2013 Agenda

Agendas are available for past years including: 2013, 2014, 2015, and 2016.

SPEAKERS: Topics, Descriptions, and Biographies

CTIN13 speakers:

The agenda for the 2013 conference was extensive, as seen below.

Auto-Validate Your Forensics Results Using NIST Test Vectors, Civil or Criminal, with an Emphasis on Linux Ext4 Handhelds (Nathan Watt)
There is a new wave afoot: Android's 100 percent adoption of ext4, not to mention the new 20-40-60 TB laser disks, which will gain much broader buy-in in business systems because Windows, using only NTFS, cannot currently cope with drives of that size. The Linux kernel changed ext4 in some major ways in just the past two weeks, preparing it for more mainframe uses as well as new web server topologies.

Investigating APT: A Methodology for Incident Response (Michael Panico)
In 2011, the public witnessed a number of critical information security incidents as they played out in the press. In addition to the high-profile attacks perpetrated by the likes of Anonymous and LulzSec, Advanced Persistent Threats continued to compromise countless enterprise networks, stealing vital intellectual property. Furthermore, these attacks are no longer restricted to the defense industrial base and are now targeted at companies in multiple sectors of the economy. Drawing on his recent experience in investigating APT incidents, our speaker will outline a methodology for responding to these threats, including a review of some of the network- and host-based artifacts that may be left behind by attackers.

Case Studies and Current Trends (Ivan Orton)
A presentation of several case studies from one of the most respected cybercrime prosecutors in King County, Ivan Orton. Be prepared not only to hear about the trends of cybercrime over the past decades, but also to be entertained by a great speaker.

Data Recovery for Forensic Examiners (Richard Leickly and David Angell, Circle Hook Data Recovery)
Every digital forensic examiner will – sooner or later – find their examination stymied by a hard drive that they cannot image. David and Richard will demonstrate the problems that beset hard drives: problems that can make them difficult or impossible to examine. They will demonstrate their techniques for diagnosing unreadable hard drives and will show how these problems can be overcome.

Eating the Elephant! Critical Infrastructure Protection: Context, Process & Priorities (Bruce Beebe)
In October of 1997 the President's Commission on Critical Infrastructure Protection (CIP) published its report, Critical Foundations: Protecting America's Infrastructures, detailing what was new and unique about the infrastructure problem and, in broad terms, pointing a way ahead. This presentation outlines the development of Critical Infrastructure Policy since before that October report. Furthermore, it addresses the impact of culture and other organizational influences on the development of national policy (using CIP as the vehicle), explains the state of current CIP policy, and recommends an alternative to the approach used today: a network-centric approach more in keeping with the recommendations of the October report's authors.
Recommended audience: Anyone holding a position related to the development of CIP policy (politicians, strategic planners, or those supervising policy development for CIP), and first responders or those with front-line responsibilities for safeguarding infrastructure, who should understand how developing the wrong CIP policy, one that focuses on them, will likely increase both their costs and their workload.

Electronic Evidence (Dave Matthews)
In this presentation David will talk about the electronic data that surrounds all of us in an ever-deepening fog. He will enumerate the different types of data, their sources, and where and how they are stored. He will give real-life examples and leave you with concrete advice on how to better understand, recover, and manage your electronic identity and the data that you create every day, whether you know it or not. This presentation will be equally valuable for the forensics professional, legal or management staff, HR, or just the lay person who wants to better understand the world of electronically stored information in which we all live.

Evidence Analysis and Reporting using Internet Examiner (John Bradley)
The ability to efficiently, thoroughly, and effectively investigate internet evidence will be illustrated using Internet Examiner (formerly CacheBack). Attendees will be shown how to discover, collect, import, bookmark, extract, decode, and report on a wide variety of internet artifacts. Advanced examination topics that will be covered include, but are not limited to: Bookmark, Exclude, and Quarantine record filtering (queries); picture analysis using aspect ratio filtering; movie frame-by-frame storyboard reporting; rebuilding web pages; time zone configuration; and rich HTML reporting and disclosure techniques.

Evidence Discovery Using NetX Triage (John Bradley)
Attendees will learn how to recover internet artifacts from Windows, Mac, and Unix-based systems using SiQuest's new forensic discovery tool, NetX Triage. Particular focus will be given to GREP expressions, proximity searches, and data carving in unallocated space. Recovery techniques for internet artifacts such as social networking, online chat, email, peer-to-peer, mobile device data, and multimedia will be discussed in detail. This presentation sets the pace for the next presentation: Evidence Analysis and Reporting using Internet Examiner.

Expert Testimony (Christopher K. Steuart)

FTK by AccessData (Glynn LeBlanc)
A demonstration of the latest features in Forensic Toolkit (FTK): virtualization, Cerberus, making thumbnails for videos, and many others.

Data Hiding (How to Hide Data on Hard Drives So That It Is Undiscoverable by Conventional Forensic Software) (James Wiebe)
In this presentation, James Wiebe will present some new thoughts on how data may be hidden on hard drives. After first covering old concepts (such as Host Protected Areas), James will present alternative methods for hiding information on hard drives, such as in supervisory areas. These areas are never visible through standard drive commands and are also not visible to any operating system. Also discussed will be hypothetical examples of how drives may be tampered with by sophisticated bad guys in order to present facade characteristics to a forensic investigator.

Macintosh Artifacts (Glynn LeBlanc)
Have you encountered FileVault encryption? How about the new full volume encryption provided in Lion and Mountain Lion? In this module we will discuss and demonstrate how to defeat FileVault and FileVault 2 encryption using the Password Recovery Toolkit from AccessData. A lot of data on a Macintosh is stored in Property List (plist) files. There are two versions of plist, XML and binary. We will discuss issues with carving plists from unallocated space. XML plists are easily carved automatically, while binary plists have to be carved manually because the footer is different for each plist. Setting up automated carvers and manually carving binary plists will be demonstrated with FTK.

Memory Analysis with Volatility (Russ McRee)
This discussion will cover the complete life cycle of memory acquisition and analysis for forensics and incident response, using Volatility.
Volatility has been referred to as the Python version of the Windows Internals book, given how much can be learned about Windows by reviewing how Volatility enumerates evidence. We'll conduct real-time analysis and examine Volatility's plug-in capabilities.
The Volatility project shortens the amount of time it takes to put cutting-edge research into the hands of practitioners, while encouraging and pushing the technical advancement of the digital forensics field.
Join us and learn more about this outstanding tool.

Mobile Device Forensics (Dave Stenhouse)
This presentation will cover the forensic review of Apple iOS and Android mobile devices, what type of data can be recovered, where to search, and how to interpret the data once recovered.

How to Succeed When Facing Challenges in Your Forensic Examinations (Bill Nelson)
Are you prepared to deal with the increased cost of forensic software tools, or with keeping up with the latest training after major O/S releases? These issues, along with the constant challenge of limited budgets for acquiring the latest tools and keeping up with training, will be the topic of this presentation by Bill Nelson. Topics include identifying your comfort level when using tools in which you have had little or no training, and determining what problem-solving skills you have and how to improve them so you can create workarounds when you find yourself without the proper tools for an acquisition or an analysis.

Forensics on a Shoestring: "Open Source Forensics" (Brett Shavers)
The practice of digital forensics is changing rapidly to match the ways that we use digital technologies and the threat landscape we face. This presentation will show how incident responders and forensic practitioners can add live memory collection and analysis, as well as registry analysis, to their professional repertoire using open source tools.

New Digital Forensics on New Digital Devices (Gordon Mitchell)
Electronic evidence from phones, security systems, cameras, web sites, toasters… can be critical to investigations. They all contain computers that will yield clues to your skills and common forensic techniques. This talk will illustrate techniques that worked in actual cases to recover clues and to validate observations for court testimony.

Placing the Suspect Behind the Keyboard (Brett Shavers)
Instruction in a workflow process to identify and place the suspect behind a keyboard in civil litigation or criminal investigation cases. Methods to expose suspect knowledge and intention, along with case presentation, will be discussed. A door prize of the new book, Placing the Suspect Behind the Keyboard, will be given away during the presentation.

Predicting Violence through Forensic Examinations of Computers (Gordon Mitchell)
After a big investigation we often sit back and wonder what could have been done to prevent the problem. Of course, anyone who is involved in forensics can see the obvious answer… Except in earthquakes, few situations are triggered by unexpected events. Crimes are usually planned and sometimes even rehearsed. This activity generates observable clues which can be used to predict violence. Gordon will think through a few interesting cases, using them to illustrate some of the signs of impending violence.

Raw Data Carving (Kevin Ripa)
You have used all of the utilities in EnCase, FTK, and other programs to carve files from unallocated space. Do you think you have found everything? If you answered yes, guess again. The only way that carving utilities are able to recover deleted data automatically is through file header and footer identification, and this only recovers an intact file. In other words, a file that has been deleted but not yet overwritten by new data.
What happens if part of the deleted file is now overwritten, but some of the old data still exists? What about file fragments from slack space? This informative and easy-to-follow lecture will show attendees how they can manually carve data from unallocated space, and also what to do with it so that it is useful. We will also be discussing data recognition. This means being able not only to see the search hit, but to identify the context in which it is being seen. This alone has solved many cases in our lab!

Registry Forensics (Terry Lahman)
The Windows Registry is full of artifacts that can benefit a computer forensics investigation. Attendees will be shown various hardware, software, configuration, network, and usage artifacts. Open source tools RegRipper and Registry Decoder along with commercial tools Registry Recon and Registry Viewer will be utilized to demonstrate the extraction and analysis of registry artifacts.

Social Network Investigations (Ron Godfrey)
Obtaining online open source information as evidence in civil litigation or criminal investigations: advanced searching techniques, deep web demonstrations, and capturing and preserving online evidence using open source/free software utilities. The online world has a wealth of information to benefit both civil and criminal cases. This presentation includes getting into the Dark Web, where anything and everything you never wanted to know exists.

The Very Latest on Solid State Drives and Forensic Practice (James Wiebe)
In this presentation, James Wiebe will provide an updated presentation on how Solid State Drives function, with a specific focus on forensic practice. The forensic examiner will understand how to approach the investigation of a Solid State Drive in order to ensure the highest quality of evidence collection. Covered topics include wear leveling, internal compression, and logical-to-physical address translation, all with a strong forensic focus.

Tips and Tricks on Utilizing the New Features of EnCase Version 7 (William Sutter)
This presentation will include: the case backup application; the case review package; importing multiple hash values and legacy hash sets, and reporting on the contents of the hash library; the new direct preview function of EnCase, and the ability to examine and image a live compromised computer system; and special-purpose EnScripts.

Tracking USB Devices (Colin Cree)
The ease of using USB thumb drives to transfer and store data has led to their use for nefarious purposes. Subjects have used thumb drives to hide the artifacts of their online habits, store illicit data, spread malicious code, and steal proprietary data. Investigators are increasingly called upon to cull digital evidence for signs of USB storage devices. This session will provide methodologies for the forensic investigation of USB-attached storage devices, including USB hard disks, with a focus on Windows 7. This presentation is a detailed examination of the devices and their artifacts.

Why the Bad Guys Win (Kevin Ripa)
How frustrating is it when another pedophile skates on a possession charge? How many times has your evidence been successfully challenged?
This can make anyone question why they should even bother. This lecture will look at the three biggest mistakes made by LE and prosecutors, and how to ensure they are no longer made. We will also look at three of the biggest sham defenses used in court, and how to successfully defeat them! This is a must-attend for LE, prosecutors, attorneys, and anyone who might end up in a courtroom.

Windows Forensics Environment, WinFE (Brett Shavers)
An overview of Linux and Windows forensic bootable operating systems, with an emphasis on the Windows Forensic Environment (WinFE). Building a customized WinFE will be demonstrated.

Virtualization Forensics (Ron Godfrey)
The computer you examine today might not be one computer! Technology allows multiple computers to reside on one physical device in the form of virtual machines. Identifying these systems and, more importantly, knowing how to extract evidence from the virtual machine is critical. Forensic imaging, mounting, and extraction of virtual machine data will be covered in this presentation.

Windows 8 Forensics (Troy Larson)
The newest, most up-to-date, never-before-seen information on Windows 8 forensics. Windows 8 is here, and if you want to keep up to date and even be ahead of the field, this is one of those presentations to experience.

Windows Time Stamp Forensics (Randall Karstetter)
The time associated with an event or artifact of evidence on a computer is an important and sometimes critical piece of information in a computer investigation. It is the basis of timeline analysis. And yet, the understanding, evaluation, and validation of time stamp evidence is not an area that is well investigated and published. In fact, some of what is written can be misleading and inaccurate. This presentation looks at the fundamentals of time creation and maintenance at the hardware level, the interaction of the Windows operating system with the hardware time systems, the function of the operating system in maintaining and updating system time, and known factors such as viruses that can alter system time.
Methods of validating system time before and after a critical time event are provided. A review of published literature is explored, and then the results of original research are presented on the function and factors involved when the operating system assigns and changes time stamp information on files that are created, moved, modified, and accessed. The goal is to provide a take-away of fundamental rules for examiners to use and further test in their practice. Finally, the use of the dreaded anti-forensic program TIMESTOMP is analyzed, and evidence is presented for detecting and uncovering its use to alter time stamps.

X-Ways Forensics (Pete Donnell and Brett Shavers)
Two sessions covering X-Ways Forensics. Session 1 covers an introduction to X-Ways Forensics, the interface and basic case flow process. Session 2 covers detailed metadata extraction, advanced data carving and use of scripts.
