2014 Agenda

Agendas are available for past years including: 2013, 2014, 2015, and 2016.

SPEAKERS: Topics, Descriptions, and Biographies

CTIN14 speakers:


KEYNOTE SPEAKER TROY LARSON

TOPIC and DESCRIPTION

Don’t Let Your Tools Make You Look Bad

Good tools help make good forensics work, while bad tools invite disaster. Even the best of tools, however, can make you look bad. Tools have limits. Tools have bugs. The solution is to better understand the systems and data that you investigate.

BIOGRAPHY

Troy Larson works in Microsoft’s Network Security Analytics team, where he conducts forensics investigations and serves as the technical lead for the Microsoft Network Security host analysis team. The Microsoft Network Security host analysis team provides digital forensics expertise and analysis in support of various security related investigations. Troy is a frequent speaker on Windows and Office incident response and forensics issues. Troy received his undergraduate and law degrees from the University of California at Berkeley, and has been working in the field of digital forensics since the late 90s.

‘Troy is the go-to guy for Windows forensic knowledge. WinFE, dozens of briefings on Windows, and practical experience doing investigations distinguish his career. We are fortunate to have him address the CTIN conference.’ – Gordon Mitchell


ALLISON GOODMAN

TOPIC and DESCRIPTION

Mac Forensics 101 (with RYAN KUBASIAK)

Most of us encounter one Mac for every 50 or more PCs. Learn some tips and tricks for imaging Macs as well as potential pitfalls in capturing data for ediscovery purposes. Also learn how the “pitfalls” for ediscovery can be gold mines for a forensics exam. Ryan Kubasiak is the author of Mac OSX, iPod and iPhone Forensic Analysis and his presentation will take over where this one ends.

BIOGRAPHY

Allison Goodman is the President of eDiscovery Inc., a consulting firm that provides electronic discovery consulting and computer forensic services to law firms and corporate counsel nationwide. She has served on the University of Washington’s Advisory Board for its computer forensics and electronic discovery programs, has taught computer forensics at Bellevue Community College and presented numerous seminars on the topics for various agencies such as the Washington State Bar, King County Bar and the University of Washington law school.


AMELIA PHILLIPS

TOPIC and DESCRIPTION

FIRST PRESENTATION
E-Discovery and International Law

Digital forensic investigations are growing in number not only in the United States but nations around the world. The activities of multinational corporations and cybercrime cross jurisdictional boundaries on a daily basis. The research presented lays the foundation by examining existing international laws and treaties, and then uses the three case studies to address constitutional issues, civil and criminal law as they pertain to digital evidence. By ascertaining where the similarities and differences lie, a grounded theory approach is used to provide digital forensic examiners, legal staff and investigators a basis that can be used to approach digital cases that come from or must be presented in foreign jurisdictions. As more countries struggle to establish their digital laws regarding investigations, the resulting approach will serve as a guide and reference.

SECOND PRESENTATION
Comparing E-Discovery Software

As with any new field, the options are endless. This presentation will look at three options and do a comparison of capabilities. It will also introduce you to some of the others and how they will affect your infrastructure moving forward. EDiscovery is expected to continue with double digit growth for the next 5 years. It is critical that all companies prepare for it before it costs them millions.

BIOGRAPHY

Dr. Amelia Phillips is a graduate of the Massachusetts Institute of Technology with a BS in Astronautical Engineering and a BS in Archaeology. She recently earned her doctorate in Computer Security at the University of Alaska Fairbanks as an interdisciplinary degree.

After working as an engineer at the Jet Propulsion Laboratory and TRW, Amelia worked with e-commerce sites and began her training in digital forensics and investigations during the dot-com boom. She has designed certificate and AAS programs for community colleges in e-commerce, network security, digital forensics and data recovery. Amelia co-authored the textbook Guide to Computer Forensics and Investigations, now in its fourth edition. This year the first edition of her next textbook, E-Discovery – An Introduction to Digital Evidence, was published. Amelia is program lead for the Network Security and Data Recovery/Digital Forensics for Highline Community College in Seattle. She was also the lead for Highline’s first Bachelor of Applied Science degree in Cybersecurity and Forensics, which goes online in the Fall of 2014. Amelia is the Regional Director of the Pacific Rim Collegiate Cyber Defense Competition (PRCCDC), which Highline has hosted since 2010. The 7th annual event will be this March at Highline.

Amelia also is active in working with developing nations in e-learning, retention, network security, digital forensics and entrepreneurship. She is currently tenured at Highline Community College in Seattle, WA and is serving as the Chair of the Pure & Applied Science Division. Amelia was a visiting Fulbright Scholar at the Polytechnic of Namibia in 2005 and 2006.


ARNOLD GARCIA and BRANDON LEATHA

TOPIC and DESCRIPTION

Mobile Device Forensics: Application Analysis Tools and Techniques

There are hundreds of thousands of mobile device applications available, with more being created every day. It is impossible to predict which of these applications may require analysis in your next investigation. From chat logs to geo-location data, social media to file synchronization apps, this presentation will teach you innovative tools and techniques for forensic analysis of mobile device applications – giving you a leg up the next time you encounter a new source of electronically stored information.

BIOGRAPHIES

Mr. Arnold Garcia is a Senior Consultant in the Costa Mesa office of iDiscovery Solutions, Inc. (“iDS”). Mr. Garcia provides services in digital forensics, electronic discovery, technical support, and lab management. He has recorded, collected, and imaged over one thousand different data sources. He conducts examinations of all types of digital media, including computers, cameras, cell phones, PDAs, thumb drives, networking devices and other digital media. His experience includes cases dealing with theft of intellectual property, misappropriation of trade secrets, data recovery, embezzlement, and criminal matters. Mr. Garcia has worked with sensitive data involving major data acquisition efforts in Asia and Europe.

Mr. Brandon Leatha, a Director at iDiscovery Solutions, Inc. (iDS), is an expert in e-Discovery, data analytics, and computer forensics. With over 13 years of consulting experience in the litigation support industry, Mr. Leatha advises clients throughout the e-Discovery lifecycle, providing guidance on data preservation, evidence collection, data reduction strategies, review methodology, and document production. He has extensive experience performing computer forensic investigations, structured data analytics, and assisting clients in the effective utilization of technology assisted review (TAR). Mr. Leatha has been a corporate 30(b)(6) witness, a court-appointed neutral computer forensics examiner, and has testified on numerous electronic discovery and computer forensics issues. He has been an active member of the Sedona Conference Working Group on Electronic Document Retention and Production (WG1) since 2005 and is an active member of the Computer Technology Investigators Network (CTIN). Mr. Leatha has provided training on electronic discovery and computer forensics for seminars, CLE courses, and industry training events. Prior to joining iDS, Mr. Leatha was the founder and owner of Leatha Consulting LLC and the Director of ESI Consulting and Data Analysis at Electronic Evidence Discovery (EED). He is based in Seattle, Washington.


BRIAN MUCHINSKY

TOPIC and DESCRIPTION

Do the Right Thing: A Guide to Ethical Dilemmas and How to Address Them

BIOGRAPHY

Brian Muchinsky practices commercial litigation with Nold Muchinsky PLLC; including many cases on the cutting edge of electronic discovery.


DAVE MATTHEWS

TOPIC and DESCRIPTION

FIRST PRESENTATION
Electronic Evidence / Case Law

SECOND PRESENTATION
Exercising Your Incident Response Plan

THIRD PRESENTATION
Legal Considerations around Mobile Computing in the Workplace


DAVID STENHOUSE

TOPIC and DESCRIPTION

Mobile Device Forensics

This presentation will cover the forensic review of Apple iOS and Android mobile devices, what type of data can be recovered, where to search, and how to interpret the data once recovered.

BIOGRAPHY

David Stenhouse is the President of DS Forensics, Inc. Mr. Stenhouse is a former Special Agent in the United States Secret Service. From 1998 to 2000, he was assigned to the Electronic Crimes Special Agent Program (ECSAP) where he conducted investigations involving the use of electronic data in crimes. Prior to his time in the Secret Service, Mr. Stenhouse was a Trooper in the Washington State Patrol.

Mr. Stenhouse is a digital forensic examiner, and has performed hundreds of forensic examinations on multiple types of hardware and operating systems, in criminal cases and civil litigation. Mr. Stenhouse routinely provides expert guidance and training to attorneys and corporate clients faced with the task of electronic discovery. He has been appointed by the court as a neutral expert in numerous cases to create electronic discovery plans, capture and analyze electronic data and provide conclusions in regards to such electronic data. He has also been hired to act as a special advisor to the court, providing assistance in the understanding of technical concepts. He has testified in State and Federal court in numerous criminal and civil cases, and has testified in Federal court as an expert witness in computer-generated evidence.


GORDON MITCHELL

TOPICS and DESCRIPTION

FIRST PRESENTATION
JumpBag: what to have ready for that next job; and Timelines: generating logical information easily

Jump bag: Suggestions of what to carry to jobs, trying to avoid leaving that critical tool at home. Please email me your list of favorite tools before the conference.

Timelines: Avoiding the pain of doing it all by hand. Just looking through file dates and folding in browser events can easily take an hour of analysis per hour of activity. Tools like the timeline builder in X-Ways Forensics, Splunk, and even Excel can help.

SECOND PRESENTATION
Encryption: your friend and your enemy

How to protect images in transit, ways to get around whole disk encryption, and suggestions for protecting your own data. Caution: adult material (math) will be discussed.

THIRD PRESENTATION
Expert Witness: Dumb Things That I Have Done in Court; and Photography: A great communication tool

Expert Witness: Dumb things that I have done in court: avoiding the obvious mistakes that experts make in the presence of lawyers. Full disclosure — attending this talk may turn you into a cynical wisecracking expert witness.

Photography: A great communication tool. How pictures can make your report human-readable, the secret value of pictures (compensating for inadequate notes), and tricks for using little cameras to get great photos.

BIOGRAPHY

Gordon has been around CTIN from the early days. He runs Future Focus, a company that does engineering design, debugging and computer forensics. Gordon’s background includes interesting jobs: flying for the US Navy a few wars back, work in big companies, and startups. He has the usual initials after his name; PhD, CPP, CISSP, CPS, GSEC, GCIH, GPen…


JOHN COTTON

TOPIC and DESCRIPTION

Defragging the Defrag

Defrag Forensics will take examiners through the ins and outs of the built in Windows Defrag program. We will go through how the defrag works, the different ways it can be run and what effect it has on a data set. The main focus throughout the presentation will be on proving or disproving user input in the execution of the Defrag program, which can mean the difference between intent/spoliation, or not.

BIOGRAPHY

John Cotton has been conducting computer forensic investigations for 5 years, and has a strong background in Network Security and Intrusion Mitigation. John has been accepted as an expert in court proceedings, and routinely gives lectures on Social Media Evidence to judges and attorneys. He is currently serving as lab coordinator with Computer Evidence Recovery, Inc, where he continues to hone his craft.


KEVIN RIPA

TOPICS and DESCRIPTION

FIRST PRESENTATION
Data Recovery (Beyond the Software)

Data recovery is probably one of the most misunderstood technologies in the computer world. Myths abound about how to recover data, with freezing your hard drive being a very common one of these myths. This presentation will get down to the nuts and bolts of data recovery, including the actual internal workings of the drive, what to do when a drive motor fails, when read/write heads fail, and when programming turns the hard drive into a brick. This is presented in layman’s terms so it is very easy to understand. We will be showcasing the best software to use for easier recoveries, as well as live demonstrations of some of our lab equipment for advanced data recovery! By the end of this lecture, you will be much more knowledgeable on how hard drives work, how data lives, and how to recover it when all seems lost.

SECOND PRESENTATION
Why The Bad Guys Win

How frustrating is it when another pedophile skates on a possession charge? How many times has your evidence been successfully challenged? This can make anyone question why they should even bother. This lecture will look at the three biggest mistakes made by LE and Prosecutors, and how to ensure they are no longer made. We will also look at two of the biggest sham defenses used in court, and how to successfully defeat them! This is a must attend for LE, Prosecutors, Attorneys, and anyone that might end up in a court room.

THIRD PRESENTATION
Computer Forensics in the Court Room—1.0-1.5 Hours

This presentation will give instruction on how computer forensics can be used in testimony. It discusses the differences between civil and criminal matters, as well as addressing dealing with attorneys, courts, judges, and juries. We will also discuss in detail, the art of testifying in court. This is a very informative lecture for anyone that may find themselves in a court room.

FOURTH PRESENTATION
Fly Away Kits – 1.0 Hours

Many of us get quite used to being surrounded by an entire lab full of equipment when we are conducting an acquisition and analysis. But what about when you have to fly 1000 miles to gather the evidence, and must create your image “on site”? There is nothing more frustrating than showing up with the wrong equipment, wrong adapters, etc. It makes you look unprofessional, and costs money. This presentation will explore tried and proven fly away kits, their contents, hands on examples, as well as what to have, why to have it, where to get it, and how to keep it compact. As a bonus, attendees will see first hand a forensic computer built into a briefcase. This is a full blown, “as-powerful-as-the-lab” unit with all the bells and whistles. There is no compromise on speed or attachments, you can build it yourself, and most importantly, no hefty multi thousand dollar price tags!

FIFTH PRESENTATION
Web Page Reconstruction – 1.5 Hours

Online activity. It is a ubiquitous part of computer use, but is amazingly misunderstood by many investigators. This presentation will address how web pages work, how they get to be on your computer, how they are stored, and most importantly, how to rebuild them without expensive software! In many investigations, the internet artifacts can be something much different in context than they appear to be when they are viewed out of context. Beyond this, we will look at ways of finding how a website used to look, as well as how to find historical whois information on a particular website. This lecture will focus on Internet Explorer and Firefox.

BIOGRAPHY

Kevin J. Ripa is a former member, in various capacities, of the Department of National Defence, serving in both foreign and domestic postings. He is now providing superior service to various levels of law enforcement and Fortune 500 companies, and has assisted in many sensitive investigations around the world. Mr. Ripa is a respected and sought after individual within the investigative industry for his expertise in Information Technology Investigations, and has been called upon to testify as an expert witness on numerous occasions. He has been involved in many complex cyber-forensics investigations. Mr. Ripa can be contacted via email at kevin@computerpi.com.


MICHELLE MULLINEX

TOPIC and DESCRIPTION

An Analysis of Microsoft Event Logs (Second Presentation)

Microsoft Windows event logs are central to conducting an investigation when determining whether or not a virus has been installed on a targeted system. However, there was very little substantial research about Windows event logs and how they are used in conducting an investigation. This research explores forensic artifacts recovered during an investigation to determine whether virus activity may be involved. The research describes the relevance of the event logs and discusses various techniques used for investigators to collect and examine the logs. Three viruses, Fizzer, Zeus, and MyDoom were installed and run in virtual machines to determine what events will populate in the logs. This research also explains best practices regarding the use of Windows event logs in an investigation. Keywords: Cybersecurity, Professor Christopher Riddell, Professor Cynthia Gonnella, Security, Application, System, Malware.

BIOGRAPHY

Michelle Mullinix currently works at Department of the Army, Network Command (NETCOM), 7th Signal Command (Theater), 106th Signal Brigade, Network Enterprise Center (NEC), in the Cyber Security Risk Management Branch. She is a Graduate of DeVry University in Computer Information Services (CIS) – Computer Forensics Track and recently completed her Master of Science in Cybersecurity Intelligence and Forensics at Utica College. She has over 16 years of service in the US Army as an Intelligence Analyst and Combat Medic. She served in Desert Shield and Desert Storm, supported Bosnia and Operation Iraqi Freedom. She currently has her Security + Certification and MCITP in Windows 7. She has 4 years experience in Computer Forensics and Risk Management for her former employer, CECOM, Software Engineering Center, Field Support Division based at Joint Base Lewis McChord in Tacoma, WA. She is currently writing Technical Process documents for her current employer to process evidence requested in Litigation Hold orders. Additionally, in her current duties, she performs risk management for military units connecting to the Department of Defense (DoD) Global Infrastructure. She has been married for 26 years, has four children, 3 of whom have served or are serving in the military, and has 3 grandchildren. Her final project for her Master’s Degree was an Analysis of Windows Event Logs.


RUSS MCREE

TOPIC and DESCRIPTION

FIRST PRESENTATION
Understanding Web Application Security Attacks for Investigators

Web and application logs can be analyzed with specific attention to web application security attacks, allowing investigators to recognize the nature of these attacks as defined by the OWASP Top 10. Investigators therefore need to understand how the OWASP Top 10 covers the most critical web application security flaws and how they’re exploited. Via web application specific examples this discussion will cover analysis of attacks and exhibit traits, trends, and tendencies from attacker and victim perspectives. Investigators will leave enabled with resources and ways and means to identify when and if a compromise may have occurred.

SECOND PRESENTATION
C3CM – Defeating the Command, Control, and Communications of Digital Assailants

C3CM is a means with which to identify, interrupt, and counter the command, control, and communications capabilities of our digital assailants. Each of these three phases (identify, interrupt, and counter) will be described with tooling and tactics, complete with demonstrations and methodology attendees can put to use in their environments.

Based on the three part ISSA Journal Toolsmith Series: http://holisticinfosec.blogspot.com/search?q=c3cm&max-results=20&by-date=true
Virtual machines will be available in advance for attendees who wish to review in advance or interact in real time.

BIOGRAPHY

Russ McRee directs the Threat Intelligence & Engineering team for Microsoft’s Online Services Security & Compliance organization. He writes Toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security and Linux Magazine. Russ also speaks regularly at events such as DEFCON, SANSFIRE, BlueHat, and Black Hat, and is a SANS Internet Storm Center incident handler. His work includes service in the Washington State Guard as the Cybersecurity Advisor to the Washington Military Department.


RYAN KUBASIAK

TOPIC and DESCRIPTION

FIRST PRESENTATION
Mac Forensics 101 (with ALLISON GOODMAN)

SECOND PRESENTATION
Mac Forensics 201

Ryan Kubasiak of BlackBag Technologies has literally written the book on Mac OS X Forensics. As a former NY law enforcement officer, Ryan will be using his investigative experience and Apple expertise to provide a comprehensive look into solutions for the ever-evolving challenges associated with Apple Forensics, including new system, architecture, user interface and encryption implementations.

THIRD PRESENTATION
iOS Digital Forensics and iCloud

This presentation will show just how interconnected Apple’s latest technologies have become, and explain how the failure to fully understand the relationships between these components can end an analysis early. Covering a range of topics from pairing certificates and iOS backups to iCloud sync data, Ryan Kubasiak of BlackBag Technologies will help investigators learn to make informed decisions when searching for essential data in the Apple ecosystem.

BIOGRAPHY

Ryan Kubasiak joined the New York State Police Department in 1998. He served as an investigator in the Computer Crime Unit and was assigned to high profile cases including crimes against children, homicides, network intrusion, and server analysis. Mr. Kubasiak joined BlackBag Technologies in 2012 as a Forensic Analyst and Instructor. Ryan is motivated by curiosity and a quest for knowledge, and his enthusiasm in the classroom is inspiring. This enthusiasm is shared with all through his website, AppleExaminer.com.

Besides the official presentations, Ryan will be at the conference for all attendees. Ryan wants to get to know the attendees and the attendees get to know him. He will also be available to talk about specific topics.


TERRY LAHMAN

TOPIC and DESCRIPTION

FIRST PRESENTATION
Observation Skills: I Spy With My Little Eye

Digital Forensics relies on the ability to visually notice anomalies and patterns. In this engaging, interactive, workshop participants will learn some of the challenges associated with processing visual information, including many of the clever ways our eyes and brains trick us. Skills will be taught that the participant can easily learn and practice to improve their performance in identifying relevant information.

SECOND PRESENTATION
Cell Towers GPS Technology

With cell phones playing a key role in more and more court cases, the importance of understanding GPS technology is increasing rapidly as it is being built into more and more devices.

Cell phone tower locations are identified using GPS coordinates. Cell phone records indicate which towers are used during phone calls. In this workshop, participants will learn how to read cell tower information from call detail records, and how to utilize the longitude, latitude, and orientation of a cell tower to plot the cell tower and orientation of the antenna.

BIOGRAPHY

Terry Lahman, Chief Digital Forensics Analyst at eForensicsPro, specializes in computers, tablets, GPS devices, and cell phones. He has over 35 years experience in the fields of computers and electronics, including 17 years at Microsoft where, among numerous other projects, he helped develop software tests for the NTFS file system and Windows NT memory manager. His software development abilities span both Microsoft Windows and Apple iOS platforms, and his extensive knowledge of Windows and expertise in software testing bring valued skills to the digital forensics field.


TROY LARSON

TOPIC and DESCRIPTION

Digital Forensics and Incident Response—Mastering the Battle of Attrition

Investigating a suspected computer compromise or intrusion can be difficult. In a sense, that is by design. Malicious actors can go to great lengths to conceal their activities. A computer compromise investigation can easily become a battle of attrition between the investigator’s skill and knowledge and the trace evidence left by an attacker on a computer. To effectively investigate a sophisticated compromise, forensics investigators must be prepared to exhaust the available evidence. This presentation looks into the goals and methodologies involved in compromise investigations and discusses the sorts of evidence that an investigator might consider in trying to answer the what, when, who, how, and why questions of a computer compromise investigation involving Windows.

BIOGRAPHY

Troy Larson works in Microsoft’s Network Security Analytics team, where he conducts forensics investigations and serves as the technical lead for the Microsoft Network Security host analysis team. The Microsoft Network Security host analysis team provides digital forensics expertise and analysis in support of various security related investigations. Troy is a frequent speaker on Windows and Office incident response and forensics issues. Troy received his undergraduate and law degrees from the University of California at Berkeley, and has been working in the field of digital forensics since the late 90s.

‘Troy is the go-to guy for Windows forensic knowledge. WinFE, dozens of briefings on Windows, and practical experience doing investigations distinguish his career. We are fortunate to have him address the CTIN conference.’ – Gordon Mitchell


WALTER HART

TOPIC and DESCRIPTION

Potential for Volatile Memory Persistence

RAM is known to potentially contain many forensic artifacts related to investigations such as incident response, child exploitation, and almost all other computer forensic cases. These artifacts can include evidence such as images or partial images, malware code or partial malware code, passwords or password hashes, port and process data, and words used in a variety of computer applications.

This presentation will examine scenarios when RAM appears to persist after shutdown, re-boot, and removal of power. Testing is done where RAM is captured when it is known to be clear, then after using the computer in a variety of shutdown scenarios including, but not limited to: normal shutdown, pulling the plug, normal shutdown followed by pulling the plug, those scenarios and removing the RAM modules from the computer, etc. These tests are also performed on a laptop computer, which adds the element of battery power to the above scenarios.

BIOGRAPHY

Walter T. Hart, Senior Manager, Professional Services, Western Region
Currently the Senior Manager for AccessData Group Professional Services for the Western Region, Walter has been active in Digital Forensics and investigations since the early 1990s for the United States Government. In that capacity, Walter was involved in investigations related to all manner of crimes involving digital media including cyber security, terrorism, theft of intellectual property, identity theft, Racketeer Influenced and Corrupt Organizations Act (RICO), homicide, and child exploitation, to name a few. Walter supervised a local digital forensics lab for the Department of Homeland Security, Homeland Security Investigations Special Agent in Charge, San Francisco. Walter has performed and/or supervised hundreds of digital forensics examinations.

Walter has Certified Information Systems Security Professional (CISSP), Certified Forensic Computer Examiner (CFCE), GIAC Security Essentials (GSEC), GIAC Information Security Professional (GISP), AccessData Certified Examiner (ACE), and CompTIA A+ certifications and is a member of the American Academy of Forensic Sciences (AAFS), the High Technology Crime Investigation Association (HTCIA), the High Tech Crime Consortium (HTCC) and the International Systems Security Association (ISSA). Walter is an Airline Transport Pilot, a certified aircraft mechanic and inspector and a trained aircraft accident investigator.

