EARLY MORNING SESSION
A Forensicator’s Take on Cybercrime News Reporting
Ira Victor, CyberJungle
Often, the most interesting part of the news is the part reporters leave out. This is especially true of cybercrime reporting. Ira Victor has been commenting on this news coverage for more than a decade, as co-host of his regular podcast, "The CyberJungle." Get his take on the latest cybercrime and litigation news.
About the speaker: Ira Victor has more than two decades of information security and digital forensics experience. Ira is named as co-developer on multiple U.S. patents related to information security, and currently has additional patents pending. Ira is an outgoing and dynamic speaker. His professional background includes work in electronic payment systems, email security, incident response, data forensics, and eDiscovery. Ira Victor is the co-founder and past President of the Sierra-Nevada InfraGard chapter. Ira has earned and maintained certifications from GIAC and ISACA.
EARLY MORNING SESSION
IoT Panel - What the Future Holds
Come and enjoy breakfast while listening to some of the top experts on IoT forensics and security share where they think IoT will impact the future of the field.
Operation Underground Railroad Mission-Keynote
Assessing Malicious USB Devices
You already know that USB devices present a danger of infection to users, but how do you determine the level of risk? To make things harder, there are advanced USB devices and OS exploits that can infect even your examiner workstation if you don’t take the appropriate precautions. I will walk you through an investigative methodology and provide tools to both discover the threat quickly, and protect your assets in the process.
Critical change to Mac and iOS devices that every investigator needs to know
The latest releases of Mac OS X and iOS use a new file system called APFS. In this lecture, digital investigators will learn how the file system differs from prior Apple and Microsoft file systems and how that will impact investigations. This session will cover how data storage and encryption have changed and what techniques can be used to ensure you acquire an image you can successfully examine. In addition, students will learn why the new copy-on-write behavior during the deletion process leaves more artifacts for examiners to trace than prior Mac file systems. Understanding these changes and the ability to identify these artifacts will be critical for all forensic investigators. At the end of this session forensic examiners will know the following:
- how to identify a computer with APFS
- what techniques to consider when acquiring APFS drives
- the file history implications of the copy-on-write feature and how to locate that information
- handling encrypted Macs.
IoT Wireless Network Forensics
Current attack vectors indicate that nefarious attacks are increasingly targeting IoT wireless infrastructures. 95% of IoT is wireless, yet most organizations lack a defense-in-depth strategy to address the growing wireless threat landscape, which consists of a plethora of new protocols and frequencies including Wi-Fi, ZigBee, Z-Wave, Bluetooth, P25, M2M communications, and more. This has generated a new wireless threat landscape, as these risks and threats target not only the enterprise network but also autonomous IIoT networks, alongside nearby threats from drones, spy cameras, and many other consumer-priced surveillance devices. In this presentation we’ll explore the anatomy of these attacks to create a new foundation for wireless network threat detection and forensics. The goal is to develop an updated defense-in-depth strategy for this new and evolving IoT wireless threat landscape.
Damaged Device Forensics
The Damaged Devices Forensics program is a series of separate research projects that inflict damage on mobile devices with scientific precision, then document the damage and remediation with the intention of publishing the results to the digital forensics community. This project, funded by the United States Department of Homeland Security, is identifying and defining forensics best practices for the retrieval of data from damaged electronic devices. This research-based presentation will identify recent cases affecting law enforcement and investigators and examine the four areas of damage research: liquid, thermal, impact and ballistic damage. The presentation will follow the summer highlight project, which includes video and photos of a fire-damaged car and the electronic devices inside it.
The Business Challenges In Digital Forensics
Running a digital forensics business has its own set of unique challenges. This talk will explore some of those challenges and offer a few lessons learned to new DF professionals thinking about going out on their own. Selected topics include:
- What tools, equipment and resources are required to start up a DF firm?
- How does one sell DF services?
- How does one become profitable in the DF business?
With over 11 years in business, we have learned a lot. We’d like to share some of what we have learned with the DF community.
5+/- Reasons to Make Use of VMs for Forensics Exams
The growing prevalence of in situ forensic examinations brings increasing risk from malicious code. Both type 1 and type 2 VMs offer considerable utility for professional examiners. A use case will be presented involving a violent non-state actor, i.e. a terrorist.
Using Paraben's E3 with Python
If you have experienced the power of the unified E3 Platform, you can amp that up with Python to enhance and customize what you can do with this tool in your lab. No need to be a Python expert; we get you going with the basics so you can turn the world upside down with new methods for processing your digital evidence.
Map All the Things: Geolocation for Mobile-Forensics Practitioners
One of the most important aspects of digital forensics is being able to determine the location history of a mobile or other digital device. With more and more devices using geolocation and wireless systems, this is more important than ever. There are hundreds of applications and built-in systems that use location services to function correctly, creating thousands of artifacts in the process. This lab will get right to showing how to discover and map a device’s position based on wireless artifacts and application information. Participants will learn to use free or low-cost tools, along with common automated tools, to discover, analyze, and map device location history. These tools will include online Application Programming Interfaces (APIs), custom-built software tools, the Python programming language, and commonly used utilities. All software tools will be provided free of charge. Come make Google Maps your friend again!
Artifacts File System and Data Triage
Learn about the evidence sources supported by Magnet AXIOM and how to leverage our support for computer forensic artifacts for all cases. We will walk through different ways to view evidence to best understand a user’s activity, comparing similar apps and artifacts across a common timeline, and to link artifacts with source evidence in the file system. We will explore advanced memory analysis using AXIOM’s Volatility integration, creating custom artifacts for examination, how to leverage our Connections features for building attribution around files, and more!
Coordinated Rapid Reviews
Thinking outside the box, you need to look for different methods to approach your examination. Bringing in the power of Truxton to bring multiple people and offices together so they can rapidly review data and know where to take the next step can be critical. Truxton brings together this power and lets you drive the investigative process to a new level.
IoT Data on Integrating Hubs
Have you ever wondered what happens when Alexa listens? How many other IoT devices out there are adding to your digital fingerprint, information you are missing because you are not looking? Come and work through a case looking for these hidden IoT fingerprints and understand how you can search for the new emerging tech on integrating hubs.
Automating Packet Analysis with PacketExaminer and Python
During incident response, analysts perform packet captures and analysis. These steps can be tedious and require advanced techniques. PacketExaminer is an open source project released under the GPL whose goal is to automate both routine and advanced analysis. This tool is not only meant for DFIR but also for security analysts who need to determine where data is flowing and what that data is. The tool currently performs analysis including creating network maps, extracting all DNS queries and all HTTP URLs, reporting on top IPs, flows, bytes and more, and performing automated file carving and geolocation. By the time of the talk more features will be implemented. This lecture will also cover using Python tools like Scapy, NetworkX and others to perform advanced analysis and pen testing.