Speakers

Mobile devices can contain millions of forensic artifacts both machine and user generated. Being able to determine which of these were generated by the user and when can mean the difference between justice served and justice denied. In this presentation you will learn how to:

• Identify pattern of life data sources both in iOS and Android. • Use open source tools, Apollo & Artemis, for analysis. • Use Axiom Timeline for analysis of custom and Axiom supported artifacts. • Filter Axiom Timeline events to create a visual that includes only pattern of life artifacts.

A case study on how these techniques helped solve a real life triple murder case will also be presented."

Mobile devices can contain millions of forensic artifacts both machine and user generated. Being able to determine which of these were generated by the user and when can mean the difference between justice served and justice denied. In this presentation you will learn how to:

• Identify pattern of life data sources both in iOS and Android. • Use open source tools, Apollo & Artemis, for analysis. • Use Axiom Timeline for analysis of custom and Axiom supported artifacts. • Filter Axiom Timeline events to create a visual that includes only pattern of life artifacts.

A case study on how these techniques helped solve a real life triple murder case will also be presented."

With the increasing usage of cryptocurrencies and blockchains in today's world, eDiscovery professionals need to understand how these emerging technologies should be considered and investigated as part of data discovery and legal discovery processes. This session will highlight both cryptocurrencies and blockchains and provide attendees with fundamental information that will help them understand how to examine and investigate these technologies and the electronically stored information that results from their usage.

"Why do we need to learn Linux Forensics? Well, nowadays when you look at the number of tools available on different penetration testing systems running Linux, you should stop and ask yourself a basic question “are these tools and systems, always going to be used for ethical purposes?” The answer is definitely, NO! Another reason to consider learning Linux forensics is that not everyone uses Windows. You may arrive at a crime scene only to find that your suspect’s computer is a Linux operating system! If you don’t have the proper skillset, you will be shocked and start to question your knowledge and abilities. What should I do? Do I have the skills required to collect data from this system? Where should I look for artifacts? What do these artifacts even look like? How can we identify and track user activity? etc. The goal of this workshop is to help DFIR analysts build the most important knowledge and skills that will give them confidence when encountering computers running a Linux OS, whether used as a desktop or server. Topics covered are:

1. Understanding Linux FHS, Kernel, Boot Process, and System and Service Managers (init and systemd)
2. Search, Identify and Collect important data from devices, volumes, shells, default scripts, variables, users, groups, processes, applications, network services, network connections, cron jobs, and procfs
3. Understanding EXT4 file system and learning how to analyze it using TSK
4. Perform log analysis on different system and activity logs.

"Why do we need to learn Linux Forensics? Well, nowadays when you look at the number of tools available on different penetration testing systems running Linux, you should stop and ask yourself a basic question “are these tools and systems, always going to be used for ethical purposes?” The answer is definitely, NO! Another reason to consider learning Linux forensics is that not everyone uses Windows. You may arrive at a crime scene only to find that your suspect’s computer is a Linux operating system! If you don’t have the proper skillset, you will be shocked and start to question your knowledge and abilities. What should I do? Do I have the skills required to collect data from this system? Where should I look for artifacts? What do these artifacts even look like? How can we identify and track user activity? etc. The goal of this workshop is to help DFIR analysts build the most important knowledge and skills that will give them confidence when encountering computers running a Linux OS, whether used as a desktop or server. Topics covered are:

1. Understanding Linux FHS, Kernel, Boot Process, and System and Service Managers (init and systemd)
2. Search, Identify and Collect important data from devices, volumes, shells, default scripts, variables, users, groups, processes, applications, network services, network connections, cron jobs, and procfs
3. Understanding EXT4 file system and learning how to analyze it using TSK
4. Perform log analysis on different system and activity logs.

Why do we need to learn Linux Forensics? Well, nowadays when you look at the number of tools available on different penetration testing systems running Linux, you should stop and ask yourself a basic question “are these tools and systems, always going to be used for ethical purposes?” The answer is definitely, NO! Another reason to consider learning Linux forensics is that not everyone uses Windows. You may arrive at a crime scene only to find that your suspect’s computer is a Linux operating system! If you don’t have the proper skillset, you will be shocked and start to question your knowledge and abilities. What should I do? Do I have the skills required to collect data from this system? Where should I look for artifacts? What do these artifacts even look like? How can we identify and track user activity? etc. The goal of this workshop is to help DFIR analysts build the most important knowledge and skills that will give them confidence when encountering computers running a Linux OS, whether used as a desktop or server. Topics covered are:

1. Understanding Linux FHS, Kernel, Boot Process, and System and Service Managers (init and systemd)
2. Search, Identify and Collect important data from devices, volumes, shells, default scripts, variables, users, groups, processes, applications, network services, network connections, cron jobs, and procfs
3. Understanding EXT4 file system and learning how to analyze it using TSK
4. Perform log analysis on different system and activity logs.

As investigators we are always striving to find more evidence. We look to disk and memory as staples of our investigations. Adding the network can be a huge benefit to all investigations, from AUP violations to incident response. The network is full of rich amounts of data, waiting to be explored.
This presentation will focus on elements of network forensics from packet capture analysis, to extraction of files, emails and other data important to investigations. It will cover tools necessary and the steps to integrate the data into your favorite tools for further analysis.

One of the biggest handicaps to device acquisition and analysis is getting information from devices that are not geographically feasible, or time is not on the investigator’s side. In the past, the only method of collecting mobile devices was either through on-site collections or through various cloud management solutions. This gives a person-of-interest time to coordinate potential deletion of objects prior to the collections. However, due to new technological advancements in both Forensic tools and techniques, more options may be available. By demonstrating these remote capabilities for both iOS and Android devices, an investigator can provide much more concise approach to device collection – thereby potential cost savings and/or legal ramifications.

I am the Director of the St. Joseph County, IN Cyber Crimes Unit. The unit consists of ten college students, one high school student, and myself. We’ve all heard the horror stories about this generation of workers, which currently accounts for over 50% of the workforce. Among other things, they are entitled, lazy, unmotivated, disloyal, and selfish. Combine that with the fact that I am a terrible manager and it sounds like a recipe for disaster. But it hasn’t been. The unit has been successful beyond imagination. We analyze over 500 devices a year. Our case backlog is zero cases. Our turnaround time is routinely same day. This talk will discuss a new paradigm in the workforce and our forensics lab. When I became the Cyber Crimes Director, I had no formal training or experience as a manager. So I bucked the convention wisdom of management and decided not to manage at all. Instead, I took the approach of being a leader. What I’ve learned through leadership is that if you take care of the people taking care of the work, the people taking care of the work will excel beyond expectations. This simple concept that you manage things, but you lead people, will be discussed. Lessons from this talk can be applied by anyone in any industry to usher in a new area of the end of management and a focus on leadership at every level.

Police investigations today are shaped by the digital world. With the increasing availability of technology, digital evidence is now considered in every case and often holds the incriminating or exonerating evidence. Cell phones, computers, social media accounts, IoT devices, and other digital-enabled devices are now considered crucial evidence, and the ability to retrieve this information is more valued than ever. With this influx of digital information, police agencies everywhere are struggling to analyze the sheer volume of digital evidence with which they are presented. Additionally, finding qualified investigators who are well versed and educated in the field of technology has become more important than ever. This talk will discuss how the St. Joseph County’s (Indiana) Cyber Crimes Unit found a solution that addresses the influx of digital evidence in law enforcement. By forming a unique partnership with the University of Notre Dame, the Cyber Crimes Unit has recruited and educated undergraduate students to serve as sworn investigators. The sworn-in student investigators use Magnet Forensics AXIOM, GrayKey, and open source investigation among other forensic tools to keep up with increased demand for digital evidence analysis. In fact, by swearing in student investigators, the county has reduced digital case backlog from 30 days to down to zero since the beginning of the partnership.

Police investigations today are shaped by the digital world. With the increasing availability of technology, digital evidence is now considered in every case and often holds the incriminating or exonerating evidence. Cell phones, computers, social media accounts, IoT devices, and other digital-enabled devices are now considered crucial evidence, and the ability to retrieve this information is more valued than ever. With this influx of digital information, police agencies everywhere are struggling to analyze the sheer volume of digital evidence with which they are presented. Additionally, finding qualified investigators who are well versed and educated in the field of technology has become more important than ever. This talk will discuss how the St. Joseph County’s (Indiana) Cyber Crimes Unit found a solution that addresses the influx of digital evidence in law enforcement. By forming a unique partnership with the University of Notre Dame, the Cyber Crimes Unit has recruited and educated undergraduate students to serve as sworn investigators. The sworn-in student investigators use Magnet Forensics AXIOM, GrayKey, and open source investigation among other forensic tools to keep up with increased demand for digital evidence analysis. In fact, by swearing in student investigators, the county has reduced digital case backlog from 30 days to down to zero since the beginning of the partnership.

Malicious documents in the form of email attachments have and continue to wreak havoc on individual users, the private business sector as well as local and federal government. According to Verizon's 2018 Data Breach report, 32% of all data breaches derived from phishing attacks. Avanan email security reports that 1 in 25 branded emails is a phishing email of which 42% of all malicious email attachments pose as Microsoft. Symantec reports that 48% of all malicious malware attachments are crafted as Microsoft Office documents. Malwarebytes reports that in 2018 there was a significant rise in Emotet and Trickbot malspam campaign, and that as of Q1 2019 Emotet and Trickbot have contributed to 61% of all malicious email payload deliveries.

This presentation will focus on malicious document analysis as it relates to Adobe PDFs and Microsoft Office documents. The presentation will cover the use of numerous open source tools which will allow the forensic examiner to identify, extract and analyze malicious content embedded within Adobe PDF and Microsoft Office documents. During the presentation I will discuss and illustrate how malware authors take advantage of macros within Microsoft Office documents by implementing malicious Java and or VBA script as well as provide analysis techniques for analyzing these malicious scripts. With living off the land techniques on the rise this presentation will cover how to locate and decode base64 encoded and obfuscated PowerShell scripts which have been embedded within malicious documents. During this analysis process I will discuss how to identify whether the malicious document is a dropper or a downloader and what threat intelligence can be obtained and used from the data. lastly I will illustrate how to locate, extract and analyze embedded shell code from within malicious documents as well as explain how and why shell code is used for malicious intent.

This presentation will use current malware and malicious document samples such as Emotet and Trickbot to provide the attendants with techniques for analyzing malspam incidents with many freely available open source analysis tools. The outcome of this presentation is to further enhance the participants data breach investigations, identify methods for building YARA rules or IOC’s to harden and defend their network and or implement these analysis techniques into their existing incident response tools and automation processes.

It’s fair to say that many Digital Forensic & Incident Response (DFIR) practitioners would love to get their hands on a GrayShifts; GrayKey but are we turning a blind eye to the benefits of jailbreaking? This lecture will explore the various use cases for jailbreaking an iOS device, the risks and legal implications associated with jailbreaking an iOS device, how to acquire a jailbroken iOS device with Magnet ACQUIRE, how to process a jailbroken iOS device with AXIOM, and some of the forensic artifacts that are parsed as a result.

It’s fair to say that many Digital Forensic & Incident Response (DFIR) practitioners would love to get their hands on a GrayShifts; GrayKey but are we turning a blind eye to the benefits of jailbreaking? This lecture will explore the various use cases for jailbreaking an iOS device, the risks and legal implications associated with jailbreaking an iOS device, how to acquire a jailbroken iOS device with Magnet ACQUIRE, how to process a jailbroken iOS device with AXIOM, and some of the forensic artifacts that are parsed as a result.

Ransomware attacks can present an existential threat to a targeted organization, and over time they have morphed and changed, becoming ever more sophisticated. With global ransomware attacks estimated as high as 204,000,000 incidents in 2018, this is not only a problem that is not going away soon, but one where prevention efforts are widely missing the mark. This presentation will look at the evolution of ransomware attack methods, and will focus on successful response and investigation strategies as well as emerging approaches to more effective prevention methods.

Learn how Canada is working with ProjectVic, and Magnet Forensics to protect children and combat online Child Sexual Exploitation (CSE). As well, a case study how to export identifiers into other intelligence systems to find the truth in how your suspect is communicating with other CSE offenders and perhaps targeting children.

Have you ever considered using the Internet of Things as evidence in your case? This session will provide the audience a hands-on experience focusing on the identification, collection and analysis of Internet of Things artifacts. The audience will work through case scenarios and gain practical experience all while having fun with one the world's leading experts on Internet of Things forensics.

Prerequisite homework before attending this session is to review this TedX video - How the IoT is Making Cybercrime Investigation Easier - https://www.youtube.com/watch?v=9CemONO6vrY

Ransomware investigations are becoming increasingly prevalent, and the questions an analyst are faced with are similar in almost every investigation:

• How did the attacker get in?
• How long did the attacker have access to system(s)
• What files/folders did the attackers access?
• Was there any data exfiltration?

A majority of ransomware now does ""cleanup"" after running, and deletes and overwrites important data such as event logs, recent user activity, powershell commands, etc. This talk delves into a quite often looked artifact called the RDP Bitmap cache, which may contain the answers that are needed to make a determination one way or another on ransomware related questions. It is a very interesting, and very under utilized artifact, that allows an analyst to quite literally piece together ""what had happened was...""

The Voice Memo app on iOS can be used to capture important information. Device and cloud storage make long term preservation, and future access, a trivial task. With ease, one can access the minutes of a business meeting, a portion of a class lecture, or conversation between friends. With the same ease, though, a recording can be modified. The recording takes on a new form, and new meaning - depending on the modification.

Using both artifact and timeline views within Magnet AXIOM, an investigator can analyze the twists and turns a voice memo file has taken. Add in a small amount of hex-view analysis, and the tale of a voice memo file starts to take shape.

This presentation is based on test data that can be applied to real-world scenarios. Attendees will follow the path of a voice memo file from original creation, through modification, and rebranding. The fragments of information left behind will be highlighted through timeline analysis.

So, you wanna do mac forensics, but your department won't buy the mac forensics tools? You have a mac with the T2 chip and can't image with conventional imagers? Or T2 + FileVault/Encrypted APFS? Not to worry! Contrary to popular belief, you don't need expensive specialist tools to perform mac forensics. We explain the internals and show you how it's done with open source tools. From creating your own forensic boot disk to imaging and analysis of APFS on T2 macs, empower yourself with open source, and complement your existing forensic toolset! We'll showcase some new artifacts too.

So, you wanna do mac forensics, but your department won't buy the mac forensics tools? You have a mac with the T2 chip and can't image with conventional imagers? Or T2 + FileVault/Encrypted APFS? Not to worry! Contrary to popular belief, you don't need expensive specialist tools to perform mac forensics. We explain the internals and show you how it's done with open source tools. From creating your own forensic boot disk to imaging and analysis of APFS on T2 macs, empower yourself with open source, and complement your existing forensic toolset! We'll showcase some new artifacts too.

Incident Response, like juggling flaming dumpsters or swallowing swords, is not for the faint of heart. When was the last time you did a collection where everything went exactly right? Or your analysis didnʼt encounter a massive hitch? Join your ringmasters, Heather and Shelly, on an exciting trip to the IR Circus! Weʼll share tip and tricks to help you juggle your sanity with collection and analysis tasks sure to impress your customers and your team!

Incident Response, like juggling flaming dumpsters or swallowing swords, is not for the faint of heart. When was the last time you did a collection where everything went exactly right? Or your analysis didnʼt encounter a massive hitch? Join your ringmasters, Heather and Shelly, on an exciting trip to the IR Circus! Weʼll share tip and tricks to help you juggle your sanity with collection and analysis tasks sure to impress your customers and your team!

Data volumes are exploding as are potential data sources requiring analysis for investigations. Wading through such volumes can take time that corporations don't have and have unnecessarily high costs. For corporate investigations and compliance, growing data volumes creates a pressing need for methods, technologies and processes which can be used to quickly analyze massive amounts of communications and information.

One such technology is conceptual analytics, which has been used by corporations and government agencies to assist with document review, e-discovery and data management. Now, organizations are realizing that analytics has tremendous potential to improve efficiency and accuracy in data-intensive inquiries. Keyword searches can be very useful when you know exactly what it is that you are looking for, but no one calls a bribe a bribe. Shifting our approach toward analytics allows us to describe the ideas and activities at issue with in a collection of exemplar paragraphs, and then let the analytics engine find and report the correlations and connections. Organizations facing investigations, or simply developing compliance assurance protocols, can include conceptual analytics in their initiatives to prioritize collection efforts, proactively audit corporate document populations, and identify priorities in the areas of training, monitoring and policy development. In today's presentation we will discuss the foundations of analytics, and explore exciting new developments in workflows, methods, and applications - all of which can be leveraged in compliance initiatives and investigations of all kinds.

Data volumes are exploding as are potential data sources requiring analysis for investigations. Wading through such volumes can take time that corporations don't have and have unnecessarily high costs. For corporate investigations and compliance, growing data volumes creates a pressing need for methods, technologies and processes which can be used to quickly analyze massive amounts of communications and information.

One such technology is conceptual analytics, which has been used by corporations and government agencies to assist with document review, e-discovery and data management. Now, organizations are realizing that analytics has tremendous potential to improve efficiency and accuracy in data-intensive inquiries. Keyword searches can be very useful when you know exactly what it is that you are looking for, but no one calls a bribe a bribe. Shifting our approach toward analytics allows us to describe the ideas and activities at issue with in a collection of exemplar paragraphs, and then let the analytics engine find and report the correlations and connections. Organizations facing investigations, or simply developing compliance assurance protocols, can include conceptual analytics in their initiatives to prioritize collection efforts, proactively audit corporate document populations, and identify priorities in the areas of training, monitoring and policy development. In today's presentation we will discuss the foundations of analytics, and explore exciting new developments in workflows, methods, and applications - all of which can be leveraged in compliance initiatives and investigations of all kinds.