently provides executive level business development strategy for SysTools Software. Her specific go to market strategy centers on forensic and legal review of electronic mail data sets to assist corporate, legal and law enforcement customers with successful education, use and data presentation with MailXaminer technology.

Natasha previously provided sales leadership and customer relations management for Vound Software, LLC. From 2009 to 2015, she has acted as liaison between system integrators, channel partners and multi-jurisdictional federal agencies to help them add to their forensic and electronic discovery tool sets.

Natasha was also a senior sales representative with AccessData Corporation in Lindon, UT. In 2002, she was one of the first two associates and is established in multiple territories – to include: Regional and International sales, Pacific Northwest, Northeast, Canada and Federal, Local and State Law Enforcement spanning North America. Natasha is familiar with all facets of the sales process and maintains knowledge of forensic, decryption, network capture, electronic discovery and enterprise software solutions, including distributed e-data, mobile device collection, and training solutions for Local, State, Federal and International Law Enforcement agencies as well as corporate entities involved in the prevention, investigation and prosecution of mobile device and high-technology crime.




Randall is the president of CTIN and will provide the conference’s opening remarks.



Attack & Detect: Red vs. Blue PowerShell       (second session)

Vignettes based in absolute reality: when organizations are attacked and a compromise occurs it may well follow scripts something like these. The most important lesson to be learned is how to assess attacks born of PowerShell, using in memory techniques as well as defensive PowerShell.

An attacker’s goal is to remain undetected, running in memory as often as possible, and limiting file system exposure whenever possible. We’ll explore defensive techniques for these dark arts.

Attack: Phishing, Veil, Metasploit, PowerSploit

Detect: WinPmem, Rekall, PowerForensics


Russ McRee, GSE, MSISE, directs the Security Response and Investigations team for Microsoft’s Windows & Devices Group (WDG). He writes toolsmith, a monthly column for information security practitioners, and has written for numerous other publications including Information Security, (IN)SECURE, SysAdmin, and Linux Magazine.

Russ also speaks regularly at events such as DEFCON, Derby Con, BlueHat, Black Hat, SANSFIRE, RSA, and others, and is a SANS Internet Storm Center handler. He serves in the Washington State Guard as a joint forces operator and planner on behalf of the Washington Military Department’s cyber and emergency management missions. Russ advocates a holistic approach to the practice of information assurance and, as such maintains IBM’s ISS X-Force cited Russ as the 6th ranked Top Vulnerability Discoverers of 2009.



Mac Log File Analysis

When was this user logged on the system? Where was this system on a given date? What devices were used on the system? How often was the system used? Is the system compromised? – These questions may be answered by viewing the logs provided by Mac OS X. This presentation will cover the variety of logs, tools to read them, and analysis of additional file system files to provide a clear picture of events. User, network, or software activities can provide a timeline that can be used to uncover the clandestine activity on the system – whether or not it was meant to be secret.


Sarah is a senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter‐intelligence, counter-narcotic, and counter‐terrorism. Sarah’s research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at many industry conferences including Shmoocon, CEIC, Bsides*, Defcon and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. Sarah is the author of the SANS Mac Forensic Analysis Course – FOR518.



Even Geeks can Speak – Level 2       (second session)

For professional technical specialists, visual presentation and speaking are important and necessary skills. Developing excellent presentation skills, along with an attendant ability to make a positive impression not only on one person but, even more important, on hundreds of people, can truly set you apart from the crowd. Your ability to make that impression depends on your skills to convey organized thought.

Graphical Analysis of Structured and Unstructured Data       (second session)

Data Analytics to Support Investigations.


Steve Beltz has been in law enforcement directly or in support operations for over 28 years and is currently Assistant Director of the Federal, Recovery Operation Center in Washington DC. Steve manages a highly specialized technical workforce involved in financial analysis of fraud against the federal government. In the past he has also managed federal contracts that include network security, computer forensic and e-discovery operations located at the U.S. DoS, DEA, FBI, ICE and DOD. Steve had been employed by the Washington State Patrol for 16+ years where he spent most of his career as a detective specializing in major crime scene investigations, computer forensics and criminal intelligence. He has been teaching and giving presentations for over 30+ years to include several Washington State area universities, the Washington State Patrol and other county, city and federal agencies.



Mac Forensics – Timeline Analysis

Timeline Analysis is one of the most popular investigative trends in Digital Forensics. Timeline Analysis can recreate the history of a device’s usage step-by-step and second by second. Unknown to many, Mac OS X contains multiple time stamps in addition to the standard modified, accessed, and created time stamps. Combining all of the available Mac time stamps into a Timeline can greatly enhance any Mac investigation. Learn what Timestamps exist on a Mac, how they can be extracted, and how to interpret the results!

CARBON Forensic Suite Demo

MAC Forensics and Virtual Machine Forensics using CARBON Forensic Suite

Paladin:  Basic and Advanced Features

PALADIN 6, a FREE Linux-based forensic suite, contains over 100 forensic tools in 29 different categories in addition to the multifaceted easy-to-use PALADIN Toolbox.

In this demonstration you will learn about PALADIN and what it can do along with its basic and advanced features such as simplifying Field Triage, tricks to image large data sets and even performing full forensic analysis for free!

PALADIN is provided free to the forensic community as a courtesy from SUMURI.


Steve Whalen, CFCE is the CEO for SUMURI, a leading provider of training and services relating to digital evidence and computer forensics worldwide. Steve’s experience in computer forensics dates back to 1997. Steve has developed and delivered forensic training to thousands of investigators and examiners around the world through organizations such as the International Association of Computer Investigative Specialists (IACIS), the High Technology Crimes International Association (HTCIA) and the US Department of State Anti-Terrorism Assistance Program. Steve is also the developer of the successful Macintosh Forensic Survival Course (MFSC), PALADIN, RECON and CARBON forensic software and co-developer of TALINO Forensic Workstations. Steve has provided training throughout North America, Central America, Asia, Europe, Middle East, Caribbean, Africa and Oceania.

Previously, Steve served over 15 years as a Delaware State Trooper. During that time, he worked as a detective with the Criminal Investigations Unit and served as their first full-time forensic examiner for digital evidence. Building off that experience, Whalen helped the Delaware State Police develop its first High Technology Crimes Unit in 2001, where he processed thousands of electronic items and devices containing digital evidence from hundreds of cases relating to intrusion, financial crimes, child sexual exploitation, narcotics, stalking and homicides.

Steve’s most current humanitarian project “Mission: No More Victims” will help to combat the sexual exploitation of children on a global level and bring sexual offenders and child pornographers to justice.



$MFT, $UsnJrnl and $Logfile analysis       (second session)

The Windows NTFS file system is more than just a directory listing in the Master File Table. NTFS is a journaling system that records metadata information about file system changes in the $Logfile and $UsnJrnl files. This presentation will take a look at the $MFT, $Logfile, and $UsnJrnl files using forensics software tools. Live demonstrations will provide a look at a variety of methods that can help analyze the NTFS file system artifacts: Triforce ANJP NTFS Journal Parser, TZWorks NTFS tools, NTFS-Linker, TSK, and other resources for analyzing the NTFS file system and its metadata. No PowerPoint slides in this presentation, real software looking at real data.


Terry Lahman, Chief Digital Forensics Analyst at eForensicsPro, specializes in computers, tablets, GPS devices, and cell phones. He has over 35 years experience in the fields of computers and electronics, including 17 years at Microsoft. His software development background spans both Microsoft Windows and Apple iOS platforms, including developing software tests for the NTFS file system and Windows NT memory manager. His extensive knowledge of Windows and his expertise in software testing bring a valued skill to the digital forensics field.



Forensics of Windows Virtual Machines

In some very important ways, forensic examinations of virtual systems are no different from forensic examinations of physical machines. In other ways, there are important differences, especially around evidence acquisition. As more of the world’s computing moves to virtual systems, in the home, lab, data center, and cloud, forensics investigators will need to understand what obstacles and opportunities virtual systems impose on forensic acquisition and analysis.

This presentation will look at forensics issues involved with virtual machines based on Microsoft’s virtualization technologies, including cloud based systems. We will begin with a brief overview of Microsoft virtual systems, and then look at some tools and procedures for collecting and analyzing memory and “disks” from Windows virtual machines.


Troy is a 12-year veteran forensic examiner with Microsoft. He is currently a Principal Digital Investigator specializing in the forensic investigations of virtual systems including Windows Azure.



Every Contact Leaves a Trace – But How Can Intricate Pieces of Evidence Be Forensically Retrieved?

Today’s technology is becoming much more sophisticated with the increase in storage volume and the use of encryption as a default. The demand by both investigators and the legal systems to recover truly deleted data from both traditional computer workstations and the array of digital devices, such as, mobile phones and GPS tracking devices has grown expeditiously. In this session, participants will be guided through what is practically possible, what is impossible and more importantly, what can realistically be achieved with today’s forensic computer and mobile investigative techniques and equipment.

Uncovering Hidden Secrets of VSS and Live Boot

Learn how a Volume Shadow Copy Service (VSS) can be swiftly investigated to uncover its hidden historic secrets, which are often forgotten or overlooked. The session will not only discuss a simple approach to the analysis of VSS but will also include data carving for specific metadata artifacts. Using Forensic Explorer (FEX) and the integrated virtual forensic computing of Live Boot, participants will be guided through the reconstruction of a subject computer. This simple approach allows an investigator to turn back the clock and witness the same experience as an original user as if they were sat at the actual computer.


John (Zeke) Thackray is the Vice President of GetData Forensics USA, based in Los Angeles and responsible for global forensic services and training. Zeke, as he is more commonly known throughout the industry, is a former British Police Detective who specialized in hi-tech crime from the early 1990’s. He was responsible for the establishment and development of the New Zealand Police Electronic Crime Unit based in Auckland. He has also been responsible for the establishment of corporate computer forensic facilities such as Ernst and Young in Australia and the IBM Global IT Security Incident Response Group. Zeke has been involved in many hi-tech, high profile investigations around the world and has delivered computer and cell phone forensics training globally for many years. Zeke considers himself an investigator first and an educator second. Hands-on practical investigative skills are key in keeping pace with technology to educate others. He has recently returned from active investigations and consultancy assignments in the Middle East, Latin America, Asia and the Oceania Region.

CTIN Conference Agendas for years: 2013 | 2014 | 2015 | 2016
