Wednesday September 15

8:00 AM to 9:00 AM

Session Title

New Digital Evidence in Review Computers, Smartphones, IoT

Data has been in an evolutionary cycle with our digital fingerprints getting larger and larger. Each year marks a new level that our digital investigations must strive to for the capture of the elusive information. Take a moment to review some of the new data sources that can impact your investigation and potentially make or break your case. 

Speaker Bio

Amber Schroader, CEO & Founder, Paraben Corporation
Throughout the past two decades, Ms Schroader has been a driving force for innovation in digital forensics. Ms. Schroader has developed over two-dozen software programs designed for the purposes of recovering digital data from mobile phones, computer hard drives, email, and live monitoring services. Ms. Schroader has taught and designed the established protocols for the seizure and processing of digital evidence that has been used by numerous organizations throughout the world. Ms. Schroader has coined the concept of the “360-degree approach to digital forensics” as well as started the momentum and push to the “Forensics of Everything-FoE” with her focus to unique problems in digital evidence and solutions. Ms. Schroader has been a huge industry influence in pushing for a big-picture consideration of the digital evidence and the acquisition process and analysis techniques used. An accomplished curriculum developer and instructor; Ms. Schroader has written and taught numerous classes for this specialized field as well as founded multiple certifications. Ms. Schroader continues to support through book contributions and other industry speaking engagements.

9:00 AM to 10:00 AM

Session Title

Introduction to Hacking Web Applications & Pen Testing

Unless you’ve worked as a professional penetration tester, the actual process of testing an application and generating and delivering a
report is probably a mystery to you. Some web applications are quite big – where do you even start?

As a Security Consultant, I test new applications every week or every other week while maintaining a high level of consistency and quality. This is not something I was able to do when I started, and it was developed through effective training and experience.

In this talk, I’ll describe how to approach a professional web application penetration test, including where in the application to start, what kinds of tests to do, and how to know when to stop. I’ll talk through several tools and processes that help me to focus my efforts on certain parts of the application without losing significant coverage on the rest of it.

By the end of this talk, you should have a good foundation for becoming a penetration tester and understanding why applications fail and how to find the issues about which your clients care most.

Speaker Bio

Scott Miller, Accenture
Scott Miller is a Security Consultant at Accenture and performs vulnerability assessments and penetration tests for Accenture’s clients, with his favorite domains being network and web. He enjoys traveling and attending conferences and recruiting events related to security and/or diversity and inclusion.  Scott also enjoys fitness and doing activities like kayaking, hiking, and boxing.

10:30 AM to 11:30 AM

Session Title

Windows 11 Forensics

With every new upgrade/update to Windows, forensic artifacts also change.   In this 50-minute class, we will cover a few new artifact locations in Windows 11 to assist you in your examinations. Learn what you might be missing in the next evolution of Windows. 

Speaker Bio

Dave Shaver, Digital Forensic Examiner

Dave Shaver has been a digital forensic examiner since 1999. He currently is working for the U.S. Government. 

11:30 AM to 12:30 PM

Session Title

Social Engineering in 2021

• Introduction
• Case Studies
• Potential Victims of Social Engineering
• The Dangers of Successful Social Engineering Campaigns
• Types of Social Engineering Attacks
• Preventive Measures Against Social Engineering
• Reactionary Steps for Victims of Social Engineering
• Prognosis of Social Engineering in 2021

Speaker Bio

Christopher Salgado

Christopher Salgado is a highly accomplished and trusted security and investigations leader with more than 19 years in cyber and physical investigations as well as security. Throughout his career, he has effectively assisted several companies, including Fortune 50 companies, in various capacities, including via the installation of numerous innovative and efficient processes in the topics of investigations, security, brand protection, threat management, business continuity, intelligence, operations, recruiting, customer service, employee morale, and leadership. The companies that have benefitted from his services span across the spectrum of industries, including social media, pharmaceutical, luxury brands (clothing, jewelry, etc.), consumables, automotive, electronics, film production, streaming services, entertainment, and insurance. He has also assisted investigations firms and law firms across the globe. Christopher Salgado is a contributing author to PI Magazine on cyber and social media investigations and a member of the London Speaker Bureau.

• Co-Founder of All Points Investigations, LLC, a global cyber and physical investigations firm.
• Former managing investigator at Facebook.
• Featured in multiple interviews and articles on effective cyber and physical investigations.
• Christopher Salgado has trained numerous investigators, members of law enforcement, corporations and law firms globally on effective cyber and physical investigations.
• Christopher Salgado currently offers aggressive cyber investigations training to investigators and companies across the globe.

1:30 PM to 2:30 PM

Session Title

Reviewing Data for Beach Notifications

Join James and Warren as they discuss the process surrounding data mining and review following a cyber incident. The conversation will cover data collection post forensic analysis, the use of technology to identify sensitive material as well as strategies to reduce populations requiring review. Additionally, the panel will discuss review strategies focused on creating efficiencies in downstream workflows such as jurisdictional analysis and notification.

Speaker Bio

Warren Kruse, Consilio

Warren Kruse is a vice president with Consilio, an eDiscovery and document review service provider. He has spent the last thirty years between law enforcement and as a consultant supporting various agencies with incident response, computer forensics, and eDiscovery.

Warren, co-author of “Computer Forensics: Incident Response Essentials”, is the past International President of the High Crime Investigative Association (HTCIA) and Past President of the Digital Forensics Certification Board (DFCB).

He has supported projects across a wide range of major U.S. corporations and agencies. In addition, he led a team of computer forensic experts in a three-year engagement in support of a fraud investigation task force at the world’s largest international cooperative organization. Recipient of the HTCIA “High Tech Case of the Year” award, Kruse was recognized for his forensic analysis conducted on a case surrounding the theft of intellectual property and trade secrets on the billion-dollar “Comtraid” matter; was a court-appointed expert, and testified as a computer forensic expert for the US Securities and Exchange Commission (SEC).

He has a Master of Science, Digital Investigation Management and a Bachelor of Science, Digital Forensics from Champlain College.

Speaker Bio

James Jansen, Consilio

James Jansen leads Cyber Incident Response Services at Consilio, a global leader in eDiscovery and consulting services.

As the Global Lead of Cyber Incident Response Services and senior member of Consilio’s Client Services team, James focuses on helping clients and their counsel develop and implement effective strategies based on the needs of their matter.

With more than a decade of legal and eDiscovery experience, James has consulted on and managed highly complex engagements for clients across a range of industries including the financial, insurance and technology sectors.  As the Global Lead for Consilio’s Cyber Incident Response Services, James uses this expertise to assist clients impacted by a range of cyber incidents including Business Email Compromise, Ransomware and Data Exfiltration. Working hand in hand with clients, their breach counsel, and cyber forensic firms, James and his team offer clients a range of services when responding to a Cyber Incident including data collection and hosting, analytics driven data mining, document review, and notification report generation.

Additionally, James is an adjunct professor at Wake Forest University School Law where he teaches a course on Electronic Discovery. He is also a frequent CLE panelist on topics relating to both Cyber Incident Response and eDiscovery.

James received his undergraduate degree from the University of North Carolina at Chapel Hill and his law degree from Wake Forest University School of Law in Winston Salem, NC. He is based in Raleigh, NC and has maintained an active license to practice law in North Carolina since 2007.

3:00 PM to 4:00 PM

Session Title

DFIR Toolmarks: Extending detection, analysis, and attribution

Typical CTI products do not delve into DFIR toolmarks, and typical DFIR business models and training obviate analysts from developing toolmarks.  However, DFIR toolmarks have been leveraged to enable higher fidelity detections, further analysis, and develop more granular attribution.

Speaker Bio

Harlan Carvey

Harlan Carvey has been a DFIR practitioner for over two decades and been engaged in information security practices for another decade beyond that.  After leaving active duty, Harlan was leading teams conducting vulnerability assessments and “war dialing” in the private sector before moving into DFIR full time.  During his time, Harlan has engaged in a wide range of analysis and response, from malware eradication to AUP violations to targeted, nation-state threat hunting and response. Harlan is an accomplished public speaker and a prolific published author.

4:00 PM to 5:00 PM

Session Title

ForensICS | Breach Investigation in ICS/SCADA

It has been a big challenge when Industrial Control Systems got compromised due to the limitations of skillful professionals in the OT environment.

In Generation IV, the ability to conduct both live analysis and memory acquisitions has opened the door for Forensicators who have an understanding of ICS/SCADA systems.

In this talk, it will be demonstrated how to acquire a memory dump in a system running under Windows OS in a forensically sound manner when a breach is assumed..

KET TAKEAWAY

1. Gain a fundamental understanding of the OT environment.
2. Learn the practical steps of memory acquisition for forensics investigation from a compromised OT system.
3. Equip the CERT/DFIR/CSIRT team of the applied forensics in ICS/SCADA.
4. Formulate Incident Response playbook in OT.

Speaker Bio

Art Rebultan Principal DFIR, Envision-Digital International

Art Rebultan has more than 18 years of experience combined as an IT and OT professional with a background in PCI-DSS audit management, Unix/Linux security and systems administration, R&D, VAPT, TVM, Risk Management, Counterintelligence, and currently leading the global Digital Forensics and Incident Response program in an AIoT/IIoT/ICS/OT/Edge Computing company. Holding a master’s degree in IT with a concentration in E-Commerce security. He has also a professional graduate diploma in Digital Forensics and Cyber Security as continuing education. Specializing in Computer Forensics, Network Intrusion, Data Breach, Cybercrime Investigation, Malware Analysis, and Reverse Engineering. Security content writer and public speaker as past-time hobby and uncovered 7 zero-day malware during IOC extractions from Forensics analysis. Krav Maga practitioner, Judoka, and a license level 2 Freediver.

Thursday September 16

8:00 AM to 9:00 AM

Session Title

Mobile Device Management & Stalking & Surveillance

This seminar will explore the interpretation ( and misinterpretation) of common Mobile Device Management artifacts resident on electronic devices.  The presenters have experienced several cases throughout the past year in which individuals have turned to forensic analysts to explain the existence of MDM artifacts resident upon their electronic devices without their knowledge or consent.  In many cases, the artifacts can be traced to the interdependence of, and data sharing capabilities of, apple and android products.  In at least one case, the inaccurate explanation of MDM artifacts led one client to initiate legal action against the client’s spouse’s employer.

Speaker Bio

Don Wochna, Wochna Law Office

I am one of a few experienced litigators in the United States to have been certified as a Computer and Mobile Device Forensic Examiner and to have testified in federal and state courts.  Beginning in 1999, I focused the Wochna Law Firm on criminal defense cases in which evidence is found on computers, cell phones, and/or networks. Leveraging my 37 years practicing law and my 20 years as a consulting and testifying digital forensic expert, I accept engagements from Criminal Defense attorneys and law firms in the United States looking to leverage a strategic insight into electronic evidence that can only be delivered by an attorney who is also an electronic evidence expert.

In 1983, I obtained my law degree from Law School, the University of Chicago where I first observed the need for simple and effective explanations of complicated technical concepts that underlie many criminal defense matters in the modern electronic society. I strive for explanations that are understood by attorneys, judges, clients, and jurors that do not have significant technical backgrounds. Contact me today to give your case the edge it needs. 

Hayden Pritchard

Director of Information Security and Data Privacy Law. Providing strategic leadership of global information security and data privacy within cloud-hosted and geographically dispersed regions. Experience mostly centered on the healthcare industry with some energy sector consultancies.

Born and educated in England. I hold dual UK and USA Citizenship. My professional career has included living and working for five years in Tokyo, Japan. Plus lived and worked in Europe, Asia, and now in North America. Relevant professional certifications include CISM, CIPM & HICCSP & CDPSE. 

9:00 AM to 10:00 AM

Session Title

Multi-INT Enabled Discovery: Digital Forensics at Cloud Scale

Multi-INT Enabled Discovery (MINTED) is a platform developed by the Microsoft Azure Special Capabilities, Infrastructure, and Innovation (ASCII) team. It enables users to extract intelligence using state-of-the-art AI models, quickly identify trends and anomalies, and visualize actionable results. In the world of Digital Forensics, this provides new insights into raw data by showing analysts these trends and anomalies across data types. In this presentation, I will walk through how MINTED, combined with cloud, can empower analysts everywhere with the critical information they need to succeed in their mission.

Speaker Bio

Joel Day

Joel Day is a Technology Strategist focused on Intel Community and DoD Accounts.  He has been with Microsoft since 2011, where he started as an Application Development Consultant, working on digitally transforming the IC. His current focuses include building Cloud Native applications, deploying Internet of Things solutions, bringing AI to the Edge, and implementing DevSecOps. He lives dangerously by constantly installing beta software on his production laptop, and he always normalizes his data sets.

Speaker Bio

Chris Sanchez

Chris is honored to have served within the military Special Operations community of the US Navy SEALs over the last 20 years.  As a SEAL he led teams ranging in size from 16 to 200+, in missions ranging from unconventional warfare to counterinsurgency to Presidential protection and SOF strategy development.  His favorite role was leading a fusion team consisting of SEAL operators and cross-disciplinary analysts charged with developing US resources in denied areas of the world.  

Most recently Chris was the Head of Analytics at a non-profit organization dedicated to supporting Special Operations veterans transitioning from the military to corporate roles, where he provided decision and analytics support to the CEO and her staff.  He is now working on a cleared data science team at Microsoft, building solutions for government customers in the national security sphere.  

Chris has a Masters in Data Science from the UC Berkeley MIDS program and is a big fan of Python dictionary comprehensions.  

10:30 AM to 11:30 AM

Session Title

Tools and Techniques for Linux Skeptics

WindowsOS is your preferred platform (understandably). But you can turbocharge your forensic work by adding Linux innovations to your toolbox. Two dynamic Forensicators will show you how.

In this session you will learn how to:
* Add Linux to your workbench can save you time and money
* Validating results uncovered from Microsoft Windows tools
* Use Linux on your existing computer(s)
* Better leverage file systems
* Use Linux outside your lab
* Use Linux in court

Speaker Bio

Ira Victor

Ira Victor has more than 25 years of information security and digital forensics experience.  Ira first installed Linux on a “WinTel” computer at about the time RedHat Linux v3 (stable) became available. Ira is named as co-developer on multiple U.S. patents related to information security. His professional background includes work in messaging, incident response, digital forensics, and eDiscovery. Mr. Victor coauthored ground-breaking legislation on information security, privacy and digital forensics in his home state of Nevada. Ira has earned and maintained certifications from GIAC and ISACA.

Kevin Fisher 

Kevin Fisher has been a foundation in the Paraben support team for 10 years. Kevin’s dedication to the Paraben customers goes well beyond work hours with volunteering to help them in his free time as well. Kevin has had a love of computers for many years and that love and passion come through with all of his time and effort he puts into Paraben. Kevin loves all the Paraben tools, but E3:DS has a special place in his heart because of the challenge it is as no two devices are the same.

11:30 AM to 12:30 PM

Session Title

Coffee, Tea or NVMe

On March 1, 2011 the NVM Express (NVMe) specification was released. Though not as long a history as mechanical or SSD hard drives, NVMe touts faster read and write speeds, somewhat easier to install, and bypasses the SATA bus completely. With all of this, NVMe is poised to make a significant impact on computing. This presentation explores NVMe for the digital forensics lab. How can we use it, how can we collect from it, and can it make a significant enough impact to encourage more of its use in our labs.

A comparison has been made between SATA III mechanical hard drives, SATA III SSD hard drives, and NVMe storage. Standard benchmarking software has been used, and also the processing of a suspect hard drive has been run using all three different media. An examination of how we can collect data from a suspect drive in a forensically sound manner is also part of this talk.

Speaker Bio

Tim Carver, The University of Alabama, Huntsville

Prof. Timothy A. Carver holds a Bachelor of Science in Computer Science and Electronics Engineering, a Master of Science in Computer Science, and is ABD on his Ph.D. Over the years, he has designed and programmed video games, consulted at General Electric Aircraft Engines, and run his own business, He fell in love with teaching and has served in various faculty positions at The University of Cincinnati and other universities.

Currently, Prof. Carver teaches at The University of Alabama in Huntsville. He is a practicing Forensic Computer Examiner, a member of the International Society of Forensic Computer Examiners (ISFCE) and is a member of the Board of Directors for the High Tech Crime Consortium (HTCC). Because of his research on Bitcoin Forensics, Prof. Carver has been asked to consult on several cases and provide training to quite a few law enforcement organizations in recent years. He has also been referenced by the National Security Agency for his knowledge of Bitcoin.

1:30 PM to 2:30 PM

Session Title

Forensic Analysis of Fake Multimedia

In this session, we’ll focus on the media aspects of fake news, disinformation campaigns, and fake intel with deep analysis of altered images, audio, and video to uncover methods used to twist narratives and mislead perceptions. We’ll dive into the taxonomy of fake photos, deepfakes, phishing audio fraud attacks, fake rallies, nation-state fake intelligence, and media-generated to inspire mass hysteria. We’ll then further categorize these threats by their TTPs and provide methods for enhancing detection and response strategies. We’ll also demonstrate our Python Machine Learning-based media analysis tool to demonstrate detection of fake media gathered from news sites and social media, and provide deep and tangible insights into this systemic problem.

Speaker Bio

Mike Raggo, SilentSignals Inc. 

Michael T. Raggo (Co-Founder, SilentSignals, Inc.) has over 20 years of security research experience. During this time, he has uncovered and ethically disclosed vulnerabilities in products including Samsung, Checkpoint, and Netgear. His research has been highlighted on television’s CNN Tech, and numerous media publications including TIME, Forbes, Bloomberg, Dark Reading, TechCrunch, TechTarget, The Register, and countless others. Michael is also the author of Mobile Data Loss: Threats & Countermeasures and Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols for Syngress Books co-authored with Chet Hosmer and is a contributing author to Information Security the Complete Reference 2nd Edition. His Data Hiding book is also included at the NSA’s National Cryptologic Museum at Ft. Meade. A former security trainer, Michael has briefed international defense agencies including the FBI, Pentagon, and Queensland Police; is a former participating member of FSISAC/BITS and PCI Council, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon Norway, and SANS. He was also awarded the Pentagon’s Certificate of Appreciation.

Chet Hosmer, Python Nation

Chet Hosmer is the Founder of Python Forensics, Inc. a non-profit organization focused on the collaborative development of open source investigative technologies using the Python programming language.   Chet has been researching and developing technology and training surrounding forensics, digital investigation and steganography for over two decades. He has made numerous appearances to discuss emerging cyber threats including National Public Radio’s Kojo Nnamdi show, ABC’s Primetime Thursday, NHK Japan, CrimeCrime TechTV and ABC News Australia. He has also been a frequent contributor to technical and news stories relating to cyber security and forensics and has been interviewed and quoted by IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com and Wired Magazine.

Chet is the author of five recent Elsevier/Syngress Books:

• Passive Python Network Mapping,
• Python Forensics,
• Integrating Python with Leading Computer Forensic Platforms,
• Data Hiding which is co/authored with Mike Raggo,
• and Executing Windows Command Line Investigation, which is co/authored with Joshua Bartolomie and Ms. Rosanne Pelli

Chet serves an Assistant Professor of Practice at the University of Arizona in the Cyber Operations program where he is teaching Violent Python, Using Python for Advanced Cyber Analytics (ML) and Cyber Deception.

Chet delivers keynote and plenary talks on various cyber security related topics around the world each year.  He is also well-known as the Co-Founder of WetStone Technologies, Inc. a renowned cyber security organization developing malware and steganography solutions in use by Law Enforcement, Defense and the Private sector world-wide.

3:00 PM to 4:00 PM

Session Title

The cat and mouse game with iOS Forensics

iOS forensics has been a hot topic over the last few years. Apple is constantly strengthening its security measures on their devices such as iPhones, iPADs, Apple TV, Apple Watch etc.  This was designed to prevent hackers and by doing so law enforcement investigators access to its devices, Things like remote phone wiping, not allowing the passing of data through lightning cable, requests to enter a PIN after potentially suspicious actions (like changing a SIM card), 6-digit PIN by default etc, make digital investigations much more difficult.

There are, however, some breakthrough advances in the field of Apple device forensics, such as checkm8, unc0ver and checkra1n jailbreaks, as well as advances in agent-based acquisition. These advances gave investigators the forgotten possibility to acquire so-called “full file system copy”, which has far more data than a regular iTunes backup. Under some circumstances, there is a possibility to acquire data and keychain even without a jailbreak!

Speaker Bio

Jared Luebbert , Belkasoft

Jared Luebbert is a Digital Forensics Expert and Litigation Support Professional with years of experience performing digital forensic collection and analysis worldwide. He is the Forensic Sales Engineer for Belkasoft in North America and the founder and lead examiner of Gateway Forensics, a veteran-owned digital forensics company located in Maryland. Jared has worked on cases from a variety of industries including Energy, Manufacturing and High Technology, Medical, and Real Estate. He has assisted clients with patent infringement damages assessments, financial fraud, civil and criminal law matters, mobile device & computer forensics, intrusion detection, and incident response.

4:00 PM to 5:00 PM

Session Title

A Holistic Approach to Combatting Ransomware AI

The ever-evolving digital age affects every critical infrastructure on a global scale. IoT devices leverage the Internet to enable on-demand control and data feed to transform innocuous devices into powerful smart tech. IoT has transcended into a movement, shifting to what is now referred to as the Internet of Everything. The implications of IoE on the cybersecurity landscape are vast. Threat actors will continue to invest heavily in the exploitation of new technologies to advance the efficiency and decisiveness of their criminal operations. Experts estimate that in 2021 global ransomware attacks will reach a total of $6 trillion in damages, and it is forecasted that the sophistication of disruptive methods of attack will only increase. The methods of attack are beginning to include machine learning AI’s which allow threat actors to stealthily traverse an environment and attack specific targets autonomously, resulting in attacks that are more difficult to detect, prevent, and investigate. The uptick in deepfake technology over the last two years has also provided additional capabilities for threat actors to leverage, including elaborately convincing fabricated voice, image and video content. Faced with the threat of increasingly advanced ransomware attacks, sophisticated protections must be implemented. AI powered threat detection tools can identify patterns of malicious behavior and autonomously prevent intrusions and pacify deepfakes. Organizations must adopt a holistic approach when combatting AI ransomware, leveraging machine learning neural networks, to keep up with the advancing threat landscape.

Speaker Bio

Richard D’Souza, CyberClan

Richard D’Souza is the Owner and CEO of CyberClan. CyberClan has been providing cybersecurity services since its inception in 2006. Richard brings over 20 years of comprehensive cybersecurity experience in areas including incident response, computer forensics, secure architecture, security assessment, auditing, cyber extortion, and dark web investigation. Richard has conducted hundreds of vulnerability assessments and penetration tests, as well as business transformation computing efforts and architecture decisions in various IT environments including the gaming industry, government, foreign embassy, insurance, critical infrastructure, telecommunications, and engineering.  His deep knowledge in identification and prioritization, in addition to authorship of critical cloud security architecture decisions, requirements, guidelines, policies, and procedures across multiple domains provide expertise to lead in any complex security enterprise. In addition, Richard was the Managing Director of Operations and Head of Information Security at UK based Accredited Test Facility (ATF) where he established the ATF’s Canadian operations with particular emphasis in security auditing, compliance testing, sales and business development.

End of Event-Recordings will be made available by the following week.