Abstracts for Cyber Crime Summit

Keynotes
Cybercrime:
A Unique Challenge Requiring An Innovative Response
By: Dick Johnston
As our lives have become inexorably intertwined with the computer and other digital devices, Americans
have been slow to understand the magnitude of change both for the better and worse. E-everything has
brought new meaning to the term generation gap and without the competitive edge of technology,
businesses cannot begin to compete.
We have not scratched the surface of understanding the impact of technology on deviant behavior both
criminal and non-criminal. We do know that computers, and the information in them, have expanded the
ability of criminals to perpetrate traditional crimes while posing huge hurdles to the criminal justice
community.
It is important to look at how the challenge is distinct from other law enforcement challenges, to
recognize the macro issues involved, and to ensure that there is appropriate focus to addressing the
long-term problems as well as the immediate needs of the enforcement communities.
Successful response to these challenges requires new paradigms. Ones that can overcome many of the
obstacles that traditionally limit cooperation and collaboration amongst the stakeholders. Criminal justice
systems at all levels, the academic community, private sector businesses, our schools systems, libraries,
and parent groups are all stakeholders - and must be factored into the solutions.
Developing these new paradigms will be difficult because traditional decision processes will be applied to
suggested changes when, in fact, these processes themselves require changing. Limited by laws,
regulations, tradition and historical thinking, post-incident response entities such as law enforcement,
prosecutors, and the judiciary are ill equipped to carry a role in the long-term solutions.
Outreach to the other stakeholders, forming true partnerships, and sharing successes will initiate changes
which can lead to solving the immediate challenges of identifying, investigating, and prosecuting
computer-related crimes and to the changes required for long-term problem solving.
Cyber Security and National Strategy to Secure Cyberspace
By: Mr. Howard A. Schmidt
Vice Chair, President's Critical Infrastructure Protection Board
For the foreseeable future, two things will be true: We will rely upon cyberspace to run our critical
infrastructure and the government will seek a continuing broad partnership to develop, implement and
refine a National Strategy to Secure Cyberspace.
Mr. Schmidt will discuss the various aspects of the strategy to secure cyberspace and the things that we all
can do to help secure it.
--A National Cyberspace Response System: a program to coordinate and strengthen government
and industry activities to analyze, warn, share information, respond to incidents, and recover from major
cyber events
--A National Cyberspace Vulnerability and Threat Reduction Program: efforts led by government
and critical infrastructure industries to identify and remediate vulnerabilities in key networks, as well as
activities to deter threats to cyberspace systems.
--A National Cyberspace Security Awareness and Education Program: activities to make several
diverse audiences understand better the risk of cyberspace attacks and ways to make them more difficult;
programs to train cyberspace security professionals
--Securing Government Cyberspace Systems: efforts to increase the security of government
systems and networks, including both the civilian systems for which OMB is responsible and the national
security systems for which the Secretary of Defense and the DCI are responsible
--International Cooperation and National Security: efforts led by the State Department to
coordinate international cooperative efforts in cyber security, both bilaterally and multilaterally, and
efforts by other national security agencies.
FBI InfraGard:
The Pervasive and Crucial Role of the Private Sector in Critical
Infrastructure Protection
By: Phyllis A. Schneck, Ph.D.
We are a nation at war, with our greatest strength our freedom. To protect that freedom, American
business and private sector must be an active part of protecting our nation's critical infrastructures,
including our business and economic infrastructure. Every company in America should have a role within
that takes on the responsibility of building trusted relationships and communication channels with
Federal, State and local government and law enforcement. Just as every FBI field office in the country
has an FBI InfraGard Coordinator, every business needs to fill this role as well - to enable information to
be where it is needed -- immediately.
InfraGard, at 9:;; members and growing, is the premier public-private partnership for critical infrastructure
protection. The establishment of the new Department of Homeland Security provides a tremendous
opportunity for InfraGard to leverage the inter-agency information exchange facilitated by the Department
of Homeland Security while still maintaining and continuing to grow the trusted relationships established
with FBI agents within local FBI field offices.
This talk will address the ways that are being explored by the InfraGard Executive Board, the FBI and the
Department of Homeland Security to position InfraGard to achieve optimal benefit to members and to our
Nation. The talk will explore current and projected roles and responsibilities of the private sector and the
issues that every company, and every citizen, must face as we are faced with a networked nation where
cyber vulnerabilities affect all critical infrastructures -- making our vulnerabilities severe, not
well-understood, and global.
InfraGard is gaining strength by the minute - we are here to stay... not only as the premier public-private
critical infrastructure protection partnership, but as a concept and a culture of information exchange to
protect our country.
Presentations
Computer Forensics Tool Testing &
The National Software Reference Library
By: Dr. Jim Lyle
The National Institute of Standards and Technology (NIST) has been around for over one hundred years.
Its mission is to develop and promote measurement, standards, and technology to enhance productivity,
facilitate trade, and improve the quality of life. As a result of NIST's integrity and objectivity in meeting
its mission, NIST has been requested to provide support in the area of electronic crime investigations, and
computer forensic tools are a critical part of corporate and criminal investigations.
The Computer Forensic Tool Testing (CFTT) project at NIST has established the means to evaluate
software tools used in corporate and criminal investigations and provide the documentation that details
capabilities of a particular tool when held to specified criteria. Currently individual organizations or
agencies have been conducting testing on tools that are in use by their respective investigators. However,
these processes are random and due to time constraints and equipment may not cover the appropriate tool
attributes. Through a national response, NIST has acquired a list of the type of tools that should be
subjected to this testing and the specific tool version. NIST has established a methodology for testing
computer forensic software tools by development of tool requirements specifications, test procedures, test
criteria, test sets, and test hardware. The results provide the information necessary for toolmakers to
improve tools, for users to make informed choices about acquiring and using computer forensics tools,
and for interested parties to understand the tool capabilities. This approach for testing computer forensic
tools is based on well-recognized international methodologies for conformance testing and quality testing.
To determine if your agency or corporation is utilizing a software tool for the appropriate task it is
imperative that a review of the available reports is conducted. Information will be provided on where to
obtain the reports, which software tools have been tested, and the future direction of the project.
The National Software Reference Library (NSRL) contains over 10 million different validated computer
files in a Reference Data Set (RDS), which is built on file signature generation technology that is used
primarily in cryptography. The selection of the specific file signature generation routines is based on
nationally gathered requirements and the necessity to provide a level of confidence in the reference data
that will allow it to be used in the U.S. Court system. The potential for use of the NSRL in the judicial
process is extensive and has been sought out to aid in various types of investigations such as with
criminal and piracy issues. NSRL signatures can be used to trace a file signature to a specific software
manufacturer's product. This can be useful for intellectual property cases and for other instances where
the investigator is looking for something, rather than eliminating known files. Comparison of the
generated file signatures to files on a computer allows investigators to eliminate between 25 and 95
percent of the total files on a computer, so that only those files that really might contain evidence need be
examined. The NSRL contains four different hashing algorithms for each software program. Details will
be provided on how to utilize and obtain the NSRL Standard Reference Database and the latest software
version of the program will be provided to offer an opportunity to use the project.
Funding for these projects is through the National Institute of Justice (NIJ) and several other law
enforcement agencies and is managed by the NIST Office of Law Enforcement Standards.
Managing Sex Offenders' Computer Use
By: Jim Tanner, Ph.D.
Most sex offenders are sentenced to probation and remain in the community. Many continue to have
access to the Internet while on probation. This session details a unique method of computer forensics
developed by KBSolutions for the management of sex offenders' computer use. This forensic approach
was developed in response to the needs of the Colorado Judicial Department. Dr. Tanner will describe the
software and step by step procedures utilized in this effective computer management program. While the
session focuses on sex offenders, the techniques are equally applicable to other types of cyber crime
offenders.
Warning! This class discusses information related to adult pornographic materials. No images will
be shown in this presentation. However, the class should know we will be talking about how sex
offenders use the Internet and will be talking about pornography in a straight-forward manner.
Know Your Enemy: Patterns in Adult Web Sites
By: Jim Tanner, Ph.D.
Adult web sites account for a huge portion of e-commerce. Almost daily we are faced with the challenge
of detecting and reporting the trafficking of individuals who visit these sites. Despite this fact, few
computer forensic specialists have a firm understanding of how the adult web industry operates. Dr.
Tanner has been tracking the adult web industry for more than a decade. This session will present the
results of his investigations. The patterns and format of sexually explicit material will be discussed. This
session is of value to individuals tasked with retrieving sex-related activity from suspect computers.
Warning! This class discusses information related to adult pornographic materials and images may
be shown during the class that would be offensive to some.
CALEA Compliance for BellSouth
By: Ron Weaver
CALEA (Communications Assistance for Law Enforcement Act) will be for law enforcement only on
both days and deals with past, present and future activities/issues involving BellSouth and CALEA
compliance.
Because of the sensitive nature of this information only Sworn Law Enforcement will be allowed in
the class.
Court Ordered Electronic Surveillance & Subpoenas
By: Herb Blanchard
Presentation will cover who we are, types of Competitive Local Exchange Carriers (CLEC) and what is
available via Court Order/Subpoenas. Explain Court Order requirements to obtain information for Pen,
T&T, Caller ID, Title III, voice mail, etc. and various methods of retrieving information and types of
transmission of data to LEA. Explain what telephone records are available via subpoenas and how to
obtain said information.
Because of the sensitive nature of this information only Sworn Law Enforcement will be allowed in
the class.
Internet Safety
By: Special Agent in charge Steve Edwards
This block of instruction is to provide and cover the issues related to Internet Safety. The Internet and
computers have become a mainstream in our way of life. Many people are becoming victims of crime via
the Internet and computers. Many of our citizens are using the Internet, but unfortunately many of these
citizens have not been educated to understand the dangers of the Internet. In the Attorney General's ten
point outline to deal with America's computer infrastructure, former Attorney General Janet Reno
included a mandate to provide Internet safety training in the public schools and our communities. As a
result of this mandate the Department of Justice through the National Cybercrime Training Partnership
(NCTP) funded the West Virginia High Tech Consortium Foundation (WVHTC) to develop a curriculum
for Internet safety training for the school systems across the country. Subject matter experts including
educators, members of the criminal justice community, academia, and persons concerned with missing
and exploited children developed this curriculum. This curriculum is currently being used in public
schools in West Virginia and other parts of the country. In Georgia we are trying to create a partnership
between members of our local criminal justice agencies and educators to present Internet Safety in our
schools and community.
Forensics:
So you finally got something other than a Windows machine to analyze... now what?
By: Andy Rosen
What do I do with Macs, Solaris, FreeBSD and other less traditional systems?
Although comprising only an estimated 8% of personal computers, Macintosh computer systems can pose
unique challenges to forensic investigators and examiners. The same is true for many of the less
traditional systems. This course will discuss several "alternate" methodologies to assist in the acquisition,
preservation and analysis of these less traditional computer systems.
How a Network Analyzer Can Assist in Incident Response
By: Kevin Beaver
This presentation addresses tips and tricks for using a network analyzer as a tool in computer security
investigations. Topics covered will include:
• Understanding the network analysis process
• Techniques to separate the junk packets from what you're really looking for
• Keeping network analyzer complexities to a minimum when you most need it
• Live demonstration on using a network analyzer in a real-world scenario
Okay, it's the Internet. What's really going on out there?
By: Patrick Gray
ISS's Emergency Response and Penetration Testing Services. The discussion will include what we see as
we respond to emergencies - is it Hackers or Users? What we see within the hacking community, their
targets and techniques. What are they looking for and how do they get it.
The New Paradigm in Disaster Recovery:
The Network that Never, Ever Goes Down
By: Phyllis A. Schneck, Ph.D.
While we cannot eliminate the potential for "disaster," the "recovery" is no longer needed. Your entire
region may experience an earthquake, but your business network will remain functional without
interruption. Guaranteed. This disaster recovery architecture uses a combination of existing technology
as well as some new tricks directly from the network fault tolerance research community as an enabler to
provide true business continuity, eliminating the traditional need for failover. Your data are always
secure and always available. This discussion will provide an overview of what's under the hood,
followed by an analysis of the many implications of this new capability, ranging from financial return on
investment to new options in the storage of forensic data. For decades, the IT security community has
suggested that security be built into the network from the foundation and up. This discussion will present
the latest work, and will encourage interactive participation as we explore ways to make our
infrastructures stronger by building them smarter.
The Intersection of Technology and the Constitution:
Exploring the 1st and 4th Amendments
By: Marjie T. Britz, Ph.D.
Currently, the most common judicial challenges facing computer crime investigators include inconsistent
interpretations and applications of the 1st and 4th Amendments to emerging advancements in technology.
Constitutional challenges have been issued, for example, in cases where traditional, non-technology
specific, statutes have been utilized to combat the lethargy of legislative entities within a particular
jurisdiction. Subsequent appellate decisions, based largely on non-technology specific case law, have also
come under attack with some displaying favoritism for law enforcement, others for civil rights, and still
others, drifting aimlessly with no apparent consistency in rationale or legality (e.g. 9th Circuit).
Unfortunately, such legal capriciousness has not been alleviated even in those jurisdictions which have
attempted to incorporate technological innovations into traditional criminal statutes, due to the lack of
responsiveness of the Supreme Court. Thus, the very legislation which has been enacted to assist and
guide law enforcement in the murky world of technology where all traditional boundaries of legality,
reality, geography, and criminality are blurred has been all but negated by appellate courts unequipped for
the sheer novelty of their language and the resulting ambiguities surrounding technological advancements.
The resolute silence of the Supreme Court has exacerbated the problem, leaving the country rudderless
with lower courts floundering, contradicting one another and creating a patchwork of constitutionality
unintended by the framers.
Perhaps the most controversial legal issues involving the utilization of computer communication and
technological innovations concern the First Amendment. Originally considered to be outside the scope or
daily routines of patrol officers who were primarily concerned with issues arising from the 4th and 14th
Amendments, First Amendment challenges have kept in pace with technological advancements
providing no easy answers while presenting a myriad of legal conundrums. Such challenges include the
inviolability of electronically published materials, the sanctity of electronic communications, the
intersection of obscenity and community standards, and the necessary level of particularity and specificity
in emerging legislative acts. While lower courts have tended towards consistency on the first two issues
by reaffirming traditional case law, they have not even reached a semblance of consensus on the latter
two.
This paper will explore the current state of the 1st and 4th Amendments in the United States, with
particular emphasis on emerging case law. It will review the recent Supreme Court decision in Ashcroft,
et al. v. Free Speech Coalition, et al., and discuss the ramifications of same. In addition, it will establish
parameters for individualized searches.
The USA Patriot Act As Applied
Cybercrime in Georgia
By: Cassandra Schansman
The Internet and computers are an everyday part of life for many people. However, they have also
become an effective tool for criminals. As a result of the events of September 11, federal laws were changed
to give law enforcement more effective tools in the investigation and prosecution of computer related
cases. Much of this was done via the USA Patriot Act. This presentation will focus on the changes most
important to the investigation of cybercrime via the USA Patriot Act and what those changes mean within
the context of Georgia law.
Homeland Security:
Protecting Our Nation's Critical Infrastructures
By: David Ford
This presentation will provide an overview of homeland security issues related to cyber threats involving
our nation's critical infrastructures. The presenter will discuss the identification and cataloging of critical
infrastructures, potential cyber threats from criminal and terrorist organizations, cyber terrorist
capabilities, and terrorist uses of cyberspace. Instruction will include challenges facing the law
enforcement community, problems associated with protecting government and private sector systems, and
legal obstacles facing investigators. The presenter will cover potential acts of terrorism resulting from the
proliferation of new technologies and the global expansion of the Internet. The presentation will conclude
with a discussion of law enforcement responses to infrastructure threats.
The Feds Are Coming:
Joint Law Enforcement Efforts to Address Computer Crime
By: David Ford
This presentation will provide an overview of the FBI's approach to fighting cyber crime and stress the
importance of law enforcement agencies working together to identify and prosecute criminal violations
related to computers. The presenter will address recent trends in computer crime, frequently used federal
statutes for cyber crime investigations, and investigative guidelines used to determine whether a criminal
investigation is warranted. Instruction will also cover policies and techniques regarding the collection of
investigative information and when it is appropriate to open joint investigations. The presenter will
discuss federal training and law enforcement assistance available to state and local investigators and
additional sources of information for cyber crime investigations.
Identity Theft
2 Hours
By: James Piercy
Identity Theft is the fastest-growing crime in the United States. The 90-minute to two-hour class is
designed to teach individuals about the basics of Internet Safety and some precautions on protecting your
personal information from identity thieves. Some of the topics to be covered include:
Auction Fraud
www.stopidentitytheft.org
Protecting Your Children on the Internet
The Internet and Terrorism
My Identity Has Been Stolen, What Do I Do?
Mr. Piercy has given this presentation to the GA DHHR, Office of Investigations, GA Dept. of Probation
Officers, LaGrange College as well as numerous civic organizations.
Introduction to Computer Forensics
By: Jeff Crabtree
The discipline of computer forensics is a challenging and exciting field. Entry into the field offers the
digital sleuth unparalleled flexibility and learning opportunities to rival the most highly technical arenas in
the IT industry.
This presentation will provide an overview to the field of computer forensics and what methods and
resources the digital sleuth can expect to encounter. This will include an overview of the following:
A) Computer Forensic Practitioners (Not totally who you expect)
B) Computer Forensic Hardware and Software
C) Computer Forensic Uses (Not totally what you expect)
D) Computer Forensic Careers and Applicable Education & Training
Forensic Cryptography
Working with Microsoft's Encrypted File System (EFS).
By: Eric Thompson
The presentation Forensic Cryptography is a technical lecture about working with encryption in a
computer forensics examination. The presentation will begin by reviewing the fundamental building
blocks used in encryption such as keys, hash functions, symmetric encryption, and asymmetric
encryption, etc. The presentation will then shift to a review of Microsoft's Encrypted File System and
what techniques can be used for accessing the encrypted data if passwords are unknown. The
presentation has been designed for computer forensics examiners and other computer specialists. A basic
understanding of cryptography is helpful but not necessary.
Case Management
By: Dan Mares
Dan Mares will be discussing one of many ways of managing a forensic process while reducing workload
for the computer forensic (lab) analyst. This process was originally developed and perfected by one of the
major investigative agencies. The discussion will provide steps which, when implemented, can return
information to the field agent within a few days. The field agent then has the opportunity to advise the
forensic analyst where to place further emphasis on the electronic evidence.
Basic E-Mail Investigations
Tracing Down Email Headers
By: Steve Steelman
The purpose of this class is to learn how to accurately locate and interpret email message headers. While
using different email clients, you will be able to locate the full message header and determine where the
email came from, as well as be able to identify forged headers. You will also learn how to trace the email
back to the ISP from which it originated.
Wireless Insecurity
By: Matt Caldwell
Network Forensics
By: Matt Caldwell
Computer Incident Response
By: James Moore
Incident response is one of the most crucial processes to have at your disposal in a crisis. Addressing
business continuity, disaster recovery, and malicious activity response, the Incident Response Team is the
keystone of any mature information security program. In this 50 minute presentation, Mr. Moore will
cover the basics of the Incident Response Team including: charter, organization, skill sets, training,
process development, and the "virtual team" method. Additionally, practical applications of the IRT in
real world scenarios will be illustrated for clarity and example.
Log Analysis
By: James Moore
Post incident response is an important method of evidence collection and analysis for countermeasures to
prevent similar incidents in the future. Reviewing system logs provides the best method to acquire details
in an "after the fact" investigation. During this 50 minute presentation, Mr. Moore will present scenarios
in which log analysis is a component of an incident response, specifically during a malicious activity
response. Mr. Moore will address the correct methods of pre-incident log custodianship and proper
methods of collection.
Handheld Storage Media
By: Thomas Rude
Dangers of Gnutella Networks
(Peer to Peer Networks)
By: Chris Smith
Peer to peer software is a growing concern, especially when considering the threats that are introduced
when these applications exist on machines within the enterprise. The threats include susceptibility to
viruses, malware and trojans, the sharing of sensitive data, possible corporate espionage, theft of
intellectual property, and the availability of resources. These issues will be presented and some solutions
will be suggested that may be implemented in an attempt to address them. One particular file-sharing
program will not be focused on, so as not to give the false belief that one program is worse than any other.
Within the enterprise the stakes are high and this presentation's intent is to provide the average person with
an overview of the threats that exist if P2P software is allowed to reside within their network.
Starting a Cybercrime Unit
By: David Benton
Many organizations are considering starting a cybercrime unit. This begs the question - so where do I
start? David Benton from the Georgia Bureau of Investigation's Computer Evidence Recovery Team will
discuss the following areas:
- Purchasing Equipment - do I build it or buy it?
- Personnel - where do I find qualified people - how to tell a faker from a real examiner?
- Training - where can I send my people for training?
- Budgeting - how much does it cost to run a unit?
- How is a Law Enforcement and a Corporate Cybercrime Unit different?
There will also be a lively question and answer session.
Hacker Interviewing Techniques
By: Dr. Bob Wynn
The Computer that went Boom!
By: Joel Chriswell
FBI response to Cyber Terrorism and Cyber Crime
By: Jerry Becknell
The FBI has been tasked with protection of the nation's critical infrastructure. Much of that responsibility
is being shifted into the new Homeland Security Department.
SA Becknell describes how that mission has been fulfilled by the FBI and how it will most likely continue
under the new agency. A large part of that mission has been accomplished via the InfraGard program.
InfraGard has given the private sector a large role to play in homeland security which continues to grow
day by day. SA Becknell will explain how conference attendees can get involved in InfraGard and
participate in protecting the national critical infrastructure.
AOL Forensics
2 Hours
By: Wade Grant
This presentation will discuss data recovery associated with America Online (AOL). Some of the topics
of discussion will include Personal Filing Cabinet Analysis, Information stored in the Registry, Typed
URLs, Cookies, History, and Favorites. The presentation will also cover what information may be stored
on the local computer and what information may be stored on the servers located at AOL and how to
acquire this information to include timelines for how long this information may be available.
Internet Explorer Investigations
2 Hours
By: Wade Grant
This presentation will discuss data recovery associated with Internet Explorer to include where
information may be stored, how that information is stored and how to recover that information. Some
areas of discussion will include the Registry, Cookies, Temporary Internet Files, History, and Favorites.
Hard Drive Partition Tables and Recovery
2 Hours
By: Wade Grant
This presentation will discuss when partition tables are created and the different types of partition table
entries that can be created. Students will learn what information is available in each partition table entry.
The presentation will include recovery of partition table information stored on a drive to rebuild a
partition table that has been overwritten.
Examining the Windows 9x Registry
1 Hour
By: Wade Grant
This Presentation will discuss the registry for Windows 95, 98, and ME. Discussion will include the
structure of the registry, the location of and the names of the files that create the registry and the backup
methodology. Students will learn how to acquire these files and how to access the data stored within for
specific information.
Examining the Windows NTx Registry
1 Hour
By: Wade Grant
This Presentation will discuss the registry for Windows 95, 98, and ME. Discussion will include the
structure of the registry, the location of and the names of the files that create the registry and the backup
methodology. Students will learn how to acquire these files and how to access the data stored within for
specific information.
Windows NTx Gaining Operating System Access - 1 hour
By: Wade Grant
This Presentation will discuss reasons why it may be necessary to obtain operating system access in a
Windows NT, 2000, or XP Forensic Examination. Students will be able to gain operating system access
by either changing passwords or recovering passwords, and the advantages and disadvantages of each
method will be discussed.
Common Courtroom Problems for Experts
By: Dr. Kris Sperry
Anyone involved in law enforcement or forensic sciences will find themselves in a courtroom eventually,
providing testimony to their findings. The court system in the United States is adversarial, with one goal
being to discredit the witness, or neutralize the testimony in some other way. This presentation will
address common problems that are encountered by the expert witness in the courtroom, including how to
prepare for testimony, how to present the information, findings and opinions in the most effective way,
and how to anticipate problems and prevent them from occurring. Cross examination is usually not an
enjoyable experience, but the expert can be prepared so that their findings and opinions are presented in a
cogent and forthright manner.
Expert Testimony from the Prosecution's Point of View
By: David McLaughlin
The prosecution role of an effective expert begins long before the trial of a case. Too often emphasis is
placed solely on the actual testimony, without regard to pre-trial events. Successful prosecutions can
hinge on the intimate working relationship that an expert has with the prosecutor and the investigation.
This presentation will focus on 1) developing the necessary relationship between the expert and the case
investigation, trial preparation, and trial, 2) preparing the expert to testify in court, and 3) trial testimony.
Expert Testimony from the Defense Point of View
By: Stevens Miller
Take a rare chance to find out what the defense lawyer has in mind when a defendant uses, or must
cross-examine, an expert computer witness. This seminar will be presented by defense attorney and frequent
expert witness Stevens R. Miller, who will explain and demonstrate: how a defense witness makes use of
the reasonable doubt standard to good advantage; how a prosecution expert can be caught on seemingly
small points in cross-examination (and what to do about it); how an expert can coach the attorney in
advance of testimony; how to avoid or emphasize apparent sympathy for a distasteful defendant; how a
defense expert's testimony can avoid implications of police conspiracies (or be shown to imply them).
Useful for lawyers, investigators, and witnesses, this seminar will reveal how a defense attorney sees,
uses, and copes with an expert witness.
Search and Seizure
By: Jim Pace
This presentation is an overview of the precautions and procedures required in searching for and seizing
physical devices which may contain digital evidence, and related items needed to support the
investigation.
Advanced E-Mail Investigations
By: Thomas Akin
Email is one of the most used applications on the Internet--everyone has an email address. The basic
email protocol, SMTP, however, wasn't designed for security. Everyone from spammers to criminals is
taking advantage of this fact to hide their true identities when sending email. This presentation covers
some of the advanced techniques that are used to send spoofed and anonymous email and how to find out
who really sent that email.
Cisco Router Forensics
By: Thomas Akin
Routers are increasingly becoming the target of attacks. Once an attacker owns the network, they own
everything. This presentation discusses how router forensics differs from normal computer forensics, what
evidence can be collected from a router, and capturing forensic evidence with a tool called CREED.
Cybercrime Case Studies
By: Thomas Akin
Cybercrime is no longer the domain of white collar criminals. Drug dealers, murderers, and terrorists are
exploiting technology to find their victims, steal, and hide their tracks. But just as criminals can use
technology to their advantage, that same technology can be used to track them down. This presentation
details several actual cybercrime investigations and how technology helped bring criminals to justice.
Securing your Server Room.
By: John C. Elliott, Jr. CML CPS
The class participant will leave with a better understanding of the latest technology and products to secure
their computer rooms and/or other areas that hold sensitive, secret or other classified information.
We will have several persons actually use and enroll themselves into a biometrics device. These are
currently being used in airports and Federal buildings around the country and in other areas that require
the highest form of protection possible. While they are still in usage, this will rule out hasp and padlocks,
conventional locks and keys, and mag stripe or prox cards, that offer little defense in prohibited
duplication. High security proprietary key systems with electronics in the key, providing both access
control capability as well as mechanical key usage, will also be discussed.
Several products and manufacturers will be discussed and handouts will be provided to each person to
further their interests that will be brought out in the seminar. We will NOT have a factory representative
on hand; however, the products discussed will have their contact information and phone numbers listed in
the handouts provided should further material be required at a later time.
Online Investigative Techniques
By: Sandra Putnam
This block is presented by Special Agent Sandra J. Putnam, Georgia Bureau of Investigation. On-Line
Investigative Techniques introduces participants to the impact of the computer literate criminal on the
private and business sector. This course will also introduce participants to researching on-line using
search engines, the invisible web and Internet tools.
Emerging Malicious Code Threats
By: Roger Thompson
This presentation examines emerging trends in viruses, worms, remote access trojans, spyware, and
hacking tools.
Privacy:
How does the Gramm-Leach-Bliley Act Affect me and my Company
By: Patrick Enyart & Matthew Harper
An information seminar concerning the Gramm-Leach-Bliley Act (GLBA), more commonly known as
the Privacy Act. Communicate the law's definitions, requirements, rules, and regulations on how
financial institutions and other entities handle customer private information. Discuss specific steps that
institutions are taking to secure, manage, and share customer data to attain compliance. Though the act
was specifically written to regulate financial institutions, all businesses that share or process business data
relating to customers must have awareness of the requirements of the act.
Assessing Your Security
By: Tanya Bacam
Assessing allows you to identify vulnerabilities in your systems and networks before the attackers do.
Assessments are an essential part of any defense in depth strategy. This session will provide an
introduction to the tools that can assist in network assessments and the strategies that can be used to
complete a network assessment for your environment.
Electronic Evidence in Civil Litigation:
How to Help Attorneys Manage Discovery.
By: Troy Larson
Forensic computing consultants often find themselves assisting attorneys in civil discovery.
Supporting civil litigation, however, can be significantly different than computer crime related law
enforcement or investigating. This presentation will outline the four essential tasks in civil discovery--
Identify, Preserve, Process and Review--and demonstrate how the forensics practitioner can apply
common skills, techniques and tools to better assist his or her clients. The discussion will focus on how
to identify and process electronic evidence to prepare work product that is readily useful to attorneys. Time
permitting, the discussion can address strategies for helping attorneys review and organize large
volumes of computer data.
The Windows 2000/XP Command Line:
Useful Built-In Tools.
By: Troy Larson
Windows 2000 and XP come with an assortment of command line utilities, many of which have direct
application to forensic computing. This presentation will show participants how to get the most out of the
Windows command line and command line utilities. The discussion will begin with a brief guide to
customizing the Windows command line. It will then move through a quick, systematic presentation of a
number of useful command line utilities that come with Windows 2000/XP or the Windows 2000
Resource Kits. Time permitting, the discussion will turn to crafting useful, but simple, batch files.
The Red Team - Here's How We Broke Into Their Buildings!
(With their permission Of Course!)
By: Jack Wiles
During this entertaining and enlightening session, Jack will present some of the details of several threats
that he believes still leave most companies at great risk of exploitation. These are Physical Security
weaknesses and Social Engineering unawareness. That combination can leave a gaping hole in any
organization's defenses. Jack will share several war stories of how he taught his team to exploit both of
these vulnerabilities against company after company as his teams were hired to test their corporate
defenses. He will also be bringing the most dangerous bag that he could bring into your buildings - you'll
never guess what's in it. (If you think that you know what's in the bag, you're probably WRONG!)
Exploiting Web Applications:
A Step-by-Step Attack Analysis
By: Caleb Sima
Web applications by nature are not static. Content is continually being altered and new features are added,
in some instances on a very frequent basis. Each time the Web application is changed, a risk is imposed
that the application will not be secure. Even the simplest of changes could produce a vulnerability that
may pose a major threat to the assets of the company, or just as important, information about a company's
customers.
By taking advantage of the public access to a company through ports 80 and 443 and using it to subvert
your applications, hackers can gain easy access into your company's sensitive backend data. Firewalls and
IDS will not stop such attacks because hackers using the Web application layer are not seen as intruders.
Watch and learn as our top security experts from SPI Dynamics show you how to defend against attacks
at the Web application layer with examples covering recent hacking methods such as:
- SQL Injection
- Cross Site Scripting
- Parameter Manipulation
- Session Hijacking
Basics of PDA Forensics
By: Eric Bramble
This lecture will discuss the main forensic issues in dealing with different PDA devices and basic rules of
seizure. Examples of acquisition and analysis of Palm and Windows CE devices will be presented.
How to read partition Tables
By: John Mellon
The DOS/Windows logical structure
By: John Mellon
Research Project Abstract (Possible topic)
By: Michael Burnette
The computer recycling industry, in terms of returning donated PCs to service, is coordinated almost
entirely by non-profits that owe their existence to public and private sector equipment cast-outs near
end-of-life. The effort, while noble, may soon be undermined by the need to protect the data privacy of the
same donors. The introduction of HIPAA and the Gramm-Leach-Bliley Act, which outline liability and
plainly dictate how financial and medical data must be protected by law through equipment end-of-life,
may require recyclers to provide data destruction and certification services in order to continue to attract
prized computer equipment to their cause.
This presentation will describe the current state of a study being conducted on a random sampling of hard
drives collected using sound forensic techniques from a large computer recycling non-profit. The data
collection and cataloguing will support several unique analyses starting with basic statistical evaluations
of the general nature of data found. The final project deliverable will consist of definition and
statistical analysis of the existence of the following predetermined classes of liability in the data
catalogue: (i) Privacy (ii) Security (iii) Software Piracy (iv) Identity Theft (v) Insurance (vi) Corporate
Governance (vii) Professional Codes of Ethics and (viii) Environmental.
Features
Mock Trial
By: Cassandra Schanman, Stevens Miller, Andy Rosen, and others
A Mock Trial will be held on the last day of the Summit and will be presided over by the Honorable
Judge Steve Boswell, Clayton County Superior Court, Georgia. The Prosecution will consist of two
prominent lawyers from the State of Georgia and an expert witness from ASR Data. The Defense attorney
will be the well known Stevens Miller from Nova Data Labs. Evidence will be created by Mr. John
Mellon, Key Computer. The purpose of the Mock Trial will be to provide the audience with thought
provoking considerations when analyzing computer evidence through various means of forensic
examination. The Trial promises to be interesting, controversial and educational as well as entertaining.
Be sure to add this event to your schedule during the Summit.
Intrusion and Incident Response Demo
Log File Analysis Lab
By: James Moore
In this 4 hour presentation, examples of logs from various platforms will be reviewed and explained.
After careful review of these audit trails, several malicious attacks will be conducted upon the same
platforms and a subsequent analysis of the log files demonstrating the signatures of the attacks will be
performed. With an understanding of the delta analysis, Mr. Moore will go on to demonstrate the correct
methods for collecting and analyzing the logs - building upon the concepts presented in the 50 minute
LOG FILE ANALYSIS presentation.
Full Explosives Demonstrations
By: The Georgia Bureau of Investigations Bomb Squad
The Georgia Bureau of Investigations Bomb Squad will WOW you with a spectacular display of
controlled detonations. Homeland Security is very important. Because explosives can be hidden just
about anywhere, it is very important for everyone to be aware of the power behind explosives. This can
be a wake up call to all first responders. It shows the power of explosives in a way that no one will soon
forget. It will serve as a wake up call also to anyone who has ever had the urge to kick that suspicious
package. This 30-50 minute presentation is sure to be the high point of your afternoon.
Warning: This demonstration uses live explosives and with any demonstration of this nature there
is a possibility of injury. Stay in the zone indicated to observe the demonstration. It is set up for
your protection. The GBI bomb squad has been doing these demonstrations for years with no
injuries.
Labs
ILOOK Investigator © Lab
4 hours
By: Kelly Rhodes & Mike Toto
A hands-on presentation for experienced examiners wishing to learn the functionality ILook Investigator
© has to offer. Learn how to manage evidence files, carve unallocated space, import hash sets, do bulk
searches, create a forensic report and more.
ILook Investigator © is a forensic analysis tool used to analyze images of computer hard disk drives. The
software is provided free of charge to qualifying law enforcement agencies throughout the world. The
software is made available through the Electronic Crimes Program of the Internal Revenue Service.
ILook is a tool to be used ONLY by those persons trained and skilled in forensic data recovery. It is not a
tool to be used by those inexperienced in computer forensics at any level. Without such a background of
knowledge and qualifications, the findings produced from using ILook to examine digital data may be
unreliable and cannot be subject to verification.
ILook makes use of the Hashkeeper Database designed and maintained by Brian Deering and the U.S.
DOJ National Drug Intelligence Center. In addition, addendum hash tables from the NIST NSRL working
group are also supported where the format adheres to the Hashkeeper table form. The user is required to
provide any hash tables used in a form that meets the ILook table design criteria.
Please note - The ILook End User License Agreement (EULA) and program registration restrict
the use of ILook to law enforcement agencies only. There are no exceptions. Because of this
limitation only Sworn Law Enforcement or those individuals meeting the guidelines for using this
product will be allowed in the class.
AccessData Forensic Toolkit™ (FTK™) Lab
4 hours
By: Eric Thompson & David Benton
The AccessData Forensic Tool Kit (FTK) offers law enforcement and corporate security professionals the
ability to perform complete and thorough computer forensic examinations. The FTK features powerful
file filtering and search functionality. FTK's customizable filters allow you to sort through thousands of
files to quickly find the evidence you need. FTK supports over 270 different file formats with Stellent's
Outside In Viewer Technology. One of the most powerful features of the FTK is full text indexing
powered by dtSearch®, which yields instant text search results. FTK now supports NTFS, NTFS compressed,
FAT 12/16/32, and Linux ext2 & ext3, and such image formats as Encase, SMART, Snapback, Safeback,
and Linux DD.
The FTK works great for analyzing Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink,
Eudora, Hotmail, and MSN e-mail, and it automatically extracts data from PKZIP, WinZip, WinRAR,
GZIP, and TAR compressed files.
Introduction to AccessData Forensic Toolkit™ (FTK™) Lab
2 hours
By: Eric Thompson
A software overview suitable for those interested in the software. This lab is designed to let you explore
the basic features of AccessData Forensic Toolkit™ (FTK™), but it is not a full lesson on how to use all
the features.
The AccessData Forensic Toolkit™ (FTK™) offers law enforcement and corporate security professionals
the ability to perform complete and thorough computer forensic examinations. The FTK features powerful
file filtering and search functionality. FTK's customizable filters allow you to sort through thousands of
files to quickly find the evidence you need. FTK is recognized as the leading forensic tool to perform
e-mail analysis.
ASR Data's SMART for Linux Lab
4 hours
By: Andy Rosen and Thomas Rude
Today's forensic practitioner may be faced with numerous technologies: computer systems, PDAs, cell
phones, memory sticks, SD, CF and SIM card storage, digital cameras, thumb drives... the list keeps
growing.
The Storage Media Archival and Recovery Tool (S.M.A.R.T.) is a "next generation" forensic tool
designed to assist the cutting edge forensic practitioner in securing, acquiring, authenticating, analyzing
and archiving many types of digital data.
S.M.A.R.T. leverages the awesome power and flexibility of Linux and presents the forensic practitioner
with a clean, intuitive graphical user interface that has been developed from the ground up to support the
unique requirements of the forensic and law enforcement communities.
S.M.A.R.T. has been independently validated and is in use by numerous federal, state and local law
enforcement agencies throughout the world, and was selected as the tool of choice for work on one of the
largest computer forensic investigations in the world.
Guidance Software EnCase V 4.0 Lab
4 hours
By: Gary Lowe
A hands-on presentation for examiners wishing to learn the functionality EnCase V 4.0 has to offer.
Learn how to manage evidence files, perform keyword searches, create hash sets, create a forensic report
and more.
Award winning and validated by the courts, EnCase allows law enforcement and
IT professionals to conduct powerful, yet completely non-invasive, computer forensic investigations.
EnCase features an intuitive GUI that enables examiners to easily manage large volumes of computer
evidence and view all relevant files, including "deleted" files, file slack and unallocated space.
The solution effectively automates core investigative procedures, replacing archaic, time-consuming and
cost-prohibitive processes and tools.
The integrated functionality of EnCase allows the examiner to perform all functions of the computer
forensic investigation process. EnCase's EnScript is a powerful macro-programming language and API
that allows investigators to build customized and reusable forensic scripts.
Introduction to Guidance Software EnCase V 4.0 Lab
2 hours
By: Gary Lowe
A software overview suitable for those interested in the software package. This lab is designed to let you
explore the basic features of Guidance Software's EnCase V 4.0, but it is not a full lesson on how to use
all the features. If you are already a V 3.0 user, get updated to the new features present in version 4.0.
Award winning and validated by the courts, EnCase allows law enforcement and
IT professionals to conduct powerful, yet completely non-invasive, computer forensic investigations.
EnCase features an intuitive GUI that enables examiners to easily manage large volumes of computer
evidence and view all relevant files, including "deleted" files, file slack and unallocated space.
The solution effectively automates core investigative procedures, replacing archaic, time-consuming and
cost-prohibitive processes and tools.
The integrated functionality of EnCase allows the examiner to perform all functions of the computer
forensic investigation process. EnCase's EnScript is a powerful macro-programming language and API
that allows investigators to build customized and reusable forensic scripts.
Linux for Forensics Lab
4 hours
By: Thomas Rude
The field of data forensics ('computer forensics' as commonly referred to) is rapidly changing.
Historically data forensics focussed on the imaging, analysis, and reporting of a stand-alone PC hard
drive. However, due to rapid advances in technology as well as the reduction in cost of technology, data
forensics has begun an evolution from stand-alone PCs to network servers, handheld devices, and
enormous volumes of data.
The bits and bytes have not changed. But the number of them certainly has. It is not uncommon today to
have 60GB hard drives in desktop PCs. But even more pressing is the substantial increase in the number
of non-Windows based systems. Increasingly, forensic examiners are running across systems running
UNIX variants, Linux variants, and other operating systems (BeOS, Mac OS, etc.). While home PCs are
still primarily Windows machines, examiners entering the corporate work place are finding themselves
facing the *nix variants on both desktops and servers.
Next Generation Data Forensics defined: the process of imaging and analyzing data stored in any
electronic format, for the purpose of reporting findings in a neutral manner, with no predisposition as to
guilt or innocence.
What is the next generation data forensics platform of choice? Linux. Why Linux? Linux, as it stands by
itself as an operating system environment, has many features that make it both very powerful and very
able to process data forensics. A stock, out of the box Linux system already has built into it the ability to
image, authenticate, wipe, and search media. Furthermore, there are a number of tools currently under
development that are being written specifically for data forensics on the Linux platform.
The power of Linux
- filesystems support
- granular control of hardware
- device recognition
- scripting
- ability to review source code for most utilities
- redirect output to input
- ability to log and monitor processes and commands
- bootable media (floppies, CD-ROMs, etc.)
- ability to analyze running systems in a minimally invasive manner
(RIM) Blackberry Lab
4 hours
By: Michael Burnette
The RIM Blackberry handheld wireless email device has become seemingly ubiquitous among businesses
in corporate America. Its unique design and adherence to push, rather than pull, delivery technology has
allowed RIM to carve a solid niche in the PDA market. However, the features that allow the Blackberry
to remain unmatched by competitors, such as long battery life and quick processing speed, are the very
same features that result in a design conducive to effective mining of hidden data artifacts in the file
system.
This lab will explore a first generation forensic investigation method for RIM Blackberry models 850/950
and 857/957. Effective handling during seizure, model identification, file system review, unit simulation,
and data hiding will be discussed. The presentation portion will include an overview of a typical
corporate Blackberry infrastructure including the Blackberry Enterprise Server and desktop software.
However, the focus of the instruction and hands-on lab will be on the physical Blackberry unit itself.
Chiefs Brunch
Protecting the Critical Infrastructure
By: Mr. Howard A. Schmidt
Vice Chair, President's Critical Infrastructure Protection Board
Setting up a Cybercrime Unit
At the Local and State Level
By: Steve Edwards
This block of instruction is to provide and cover the issues related to cybercrime investigations
and computer forensics for state and local law enforcement agencies and is designed for the command
staff level. The issues to be addressed include budgeting, human resources, and assets including
equipment, training, command structure and other aspects for managing such a Unit.
InfraGard
By: Jerry Becknell
InfraGard has given the private sector a large role to play in homeland security which continues to grow
day by day. SA Becknell will explain how conference attendees can get involved in InfraGard and
participate in protecting the national critical infrastructure.
