Conference Organizer
Table of Contents
Conference
Hyatt Regency Atlanta Map ... 2
General Information ... 3
Welcome ... 5
Thanks to the Sponsors ... 7
Hours of Operation ... 7
Pre-Conference Training Agenda (Friday–Monday) ... 8–10
Classified Training Session: Cyber Counterintelligence (CI) Briefings ... 10
Pre-Conference Training Planner ... 11
Digital Signatures and Hash Set Summit Agenda ... 12
Conference Agenda (Tuesday–Friday) ... 13–21
Breakout Session Locator Map ... 22
Breakout Session Planner ... 23
Birds of a Feather Sessions ... 24–25
Open Meeting Rooms ... 25
DC3 Tool Expo ... 26
Session Descriptions ... 27–49
  Pre-Conference Training Descriptions ... 27–28
  Plenary Session Descriptions ... 28
  Track Session Descriptions ... 28–49
Speaker Biographies ... 51–73
  Plenary Speakers ... 51–53
  Breakout Speakers ... 55–73

Exposition and Special Events
Special Event Listing ... 74–75
Exhibit Hall Raffle ... 76
Silent Auction ... 77
Cyber Crime Olympics 2011 ... 78
DC3 Digital Forensics Challenge Award Presentation ... 79
Exposition Floorplan and Exhibitor Listing ... 80–81
Company Profiles ... 82–88
General Information

Dress/Attire
Business Casual

Attendee Certificates
Cyber Crime Conference certificates will be e-mailed to all conference attendees who have turned in their surveys. These certificates qualify you for training credit toward certifications you may hold (such as the CISSP) and are also valid as proof that you attended the conference.

FedEx Office
The Hyatt's FedEx Office is located on the Lobby Level. Business hours: Mon.-Fri. 0700 to 1900, Sat. 0900 to 1700, Sun. 0900 to 1300. Services include photocopying, printing, facsimiles, word processing, shipping, high-speed internet access, and more, all at very affordable prices.

Pre-Conference Training
Each person attending a pre-conference training course receives a detailed lesson on the topic they have chosen. The majority of the hands-on training rooms are equipped with computers so students can learn in a lab atmosphere. Students must attend a full training session in order to receive a certificate of attendance.

Weapons
Weapons can be checked in a safety deposit box or secured in your guest room. If weapons are not checked or secured in your guest room, please place a Do Not Disturb sign on the guest room door so the room will not be serviced.

Press
Press are invited to attend the conference all day Tuesday until the reception ends at 1900. Press must wear a press ribbon and may use the Greenbriar Room for interviews.

Emergency Numbers
Dial (703) 740-1980 to reach the conference emergency phone, which is located at Conference Registration in the Grand Hall Foyer. Messages received on that number are posted on the message board by the Registration Desk.

Questions
Please contact one of our conference staff members if you have questions during the conference. Staff are easily identified by their Technology Forums or DC3 STAFF badge. During conference hours there is always someone at the Registration Desk in the Grand Hall Foyer to assist you.

Survey
After the conference you will be e-mailed a website link where you can provide feedback about the conference. We are eliminating paper surveys to save precious natural resources. Your input is very valuable, so please take a moment to comment and help us make the conference the best it can be.

Badges
You must wear your conference badge at all times while attending sessions or functions of the conference. Badges are bar-coded and contain the same information that is listed on your business card (name, title, organization, address, phone, fax and e-mail). Allowing your badge to be scanned by an exhibitor is the same as giving someone your business card.
U.S. Department of Defense Cyber Crime Conference 2011 | Cyber Hunters: Predators and Prey...
Welcome
Welcome to the Department of Defense's 10th Annual Cyber Crime Conference and Exposition, sponsored by the DoD Cyber Crime Center (DC3). This year's Conference theme is Cyber Hunters: Predators and Prey. Last year, almost 1,100 personnel attended this event. This year, we have a packed agenda in store for all attendees, which includes more than 40 pre-conference, hands-on digital forensics training courses, 20 concurrent track sessions, and a plenary session with the movers and shakers in the business. The purpose of the conference is to bring together government digital forensic examiners, prosecutors, law enforcement/counterintelligence investigators, systems administrators, and information assurance personnel, as well as to provide an opportunity for all Federal, State and Local law enforcement personnel to address issues surrounding the proliferation of cyber crime. This is the only DoD/Federal/State Government event that brings all these personnel together in an open and interactive forum to explore ways to work together to ensure successful prosecutions through unbiased digital forensics media analysis, investigative support, and counterintelligence operations. This year's conference theme, Cyber Hunters: Predators and Prey, explores the ever-increasing ways criminals prey on personal and institutional security and how individuals and organizations can combat and prevent these threats. Come learn from the experts about the most sophisticated tools and techniques available for exposing and preventing cyber crime and how investigators can better hunt down cyber predators. We'll also export a 250-300 node network and provide over a dozen hands-on digital forensics courses to help you make sure you're the predator and not the prey. Our goal is to provide you with focused sessions that afford ample opportunities to ask questions and engage in dialogue with the subject matter experts.

In addition, you won't want to miss the many special events that occur throughout the week. Please read through the program guide for details. I would like to make specific mention of two of these events: the Cyber Crime Olympics and the Silent Auction, both of which raise funds for the National Center for Missing and Exploited Children (NCMEC). The Cyber Crime Olympics, taking place in the Centennial Ballroom, offers fun activities where conference attendees can compete while networking with peers. The events include the CD Toss and the Floppy Disk Throw. First round participation is free. Extra tosses require a small donation to NCMEC. The Silent Auction, located in the Exhibit Hall, is our second event and also raises funds for NCMEC. Some of the 80-plus exhibitors participating in the Conference will be auctioning their products or services, so don't miss it! Refer to page 77 of this guide for Silent Auction details. I would like to quickly congratulate all of the 2010 DC3 5th Annual Digital Forensic Challenge winners. DC3's Digital Forensics Challenge encourages innovation from a broad range of individuals, teams, and institutions to provide technical solutions for computer forensic examiners in the lab as well as in the field. Approximately 25 different challenges ranging from basic forensics to advanced tool development were provided to all participants. The challenges were single based challenges and were designed to be unique and separate from one another. The objectives of DC3's Annual Digital Forensics Challenge are to establish relationships; resolve technological issues; and develop new tools, techniques, and methodologies for the digital forensic community. As we begin the 2011 event, each attendee is encouraged to express ideas, collaborate with one another, and take full advantage of the extensive resources offered.

These resources will assist in gaining the knowledge and experience necessary to successfully fight the ever-growing cyber crime challenges that the digital forensics community faces. Finally, I wish to thank you for supporting our program, and also thank the cast of the TV show NCIS and their Technical Advisor Leon Carroll (retired NCIS Special Agent) for their tremendous support for the conference.

Jim Christy
Special Agent (Retired)
Director, Futures Exploration, Department of Defense Cyber Crime Center
Hours of Operation

Attendee & Exhibitor Registration
The registration desk is located in the Grand Hall Foyer on the Exhibit Level.
Thursday, January 20: 1600–2000
Friday, January 21: 0730–1630
Saturday, January 22: 0700–1700
Sunday, January 23: 0730–1800
Monday, January 24: 0600–1630
Tuesday, January 25: 0700–1700
Wednesday, January 26: 0730–1700
Thursday, January 27: 0700–1700
Friday, January 28: 0730–1200

Exhibit Hall
Tuesday, January 25 (not open during General Session): 1100–1900
  Lunch: 1130–1300
  Afternoon Break: 1445–1530
  Reception: 1700–1900
Wednesday, January 26: 0730–1900
  Morning Reception: 0730–0830
  Morning Break: 1030–1100
  Lunch: 1200–1330
  Afternoon Break: 1430–1500
  Reception: 1700–1900
Thursday, January 27: 0730–1330
  Morning Reception: 0730–0830
  Morning Break and Raffle: 1030–1100*
  Closing Lunch and Silent Auction: 1200–1330**
  Exhibit Hall Closing: 1330
* Raffle winners will be announced at 1045
** Silent Auction closes at 1250

Cyber Café
The Cyber Café is located in the Grand Hall Foyer on the Exhibit Level.
Monday, January 24: 1000–1700
Tuesday, January 25: 0700–1900
Wednesday, January 26: 0730–2100
Thursday, January 27: 0700–1700
Friday, January 28: 0700–1200
Pre-Conference Training (Friday–Monday)

Pre-conference training includes hands-on classes where attendees can earn continuing education credits. Geared towards a smaller teacher-to-student ratio, these classes are limited to 20 to 40 people per training session. All training sessions (except the SANS and NW3C classes) earn Defense Cyber Investigations Training Academy credit hours.

Friday, January 21
0730–1630 Conference Registration
0730–0830 Morning Reception
0830–1630 Pre-Conference Training, Day 1
0930–1015 Morning Coffee Break
1400–1445 Afternoon Coffee/Refreshments Break

Pre-Conference Training, Day 1 (room: session title; repeating schedule)
Auburn: Analysing Malicious Carrier Files (repeats Monday)
Baker: Introduction to Malware Analysis (repeats Sunday–Monday)
Courtland: Windows 7 Forensics (repeats Monday)
Dunwoody: Snort for Network Analysis (repeats Monday)
Fairlie: Follow the Script Please! (repeats Monday)
Greenbriar: Wireless Technology Workshop (repeats Sunday–Monday)
Edgewood: Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks (repeats Sunday–Monday)
Inman: Windows Incident Response (repeats Sunday–Monday)
Kennesaw: Online Anonymity (repeats Monday)
Lenox: Mac Forensics - 2011 (repeats Sunday–Monday)
International South: SANS Metasploit Kung Fu (no repeat session)
International North: NW3C TUX4N6 (repeats Saturday–Sunday)

Saturday, January 22
0700–1700 Conference Registration
Pre-Conference Training, Day 2
Morning Coffee Break
Afternoon Coffee/Refreshments Break
Training Reception: It's 5 O'Clock Somewhere. Forget the winter blues and put on your favorite Hawaiian shirt! You may purchase a Hawaiian shirt at Conference Registration.

Pre-Conference Training, Day 2 (room: session title)
Auburn: Introduction to Botnets
Baker: Introduction to Malware Analysis (cont.)
Courtland: Pen Testing 101
Dunwoody: Advanced Network Intrusion Traffic Analysis
Fairlie: Introduction to EnCase for Prosecutors and Case Agents
Greenbriar: Wireless Technology Workshop (cont.)
Edgewood: Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks (cont.)
Inman: Windows Incident Response (cont.)
Kennesaw: Network Exploitation Analysis Techniques
Lenox: Mac Forensics - 2011 (cont.)
International South: SANS Metasploit Kung Fu (cont.)
International North: NW3C TUX4N6

Sunday, January 23
0730–1800 Conference Registration
0730–0830 Morning Reception
0830–1630 Pre-Conference Training, Day 3
0930–1015 Morning Coffee Break
1400–1445 Afternoon Coffee/Refreshments Break

Pre-Conference Training, Day 3 (room: session title; repeating schedule)
Auburn: Introduction to Botnets (no repeat session)
Baker: Introduction to Malware Analysis (no repeat session)
Courtland: Pen Testing 101 (no repeat session)
Dunwoody: Advanced Network Intrusion Traffic Analysis (no repeat session)
Fairlie: Introduction to EnCase for Prosecutors and Case Agents (no repeat session)
Greenbriar: Wireless Technology Workshop (no repeat session)
Edgewood: Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks (no repeat session)
Inman: Windows Incident Response (no repeat session)
Kennesaw: Network Exploitation Analysis Techniques (no repeat session)
Lenox: Mac Forensics - 2011 (no repeat session)
International South: SANS Metasploit Kung Fu (no repeat session)
International North: NW3C TUX4N6 (repeats Monday)
Monday, January 24
0600–1630 Conference Registration: Grand Hall Foyer
Morning Reception: Grand Hall Foyer
Pre-Conference Training, Day 4: Conference Level Foyer
Classified Training Session: offsite from hotel (transportation provided)
0930–1015 Morning Coffee Break
1400–1445 Afternoon Coffee/Refreshments Break

Classified Training Session: Cyber Counterintelligence (CI) Briefings
The briefings center around tactics, techniques, and procedures (TTPs), along with updates on current policies, investigations, and operations from the services and national-level agencies. Due to the sensitive nature of its content, the session is classified as Secret//NOFORN. Below are the briefing topics and descriptions:
- Cyber CI Policy at both the National and DoD levels
- Cyber CI training at both the National and DoD levels
- What the DoD services are seeing from State and Non-State actors in terms of Cyber CI
- What the DoD services are doing in regards to Cyber CI
- National-level program with a Cyber CI focus

Important Information
Classified Session attendees must register and pick up a conference badge at the Conference Registration Desk on the Exhibition Level prior to arriving at the clearance checkpoint on Monday morning. Conference Registration is open Sunday until 1800 and opens Monday morning at 0600. On Monday morning, meet at the clearance checkpoint in the hotel (Grand Hall East) at 0630. Please arrive early due to the large number of people attending this session. DC3 staff will verify your conference registration, your clearance, and your government-issued picture ID prior to allowing you to board the bus. Note: Please DO NOT carry cell phones or other PDA devices to the classified session. Cyber CI Briefing registration was limited and restricted to U.S. citizens who possess a SECRET clearance with the United States.

Pre-Conference Training, Day 4 (room: session title)
Analyzing Malicious Carrier Files
Introduction to Malware Analysis (cont.)
Courtland: Windows 7 Forensics
Dunwoody: Snort for Network Analysis
Fairlie: Follow the Script Please!
Greenbriar: Wireless Technology Workshop (cont.)
Edgewood: Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks (cont.)
Inman: Windows Incident Response (cont.)
Kennesaw: Online Anonymity
Lenox: Mac Forensics - 2011 (cont.)
Learning Center: The Digital Signatures and Hash Set Summit (for the complete agenda for this session, see page 12)
  Morning 0830–1130: Executive Session (Invitation Only)
  Afternoon 1230–1630: Open Session
Digital Signatures and Hash Set Summit Agenda

Executive Session (Invitation Only)
0830 Introductions by MC: Brian Havens, DC3
0900 Key players; What are the goals of the summit?
1000 Brainstorming solutions
  NRDFI Demonstration | Dr. Mark Weiser, Oklahoma State University
  Presentation by Dan Mares: Maresware Hashing Programs
  Massaging of the NSRL data files
Lunch

General Session (Open to All Attendees)
Introductions
Overview of identified problems
Overview of proposed solutions
  NRDFI Demonstration | Dr. Mark Weiser, Oklahoma State University
  Presentation by Dan Mares: Maresware Hashing Programs
  Massaging of the NSRL data files
Conference Agenda (Tuesday–Friday)

Tuesday, January 25
0700–1700 Conference Registration: Grand Hall Foyer
0700–1900 Cyber Café | Sponsored by Guidance Software: Grand Hall Foyer
0700–0745 Morning Reception | Sponsored by CompTIA and Pearson VUE: Centennial Foyer
1130–1700 Exhibit Hall Opens (not open during sessions): Exhibit Hall

General Session (Location: Centennial Ballroom 1-4)
0745–0815 Opening Presentation
  Master of Ceremonies: Bill Eber, Director, Defense Cyber Crime Institute (DCCI)
  National Anthem: U.S. Army Ground Force Band, Fort McPherson, Georgia
Morning Coffee Break | Sponsored by BAE Systems: Centennial Foyer
Cyber Skills Matter: Findings from the CSIS Commission on Cybersecurity for the President
  Alan Paller, Director of Research, SANS Institute
Lunch: Exhibit Hall
Announcements
  Master of Ceremonies: Bill Eber, Director, Defense Cyber Crime Institute (DCCI)
Dessert Social | Sponsored by BAE Systems: Exhibit Hall
Pursuing Cybercrime Targets Around the World
  Mr. John Lynch, Principal Deputy Chief (CCIPS), U.S. Department of Justice
1700–1900 Opening Reception: Exhibit Hall
  Sponsored by CSC; Reception Beverages Sponsored by i2. All attendees are invited to a special reception inside the Exhibit Hall. Don't miss this opportunity to connect with colleagues and learn about the IT products and service solutions that our exhibitors have to offer. Hors d'oeuvres and drinks will be served.
Wednesday, January 26
0730–1700 Conference Registration: Grand Hall Foyer
0730–2100 Cyber Café | Sponsored by Guidance Software: Grand Hall Foyer
0730–0830 Morning Reception | Sponsored by CompTIA and Pearson VUE: Exhibit Hall
0730–1900 Exhibit Hall Open: Exhibit Hall
0830–1150 Morning Breakout Sessions (slots 0830–0920, 0930–1020, 1100–1150)
1030–1100 Morning Coffee Break | Sponsored by Adobe: Exhibit Hall
1200–1330 Italian Lunch in the Exhibit Hall
1330–1650 Afternoon Breakout Sessions (slots 1330–1420, 1500–1550, 1600–1650)
1430–1500 Afternoon Break | Sponsored by Adobe: Exhibit Hall
1900–2100 DC3 Tool Expo: Exhibit Hall. This is a unique opportunity to view and provide feedback on over a dozen tools developed specifically for Cyber Crime Investigators, Digital Forensic Examiners, and Analysts. See page 26 for more information.

Breakout Sessions, Day 1 (Wednesday), by track. Sessions marked "repeat session" are offered again on another day.

Morning

Defense Industrial Base (Centennial Ballroom 4, Grand Hall C, Courtland, Auburn)
- Automated Wireless Pentesting with SILICA-U (repeat session)
- Amnesia Live CD: Having No Memory Of Your Surfing
- Securing Web 2.0: Are Your Web Applications Vulnerable?
- Data Exfiltration: Detection and Defense (repeat session)
- New Lab, New COCOM, New Network, New Challenges
- Responding to Advanced Persistent Threat Intrusions; Effective Tools, Tactics, and Protocols for Enterprise Intrusion Investigations (repeat session)

Forensics (Learning Center, Centennial Ballroom 1, Hanover E, Grand Hall A, Grand Hall B)
- SUSE Studio
- Reverse Engineering Obfuscation and Communications
- Damaged Media Recovery
- A Review of All Cell Phone Forensics Tools and HOW They Work (continues into the next slot)
- A Cell Phone and GPS Forensic Tool Classification System
- CD/DVD On-Disk Structures
- Photo Forensics: There Is More to a Picture than Meets the Eye
- MAC Analysis in the Windows Environment
- Applying Reforms From the Intelligence Community to Computer Forensics
- F-Response to the Rescue
- Advancements in Android Forensics
- Malware Analysis (just about anyone can do it)
- Introduction to TrueCrypt
- The Whiddler
- X-Ways, The Other White Meat
- Advanced SQLite in Forensics

Information Assurance (Grand Hall D)
- Security For the Network Administrator
- 10 Mistakes Hackers Want You to Make

Law Enforcement (Hanover A-B)
- Officer Safety in a Digital Environment
- A More Strategic Approach to Cyber Crime
- The Wild, Wild, Web: Knowing the Basics for Online Investigations (repeat session)
- Firefox Plug-ins Useful for Online Investigations
- Splunk as an Enterprise Incident Response and Forensic Tool
- Intelligence Law in a Cyber World
- Password Cracking
- Applying the Science of Similarity to Computer Forensics
- Blogs, Tweets & the Law: The First Year of DTM 09-026

Research & Development
- Russian Souvenirs
- Shadow Volume Link Manager and VirtualBox; Tools for Accessing Shadow Volume Data
- iPhone Forensics
- Solid State Drives
- Nokia Series 40 Physical Acquisition and Analysis Internals

Afternoon

Defense Industrial Base (Grand Hall C, Courtland, Fairlie)
- Responding to Advanced Persistent Threat Intrusions; Effective Tools, Tactics, and Protocols for Enterprise Intrusion Investigations (repeat session)

Forensics (Learning Center, Centennial Ballroom 1, Hanover E, Centennial Ballroom 2-3, Grand Hall A, Dunwoody, Grand Hall B, Edgewood)
- Windows Memory Forensics and Direct Kernel Object Manipulation
- Mac Triage: Do You Know What You Are Missing?
- Browser Forensics: Advanced Discovery & Analysis of Internet Artifacts
- Lifting the Lid on Cyber Espionage and Tracking Insider Threats
- Using Forensic Triage for Document and Media Exploitation
- Where Did My Data Go?
- Deploying EnCase Enterprise to a Snap Server
- Deploying Advanced Features of the Cellebrite UFED
- Live Device Acquisition and Analysis And Why You Should Care
- FTK Imager, Triage and Beyond
- Centers for Digital Forensics Academic Excellence (CDFAE)
- Technology as a Force Multiplier in the Processing of Crime Scene
- Collaborative Forensic Analysis: Reducing Case Load Through Division of Labor
- Mobile Tagging or Tag You're IT! Is Your Cellphone Talking?

Information Assurance
- Understanding The Security Concerns Associated with Virtualization
- mIRC

Law Enforcement (Hanover A-B, Hanover C-D, Hanover F-G, Auburn)
- Intelligence Gathering Through Twitter
- National Repository for Digital Forensic Intelligence (NRDFI)
- Financing Terrorists and Criminals; the Impact of Nontraditional Monetary Systems and the Internet on Homeland Security
- Technology Advancements at NCMEC
- Do You See What I See? Strategies to Streamline Explicit Image Identification, Classification, and Reporting
- Practical Host-Based Malware Detection Using Run-Time Features
- First Thing We Do, Let's Kill all the Lawyers; a Criminal Investigator's Guide To Working With Those Pesky Prosecutors

Legal (Baker)
- Effective Expert Witness Testimony
- 20+ Ways to Improve Digital Evidence & Cyber Crime Trials
- Espionage: A System Dynamics Model of Crimes Against Our National Security
- Wireless Investigations
- Cisco Network Devices Incident Response

Research & Development (Inman, Auburn)
- Cloud Computing Forensics
- Open Source vs. Closed Source. Which is More Secure?
- Computer, Identify that Individual; IT'S ALREADY 2011 and I Still Don't Have Any Cool Facial Recognition Software!
- Hard Drive Forensics: Diagnostics & Understanding a Broken Drive
- The Many Thumbs of Megan Fox
- Password Cracking with Graphics Processors
- Russian Souvenirs
Thursday, January 27
0830–1150 Morning Breakout Sessions (slots 0830–0920, 0930–1020, 1100–1150)
1030–1100 Morning Coffee Break and Raffle Drawing | Break Sponsored by BAE Systems: Exhibit Hall. Win fabulous prizes in the raffle; raffle winners will be announced at 1045.
1200–1330 Lunch: Exhibit Hall
1330–1650 Afternoon Breakout Sessions (slots 1330–1420, 1500–1550, 1600–1650)
1430–1500 Afternoon Break | Sponsored by BAE Systems: Conference Level Foyer
1700–1830 Birds of a Feather. See pages 24–25 for the complete list of Birds of a Feather sessions and locations.

Breakout Sessions, Day 2 (Thursday), by track.

Morning

Defense Industrial Base (Centennial Ballroom 4, Grand Hall C, Courtland, Learning Center)
- Wireshark, Not Just A Pretty Interface
- Operation Coredump: Countering the Afcore Botnet Threat
- Learning Web Application Attacks, Defense and Forensics with OWASP BWA (repeat session)
- Malware Analysis For Non-Coders/Developers
- Advanced Command and Control Channels (repeat session)
- Configuring VMs
- Remediating Compromised Environments: Case Studies From Large and Small Enterprises
- Cyber Threats to the Defense Industry
- Simple MySQL Data Extraction for Forensic Analysts
- Cryptanalysis for Incident Responders, c20.11

Forensics (Centennial Ballroom 1, Hanover E, Grand Hall A, Centennial Ballroom 2-3, Dunwoody, Grand Hall B, Fairlie)
- DC3 Digital Forensics Challenge 2010 Solutions: Presentations by Winners
- Introduction to Malware Analysis With Immunity Debugger
- Linux EXT File Recovery via Indirect Blocks
- Introduction To Non-Standard Digital Evidence
- Wireless Incident Response, Investigating a Wireless Breach
- Shadow Warriors: A Tour of Vista/Windows 7 Volume Shadow Copy
- Introduction to TUX4N6: NW3C's Digital Triage Tool

Information Assurance (Grand Hall D, Fairlie)
- Near Real Time Audit Data Analysis Comes of Age
- Deep Packet Inspection: Protecting Federal Agency Networks Against the Next Generation of Cyber Threats
- Feeding Incident Response into Your Detection Systems
- Threat Auditing: Identifying Malicious Code and Other Anomalies
- The Hidden Joys (& Benefits) of Running a Continuous Monitoring Program

Law Enforcement (Hanover A-B, Kennesaw)
- Photo Forensics: There is More to a Picture than Meets the Eye (repeat session)
- Firefox Plug-ins Useful for Online Investigations (repeat session)
- Forensics Data Extraction (FDE) Triage Tool
- iPhones and Androids: Data Extraction and Controversy
- Using Deepnet as a Covert Channel for Communication
- The Morphing of Peer to Peer Apps
- Usenet Newsgroup Investigations
- Adobe Photoshop Digital Imaging and Law Enforcement
- PANEL: Delivering Electronic Crime & Digital Evidence Tools, Technologies & Resources to the Criminal Justice Community (continues into the next slot)
- The Wild, Wild, Web: Knowing the Basics for Online Investigations (repeat session)

Legal (Baker)

Research & Development (Inman)
- Borderless Networks
- Visualization of Mobile Forensics Data: Techniques and Case Studies
- Network Traffic Analysis: Sipping From the Firehose
- The Evolution of Cyber Analysis in the Cyber Security Revolution
- Exploring Font Based Steganography with a Focus on Tool Development
- Fuzzy Hashing and the False Negative Rate

Afternoon

Defense Industrial Base (Centennial Ballroom 4, Grand Hall C, Courtland)
- Protecting Against PDF-based, Modern Malware Attacks
- Internationalized Domain Names (repeat session)
- Cloud Computing Basics
- How To Deal With Instant Messengers In A Forensic Investigation
- The Metasploit Wireless Suite (repeat session)

Forensics (Learning Center, Centennial Ballroom 1, Hanover E)
- Get Down and Dirty With Your Mobile Media
- NTFS On-Disk Structures
- Android: A Forensic Primer
- A Malware Analysis Case Study: Analysis of the {TDL3, Tidserv, TDSS, Alureon} Kernel Mode Rootkit
- Introduction to Malware Analysis
- Windows 7 Artifacts
- Combating Spear-Phishing: Convergence of Intel, Ops, and Forensics
- Chasing Down a Spillage Incident: PII and Classified Data Spills
- External, Transparent Malware Analysis and its Applications
- Stick Around: Persistence Mechanisms in Recent APT Compromises
- SSDs and Forensics: A Good Mix?
- The Malies: An Award Show for Epic Fail and Great Success in Malicious Software
- Timeline Analysis Using Open Source Tools
- Introduction to Manual Unpacking with OllyDBG/Immunity
- Solid State Disk Data Recovery: Dead Disk Analysis is Dying
- Why I Don't Care How You Got Hacked
- Is This Normal? The ABCDEs of Registry Analysis
- Forensic Training in a Digital Battlefield

Information Assurance (Grand Hall D, Fairlie)
- Government IT Security Strategies
- Defeating APT Through Capabilities-Based Security Operations
- The Common Credentials Dilemma
- Internet Isolation using a Virtualized Hardened Browser

Law Enforcement (Hanover A-B, Hanover C-D, Hanover F-G)
- Over Anti-virus, Through the Firewall and Out Your Network the Data Goes
- Using Gmail for Data Mining
- Web 2.0 for Cyber Investigators

Legal (Baker)

Research & Development (Inman, Kennesaw)
- Smart Phone Forensics
- Screening National Security Applicants for Digital Dirt
- Assessing the Benefits of Network Security Systems
- Ubuntu 10.04 LTS: First Look
- The DoD Banner: Development Over the Past Year
- Subject Identification
- Undercover Operations: Proactive Techniques
- Black Ice: The Invisible Threat of Digital Steganography
- Botnets, Modern Distributed Threats
- Showdown with the Shodanhq Search Engine
Friday, January 28
Conference Registration: Grand Hall Foyer
Cyber Café: Grand Hall Foyer
Morning Reception: Centennial Foyer
0900–1150 Breakout Sessions (slots 1000–1050 and 1100–1150)

Breakout Sessions, Day 3 (Friday), by track.

Defense Industrial Base (Courtland)
- 2011 Cyber Threats and Trends
- Threat Intelligence Knowledge Management for Incident Response (repeat session)
- Predictive Analytics

Forensics (Learning Center)
- If Appliances Could Talk
- Mobile Technologies in a Digital Battlefield
- Investigation of the Windows Media Player Database
- Automated Audio and Video Analysis
- Developing Process for the Extraction and Documentation of Cell Phone Evidence
- Agent Based Forensics: Options, Pitfalls, & Triumphs
- Accreditation as Only the First Step
- Profiles of Antivirus Scans: A Comparison of Eight AV Vendors' Virus Scan Effects on Last Accessed Times
- An Overview of Location-Based Services (LBS)
- Computer Forensics in the Linux Environment
- When did it Happen? Are You Sure About That?
- Exploiting Facebook Artifacts

Information Assurance
- Security 101 is Dead: Compliance is the Living Dead
- Real Security Techniques for Today's Environments

Law Enforcement (Hanover A-B, Hanover C-D, Hanover F-G)
- Some People are Wise and Some Are Otherwise, an Overview of Data Collection For Effective Cyber CI
- Changing the Paradigm: Towards Intelligence-driven Situational Awareness
- Interpreting the Suspect's Language Uncovers Hidden Data During the Forensic Analysis
- The Business of Bots and How to More Effectively Combat This Threat
- Coordination Between Law Enforcement and Computer Network Defense Organizations
- Cyber Investigation Search Kit
- Investigating Social Networking Sites
- Introduction to Investigation in Internet Relay Chat (IRC) and Usenet (Newsgroups)

Legal (Baker)
- Do You Have The Full Digital Picture? Digital Evidence in Child Porn Cases
- Making the DCFL Process Work For You

Research & Development (Inman, Kennesaw)
- Analysis of Duplication in a Large Dataset and its Implications For Storage
- Limewire RAM Analysis
- Dynamic Attack Redirection to Honeypots
- Metadata Analysis for Digital Forensics Triage
Breakout Session Locator
Grand Hall A: forensics (Wednesday-Friday)
Grand Hall B: forensics (Wednesday-Thursday)
Exhibit Hall
Grand Hall C: defense industrial base (Wednesday-Friday)
Grand Hall D: information assurance (Wednesday-Friday)
Hanover A-B: law enforcement (Wednesday-Friday)
Hanover C-D: law enforcement (Wednesday-Friday)
Hanover E: forensics (Wednesday-Friday)
Hanover F-G: law enforcement (Wednesday-Friday)
Harris: speaker ready room
Fairlie: law enforcement (Wednesday AM); research & development (Wednesday AM); defense industrial base (Wednesday PM); information assurance (Thursday); forensics (Thursday AM)
Dunwoody: forensics (Wednesday-Friday)
Courtland: defense industrial base (Wednesday-Friday)
Baker: legal (Wednesday-Friday)
Auburn: defense industrial base (Wednesday AM; Thursday PM); law enforcement (Wednesday PM; Thursday AM); research and development (Wednesday PM); information assurance (Wednesday PM)
Breakout Session Planner
Wednesday, January 26
Time | Event | Place
Thursday, January 27
Time | Event | Place
Friday, January 28
Time | Event | Place
Birds of a Feather
Thursday, 1700-1830 (location; session title and presenters; session description)
Grand Hall A
Open slot

Grand Hall B
The National Forensics Training Center at Mississippi State University has been training state and local law enforcement officers for over five years to combat cyber crime. Since 2005, over 4,000 state and local law enforcement officers have been trained in techniques ranging from simple bag-and-tag of computer systems to advanced cell phone techniques. In 2008, Mississippi State University received a grant, along with Auburn and Tuskegee Universities in Alabama, to provide this training to disabled veterans and wounded warriors as workforce transition training for America's veterans. The training has been successful in sparking interest among veterans and wounded warriors, and recently in the Department of Defense. With renewed funding and a partnership with the DoD Cyber Crime Center, MSU hopes to continue the training and to offer wounded warriors who wish to, and are able to, stay on active duty an opportunity for further training at DCITA. This Birds of a Feather session presents the program and opens the floor to ideas from attendees on how to make it better.

This session is a discussion of the threat posed by unbound media (mainly Bluetooth, but also Wi-Fi, infrared and anything else without wires). Everybody is now unbound and nobody secures it. The session includes a live demo in which attendees can check their phones to confirm that "Bluetooth off" really is off, and leads into a discussion of securing all unbound media, a massive new threat area.

Grand Hall C
Standard Model Reality vs. Information Physics: Bridging the Gap in the Court Room
Chet Uber, Project Director Vigilant, BBHC Global LLC

This session discusses public and private collaborative efforts between the DIB SCC and government agencies such as the DoD, NSA, USSS and others.

When it comes to creating usable digital evidence, packet-level network intercept data can be very difficult to work with. This session discusses real-world methods for getting meat off the bone during cyberspace investigations. Topics include: dealing with massive quantities of packet capture (pcap) data; going beyond an IP-centric approach to finding and tracking bad guys online; organizing unstructured and semi-structured data using open search engine technology; finding and extracting digital artifacts from pcap data; advanced web reconstruction technologies; quickly enhancing a network investigation by creating a timeline; dealing with Web 2.0 HTTP applications such as Facebook and webmail; text entity extraction from full content; and extracting and cross-referencing people-related metadata. Finally, the ultimate enhancement to a network investigation is cross-referencing with computer forensic data from dead disks and phones, and with other sources such as Call Detail Records (CDR), security logs and open-source web harvesting.

NIJ Electronic Crime and Digital Evidence Needs Assessment for State and Local Law Enforcement Workshop
Robert O'Leary, Director, NIJ Electronic Crime Technology Center of Excellence; Dr. Victor Fay-Wolfe, PhD, Professor, University of Rhode Island; Russell Yawn, Chief of Prosecution Services, Alabama District Attorneys Association; Kristen McCooey, University of Rhode Island Digital Forensics Center; Martin Novak, Physical Scientist, NIJ Electronic Crime Portfolio Program Manager
The NIJ Electronic Crime Technology Center of Excellence will be conducting research for the National Institute of Justice Research Report "Electronic Crime Needs Assessment for State and Local Law Enforcement". This Birds of a Feather session introduces the research project, the methodologies to be used, and the information to be identified and compiled to produce a comprehensive report to NIJ on the impact of electronic crime and digital evidence on state and local criminal justice agencies. The discussion focuses on the challenges and issues state and local law enforcement currently face, as well as those that can be anticipated as a result of emerging technologies. The last NIJ Electronic Crime Needs Assessment Research Report was published in March 2001.

This session focuses on the lack of trained personnel capable of performing incident response, and on automating a solution to that response. It also covers volatile data collection, the tools used, and rapid analysis of the tool results.

Hanover E
Hanover F-G
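The packet-level network intercept session listed above names two of the basic moves: pulling artifacts out of pcap data and ordering them into a timeline. The following is an added example, not code from that session or any of its presenters: a minimal reader for classic (non-pcapng) pcap files that decodes Ethernet/IPv4/TCP frames, keeps only payloads that begin with an HTTP request line, and sorts the results by capture time. The capture it parses is constructed in memory with documentation addresses and zero checksums (which the reader does not verify); names such as build_timeline and build_sample_pcap are this example's own.

```python
"""Added example (not from the conference program): HTTP request timeline from pcap bytes.
Only Ethernet link-layer captures are handled; frames that are not IPv4/TCP, or whose
payload does not start with an HTTP request line, are skipped. Requests split across
TCP segments are not reassembled, so a real investigation would add stream reassembly."""
import socket
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4       # magic as read little-endian from a LE-written file
PCAP_MAGIC_BE = 0xD4C3B2A1       # same magic when the file was written big-endian
LINKTYPE_ETHERNET = 1


def iter_pcap_records(data):
    """Yield (ts_sec, ts_usec, frame) for each record in a classic pcap buffer."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack_from(end + "HHiIII", data, 4)[5]   # version, tz, sigfigs, snaplen, linktype
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled (linktype %d)" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # ethertype IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                        # IPv4 carrying TCP only
        return None
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, tcp[data_off:]


def http_request(payload):
    """Return (method, path, host) if payload begins with an HTTP request, else None."""
    try:
        head = payload.decode("ascii").split("\r\n\r\n", 1)[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return parts[0], parts[1], host


def build_timeline(pcap_bytes):
    """Chronological list of (time, src, dst, dport, host, method, path) tuples."""
    events = []
    for ts_sec, ts_usec, frame in iter_pcap_records(pcap_bytes):
        tcp = decode_tcp(frame)
        if tcp is None:
            continue
        src, _sport, dst, dport, payload = tcp
        req = http_request(payload)
        if req is None:
            continue
        when = datetime.fromtimestamp(ts_sec, timezone.utc).replace(microsecond=ts_usec)
        events.append((when, src, dst, dport, req[2], req[0], req[1]))
    events.sort()                 # capture files are not always in time order
    return events


def _frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; MACs and checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture: two requests recorded out of time order, plus one reply."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [
        (1296000000, 17, _frame("192.0.2.10", 49152, "198.51.100.20", 80,
                                b"GET /login HTTP/1.1\r\nHost: webmail.example\r\n\r\n")),
        (1295999999, 900000, _frame("192.0.2.10", 49153, "198.51.100.21", 80,
                                    b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n")),
        (1296000001, 0, _frame("198.51.100.20", 80, "192.0.2.10", 49152,
                               b"HTTP/1.1 200 OK\r\n\r\n")),
    ]
    out = header
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for when, src, dst, dport, host, method, path in build_timeline(build_sample_pcap()):
        print(when.isoformat(), src, "->", dst, dport, host, method, path)
```

The reply frame is dropped because its first line is a status line, not a request line, and the POST sorts ahead of the GET even though it was written to the file second. Two things this deliberately leaves out matter on real captures: TCP stream reassembly (a request whose headers straddle two segments is missed) and any trust in the Host header, which is attacker-controlled text and should be cross-referenced against the destination address and DNS traffic before it goes into a report.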
Session Descriptions

Pre-Conference Training

Advanced Network Intrusion Traffic Analysis
Saturday and Sunday, Location: Dunwoody; Duration: 1 Day; Classification: FOUO; Intended Audience: Information Assurance; Presenters: Joe Fichera and Mike Cowan
In this one-day hands-on training session, attendees learn how to identify intrusion traffic, understand and identify the techniques used by the attacker, and reconstruct the intrusion traffic. Attendees also learn how to identify the attack vector, mitigate loss and secure the vulnerability using Wireshark, NetWitness and Snort.

Introduction to Botnets
Saturday and Sunday, Location: Auburn; Duration: 1 Day; Classification: FOUO; Intended Audience: Information Assurance; Presenters: Andrew Ingraham and John Auman
Botnets are a significant part of the Advanced Persistent Threat (APT) facing corporate and government networks today. Botnet software has evolved into sophisticated, customizable crimeware that allows virtually anyone to build their own bots and botnets and launch their own coordinated infiltrations. This course introduces botnets and gives students hands-on experience setting up and running a self-contained botnet. Students also examine the evidence a botnet compromise leaves behind in network traffic and Windows system artifacts. Students should be familiar with basic networking and have a basic understanding of Windows system artifacts.

... computer hardware and familiarity with Windows operating system environments. This training is not for forensic examiners.

NW3C TUX4N6
Friday-Sunday, Location: Learning Center; Duration: 1 Day; Classification: FOUO; Intended Audience: Forensics; Presenters: Herb Scott and Nicholas Newman
This seven-hour course teaches students how to use the TUX4N6 digital triage tool, created by NW3C, to safely preview the active files on a suspect computer in a forensically sound manner. TUX4N6 is based on the Linux operating system and can read other computer systems' files without writing to or altering the data on those systems. Students are taught how to conduct a manual search of a computer, use automated features to search for keywords and specific file types, and save evidence to external storage media. Upon successful completion of the course, students receive a free copy of the TUX4N6 tool.
Online Anonymity
Friday and Monday, Location: Kennesaw; Duration: 1 Day; Classification: FOUO; Intended Audience: Law Enforcement; Presenters: Steve Bolt and Bob Reyes
This one-day hands-on course is derived from the week-long OUT course offered by DCITA. Tools and methodologies are demonstrated and provided that enable an examiner or investigator to conduct information gathering while obfuscating their source location.

Windows 7 Forensics
Friday and Monday, Location: Courtland; Duration: 1 Day; Classification: FOUO; Intended Audience: Forensics; Presenters: Mark Neno and Walt Bobby
With the introduction of the Windows 7 operating system, forensic examiners need guidance on how the OS affects their examinations. Topics discussed include Libraries, Jump Lists, Pinning, Gadgets, Thumbnail Caching, Sticky Notes, exFAT, System Protection and Backup (Windows Backup, System Image, Previous Versions, Volume Shadow Copies), Virtualization, XP Mode, the Registry, SuperFetch, Windows Search, Indexing, BitLocker and BitLocker To Go. The use of Windows 7 as a platform for examinations is also considered.
Plenary Sessions

Cybersecurity and American Economic Prosperity in the 21st Century
Tuesday, 0845-0930; Location: Centennial Ballroom; Presenter: Honorable Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President
President Obama has declared that the cyber threat is one of the most serious economic and national security challenges we face as a nation, and that America's economic prosperity in the 21st century will depend on cybersecurity. In this global, digital age, the Nation's competitiveness and prosperity depend on cybersecurity. Cyber investigators, working together with the government, public and private sectors, will make cyberspace safer and more resilient for the Nation, its citizens and its businesses.

Cyber Skills Matter: Findings from the CSIS Commission on Cybersecurity for the President
Tuesday, 1015-1100; Location: Centennial Ballroom; Presenter: Alan Paller, Director of Research, SANS Institute
Earlier this year, a report from the prestigious Center for Strategic and International Studies provided the first proof that, in the hunt for the advanced persistent threat, the quality of cyber skills has a greater impact than the quality of cyber hardware and software. Sadly, it is far tougher to find highly skilled security practitioners than to buy another software or hardware product. In this briefing, the presenter shares the CSIS data and then describes the national talent search and talent development program designed to grow the pipeline of highly qualified cyber security hunters.
Breakout Sessions

10 Mistakes Hackers Want You to Make
Wednesday, 1100-1150; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 1; Presenter: Sanjay Bavisi, EC-Council
This presentation delves into lapses in security practice that give hackers the opportunity to exploit vulnerabilities, intrude into networks and systems, and commit crime. It highlights the threat scenario in the IT environment and its implications for organizations. The main focus is on the measures organizations must adopt to safeguard their IT infrastructure from threats in cyberspace.
... to investigate and litigate digital evidence and cyber crime cases more effectively and efficiently.

A Review of All Cell Phone Forensics Tools and How They Work: A Cell Phone and GPS Forensic Tool Classification System
Wednesday, 0830-1150; Location: Centennial Ballroom 1; Track: Forensics; Geek Meter: 1; Presenter: Sam Brothers, Digital Forensics Analyst, U.S. Customs and Border Protection
This session provides an overview of all commercially available tools for cell phone data extraction. A mini-section focuses on tools specific to the iPhone. The presenter demonstrates and discusses how cell phone (and GPS) forensic tools actually work and presents the Small Device Digital Forensic Tool Classification System (Pyramid) that he developed. Our world has been saturated with a plethora of these inexpensive digital devices, and the retrieval and analysis of the information stored on them is becoming increasingly useful. As you'd expect, this includes phone numbers dialed, incoming calls received, phone directories, appointment reminders and calendars. But there is so much more. With over a billion subscribers worldwide, cell phones are a realm that is for the most part an untapped resource of valuable information when it comes to forensic examinations of digital media.

... covered. Additional tools for image enhancement, video clarification, biometric imaging issues and measurement are also discussed. Attendees leave with practical techniques that can be applied immediately, as well as knowledge of up-and-coming tools and techniques.

A Malware Analysis Case Study: Analysis of the {TDL3, Tidserv, TDSS, Alureon} Kernel Mode Rootkit
Thursday, 1330-1420; Location: Grand Hall A; Track: Forensics; Geek Meter: 2; Presenter: Paul Bartruff, Senior Engineer, SAIC
The TDL rootkit, also commonly referred to as Tidserv, TDSS or Alureon, is a sophisticated kernel mode rootkit that appears to be developed and maintained by professionals. This discussion covers a brief history of TDL, including its probable origin and affiliations; several specific concepts of the x86 architecture leveraged by kernel mode rootkits; and how they apply to the TDL3 sample. The analysis is a deep dive into the third generation of the rootkit (TDL3), focusing on the kernel mode component, specifically its stealth capability and persistence mechanism in a Win32 environment. If time permits, the recent 64-bit version of TDL is also discussed, covering how the architecture change, both hardware (x86_64) and software (Win64), affects its techniques.
... in the operating systems of tomorrow? This session reviews different agent-based solutions and methods for gaining remote access to systems for analysis, as well as the common pitfalls of live capture and how to avoid them.

... network security systems that monitor traffic and help mitigate the impact of cyber attacks. It focuses on methods for measuring the effectiveness of sensors at a particular location. Sensors and network monitoring systems are expensive, and organizations naturally want to know what return they get for purchasing and deploying a sensor. The model assesses the benefits in terms of the reduction in potential damage from cyber attacks that the new network device mitigates to varying degrees. The implications of the analysis, the extensions needed and future research directions are discussed.
Best Practices for eDiscovery Reporting
Thursday, 0930-1020; Location: Dunwoody; Track: Forensics; Geek Meter: 1; Presenter: David Speringo, Senior Consultant/Engineer, AccessData
Discoverable data is being generated across corporate and government infrastructures at exponential rates. The data may reside almost anywhere: on laptops, desktops and even hard-to-reach structured database resources. This ever-growing mass of data requires organizations not only to focus on data management but also to optimize their reporting capabilities. Reporting at each level of the eDiscovery process is critical to illustrating a chain of custody and validating your eDiscovery methodology before the court; it also shapes your data management strategy. This session explores how best to manage the various reporting mechanisms in order to gain a better understanding of how to manage discoverable data.

... The session explains the tactics, techniques and procedures implemented; the infrastructure put in place to manage botnets and facilitate malfeasance; the types of damage botnets have caused and can cause; the threats botnets pose in the future; and issues and suggestions for exposing and mitigating them.

Borderless Networks
Thursday, 0830-0920; Location: Inman; Track: Research and Development; Geek Meter: 2; Presenter: Jeff Wells, Engineering Manager, Cisco Systems
We work, live, play and learn in a world that has no boundaries and knows no borders. We expect to connect to anyone, anywhere, using any device, to any resource, securely, reliably and transparently. To support this reality in an organization, IT staff must deal not only with new devices and usage models, but also with changing business practices that place huge new demands on the core infrastructure. In today's workplace it is increasingly common that primary business resources, including data centers, applications, employees and customers, are all outside the traditional business perimeter. Extending business borders around all these people and resources taxes your IT department. IT simply cannot scale when every project is an exception to traditional IT design and management practices. IT needs a better way to scale and manage users and customers in any location, given that those users may be using virtually any device to access almost any application located anywhere in the world. There is a dramatic shift occurring toward ubiquitous wired and wireless access, but many organizations still treat wired and wireless networks as separate entities. This session shows how Cisco's Borderless Network Architecture helps IT departments unify their approach to securely delivering applications to users in a highly distributed environment. The crucial element in scaling secure access is a policy-based architecture that allows IT to implement centralized access controls with enforcement throughout the network, from server to infrastructure to client.

Blogs, Tweets and the Law: The First Year of DTM 09-026
Wednesday, 1030-1150; Location: Baker; Track: Legal; Geek Meter: 1; Presenter: Rick Aldrich, Senior Computer Network Operations Policy Analyst, Information Assurance Technology Analysis Center
Last February, the Deputy Secretary of Defense issued Directive-type Memorandum (DTM) 09-026. It directed that "the NIPRNET shall be configured to provide access to Internet-based capabilities [IbC] across all DoD Components." IbC was broadly defined to include a wide variety of social media. As DoD and its leadership race to embrace the benefits of the new social media, what are the associated legal issues that need to be addressed? Can commanders order military personnel to provide their Facebook and MySpace identities so that the military can more easily track their posts? Can or should DoD monitor the blogs of its military and civilian workforce? How can it obtain logs from IbC providers? What are the rules for law enforcement investigators? Does the First Amendment protect posts that are critical of one's unit, the President, the Congress, etc.? Can a supervisor's unfriending of a subordinate constitute an adverse personnel action, triggering associated due process requirements? Does social media present a new threat vector for attacking DoD systems? What rules apply to working undercover on a social networking site? The case law is evolving quickly. Find out how.
Building Your Insider Threat Audit Program
Wednesday, 1550-1650; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 1; Presenter: Daniel Velez, Program Manager, Raytheon Oakley
Building an insider threat cyber audit program in your organization requires a number of considerations, from legal to operational. This session covers lessons learned from the development of insider threat cyber audit programs across the U.S. government and the private sector. The points raised will help you plan and implement your insider threat cyber audit program and refine your organization's auditing and monitoring requirements so that you get it done right the first time.

... increase the number of qualified professionals to meet the needs of the law enforcement, counterintelligence, national defense and legal communities. This session describes the CDFAE program construct and what it entails to have an educational program accredited as a National Center of Digital Forensics Academic Excellence. It focuses on establishing a common core curriculum and developing standards for education and training in digital forensics studies, employing a progressive education model based on core learning objectives, and giving students an opportunity to demonstrate their knowledge and skills in digital forensics.
Computer Forensics in the Linux Environment
Friday, 0900-1050; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 2; Presenter: Chris Shanahan, Instructor/Course Developer, Defense Cyber Investigations Training Academy
Whether you are a computer forensics examiner looking to harness the power of the Linux platform or to cut your budget for hardware and software, or a seasoned examiner looking to expand your toolbox, the Linux platform can be a powerful, viable alternative to the traditional Microsoft Windows-based applications in use today. In this session the presenter uses open source tools to demonstrate computer forensics techniques on the Linux platform. Attendees are taken through the entire computer forensics process, from data collection to examination and analysis. Both volatile and non-volatile data collection and analysis techniques are discussed and demonstrated. Attendees should have some familiarity with the Linux operating system and the shell (the command-line interface, CLI).

The Regional Computer Emergency Response Team - CONUS and the Arizona Branch Office Computer Crime Investigative Unit have been co-located since 2000. During this time the organizations have established processes that support both the computer network defense of the LandWarNet and law enforcement investigative requirements, two requirements that are often seen to be in conflict. A successful blending of efforts, done within legal and regulatory guidelines, allows each organization to achieve mission success and support the other in the execution of its mission.

Computer, Identify That Individual: It's Already 2011 and I Still Don't Have Any Cool Facial Recognition Software!
Wednesday, 1500-1550; Location: Inman; Track: Research and Development; Geek Meter: 1; Presenters: Jason Agurkis, Software Engineer, DCCI; Keith Bertolino, CEO, Cipher Tech Solutions, Inc
This presentation explores the process of rapidly developing your own practical facial recognition applications in .NET with algorithms that cost less than your annual supply of Mountain Dew. We look at leveraging the newest algorithms in computer vision research, along with current SDKs available in the commercial and open source communities. Along the way, we expose clever implementation tricks that drastically improve the performance of off-the-shelf algorithms, to ensure your end product is as operationally useful as it is cool to watch.

Configuring VMs
Thursday, 0830-0920; Location: Learning Center; Track: Forensics; Geek Meter: 2; Presenters: Special Agent David Shaver, Special Agent in Charge, United States Army, Computer Crime Investigative Unit; Special Agent Ryan Pittman, Digital Forensics and Research Branch, US Army CID
This presentation covers the most common methods for converting an EnCase or dd image into a working virtual machine. It also explains the steps needed to overcome most activation issues and corrupt drives, and how to pull data from a running virtual machine to enhance your examination or investigation. The necessary software for extracting data from a running VM is provided.
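One of the conversions the Configuring VMs session covers is turning a raw dd image into something a hypervisor will boot. The following is an added example and not the presenters' code or any forensic product's: it exposes a raw image to VMware by writing a small "monolithicFlat" VMDK descriptor beside it, so the image is referenced in place rather than converted or copied, and it records a SHA-256 of the image so the examiner can confirm afterwards that the evidence file was not written to. EnCase (E01) images are not handled; they would first be exposed as raw (for example by mounting with libewf's ewfmount) and the descriptor pointed at that. The IDE geometry, virtualHWVersion value and the function names (vmdk_descriptor, write_descriptor, demo) are this example's own assumptions, not values from the session.

```python
"""Added example (not from the conference program): wrap a raw dd image in a
VMware monolithicFlat VMDK descriptor and hash the image for later verification.
The descriptor is a few hundred bytes of text whose single extent is the image."""
import hashlib
import os
import tempfile

SECTOR = 512
HEADS, SECTORS_PER_TRACK = 16, 63      # classic IDE geometry (assumption)


def image_sectors(path):
    """Size of the raw image in 512-byte sectors; a flat extent must be whole sectors."""
    size = os.path.getsize(path)
    if size == 0 or size % SECTOR:
        raise ValueError("%s: %d bytes is not a whole number of sectors" % (path, size))
    return size // SECTOR


def vmdk_descriptor(extent_name, total_sectors, adapter="ide"):
    """Text of a monolithicFlat descriptor whose only extent is extent_name.

    extent_name is resolved relative to the descriptor file, so keep the descriptor
    beside the image (or pass an absolute path)."""
    if total_sectors <= 0:
        raise ValueError("extent needs at least one sector")
    cylinders = max(1, total_sectors // (HEADS * SECTORS_PER_TRACK))
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description: access, size in sectors, type, file, offset",
        'RW %d FLAT "%s" 0' % (total_sectors, extent_name),
        "",
        "# The Disk Data Base",
        "#DDB",
        'ddb.virtualHWVersion = "4"',
        'ddb.geometry.cylinders = "%d"' % cylinders,
        'ddb.geometry.heads = "%d"' % HEADS,
        'ddb.geometry.sectors = "%d"' % SECTORS_PER_TRACK,
        'ddb.adapterType = "%s"' % adapter,
    ]
    return "\n".join(lines) + "\n"


def sha256_of(path, chunk=1 << 20):
    """Hash the image so it can be re-verified after the VM has been used."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def write_descriptor(image_path):
    """Write <image>.vmdk beside the raw image; return (descriptor_path, image_sha256)."""
    descriptor_path = image_path + ".vmdk"
    text = vmdk_descriptor(os.path.basename(image_path), image_sectors(image_path))
    with open(descriptor_path, "w") as f:
        f.write(text)
    return descriptor_path, sha256_of(image_path)


def demo():
    """Run against a constructed 1 MiB all-zero image in a temp directory (not evidence)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "suspect.dd")
    with open(image, "wb") as f:
        f.write(b"\x00" * (2048 * SECTOR))        # 2048 sectors
    descriptor, before = write_descriptor(image)
    with open(descriptor) as f:
        text = f.read()
    # writing the descriptor must not touch the image itself
    return text, before == sha256_of(image)


if __name__ == "__main__":
    text, unchanged = demo()
    print(text)
    print("image unchanged:", unchanged)
```

Attach the resulting .vmdk to the VM as an independent-nonpersistent disk, or take a snapshot before the first power-on, so that the guest's writes go to a redo log or delta file rather than into the extent; the Windows boot alone would otherwise update registry hives and timestamps inside the image. After shutting the VM down, re-run sha256_of on the image and compare it with the value returned by write_descriptor; a mismatch means the evidence copy was modified and the examination should restart from the original.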
... cyber espionage and cyber warfare are acknowledged to include unauthorized disclosure, modification and/or withholding of information (aka denial of service). This presentation concentrates on preventing unauthorized disclosure of information: it defines the characteristics of covert communication channels and the techniques used to achieve stealthy data exfiltration. Real-time detection of advanced exfiltration techniques is problematic; however, once the channels and means of data theft have been defined, approaches and techniques to detect and mitigate the vulnerability can be discussed. Attendees take away an understanding of the breadth and scope of the threat landscape, the motives and objectives of threat actors in government domains, covert communication channels, stealthy data exfiltration and detection techniques.

... by companies and organizations. This presentation illustrates ways to limit the attacker's advantages and mitigate cyber threats in a timely manner. The presenter discusses a methodology for refining and developing enterprise security capabilities for effective defense on the evolving cyber battlefield. The approach lets organizations leverage existing enterprise investments and field integrated systems of systems that are interoperable and scalable. Combined with trained people and rigorous procedures, these capabilities create a vigilant security operations environment that lets organizations get a step ahead of adversaries and interrupt their attack chains. The methods can be implemented by organizations of any size and provide the network visibility, situational awareness, collaboration, intelligence and prevention necessary to engage the APT in today's virtual world.

This presentation offers practical advice for prosecuting computer crimes, with a focus on gathering all of the available evidence. Too often prosecutions go forward before the government captures and analyzes all of the evidence. It also explores where to look both to prove your case and to disprove common defenses. Lastly, it looks at some common concerns and addresses unique aspects of trying your case under the Uniform Code of Military Justice.

Deep Packet Inspection: Protecting Federal Agency Networks Against the Next Generation of Cyber Threats
Thursday, 0930-1020; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2; Law Enforcement Only; Presenter: Greg Kopchinski, Director of Product Management, Bivio Networks, Inc.
Malicious cyber activity targeting federal IT infrastructure is on the rise. It is no longer a question of if, but when, a network will come under attack, and whether federal agency network managers have the technology needed to quickly identify and mitigate potential threats. This presentation demonstrates how DPI-enabled networking solutions can be deployed to address new and existing network threats and vulnerabilities that threaten national security. It also gives attendees insight into how fully customized data mining and collection, as they relate to network security, can provide traffic analysis and management solutions in government and commercial organizations.

Developing Process for the Extraction and Documentation of Cell Phone Evidence
Friday, 0900-1050; Location: Centennial Ballroom 1; Track: Forensics; Geek Meter: 2; Presenter: Cynthia Murphy, Detective, Madison Police Department
Digital forensic examiners have seen a remarkable increase in requests to examine data from cellular phones. The examination of cellular phones and the extraction of data from them present a number of challenges for forensic examiners, which makes the development of guidelines and processes for the extraction and documentation of that data extremely important. The presenter covers her recently published paper, which introduces a framework for developing process in cell phone forensic examinations. She also provides sample forms, flow charts and other useful documents for forensic examiners who work on cell phones.

Do You Have the Full Digital Picture? Digital Evidence in Child Porn Prosecutions
Friday, 0900-0950; Location: Baker; Track: Legal; Geek Meter: 1; Presenter: Captain Joe Kubler, Appellate Government Counsel, Air Force Government Trial and Appellate Counsel Division
What if a system can be designed to redirect an attack an IDS detects towards a honeypot segregated from the production network? Would that system be able to capture a full attack, including full payloads and information about intention, while keeping the rest of the network safe? This presentation covers this concept and discuss the need, possibility, and implementation issues associated with dynamic honeypot redirection. It concludes with some examples of a redirector in operation. focused? Finally, these findings will be applied, enabling CISOs and security executives to rely on efficient and effective strategies to reduce risk and guide strategic decision-making. The complete 2010 Data Breach Investigations Report may be accessed online: http:// www.verizonbusiness.com/resources/reports/rp_2010data-breach-report_en_x g.pdf?&src=/solutions/ security/index.xml&id=
Feeding Incident Response into Your Detection Systems
Thursday, 0930-1020; Location: Fairlie; Track: Information Assurance; Geek Meter: 2
Presenter: Patrick Mullen, Research Engineer, Sourcefire Incorporated
With cyber threats by nation-states against U.S. government agencies on the rise, the Obama Administration has made effective cybersecurity a strategic priority. A 2009 report from the Homeland Security Department's U.S. Computer Emergency Readiness Team (US-CERT) documented a vast increase in breaches in the Federal Government in the past two years, from 5,144 cybersecurity incidents in agencies in fiscal 2006 to 18,050 in fiscal 2008. While today's threats and networks are more targeted and constantly evolving, most security solutions are static, leaving you blind to the network. And while your network security solutions may be new, chances are they are based on outdated assumptions. In this session the presenter discusses the shortcomings of today's network security and best practices for agencies as they strive to improve their cybersecurity infrastructure. The session addresses the importance of intelligent network security and the need for full network visibility, relevant context, automated impact assessment and IPS tuning, and illustrates the need for network security that adapts to dynamic networks and threats in real time.
Financing Terrorists and Criminals: The Impact of Non-Traditional Monetary Systems and the Internet on Homeland Security
Wednesday, 1330-1420; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1-2
Presenter: Phillip Osborn, Supervisory Special Agent, Department of Homeland Security
A significant aspect of our nation's homeland and national security strategy targets the financing that supports terrorism. New and non-traditional financial transfer and value systems, however, such as electronic currencies and pre-paid stored value cards, have emerged and continue to emerge, rendering various aspects of this strategy obsolete. This presentation provides an overview of these systems and identifies the various ways in which they can be exploited by terrorists and criminals to circumvent existing anti-money laundering and terrorist financing measures.

the history of the eMule client (how it has evolved in the last eight years), how it works from a user's point of view, and the forensic artifacts it leaves on a computer. These artifacts let an investigator determine information, including downloaded and shared files, servers and peers. We describe the most significant information available in files left by eMule and walk through a simple example to demonstrate how these bits of information can be put together.
First Thing We Do, Let's Kill All the Lawyers: A Criminal Investigator's Guide to Working with Those Pesky Prosecutors
Wednesday, 1550-1650; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1
Presenter: William Yurek, Senior Counsel, U.S. Dept of Justice
Attendees are given inside pointers on how to maximize their relationship with the prosecutors they work with to achieve maximum results with minimal conflict. This session is presented by a current criminal investigator with over 14 years of federal prosecution experience and over 13 years' experience as a federal Special Agent.
system, and on our smart phones and PDAs. In some cases, the data might end up with a contractor or in a cloud infrastructure. Finding the data and securing it is not easy. To address this, the government needs to adopt an information-centric approach to security. This means asking the following questions: What sensitive information do I have? Where is it stored? How is it used? Who needs access to it?

differences among various age groups, such as botnet size, mission task and geographic distribution of CNC (Command and Control) servers. We have discovered new techniques designed to evade the current botnet CNC detection mechanisms, e.g. a URI generator which can dynamically generate hundreds of thousands of unique URIs for a botnet CNC server, and mapping of CNC server URIs to foreign country IP addresses. Finally, we measure the effectiveness and weakness of common botnet mitigation solutions, including sinkholes being deployed to break CNC communications.

on U.S. person collection, retention and dissemination rules, as well as the specialized collection techniques and the rules governing their employment. The briefing not only covers the IO rules but also explores how they may impact intelligence-related cyber operations or investigations, or traditional intelligence operations or investigations that have a cyber component. Besides E.O. 12333 and DoD 5240.1-R, the briefing also explores how DoD policy has impacted the conduct of intelligence activities.
U.S. Department of Defense Cyber Crime Conference 2011: Cyber Hunters: Predators and Prey...
Interpreting the Suspect's Language Uncovers Hidden Data During the Forensic Analysis
Friday, 0900-0950; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1
Presenter: Jeff Naylor, Instructor/Course Developer, Defense Cyber Investigations Training Academy
Forensic analysis provides only one half of the evidence. Through a technique called language analysis, we will completely unmask the suspect's behavior and intentions and reveal data that is critical to the investigation.

provides an introductory explanation of these protocols, how they are used and how you can investigate within them. Recommended prerequisite knowledge: understanding of basic network terminology and IP addressing; understanding of the structure, content, and analysis of full headers of SMTP e-mail.

get started with malware analysis. You'll also see the approach in action in a live demo.
iPhone and iDevice Forensics
Wednesday, 1100-1150; Location: Inman; Track: Research and Development; Geek Meter: 2
Presenter: Andrew Medico, Computer Scientist, Department of Defense Cyber Crime Center
The Apple iPhone is an extremely popular cell phone, with over 50 million units sold to date. However, it is more than just a cell phone. Its hardware, software and capabilities are more like a miniaturized computer. Between the data intentionally stored on the device by the user and hidden data stored by the operating system to power special effects, it is a goldmine of forensic data. It contains records of associates, logs of communications (voice calls, voice mail, SMS, MMS, e-mail, instant messages), GPS and cell tower position data and more. This presentation covers the specific data found on the iPhone, data acquisition techniques and tools (including tradeoffs of speed vs. completeness and forensic soundness) and data analysis techniques, and demonstrates an automated analysis tool developed by DC3. The presentation also addresses applicability of the techniques to iPod touch and iPad devices.

material. Additionally, the capabilities for transmitting this information have broadened to include internet access and Bluetooth connectivity in addition to simple text messages. With the evolution of these technological advances, we are now confronted with additional security concerns relating to the safeguarding and protection not only of our voice communications, but also of the content that we transmit and that which resides on the mobile device itself. There have been numerous instances we have all read or heard about via countless news stories of text messages, voice conversations and messages that have mysteriously appeared in various tabloids, revealing personal information. How did this information migrate from an individual's personal phone to the front page of the tabloid? Was the phone stolen, or did an inside source hear the conversation or message or see the content of the text messages? How were the actual conversations and entire content of the messages removed from the phone? These incidents present a broad spectrum of concerns, not only for personal users, but also for government.

this breed of cyber criminals, government agencies must be aware of the culprits and their business models. This presentation provides an analysis of cybercrime's lucrative business models and strategies to protect government networks against this new face of organized crime, using local and state government examples.
and report on Macintosh evidence. In this session attendees examine and report on Macintosh evidence. Attendees also examine property lists and the SQLite databases on Macintosh systems to recover the same type of evidence found in Index.dat files, the registry and link files on Windows systems. Students learn to recover artifacts from the Safari and Firefox browsers including cookies, download path entries, form data, browser history, cache files, bookmarks, chat files and sign-on passwords.
possibility of their use for the introduction of malware. Concepts for the creation and examination of mobile barcodes are presented. Many barcode types are discussed, with an emphasis on Microsoft Tag and QR Codes.
mIRC
Wednesday, 1500-1550; Location: Auburn; Track: Information Assurance; Geek Meter: 1
Presenter: Steven Bolt, Instructor/Course Developer, Defense Cyber Investigations Training Academy
Internet Relay Chat is a tried and true protocol that is still a viable out-of-band communication channel leveraged by the opposition. IRC networks are being used to obfuscate communication between adversaries, and the high-tech investigator needs to become aware of the usage of IRC clients. This session provides attendees with the necessary information to effectively download, install and utilize an IRC client to initiate a data collection effort. Examples are provided that show the way in which IRC is being implemented in the field and how the information is relevant.
Near Real Time Audit Data Analysis Comes of Age
Thursday, 0830-0920; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2
Presenter: Dr. Bruce Gabrielson, Lead Technical Advisor, NSA CND R&T PMO (BAH)
Current CND strategies are focused on protecting DoD information systems and limiting an adversary's ability to impact the networks on which these information systems reside. This presentation addresses a new technology developed at NSA in cooperation with DC3 and other defense and intelligence community organizations. The Data Extraction Utility (DEU) is designed to enable automated parsing, normalization, extraction, aggregation, filtering and then detection of insider threat attack patterns based on log and log-like data in near real time on network platforms. It can be deployed as an agent separately or within the DoD's Host-Based Security System infrastructure on workstations, and is also deployable on web and DNS servers, printers, routers and firewalls to detect attacks normally undetectable through other means. DEU is highly scalable and secure, includes data integrity checks for extracted data, has a significantly low false positive rate, and fits the gap between massive data collection and analysis versus practical data collection based on risks. It also takes advantage of new standards for reporting and log data expression.

activities are identified, the payload may be encoded, making it harder for digital investigators to determine what occurred. This presentation provides valuable insight on exposing covert communications channels, data leakage and other unauthorized network activity. Event correlation and practical techniques to ferret out anomalous network traffic are discussed, along with analytical techniques for recognizing beacon Trojan activity and covert communications channels. At the end of this presentation attendees leave better equipped to identify and analyze anomalous network activity and perform in-depth investigations.

how physical acquisition and analysis tools operate.
its lone group of operators. Coreflood is a sophisticated trojan used primarily in online banking fraud, but its capabilities make opportunistic information theft easy. It has had a large impact on many government, law enforcement and military networks. Unlike many malware kits, this one is not for sale and is operated by one small but very capable team. The operators of the Coreflood botnet have operated mostly under the radar for years, frequently changing programmed targeting directives but only rarely changing C2 domain names and protocols. This presentation pinpoints the operators, explains the factors behind their success and offers countermeasures for mitigation. Ben Feinstein presents data mining and analytical methods applied to SecureWorks' vast data warehouse to identify and track Coreflood activity. These efforts provide information integral to actor attribution, intelligence benchmarking and countermeasure development. Don Jackson discusses the way this data is integrated with collaborative investigational findings produced through other signals intelligence (SIGINT), human intelligence (HUMINT) and open source intelligence (OSINT) to uncover the actors behind the threat, track their activity and provide an early warning system for Coreflood attacks.

introduction to the problem, the presenters explain the architecture of a GPU in general terms, highlighting the features that allow it to achieve such high performance. They describe, at a high level, the design and implementation of their password-cracking software and discuss the scalability of the code to multiple GPUs, whether on the same motherboard or in a distributed GPU cluster. Finally, the session reviews the results and the impact of high-performance GPUs on password security.

This presentation discusses the process of identifying key run-time features of malware and introduces a grammar for describing these run-time features. It also introduces a proof-of-concept tool for performing host-based malware detection using these run-time features.
Predictive Analytics
Friday, 0900-0950; Location: Courtland; Track: Defense Industry Base; Geek Meter: 1
Presenter: Michael Whitaker, Director, CACI, Inc.-Federal
This presentation provides an overview of attaching business process simulations to business intelligence dashboard technologies to provide predictive analysis capabilities. Current executive dashboard technologies for business process management, business activity monitoring and balanced scorecards rely on current situational data to present graphical information on dashboards. This overview shows how simulation models can be executed on demand from business intelligence applications to provide predictive, or future, dashboard metrics. The predictions are done within the context of the customer's operational processes and provide management with lead time to affect impacts on operational performance where traditional dashboard metrics fall short.
Over Anti-Virus, Through the Firewall, and Out Your Network the Data Goes
Thursday, 1330-1420; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 2
Presenter: Jesse Varsalone, Instructor/Course Developer, Defense Cyber Investigations Training Academy
The newer versions of Metasploit allow you to encode a payload into an existing executable. When launched, these encoded executables pass through the firewall and avoid anti-virus detection. The executables are encoded using the Shikata Ga Nai encoder. Shikata Ga Nai is a Japanese phrase that means "nothing can be done about it." The presenter demonstrates how the executables are encoded and delivered, and how the meterpreter payload can be utilized once the victim launches the file.
Profiles of Antivirus Scans: A Comparison of Eight AV Vendors' Virus Scan Effects on Last Accessed Times
Friday, 1000-1050; Location: Hanover E; Track: Forensics; Geek Meter: 2
Presenter: Charles Yarbrough Jr, InfoSec Analyst, CERT
One of the tenets of developing forensic timelines for cases in cyber investigations is the Last Accessed Time of files. A common problem for investigators performing digital investigations is that this timestamp can easily be changed by antivirus or anti-malware scans on suspect systems. In many cases this can disrupt or at least obfuscate timelines of what occurred on that system. The common perception is that once an antivirus scan is performed on a system, the timestamps for all files are changed. This presentation dispels this notion and refines what virus scans from eight antivirus vendors actually do when they scan. This is useful from an investigator's standpoint because each vendor's solution performs a different series of actions when scanning a system, thereby altering last accessed times in a unique manner. This pattern allows the investigator to more confidently determine investigative timelines and to be more accurate in describing what actually took place on a suspect system's file system. The ultimate goal of this research and presentation is to provide investigators the various scan patterns that can be discerned from each of the eight antivirus vendors' solutions.
Password Cracking
Wednesday, 0930-1020; Location: Inman; Track: Law Enforcement; Geek Meter: 2
Presenter: Brian Havens, FX Staff, DC3
The presentation provides an overview of encryption types and common strategies employed to crack them. The factors that make an encryption strategy secure or insecure are discussed so that users can make informed decisions when protecting systems or data.
vulnerabilities and common practices. PDF files are being utilized to exploit Adobe Reader vulnerabilities and have become a primary attack method to penetrate conventional security. By exploiting vulnerabilities at the browser and PDF plug-in level, criminals have successfully bypassed conventional network and host-based security, such as intrusion prevention, antivirus and web gateways. Modern malware then initiates outbound communications to exploit security policies. Once outbound traffic has been established, security policies allow related inbound connections without much constraint or supervision. With the increased use of web-based computing and file types like PDF, the problem is compounded because companies cannot shut off web traffic access, and they enable malware to communicate back to cyber criminals. This session examines new attack techniques like exploiting PDF and Flash vulnerabilities. Plus, learn how next-generation threat prevention technology works to accurately analyze and block advanced persistent threats embedded within PDF and web-based attacks.

A comparison is made of a 100,000+ node network with a decentralized infrastructure versus a centralized network with fewer than 1,500 nodes, and attendees see how the remediation needs and tactics varied. The session reviews several of the tactics, including Active Directory configuration, data centralization, network monitoring solutions, password change management software, setting user service expectations and project management of a large-scale remediation effort. Finally, details are presented about the products used, the challenges in implementation, effective project management, and the advantages and disadvantages of a centralized technical approach.
Russian Souvenirs
Wednesday, 1600-1650; Location: Auburn; Track: Research and Development; Geek Meter: 1
Presenter: Marita Fowler, Section Chief, SAG US-CERT
Over the past few years, crimeware kits have proven to be highly effective at compromising unsuspecting users and stealing valuable data. These easy-to-use kits have become the cyber weapon of choice and spawned a new breed of lazy, non-technical cyber criminals. This presentation provides live demonstrations of kit configurations and botnet operations for some of the most famous and infamous crimeware kits. US-CERT analysts also discuss various techniques, mitigation strategies, and evolutionary options for these financially motivated malware campaigns.
Responding to Advanced Persistent Threat Intrusions: Effective Tools, Tactics and Protocols for Enterprise Intrusion Investigations
Wednesday, 0830-1020; Location: Courtland; Repeat Session: Wednesday, 1500-1650; Location: Centennial Ballroom 4; Track: Defense Industry Base; Geek Meter: 2
Presenter: Stephen Windsor, Senior Associate, Booz Allen Hamilton
This panel brings together APT intrusion experts from a variety of government and defense industrial base organizations who have extensive experience responding to and mitigating APT intrusions in the enterprise. The focus is on effective incident management, investigative techniques, indicators of compromise and how to find them in the enterprise, and ultimately, remediation and risk mitigation techniques. The session concludes with discussion on developing an enterprise APT risk mitigation strategy.
Remediating Compromised Environments: Case Studies from Large and Small Enterprises
Thursday, 1100-1150; Location: Learning Center; Track: Forensics; Geek Meter: 2
Presenter: Wendi Rafferty, Managing Director, Mandiant
This session examines in-depth case studies of two intrusion investigations conducted in 2010. Both of these intrusions were conducted by groups of sophisticated attackers attempting to establish a foothold in each organization, as well as exfiltrate sensitive data. The overall numbers and statistics of each investigation are presented, along with details about how the compromises occurred, what type of malware was used, and the tactics leveraged by the attacker. Attendees learn how each compromise differed and, as a result, how each organization implemented remediation tactics in a different manner. The focus of the presentation is on the remediation portion of the investigation and how two separate organizations implemented solutions very differently.
you can do now to help protect and defend your data, network and personnel against social engineering attacks. The following topics are discussed: how easy it is to gain information that can put you at risk; how social engineering can also be done via technology; case studies and examples of techniques that work; and social engineer users. Sample courseware is available after the session for participants to download and modify.
is demonstrated that automates this process without the overheads that prove so costly for investigator and client alike.
Shadow Volume Link Manager and VirtualBox: Tools for Accessing Shadow Volume Data
Wednesday, 0830-0920; Location: Kennesaw; Track: Research and Development; Geek Meter: 1
Presenter: Timothy Leschke, DCCI Staff, DC3
According to Microsoft, over one-third of all data loss is the result of accidental file deletion or modification. In response to this accidental data loss, Microsoft developed the Volume Shadow Copy Service. This service archives key data and system settings, which allows Windows 7 and Windows Vista platforms to recover from accidental data deletion and from destabilizing events, such as a virus attack or the incorrect installation of a software or hardware device. This archiving service also makes it possible for a user to view previous versions of documents. Because of the amount of data that this service archives, the shadow volume has been referred to as a goldmine of forensic evidence. In this session, the speaker presents a method for accessing shadow volume data from a forensic examination machine that is running Windows XP. The use of a virtual machine running the Vista operating system, along with the DCCI-developed tool Shadow Volume Link Manager, are two of the tools demonstrated for accessing shadow volume data.
Security 101 Is Dead, Compliance Is the Living Dead: Real Security Techniques for Today's Environments
Friday, 1000-1050; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2
Presenter: Marshall Heilman, Director, Consulting, Mandiant
Auditors, teachers, security engineers and consultants have preached compliance and security 101 for years (I may have been guilty of this; I'm pleading the fifth). But it hasn't worked. Today's environments are too large and too complex for basic security measures to be effective. It is time for us as a community to take action. We need to start thinking about implementing complex security solutions that address real risks while enabling (not just allowing) business to operate. This session provides innovative security solutions used to better posture companies for the future. Each strategy is presented in light of the vulnerability that was exploited and the associated solution implemented to mitigate the threat. Attendees leave this presentation with realistic, actionable ideas for their own networks.
Social engineering is a technique that can be used to harvest data from a company or agency. Individuals who utilized social engineering techniques were often highly skilled, but in today's world anyone with access to a computer can be a master at this craft. During this presentation, attendees are exposed to techniques that can be used to harvest data from individuals. Utilizing these techniques and websites, investigators can find websites with specific content to help further aid their investigations.

session investigators learn how to use Splunk to index, search and analyze all enterprise threat data from a single location in real time, drastically cutting incident response times and limiting exposure to the threat by reacting more quickly.
SUSE Studio
Wednesday, 0830-0920; Location: Learning Center; Track: Forensics; Geek Meter: 2
Presenter: Dan Mares, Director, Forensic Development, Norcross Group
Attendees are shown how to subscribe to and build a SUSE Studio Linux boot disk suitable for forensic imaging processes. SUSE Studio makes building a custom Linux boot image as easy as logging in, choosing the packages you want to install and clicking Build. This session teaches attendees how to use the online SUSE Studio to build an ISO or thumb-drive Linux boot disk. Attendees also see how dcfldd with some custom scripts can make forensic disk imaging easy and verifiable. The scripts and a minimum number of default boot disks are provided.
Subject Identification
Thursday, 1500-1550; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 1
Presenter: Matthew McFadden, Instructor/Course Developer, Defense Cyber Investigations Training Academy
This session examines how to use public information available on the internet to search for subjects to establish leads and gather information on a target.
Some People Are Wise and Some Are Otherwise: An Overview of Data Collection for Effective Cyber CI
Friday, 0900-0950; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 1
Presenter: Steven Bolt, Instructor/Course Developer, Defense Cyber Investigations Training Academy
This session provides an overview of some open source data collection methods that may be used in the cyber CI arena. Once the tried and true individual tools have been presented, a data management and collection tool is demonstrated for the aggregation of the mundane collection utilities. Then the information is incorporated into i2 Analyst's Notebook for further analytical work.
over the years. There will never be a replacement for the experience and knowledge of a savvy investigator and his/her observational and intuitive skills. What has changed in the field of investigation is the advent of different kinds of evidence collected and the methodology for documenting and preserving it. This presentation addresses a specialized system-based solution that has been developed and implemented to assist investigators to electronically document evidence found in the field; identify, label and track it; keep precise attendance records at the scene; and be interoperable with the U.S. Department of Justice NIEM (National Information Exchange Model) compliance system.
The DoD Banner: The Impact of Key Cases over the Past Year
Thursday, 1550-1650; Location: Baker; Track: Legal; Geek Meter: 1
Presenter: Rick Aldrich, Senior Computer Network Operations Policy Analyst, Information Assurance Technology Analysis Center
To respond to United States v. Long and subsequent concerns related to the protection of privileged communications, DoD issued a new banner and user agreement policy memorandum on May 9, 2008. The presentation addresses issues that have arisen with regard to the DoD-standardized language now required in all banners and user agreements, such as the June 2010 Supreme Court case of Quon v. City of Ontario, the first case in which the Court was asked to address the reasonable expectation of privacy of the electronic communications of government employees in the workplace. How does this case impact the DoD banner? We also explore a host of other cases. How does the New Jersey Supreme Court's decision in Stengart v. Loving Care Agency impact the DoD banner? How have military cases dealt with the banner? How is the DoD banner likely to be impacted by federal efforts to standardize banner and user agreement language across the federal government? How is DoD responding to Congressional inquiries relating to the banner? Why is DoJ advocating taint teams in investigations relying on the DoD banner? Does the banner impact the handling of Privacy Act and HIPAA data?
The Business of Bots and How to More Effectively Combat This Threat
Friday, 1000-1050; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 2
Presenter: Jonathan Gillman, Founder, CEO, Omniangle Technologies
The United States is under constant attack from botnets, many of which are under the control of foreign entities. Information gathered from botnet attacks is often incomplete due to the IP spoofing botmasters use to cover their tracks. However, there is a highly lucrative use of botnets that leaves behind more usable information: affiliate marketing fraud. This presentation describes how and why botnets are used to commit this type of fraud, what information is left behind and how that data can be used to aggressively fight back against the infestation of botnets currently operating within the United States.
The Malies: An Award Show for Epic Fail and Grand Success in Malicious Software
Thursday, 1500-1650; Location: Hanover E; Track: Forensics; Geek Meter: 1
Presenters: Nick Harbour, Malware Analysis Team Lead, Mandiant; Peter Silberman, Malware Analyst, Mandiant; Stephen Davis
This is an award-show-style presentation to honor the novel, innovative aspects of malicious software and the head-scratching, curious blunders. Presented by three malware analysis ninjas, this discussion pulls from Mandiant's rich repository of targeted malware to bring special recognition to malware authors for their achievements (or lack thereof). The categories presented range from Most Pointless Tool to Best Persistence Technique to Most Blatant Disregard for Getting Caught. Details are covered in each award, but this presentation is more fun than technical and there is something here for everyone regardless of your background.
followed by brief technology demonstrations. Discussion and demonstration are geared toward the real-world impact of associating the inherent weaknesses of wireless networking with the power of an advanced penetration testing suite.
The Whiddler
Wednesday, 1030-1150; Location: Dunwoody; Track: Forensics; Geek Meter: 2
Presenter: Dr. Mark Mason, IA Technologist, 90th Information Operations Squadron
The Whiddler is a malware filtering tool based on statistical PE structural anomalies and a Bayesian inference algorithm. The Portable Executable (PE) format is a file format for executables, object code and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. The Whiddler is able to achieve reliable results while processing up to five files per second, making it suitable for analyzing large quantities of files collected from the Air Force computer network. The prototype has several innovative aspects, including PE observables, a Bayesian inference engine and a Java graphical user interface.
seem to be an insurmountable task. To assist in this task, this session illustrates methods for the discovery and vetting of attack indicators. The rapid creation of tools and processes to assist in determining indicator utility and level of significance is also discussed, and iterative refinement of information gathering capabilities, along with condensation and compilation of various information resources into actionable intelligence, is demonstrated.
The Wild, Wild, Web: Knowing the Basics for Online Investigations
Wednesday, 0830-1020; Location: Hanover F-G; Repeat Session: Thursday, 0830-0920; Location: Auburn; Track: Law Enforcement; Geek Meter: 1 Presenter: Jayne Hitchcock, President, WHOA All attendees should know the basics of investigating online cases, whether for e-mails, message boards, social networking sites (such as Facebook), chat or IM. Attendees learn how to trace messages, contact the proper ISPs involved and how to work with victims. ISP/web site contact information specifically for law enforcement is provided that is not available to the general public.
The NIJ Electronic Crime Technology Center of Excellence: Delivering Electronic Crime & Digital Evidence Tools, Technologies & Resources to the Criminal Justice Community Panel
Thursday, 0930-1150; Location: Grand Hall B; Track: Law Enforcement; Geek Meter: 1 Presenters: Martin Novak, Physical Scientist, NIJ; Robert O'Leary, Director, NIJ Electronic Crime Technology Center of Excellence; Dr. Victor Fay-Wolfe, Project Developer, NIJ; Russell Yawn, Deputy Director, NIJ; Randy Becker, Project Coordinator, NIJ; Dr. Mark Davis, Publication Development Coordinator, NIJ; Don Stewart, Project Manager, NIJ; Michael Termenelli, Project Manager, NIJ This panel showcases the mission, goals and success stories of the National Institute of Justice Electronic Crime Portfolio, including the tools and technologies research and development projects funded by NIJ. The distribution capabilities developed by the NIJ Electronic Crime Technology Center of Excellence and partner, University of Rhode Island, to deliver these tools and technologies to the criminal justice community are reviewed. The NIJ-funded tools and technologies to be showcased include: the NIJ ECTCoE Resource website; MacMarshall; Live Acquisition Triage Tool (LATT); Windows PE Boot CD SAFE; Redlight Human Image Detection Tool; String Search Tool; and NIJ ECTCoE electronic crime and digital evidence testing and evaluation reports. In addition, the resources delivery capability developed by the NIJ ECTCoE is introduced, including: the searchable electronic crime and digital evidence training database; the electronic crime and digital evidence tool and technology searchable database resource; the digital evidence device photo and video library; and the ECTCoE tool and technology testing and evaluation report library. Additionally, the post-course online testing and Technical Working Group collaboration capabilities launched by the NIJ ECTCoE through the CyberCop Portal are demonstrated.
U.S. Department of Defense Cyber Crime Conference 2011, Cyber Hunters: Predators and Prey...
Understand the Security Concerns Associated with Virtualization
Wednesday, 1500-1550; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2 Presenter: Jay Ferron, Security Practice Lead, Global Knowledge Many organizations realize the benefits of implementing virtualization. In fact, by implementing virtualization, you can reduce the number of physical host computers. But does it reduce or add risk to your infrastructure? The goal of this session is to take a look at all of the issues and identify areas of concern for a cyber specialist.
timeline and digital mapping software packages used by attorneys and investigators today. They are focusing on how meaning can be brought to forensic data cost-effectively using software automation. This technology is demonstrated in the session.
analysis, and then back it up in court or otherwise, you need to understand how time-stamps work. This presentation begins by laying the foundations of time-based analysis, focusing on the natural behavior of objects in the NTFS file system before moving on to how time-stamps are stored in objects such as the MFT and directory indexes. The discussion ends with advanced concepts such as recovering and decoding time-related data from unallocated space, comparing and contrasting the functionality of various time records (e.g. the Standard Information Attribute vs. the File Name Attribute), and how these artifacts may be intentionally or inadvertently manipulated.
that led the investigators to believe that they were dealing with a criminal utilizing open WiFi networks to anonymize their activities are examined as well. Included in the discussion are issues associated with a suspect conducting criminal activity in different environments (urban/city, apartment and suburban residential environments) and associated factors for conducting a WiFi surveillance/investigation in these environments. These factors include physical and environmental restrictions while conducting the WiFi surveillance; differing equipment requirements; and WiFi tool selection and employment of the tools. One of the case studies details illegal use of open WiFi networks in conjunction with the use of malware to steal personal identifying data and banking information from dozens of victims located around the country. The suspect used this stolen data to establish eBay and PayPal accounts used to facilitate the sale of counterfeit software.
innocent corporate laptops using wireless. These forms of extrusion carry over into the enterprise as well. Data leakage from the wired side continues to be prominent in enterprise networks, exposing hosts, usernames and even clear-text passwords for critical network infrastructures, thus exposing this data to promiscuous wireless attackers.
A case study is provided outlining the anatomy of a wireless attack on a corporate network, showing the basis for the types of attacks that can occur. After covering the anatomy of the attacks and the perpetrators the session outlines steps for an appropriate Wireless Incident Response Plan, both technically and procedurally. Sources for additional information also are referenced and cited.
Windows 7 Artifacts
Thursday, 1330-1420; Location: Dunwoody; Track: Forensics; Geek Meter: 1 Presenter: Rob Attoe, Director, Public Sector, AccessData With the release of Windows 7 in 2009, many new PCs are now being shipped with this operating system preinstalled. This session introduces the key areas of change from Windows XP/Vista systems from a forensic standpoint and discusses the interpretation of the new artifacts.
Ovie Carroll has 24 years of law enforcement experience, 20 of which he spent as a law enforcement officer/federal agent. He is currently the Director for the Department of Justice Cybercrime Lab at the Computer Crime and Intellectual Property Section (CCIPS). The Cybercrime Lab is responsible for providing cybercrime investigative, computer forensic and other technical support to DOJ attorneys as it applies to implementing the Department's national strategies in combating computer and intellectual property crimes worldwide. Mr. Carroll is also an adjunct professor with George Washington University, teaching two classes, Cyber Crime/Internet Investigations and Interview and Interrogation, in the Master's of Forensic Science program. Mr. Carroll is an instructor and course developer with the SANS Institute, where he teaches the Digital Forensic 408 class. Prior to joining the Department of Justice, Mr. Carroll was the Special Agent in Charge of the Technical Crimes Unit at the Postal Inspector General's Office, responsible for all computer intrusion investigations within the USPS network infrastructure and providing all computer forensic analysis in support of investigations and audits. Within the Technical Crimes Unit, Mr. Carroll was also responsible for managing the Technical Surveillance Section, whose mission included the deployment, installation and monitoring of technical surveillance equipment, surveillance and tracking devices used to track people and devices in support of criminal investigations. Mr. Carroll has also served as the Special Agent in Charge of the Computer Investigations and Operations Branch, Air Force Office of Special Investigations, Washington Field Office, where he was responsible for coordinating all national-level computer intrusions occurring within the United States Air Force. He has extensive field experience applying his training to a broad variety of investigations and operations. As a special agent with the AFOSI, Mr. Carroll has also worked as a computer intelligence agent and in resource protection, where he protected highly classified information, physical devices and operations. In addition to his career fighting computer crime, Mr. Carroll has led and assisted in the planning and conduct of counterintelligence inquiries and has conducted investigations into a variety of offenses including murder, fraud, bribery, theft, gangs and narcotics.
Bill Eber is the Director of the Defense Cyber Crime Institute (DCCI) at the Department of Defense Cyber Crime Center (DC3). DCCI serves as the RDT&E element within DC3, providing research and development support as well as testing and evaluation services for the Defense Computer Forensics Laboratory (DCFL). Mr. Eber has a Bachelor's degree in Mathematics and a Master's degree in Advanced Information Technology and has served in numerous capacities within the Intelligence Community over the past 28 years. Prior to assuming his current position, Mr. Eber served as a Technical Director within the Information Assurance Directorate at NSA.
Don Flynn
Attorney Advisor, Department of Defense Cyber Crime Center (DC3)
Don Flynn is the Attorney Advisor for the Department of Defense Cyber Crime Center. His duties consist of developing and teaching computer law-related classes at the DoD Cyber Investigations Training Program, as well as providing legal counsel for that organization, the DoD Computer Forensic Laboratory, the DoD Cyber Crime Institute, the National Cyber Investigative Joint Task Force-Analytical Group, and the DoD-DIB Collaborative Information Sharing Environment. A retired Air Force officer, he also is an adjunct faculty member for the Johns Hopkins University Carey School of Business, where he teaches classes concerning digital forensics.
Randolph Georgieff
Team Lead, Digital Forensic Intelligence (DFI) Team, Futures Exploration Section, Department of Defense Cyber Crime Center (DC3)
Randolph Georgieff has 20 years of experience, both in law enforcement and as a Digital Forensics Examiner (DFE) at DC3. He is currently working on digital forensics projects at the DC3 Futures Exploration Section, serving as team lead for the DC3 Digital Forensics Challenge (http://www.dc3.mil/challenge/), working with the secure Law Enforcement Community Portal and the National Repository for Digital Forensic Intelligence (NRDFI) (https://www.nrdfi.net/), and exploring and testing new digital forensic tools and processes with the DF vendor community. Mr. Georgieff coordinates with academia and other digital forensic professionals on finding solutions to the latest DFE challenges.
Jim Christy is a retired special agent who has specialized in cyber crime investigations and digital evidence for over 25 years in 39 years of Federal service. Mr. Christy returned to the Federal government as an IPA and is currently the Director of Futures Exploration for the Defense Cyber Crime Center (DC3) and was profiled in Wired magazine in January 2007. From November 2003 to November 2006, Mr. Christy was Director of the Defense Cyber Crime Institute (DCCI) at DC3. The DCCI is responsible for the research and development and test and evaluation of forensic and investigative tools for the DoD Law Enforcement and Counterintelligence organizations. FX also is charged with intelligence analysis, outreach and strategic relationships for DC3. Mr. Christy is a retired Air Force Office of Special Investigations computer crime investigator. He consulted with David Marconi (author of Enemy of the State, Mission Impossible 2 and Live Free or Die Hard) and provided technical advice on the critical infrastructure attacks used in the movie Live Free or Die Hard. The Association of Information Technology Professionals awarded Mr. Christy the 2003 Distinguished Information Science Award for his outstanding contribution through distinguished services in the field of information management. Previous recipients of this prestigious award include Admiral Grace Hopper, Gene Amdahl, H. Ross Perot, General Emmett Paige, Bill Gates, Lawrence Ellison, David Packard and Mitch Kapor.
John T. Lynch, Jr. was appointed as the Principal Deputy Chief in the Computer Crime and Intellectual Property Section (CCIPS) in November 2010. Prior to that, he served as the Deputy Chief for Computer Crime beginning in September 2006. Mr. Lynch entered the Department's Civil Division through the Attorney General's Honors Program in 1995 and has served in the Criminal Division at CCIPS since 1997. He joined the section as a Trial Attorney before he became Senior Counsel, Litigation Coordinator, and then Deputy Chief. During his time at CCIPS, Mr. Lynch has developed expertise on computer crime and cyber security. He regularly gives assistance and guidance to AUSAs and law enforcement agents in complex investigations involving computer crimes and electronic evidence collection. He has also advised senior Department officials on all aspects of cybercrime and cyber security policy and legislation. He has also contributed to CCIPS's international work, most notably as a member of the team negotiating the first multilateral treaty on computer crime at the Council of Europe, for which the team received the Attorney General's Distinguished Service Award in 2002. He received his B.A. from the University of Rochester and his law degree from Cornell Law School.
Alan Paller
Director of Research, SANS Institute (DC3)
The Honorable Howard Schmidt has had a distinguished career in defense, law enforcement and corporate security spanning more than 40 years. He brings together talents in business, defense, intelligence, law enforcement, privacy, academia and international relations. He currently is Special Assistant to the President and the Cybersecurity Coordinator for the federal government. In this role, Mr. Schmidt is responsible for coordinating interagency cybersecurity policy development and implementation and for coordinating engagement with federal, state, local, international and private sector cybersecurity partners. Previously, Mr. Schmidt was the President and CEO of the Information Security Forum (ISF). Before ISF, he served as Vice President and Chief Information Security Officer and Chief Security Strategist for eBay Inc. He also served as Chief Security Strategist for the US-CERT Partners Program for the Department of Homeland Security. Before eBay, he served as the Vice Chair of the President's Critical Infrastructure Protection Board and as the Special Adviser for Cyberspace Security for the White House. Prior to serving the White House, Mr. Schmidt was Chief Security Officer for Microsoft Corp., where his positions included Chief Information Security Officer and Chief Security Officer, and where he formed and directed the Trustworthy Computing Security Strategies Group. Before Microsoft, Mr. Schmidt was a supervisory special agent and director of the Air Force Office of Special Investigations (AFOSI) Computer Forensics Lab and Computer Crime and Information Warfare Division. While there, he established the first dedicated computer forensics lab in the government and was responsible for criminal and counterintelligence investigations against Department of Defense systems. Before AFOSI, Mr. Schmidt was with the FBI at the National Drug Intelligence Center, where he headed the Computer Exploitation Team.
He is recognized as one of the pioneers in the field of computer forensics and computer evidence collection. Before working at the FBI, Mr. Schmidt was a city police officer from 1983 to 1994 for the Chandler Police Department in Arizona. Mr. Schmidt served with the U.S. Air Force in various roles from 1967 to 1983, both in active duty and in the civil service. He served in the Arizona Air National Guard as a computer communications specialist from 1989 until 1998, when he transferred to the U.S. Army Reserves as a Special Agent, Criminal Investigation Division, serving until 2010 with the computer crime investigations unit at CID HQ. Mr. Schmidt also served as the international president of the nonprofit Information Systems Security Association (ISSA) and was the cofounder and first president of the Information Technology Information Sharing and Analysis Center (IT-ISAC). He was the Vice-Chair of the Board of Directors for (ISC)2 and Security Strategist for the Board. He is a former executive board member of the International Organization of Computer Evidence, and served as the co-chairman of
Alan Paller is founder and research director of the SANS Institute, a graduate degree-granting college and security training and research institution with more than 120,000 alumni in 70 countries. At SANS, he leads a global security innovation program that identifies people and practices that have made a measurable difference in cyber risk reduction, and illuminates those innovations so other security practitioners can take full advantage of them to improve security in their enterprises. He also oversees the Internet Storm Center (an early warning system for the Internet), NewsBites, the semi-weekly security news summaries that go to 210,000 people, @RISK (the authoritative summary of all critical new vulnerabilities discovered each week), and the identification of the most damaging new attacks being discovered each year. He has testified before both the U.S. Senate and House of Representatives. President Clinton recognized his leadership in the year 2000 by naming him as one of the initial members of the President's National Infrastructure Assurance Council. The Office of Management and Budget and the Federal CIO Council named Alan as their 2005 Azimuth Award winner, a singular lifetime achievement award recognizing outstanding service of a non-government person to improving federal information technology. Mr. Paller was one of seven people named by the Washington Post in 2010 as worth knowing, or knowing about, in cyber security. The list included General Alexander, who heads the U.S. Cyber Command, Howard Schmidt, the White House Cyber Coordinator, and other national leaders. Earlier in his career Mr. Paller helped build a software company, took it public and merged it into a larger company listed on the New York Stock Exchange. His degrees are from Cornell University and the Massachusetts Institute of Technology.
Jeffrey L. Troy
Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation
Mr. Troy joined the FBI as a Special Agent in 1986. Mr. Troy served in the Pittsburgh and New York Offices investigating cyber, public corruption and financial criminal matters. As a manager he has served in Wilmington, Delaware and Milwaukee, Wisconsin, establishing and enhancing the Cyber Crime Programs and Cyber Crime Task Forces. Mr. Troy manages the Cyber National Security and Cyber Criminal Programs. Mr. Troy has worked aggressively to build strong domestic and international cyber law enforcement partnerships through collocation of investigative, data collection and analytical resources, joint investigations, and development of threat mitigation strategies.
Special Agent Steven Shirley is Executive Director for the Department of Defense Cyber Crime Center (DC3), a national cyber center incorporating five organizations: the Defense Computer Forensics Laboratory, the Department of Defense's only accredited lab for conducting deep forensic examinations of electronic media; the Defense Cyber Investigations Training Academy, a training center to create DoD cyber crime investigators and digital forensic examiners; the Defense Cyber Crime Institute, which performs research, development, test and validation for software and hardware in forensic applications; the National Cyber Investigative Joint Task Force/Analytical Group, an interagency collaboration; and the Defense Industrial Base Collaborative Information Sharing Environment, the DoD clearinghouse and focal point for the referral of intrusion events affecting the Defense Industrial Base. DC3 operates under the executive agency of the Secretary of the Air Force. Mr. Shirley served in the Air Force, where he commanded counterintelligence, antiterrorism and investigative operations at every level of the Air Force. He was also a counterintelligence support officer to a unified command, and on the Office of the Secretary of Defense staff, where he developed positions to protect DoD sensitive programs during arms control treaty inspections. In 2004, Mr. Shirley retired from the Air Force in the rank of colonel and was appointed to the Senior Executive Service. Prior to assuming his current position, he was the Vice Commander, Air Force Office of Special Investigations.
William Yurek is a Special Agent and Cyber Program Manager at the Defense Criminal Investigative Service. He also serves as the DCIS representative to the National Cyber Investigations Joint Task Force. Before working for DCIS, Mr. Yurek was a Senior Counsel in the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice in Washington, D.C. He recently completed military service in the Air Force Office of Special Investigations as the senior military representative to the U.S. National Cyber Investigations Joint Task Force. Mr. Yurek has also been a Senior Counsel in the Enforcement Division of the U.S. Securities and Exchange Commission, where he conducted the first investigation and prosecution of an internet stock manipulation scheme in SEC history. Mr. Yurek was a Team Leader and Investigator for the U.S. House of Representatives Select Committee on National Security and the People's Republic of China. He was a Special Assistant U.S. Attorney in the Eastern District of Virginia, the Central District of California, the Southern District of Florida and the District of Columbia. He also served as Counsel and Deputy Director of the Washington, D.C., area Joint Cyber Task Force. Mr. Yurek began his law enforcement career as a Special Agent in the U.S. Air Force Office of Special Investigations. In that position, he investigated felony criminal offenses including terrorism, fraud, narcotics, espionage and computer crime. He is a DoD-certified computer crime investigator and remains a reserve special agent with AFOSI today, assigned to the Office of the Director, Defense Cyber Crime Center.
Jason P. Agurkis
inventor of numerous patented and patent-pending technologies and has conducted extensive research on reputation systems, spam detection, public-key and identity-based cryptography, and network intrusion detection and prevention. As a recognized authority on online organized criminal activity, cyber warfare and cybersecurity, Mr. Alperovitch has significant experience working as a subject matter expert with all levels of U.S. and international law enforcement on analysis, investigations and profiling of transnational organized criminal activities and cyberthreats from terrorist and nation-state adversaries. He is frequently quoted as an expert source in national media outlets, including The Associated Press, NBC, The New York Times, USA Today and The Washington Post. Prior to joining McAfee, Mr. Alperovitch led the research team and the software-as-a-service business at Secure Computing. He is a frequent speaker and panelist at law enforcement, academic and leading security industry conferences.
Senior Manager, BAE Systems
Erica Andren is a Senior Manager for BAE Systems, where she is responsible for the establishment of cyber analysis capabilities at the enterprise level. Prior to joining BAE Systems, she was the Director of Operations for Detachment 1 of the 318th Information Operations Group of the 688th Information Operations Wing (formerly known as the Air Force Information Operations Center) and liaison to the Department of Defense (DoD) Cyber Crime Center (DC3). At DC3 she established a counterintelligence cell in the National Cyber Investigative Joint Task Force and was the Director of the DoD-Defense Industrial Base Collaborative Information Sharing Environment, the first-ever successful collaboration between the U.S. government and the defense industry. She has also served in various Air Force intelligence officer positions, including Senior Watch Officer, Command Briefer, Flight Commander and then Intelligence Systems Chief for U.S. Air Forces Central. She has deployed in support of Operations SOUTHERN WATCH, ENDURING FREEDOM and IRAQI FREEDOM. Ms. Andren holds a Bachelor of Science in Physics from the United States Air Force Academy and a Master of Library and Information Science from the University of South Carolina.
Digital Forensics Team, Outreach, Webmaster, Department of Defense Cyber Crime Center/Futures Exploration (DC3/FX)
Brian Andrzejewski is a ManTech SMA employee currently assigned to the DoD Cyber Crime Center, Futures Exploration (DC3 FX). He comes to the Department of Defense with over 15 years of IT experience as a consultant, technician, web developer, procurement specialist, informatics specialist, system analyst, network administrator and project manager in the residential, education, commercial and healthcare industries. Mr. Andrzejewski's current duties include serving as webmaster for DC3's websites, Outreach, and project lead for the National Repository for Digital Forensics Intelligence (NRDFI).
He also supports the development and administration of the DC3 Digital Forensics Challenge. Mr. Andrzejewski is a Microsoft Certified System Administrator (MCSA) and Apple Certified Support Professional (ACSP), with training as an Accredited Purchasing Practitioner (APP), a Six Sigma Black Belt, and a Cisco Certified Network Associate (CCNA). He is actively pursuing certification as a DoD Certified Basic Digital Forensic Examiner. He holds a Bachelor of Science degree in Computer Information Systems from Towson University and an Associate of Arts degree in Computer Information Systems from Harford Community College. In his spare time, he is known to modify hardware and his car, operate as a designated Curio and Relics collector and play in competitive, team-based online video games.
Director, Public Sector Training, AccessData Corporation
Rob Attoe is Director, Public Sector Training, at AccessData Corporation. As an instructor for AccessData, he develops digital forensics and decryption training solutions for local, state, federal and international law enforcement agencies, as well as worldwide corporate entities involved in the prevention, investigation and prosecution of high-technology crime. Integral to this role is the coordination of custom curriculum and the management of federal and governmental programs worldwide, which relies heavily on his ability to liaise for federal training initiatives along with his expertise in training room and mobile lab hardware management. Prior to joining AccessData, Mr. Attoe served as a Computer Crime Specialist II in the Computer Crime Section of the National White Collar Crime Center (NW3C) located in Technology Park, Fairmont, WV. While presenting the Basic Data Recovery and Analysis (BDRA) and Advanced Data Recovery and Analysis (ADRA) courses, he worked extensively on the research and design for their development, implementation and maintenance. He was with the NW3C from October 2003 to June 2005. Mr. Attoe is a member of the International Association of Computer Investigative Specialists (IACIS), from which he obtained certification as a Forensic Computer Examiner in 2005 and recertified in 2008. He has also co-authored many digital forensics courses throughout the world, including the Applied NT Forensics class for the National Hi-Tech Crime Unit in the United Kingdom. Mr. Attoe has served as an instructor at the annual IACIS conference and regularly presents at other international conferences and organized events such as the HTCIA, DoD and Cybercrime events.
Founder and CEO, FireEye, Inc.
Ashar Aziz holds over 20 patents in networking, network security and datacenter virtualization. Mr. Aziz founded Terraspring, which was successfully acquired by Sun Microsystems in 2002, after which he became CTO of the company's N1 program. Before launching Terraspring, Mr. Aziz was a distinguished engineer at Sun, focused on networking and network security. He is a leading authority on botnets and other rampant malware and often speaks at business and industry forums. Mr. Aziz holds an S.B. in Electrical Engineering and Computer Science from MIT and an M.S. in Computer Science from the University of California, Berkeley, where he was a recipient of the UC Regents Fellowship. His past speaking engagements include ISSA/InfraGard Cornerstones of Trust 2010, US-CERT GFIRST 2009, ISACA Information Security and Risk Management Conference 2009, DoD Cyber Crime 2009, DoD Phoenix Challenge 2009, DeVenCI Conference 2009, RSA 2007: Peer-2-Peer session host, Internet2 Joint Techs conference, January 2008, InfraGard/FBI Conference, February 2008, and the Morgan Stanley CTO Summit, June 2008.
Rob Attoe
Erica Andren
Ashar Aziz
Brian Andrzejewski
Dmitri Alperovitch
Director of Incident Response, General Electric
Richard Bejtlich is Director of Incident Response for General Electric, and leader of the GE Computer Incident Response Team (GE-CIRT, www.ge.com/cirt). Prior to joining GE, Mr. Bejtlich operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's incident response team, and monitored client networks for Ball Corporation. Mr. Bejtlich began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). He is a graduate of Harvard University and the United States Air Force Academy. He wrote The Tao of Network Security Monitoring and Extrusion Detection, and coauthored Real Digital Forensics. He also writes for his blog (taosecurity.blogspot.com) and teaches for Black Hat.
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Jonathan Bennett is an employee of CSC assigned to the Defense Cyber Investigations Training Academy (DCITA) as an instructor and curriculum developer for DCITA's Technology track. Prior to becoming an instructor, Mr. Bennett worked as a network and computer support technician at DCITA. Prior to coming to DCITA, he worked as a computer technician with a small computer support company. Mr. Bennett has completed a Bachelor's degree in Information Systems Management from University of Maryland University College, and has achieved A+ and Security+ certifications from the Computer Technology Industry Association (CompTIA), Microsoft Certified Professional (MCP) certification and CISSP from the International Information Systems Security Certification Consortium, Inc. (ISC)2.
Chief Executive Officer, Cipher Tech Solutions, Inc.
keith Bertolino is the Chief Executive Officer and cofounder of Cipher Tech Solutions, Inc., a rapidly growing small business comprised of engineers and scientists supporting the defense and intelligence communities. Mr. Bertolino began his technical career in 2001 in IT support, building a company out of his parents basement while in high school. His young company supported many law firms in the suburbs of New york City. As a college undergraduate, he became involved with the Department of Defense, working for DC3. At DC3, he specialized in custom software development and created several tools that are still being used by the Defense Computer Forensics Laboratory. Mr. Bertolino has also published two research papers: the first on wireless security and another on steganography jamming. His research generated international attention in 2008 when it was featured in the August issue of IEEE Spectrum.
richard bejtlich
Jonathan bennett
paul bartruff
randy becker
keith d. bertolino
brian baskin
Richard Boyd
Senior Research Scientist, Georgia Tech

Richard Boyd is a senior research scientist at the Georgia Tech Research Institute. Dr. Boyd has over 13 years of professional software development experience and has been the lead software engineer on projects involving mission planning and simulation, real-time rendering and GPU computing. He worked for Hughes Space and Communications (now Boeing Satellite Systems) before joining GTRI in 2000. Dr. Boyd has a Ph.D. in physics from the California Institute of Technology.

Sam Brothers
Digital Forensics Analyst, U.S. Customs and Border Protection

Sam Brothers currently works for U.S. Customs and Border Protection as a Digital Forensics Examiner. He has been in the IT field for over 20 years and currently specializes in cell phone, GPS and computer forensics. He has been featured in USA Today and currently teaches Digital Forensic Analysis classes around the country for various U.S. law enforcement organizations. He also teaches, and helped develop, the only GPS forensic certification in the world.

Kathleen Buonocore
Director, Regional Computer Emergency Response Team-CONUS (RCERT-CONUS)

Kathleen Buonocore assumed the position of Director, Regional Computer Emergency Response Team-CONUS (RCERT-CONUS) in December 2000. The mission of RCERT-CONUS is to provide for the computer network defense of active Army, National Guard and Army Reserve networks within CONUS. Prior to this assignment, she held positions in the RCERT-CONUS as incident handler, data analyst and section supervisor.

Dawn Cappelli
Technical Manager, Software Engineering Institute/CERT

Dawn Cappelli is Technical Manager of CERT's Threat and Incident Management Team at Carnegie Mellon University's Software Engineering Institute. Her team's mission is to assist organizations in improving their security posture and incident response capability by researching technical threat areas; developing information security assessment methods and techniques; and providing information, solutions and training for preventing, detecting and responding to illicit activity. Team members are domain experts in insider threat and incident response. Team capabilities include threat analysis and modeling; development of security metrics and assessment methodologies; and creation and delivery of training and workshops. Ms. Cappelli has 30 years of experience in software engineering, including programming, technical project management, information security and research. She is often an invited speaker at national and international venues and is an adjunct professor in Carnegie Mellon's Heinz College of Public Policy and Management. Before joining CMU in 1988 she worked for Westinghouse as a software engineer developing nuclear power systems.

John Carney
Chief Forensic Officer, Carney Forensics

John Carney is Chief Forensic Officer and a practicing small-scale digital device forensic examiner at Carney Forensics. He has had a 30-year software engineering and information technology career. He was educated at the Massachusetts Institute of Technology (MIT) Media Lab, where he earned a Bachelor of Science degree. He is a licensed attorney in Minnesota with a law firm in St. Paul focused on small business and entrepreneurs, and is a Minnesota Qualified Neutral licensed as a mediator and arbitrator. Educated at Hamline University School of Law, Mr. Carney earned a Juris Doctor degree and Certificate in Dispute Resolution. He is an adjunct professor at Hamline University, where he teaches Law Office Technology in the Legal Studies program; his curriculum includes units in computer forensics, mobile phone forensics, electronic discovery and litigation support.

Brian Carrier
Director of Digital Forensics, Basis Technology

Brian Carrier leads the Digital Forensics team at Basis Technology, which designs and develops products and custom systems. He is the author of the book File System Forensic Analysis and has developed several open source digital forensic analysis tools, including The Sleuth Kit and the Autopsy Forensic Browser. Mr. Carrier has a Ph.D. in computer science from Purdue University and previously worked for @stake as a research scientist and technical lead for their digital forensic lab's response team. He serves on the committees of many conferences, workshops and technical working groups, including the Digital Forensic Research Workshop (DFRWS) and the Digital Investigation journal.

Eoghan Casey
Founding Partner, cmdLabs

Eoghan Casey is founding partner of cmdLabs, a Newberry Group subsidiary specializing in cyber security and digital forensics. For over a decade he has dedicated himself to advancing the practice of incident handling and digital forensics. He helps client organizations handle security breaches and analyzes digital evidence in a wide range of investigations, including network intrusions with international scope. He has testified in civil and criminal cases and has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases. He provides specialized training in mobile device forensics and network forensics. As a Director of Digital Forensics and Investigations at Stroz Friedberg, Mr. Casey maintained an active docket of cases and co-managed the firm's technical operations in the areas of computer forensics and cyber crime response. He also has extensive information security experience as an Information Security Officer at Yale University and in subsequent consulting work. Mr. Casey wrote the foundational book Digital Evidence and Computer Crime, coauthored Malware Forensics, and created the Handbook of Digital Forensics and Investigation. He also conducts research and teaches graduate students at Johns Hopkins University Information Security Institute and is editor-in-chief of Digital Investigation: The International Journal of Digital Forensics and Incident Response.

Pictured: Sean Bodmer, Sam Brothers, John Carney, Brian Carrier, Steven Bolt, Kathleen Buonocore, Eoghan Casey, John Bordwine
coach of the International Association of Computer Investigative Specialists (IACIS) and a member of the International Information Systems Forensics Association (IISFA) and the International Information Systems Security Certification Consortium (ISC)2. He has taught and lectured at the Defense Cyber Crime Conferences (2007-2009), the 4th OLAF European Computer Forensic Training (2010), and numerous specialized training sessions throughout the U.S. and E.U. He has published articles in Military Information Technology, PC Computing and MacWorld magazines and is a contributing author of Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit, OS X Exploits and Defense, The Best Damn Cybercrime and Digital Forensics Book Period and the Computer Hacking Forensic Investigator (CHFI) Study Guide.

Mike Cowan
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)

Mike Cowan is an employee of CSC assigned to the Defense Cyber Investigations Training Academy (DCITA). He has over 20 years of experience in information systems and information security. Mr. Cowan is an instructor for DCITA's Network Investigations Track; he has an M.S. in Forensic Studies, Information Technologies and a B.S. in Internetworking Technologies and holds CISSP, MCSE, CEH and ECFE certifications. Before teaching at DCITA, Mr. Cowan was employed by Verizon as an IT Manager working in technical support, information security and business continuity. He retired from the U.S. Coast Guard in 1997 with 21 years of active duty service.

Ed Cronin
Project Director, Advanced Response Concepts

Ed Cronin is currently the project director for the Condor mobile evidence collection and tracking handheld device at Advanced Response Concepts in Gardner, Massachusetts. He is the former chief of police of the City of Fitchburg, Massachusetts. He earned his Master's degree in Criminal Justice Management at the University of Massachusetts at Lowell and has studied the British criminal justice system at Queen's College, Oxford University, in England. He is working to complete a Certificate in Advanced Graduate Studies (post-master's degree) at Suffolk University in Boston in Organizational Development and Change with a concentration in Systems Thinking. During his 26-year law enforcement career he was also Chief of Police in Gardner, Massachusetts. He has worked in several countries of the former Soviet Union training police and communities in democratic methods of policing and domestic violence education, and has worked at the U.S. Embassy in Cairo, Egypt, as a police advisor to the Egyptian Police. He is certified by the Institute for Professional Excellence in Coaching as an executive coach.

Adam Cummings
Member of the Technical Staff, CERT Program, Software Engineering Institute

Adam Cummings is currently a member of the technical staff at CERT. He is a critical member of the insider threat team, which focuses on insider threat research, threat analysis and modeling, assessments and training. Mr. Cummings has over 10 years' experience in information systems, information assurance, military communications, project management and information technology education. He is a former Marine officer and holds an M.S. in Information Security Policy Management from Carnegie Mellon University and a B.F.A. in Visual Journalism from Rochester Institute of Technology.

Michael Cyr
Security Engineer, CSC

Michael Cyr has over five years' experience in Department of Defense and commercial information security programs. His expertise is in network penetration testing, web application assessments and wireless network auditing, and he has discovered and publicly disclosed several vulnerabilities and exploits. He holds a Master's degree in Information Assurance from Towson University as well as the following certifications: Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), Certified Ethical Hacker (CEH), Nessus Certified, GIAC Certified Penetration Tester (GPEN), and FEMA IS-00100.a Introduction to the Incident Command System. Mr. Cyr is also part of the www.exploit-db.com exploit verification team.

Mark Davis
Director, Tulsa Digital Forensics Center, Institute for Information Security, University of Tulsa

Mark Davis, Ph.D., has been working in the field of information assurance, computer security and digital forensics at the University of Tulsa for the past ten years. During that time he helped establish the Tulsa Digital Forensics Center in 2001, a partnership between the University of Tulsa, the Tulsa Police Department's Cybercrime Unit, the Oklahoma State Bureau of Investigation and several other area law enforcement agencies. These entities work toward a common goal of successfully prosecuting crimes that contain a digital evidence component, through collaboration, research, training and education. Mark Davis received his doctorate in December 2009 from the University of Tulsa. He is also a member of the NIJ Electronic Crime Technology Working Group and of Volunteers in Police Service.

Christopher Dearing
Digital Forensic Engineer, Defense Cyber Crime Institute (DCCI)

Christopher Dearing is employed by General Dynamics AIS as a Digital Forensic Engineer for the Defense Cyber Crime Institute (DCCI). In addition to testing and validating forensic tools, he dabbles in research, development and the deformation of phalangeal apical tufts. Prior to his work with DCCI, Mr. Dearing worked as a software developer with Zen Technologies for the Missile Defense Agency in Arlington, VA. He is a graduate of Virginia Tech and currently volunteers his time coaching youth football and lacrosse. He uses mad lax skills (not his own) to uncover interesting things which he has hidden inside other, less interesting things. He is 6'4" with blue eyes and likes taking long walks on the beach in the moonlight with puppies.

Philip Dellorso
Digital Forensic Examiner, Cyber Counterintelligence Activity

Philip Dellorso has worked in the IT field for more than 20 years, the majority of which he spent as a software programmer and web designer. He began programming in assembly on IBM mainframes and has experience with most major programming languages, including Fortran, COBOL, Pascal, Visual Basic, Java, C, C++ and C#. On

Pictured: Paul Cerkez, Michael Cyr, Charles Clapper, Ed Cronin, Christopher Dearing, Robert Collins, Adam Cummings, Philip Dellorso
Mark Fenkner
Principal Engineer, L-3 Communications

Mark Fenkner is a senior analyst for the L-3 Communications incident response team.

David Ferguson
Senior Computer Engineer, Department of Defense Cyber Crime Center (DC3)

David Ferguson has 25 years of experience in the IT field. He is the former Director of the DCFL and was formerly the Deputy Director of the Information Assurance Branch on the Air Staff. He is currently working at DC3 as a Senior Computer Engineer. Mr. Ferguson has B.S. and M.S. degrees in Computer Engineering from Wright State University, Dayton, OH.

Jay Ferron
Security Practice Lead, Global Knowledge

Jay Ferron brings more than 20 years of experience in security, networking, virtualization and high-performance computing. A multi-faceted author, trainer, speaker and designer, he has led the development of Windows and UNIX security designs, network infrastructures, enterprise designs and installations for numerous Fortune 500 companies, as well as government and health agencies. As president of the Association of Personal Computer User Groups (APCUG), global board director of the Global IT Community Association (GITCA), board member of the CT Information Systems Audit and Control Association, Microsoft Springboard Technical Expert Panel (STEP) member and Microsoft Most Valuable Professional (MVP), Mr. Ferron is a regular presenter at such prestigious events as COMDEX, Microsoft Tech-Ed, Microsoft Worldwide Partner Conference, Web 2.0 Summit and many user groups. He is the author of more than 15 courseware books and papers on security, networking and virtualization technologies for Microsoft and other vendors. In his current work at Global Knowledge he is building a unique cyber security program that provides a global perspective on the challenges of designing a secure system. Blog: http://blog.mir.net/. He holds the following certifications: CEHI, CISM, CISSP, CWSP, MCITP, MCSE, MCT, MVP, NSA IAM.

Joe Fichera
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)

Joe Fichera is an employee of CSC assigned to the Defense Cyber Investigations Training Academy (DCITA) as an instructor and curriculum developer for DCITA's Network Investigations track. He is a Certified Computer Examiner (CCE) and member of the ISFCE, and also holds certifications as a Security Certified Network Specialist (SCNS), A+, Network+ and Microsoft Certified Professional (MCP). Before coming to DCITA, Mr. Fichera owned and operated Phoenix Digital Forensic Services in Manchester, NH, providing forensic services and network support, and was Chief Technical Instructor and Network Administrator at Blended Solutions Technical Institute. He has 20 years of instructor experience and spent 15 years as a law enforcement officer in the State of New Hampshire.

Pictured: Martin Easton, Mark Fenkner, David Ferguson, Bruce Diamond, Drew Fahey, Tom Dukes, Joseph Fichera, Josiah Dykstra, Ben Feinstein
he worked for six years as Program Manager for the USAID Chief Information Security Office, where he helped develop their information security program, information security technologies and their FISMA compliance program. He holds a CISSP certification and has presented at a multitude of industry events.

Randolph Georgieff
Forensics Examiner, DC3/FX

Mr. Randolph Georgieff's professional career includes the following: Department of Defense Futures Exploration (DC3/FX) / Digital Forensics Challenge Team Lead; Department of Defense Computer Forensics Lab (DC3/DCFL) / General Dynamics Advanced Information Systems (GD-AIS) / Digital Forensic Examiner (DFE); Department of Defense Computer Investigation Training Program (DC3/DCITP) / Computer Sciences Corporation (CSC) / Instructor - Course Developer; PD / Forensic Services Section - Computer Crime Unit / Digital Forensic Examiner (DFE). His training includes the following: International Association of Computer Investigative Specialists (IACIS), National White Collar Crime Center Training and Research Institute, Defense Computer Investigations Training Program (DCITP), Defense Computer Investigations Training Academy (DCITA), George Mason University (GMU) / Regional Computer Forensics Group (RCFG), Microsoft, Perlustro ILook, AccessData (FTK), Guidance Software (EnCase) Training Center, and Public Schools / Community Colleges Part-Time / Adult Evening Education Instructor.

Michael Geraghty
Executive Director of the Technology Services Division, National Center for Missing & Exploited Children

Mike is the Executive Director of the Technology Services Division for the National Center for Missing & Exploited Children. In this capacity he is responsible for overseeing the Center's enterprise information technology systems and services. Mike has previous corporate and law enforcement experience, including a position as vice president of High Technology Investigations at Prudential Financial, where he was responsible for carrying out and supervising all computer-related investigations for Prudential. He is a former New Jersey State Trooper and was responsible for the formation and development of the NJSP's High Technology Crimes Investigations Unit, which has garnered international accolades for its expertise in computer crime investigations. He has provided expert testimony before Congress and in federal, state and international courts in the areas of computer crime investigations and computer forensics. In a partnership with Interpol's General Secretariat and the International Center for Missing & Exploited Children, Mike has provided training to over 1,000 law enforcement officers from 125 countries in the technical aspects of Internet investigations. He has provided technical and investigative assistance to numerous law enforcement agencies throughout the world, including the FBI, United States Secret Service, U.S. Customs Service, Naval Intelligence, New Scotland Yard, Royal Newfoundland Constabulary Service and local police departments across the country, in a wide array of criminal investigations where computers were involved. He has lectured extensively throughout the country on the topic of computer crime investigations. Mike is a past president of the Northeast Chapter of the High Technology Crimes Investigations Association and has held leadership roles in organizations such as the National Strategic Policy Council on Cyber and Electronic Crime and the International Computer Security Association, among others.

Jonathan Gillman
Founder, CEO, Omniangle Technologies

Jonathan Gillman was the lead investigator of the Cyber Fraud Division at the Florida Attorney General's Office, where he managed numerous successful investigations into the telecommunications, finance and online marketing industries. During his tenure with the Florida AG, the Cyber Fraud Division entered into multi-million dollar settlements with AT&T, Verizon Wireless, mQube, World Avenue, Media Breakaway and others in the online marketing space. In 2008 he left the Florida AG to manage Compliance and Regulatory Affairs for Epic Advertising, where he led numerous initiatives designed to increase visibility into the marketing activities of affiliates operating within the CPA and broader online marketing ecosystem. In 2009 Jonathan founded Omniangle Technologies, a business intelligence and information security firm that currently partners with Fortune 500 companies and government agencies to provide intelligence within the Internet marketing space. As CEO of Omniangle, Mr. Gillman directly manages the research and development of automated tools designed to capture evidence of online marketing fraud and identify other information security threats. Jonathan is a graduate of Florida State University with a Bachelor's degree in Criminology.

Richard Gloo
Software Engineer, AIS, Incorporated

Richard Gloo is a computer scientist and senior developer. He holds an M.S. in Telecommunications and a B.S. in Computer Science, both from SUNY Institute of Technology. He has a background in forensics research and development efforts, steganographic techniques and covert communication development. His experience includes reverse-engineering data and protocol formats with the intent of hiding information, as well as data field extraction. His reverse engineering experience includes exploring and implementing techniques such as statistical analysis and file format fuzzing (a form of black box testing) to discover the structure of a data format.

Christopher Glyer
Incident Response Manager, Mandiant

Christopher Glyer is a Manager at MANDIANT with over eight years' experience in computer and information security. His particular areas of expertise include enterprise-wide incident response investigations, secure network design and architecture, penetration testing and strategic corporate security development. Mr. Glyer has significant experience working with the federal government, defense industrial base, financial industry, manufacturing industry, healthcare industry and Fortune 500 companies. He has performed incident response and forensic analysis for global companies possessing tens of thousands of computer systems throughout the world, and has led incident response teams in multiple Advanced Persistent Threat and card data theft compromises.

Michael Godfrey
National Program Manager for Internet Intellectual Property Rights Enforcement Operations, Immigration and Customs Enforcement

Senior Special Agent Michael Godfrey has 30 years

Pictured: Jonathan Gillman, Randolph Georgieff, Marita Fowler, Michael Geraghty, Richard Gloo, Terrence Gareau, Christopher Glyer, William Geimer
Yuri Gubanov
Chief Executive Officer, Belkasoft

Yuri Gubanov is the CEO and owner of Belkasoft, an independent software vendor from Russia. Mr. Gubanov worked his way up from junior software developer to senior developer, then project manager and later top manager in the IT industry. He graduated with honors from St. Petersburg State University, one of the best universities in Russia, and started Belkasoft two years later while in graduate school. The company soon became well known in the forensic market for its Instant Messenger analysis product, so Gubanov has concentrated on forensic products instead of general-purpose ones. Since 2003 he has been a senior lecturer at St. Petersburg State University, teaching courses such as programming essentials, Microsoft .NET basics, usability and human-computer interaction. Besides developing computer forensics software and teaching, Mr. Gubanov is a fan of carve snowboarding, slalom roller skating and guitar playing. Yuri's LinkedIn profile: http://ru.linkedin.com/in/yurigubanov.

Jason Healey
Senior Consultant, Delta Risk

Jason Healey is a Senior Consultant at Delta Risk and sits on the Board of Directors of the Cyber Conflict Studies Association. He previously was executive director for Goldman Sachs Asia and served as Director for Cyber Infrastructure Protection at the White House. He also worked at HQ Air Force at the Pentagon, where he coordinated all Air Force efforts to stand up the Joint Task Force-Computer Network Defense.

Marshall Heilman
Director, Consulting, Mandiant

Marshall Heilman is a Director at Mandiant with over 11 years of experience in computer and information security. His particular areas of expertise include enterprise-wide incident response investigations, secure network design and architecture, offensive security and strategic corporate security development. Mr. Heilman has extensive experience working with the federal government, defense industrial base, foreign governments, financial industry, telecommunications industry and Fortune 500 companies. He has spoken at multiple security conferences, including OWASP, ISSA, Cybercrime, USSS MTU and FIRST. Prior to joining Mandiant, Mr. Heilman was a member of the United States Marine Corps. He holds a current Top Secret government security clearance.

Tim Henderson
Founder, Spectrum System Services, Inc.

Tim Henderson has over 25 years of experience with systems development and integration projects, with a focus on project management, software architectures, application system design and software development, and system security. He is the founder of Spectrum System Services, Inc. and has served as Chief Technology Officer for Net Commerce. Mr. Henderson has a proven record in a wide range of systems integration activities, including project management, workflow analysis and business process reengineering, policy analysis, system requirements definition, application design, development, testing, training and implementation. He has authored white papers, books and other copyrighted materials describing successful strategies for moving existing enterprise IT infrastructures into new, modern environments. Mr. Henderson is a Certified Information Systems Security Professional (CISSP).

James Hewitt
Security Project Manager, Director of Security Governance, CGI

James Hewitt is a security project manager and governance lead for the CGI Federal Enterprise Security Practice. His recent work includes projects for CMS, FCC and the American Recovery and Reinvestment Act. He is actively researching the application of work in other disciplines to the security field, such as process analysis, Earned Value Management (EVM), ITIL and structured capital planning.

Pictured: Mike Guthrie, Jason Healey, Marshall Heilman, Kieth Gould, Tim Henderson, Nick Harbour, Yuri Gubanov, James Hewitt, Brian Havens
Jayne A. Hitchcock

law enforcement agencies worldwide. Ms. Hitchcock is a valued resource to these agencies in solving Internet-related crimes. Additionally, she has worked tirelessly with our legislators in the drafting and passing of many of this country's Internet laws. As president of two all-volunteer organizations, WHOA (Working to Halt Online Abuse) at haltabuse.org and WHOA-KTD (Kids/Teens Division) at haltabusektd.org, Ms. Hitchcock continues a mission to educate adults and children in safety online, conducting law enforcement training seminars for local, county, state, military and federal law enforcement agencies. Her speaking schedule on cyber crime and cyber safety includes many middle/high schools, universities and colleges. She also lectures at libraries, conferences, corporations and events. She has traveled throughout the United States, Canada and Europe, and as far as Sookmyong University in Seoul, Korea, for speaking engagements and workshops. She has been featured on America's Most Wanted, 48 Hours, Primetime, Good Morning America, Cosmopolitan and TIME magazines, and numerous local, national and international newscasts, and was selected by Lifetime TV as their Champion for Change. Her eighth book is Net Crimes & Misdemeanors, 2nd edition, which covers just about anything that can happen to you online and how to stay safer, with an accompanying website at netcrimes.net. Her ninth book, True Crime Online: Most Shocking Stories from the Dark Side of the Web, is due out in fall 2011. She is also on the editorial board of the International Journal of Cyber Crimes and Criminal Justice (IJCCCJ) at cybercrimejournal.co.nr and writes articles for several magazines. She is a member of the Operations Security Professionals Society, Sisters in Crime (national and New England), National Rifle Association (Life Member), The American Legion, and the 3rd Marine Division Association (Life Member).

Andrew Hoog
Certified Forensic Analyst, viaForensics

Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, former adjunct professor (assembly language) and owner of viaForensics, an innovative computer and mobile forensic firm. He divides his energies between investigations, research and training in the computer and mobile forensic discipline. He writes computer/mobile forensic how-to guides, is interviewed on radio programs, and lectures and trains both corporations and law enforcement agencies. As a recognized expert in Android forensics, he leads expert-level training courses, speaks frequently at conferences and is writing books on Android and iPhone forensics.

Chet Hosmer
Chief Scientist, VP, WetStone Technologies

Chet Hosmer is the Sr. Vice President and Chief Scientist and founder of WetStone Technologies, Inc., a subsidiary of Allen Corporation of America. He has over 25 years of experience developing high technology software and hardware products and, during the last 15 years, has focused on research and development of information security technologies, with specialty areas including steganalysis, digital forensics and malicious code examination.

Rick Howard
Intelligence Director, VeriSign/iDefense

Rick Howard is responsible for the day-to-day intelligence gathering and distribution efforts at iDefense and is charged with developing strategic and tactical plans for the department. He is an experienced computer security professional with proven success in the use of network intelligence for network defense. Prior to joining iDefense, he led the intelligence gathering activities at Counterpane Internet Security and ran Counterpane's global network of Security Operations Centers. He served in the U.S. Army for 23 years in various command and staff positions involving information technology and computer security, retiring as a lieutenant colonel in 2004. He spent the last two years of his career as the U.S. Army's Computer Emergency Response Team Chief (ACERT), coordinating network defense, network intelligence and network attack operations for the Army's global network. Mr. Howard holds a Master of Computer Science degree from the Naval Postgraduate School and an engineering degree from the U.S. Military Academy, where he also taught computer science later in his military career. He has published many academic papers on technology and security and most recently contributed as an executive editor to Cyber Fraud: Tactics, Techniques and Procedures, the first book published by VeriSign/iDefense.

Bruce Hoy
Project Lead, Internet Isolation Project, L-3 Communications

Bruce Hoy is the project lead for the L-3 Communications internet isolation project.

Ken Huang
Director of Security Engineering, CGI Federal

Ken Huang is the Director of Security Engineering at CGI Federal. Over the last 21 years he has worked extensively to architect, design, develop and secure mission-critical business applications. Mr. Huang's experience covers various IT security areas, including security architecture planning, security architecture gap analysis, managed service security controls implementation, Security Testing and Evaluation (ST&E), Identity and Access Management (IDM), secure code review for both J2EE and Microsoft-based architectures, digital signatures, PKI, encryption, XML, SAML, hardening of operating systems, databases and applications, and Certification and Accreditation processes.

Michel Huffaker
Cyber Threat Analyst, U.S. Department of State

Michel Huffaker is a cyber intelligence analyst with the Bureau of Diplomatic Security's Office of Computer Security in the Cyber Threat Analysis Division, where she specializes in providing in-depth regional computer threat assessments and conducts research to produce cyber threat forecasts, warnings and trends. She routinely handles incident response and analysis requests from Department of State entities and individuals worldwide. In addition to subject matter expertise in threats arising in both the Western Hemisphere and Africa, Ms. Huffaker also provides analysis and reporting on East Asia Pacific cyber developments. She is a graduate of the Defense Language Institute Foreign Language Center and is a Mandarin Chinese linguist.

Chris Hurley
Senior Security Engineer, CNI

Chris Hurley has over 10 years of experience performing penetration testing for a variety of commercial and U.S. government clients. He was the Principal Information

Pictured: Steve Hickey, Bruce Hoy, Andrew Hoog, Michel Huffaker, Chet Hosmer, Jayne A. Hitchcock, Chris Hurley, Rick Howard
62
Don Jackson

Ryan Kazanciyan

Neal Keating
threat assessment and incident response capabilities. He routinely handles incident response and analysis requests from Department of State entities and individuals worldwide. As a doctoral candidate in computer science (the basis of his undergraduate and postgraduate degrees), Mr. Keating holds numerous certifications and lectures frequently in classified and unclassified environments on a wide range of topics including network topography, media forensics, dynamic and static reverse engineering and malware-related security incident mitigation.

Tom Kellermann
Vice President, Security Awareness and Strategic Partnerships, Core Security Technologies
Tom Kellermann is Vice President of Security Awareness and Strategic Partnerships at Core Security Technologies. Mr. Kellermann chaired the Threats Working Group and was Commissioner of the CSIS Commission on Cyber Security for the 44th Presidency. He also was a Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and policy management within the World Bank Treasury.

Christopher King
Cyber Threat Analyst, CERT/SEI
Christopher King is a member of the Insider Threat Team of the CERT Threat and Incident Management group. He currently is researching technical indicators of insider threat, developing new assessment methodologies, and conducting analysis of insider threat cases. Before coming to CERT, Mr. King worked at the Defense Information Systems Agency as an Information Assurance Manager and held roles in other DoD and DHS organizations. He has a B.S. in Information Sciences and Technology from Penn State University, and an M.S. in Information Security Policy and Management from Carnegie Mellon University. He is interested in Information Warfare, Insider Threats, Forensic Acquisition and Counterintelligence.

Michael Kobett
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Michael Kobett is an employee of The Newberry Group and a member of Team CSC assigned to the Defense Cyber Investigations Training Academy (DCITA). He is currently assigned to the Defense Industrial Base track and is a primary instructor/course developer for the Power of Community and Incident Responder Fundamentals courses. Prior to joining the DCITA, he was a manager in the U.S. State Department Computer Investigations and Forensics Laboratory. He has conducted several semester-long A+ certification classes for Anne Arundel Community College in Maryland. He has also taught numerous classes relating to Home PC Repair and Upgrade and Internet-related classes. In addition, Mr. Kobett has over 15 years of PC troubleshooting and network support experience. He obtained his M.S. in Telecommunications Management from the University of Maryland University College. He is a Certified Ethical Hacker, a Certified Computer Forensics Examiner and has obtained several other industry-related certifications, including Security+, MCSA, Network+ and A+.

Greg Kopchinski
Director of Product Management, Bivio Networks, Inc.
Greg Kopchinski is a Director of Product Management at Bivio Networks, where he has full responsibility for the company's suite of networking systems. Mr. Kopchinski has a strong background in product management and marketing for embedded computer technologies with several leading companies, including Motorola, Force Computers, Captus Networks and Ziatech (acquired by Intel). He is a graduate of Cal Poly, San Luis Obispo, with a B.S. in Electronic Engineering.

Jesse Kornblum
Computer Forensics Research Expert, Kyrus Technology Corporation
Jesse Kornblum is a Computer Forensics Research Guru for the Kyrus Technology Corporation. Based in the Washington, D.C. area, his research focuses on computer forensics and computer security. He has helped pioneer the field of memory analysis and authored a number of computer forensics tools including the md5deep suite of hashing programs and a system for fuzzy hashing similar files. A graduate of the Massachusetts Institute of Technology, Mr. Kornblum previously served as a computer crime investigator for the Air Force and with the Department of Justice. He has run a three-mile race at 10,000 feet above sea level with a llama.

Paul Krystosek
Analysis Team Lead, Software Engineering Institute/CERT
Dr. Paul Krystosek is the Analysis Team Lead at the Software Engineering Institute's CERT Network Situational Awareness Group. Dr. Krystosek joined the SEI in 2008. Prior to that he was at Lawrence Livermore National Laboratory as a member of CIAC, the Computer Incident Advisory Capability, which was the Department of Energy's incident response team. He also worked at Argonne National Lab and Fermi National Accelerator Laboratory. He taught Computer Science at Bradley University, Illinois Institute of Technology and North Central College. He received his B.A. from Albion College, an M.S. from Bradley University, and his Ph.D. from Illinois Institute of Technology. He is a member of ACM.

Joseph Kubler
Appellate Counsel, AFLOA/JAJG
Captain Joseph Kubler is an Appellate Government Counsel for the Air Force Government Trial and Appellate Counsel Division, Bolling AFB, D.C. He represents the Air Force in appellate review of courts-martial before the Air Force Court of Criminal Appeals and the United States Court of Appeals for the Armed Forces. Captain Kubler previously served as a Senior Trial Counsel trying Air Force courts-martial worldwide. In his current position he continues to assist the prosecution, providing advice to counsel in the field, trying cases for the government, and defending the convictions on appeal.

Scott Lalliss
Senior Forensic Technician, Defense Computer Forensics Laboratory (DCFL)
Scott Lalliss is a Senior Forensic Technician at the Defense Computer Forensic Laboratory, where he specializes in Damaged Media Recovery and imaging and extraction of special devices. He has testified as an expert witness in federal court on the subject of damaged media recovery and has had several advanced training courses. His military experience and intelligence background-

U.S. DEPARTMENT OF DEFENSE CYBER CRIME CONFERENCE 2011 | Cyber Hunters: Predators and Prey...
Rob Lee

Randy Lee

Timothy Leschke
flash-memory data extraction and analysis. He is also interested in developing data visualization techniques to support both digital forensic examinations and faster reverse-engineering of digital artifacts. Mr. Leschke's previous experience includes working as an Intelligence Analyst in support of National Security and also as a Forensic Examiner on an FBI Computer Analysis Response Team. Mr. Leschke is an FBI Certified Forensic Examiner and a DoD Certified Basic Digital Forensic Examiner. He holds a Master of Science (M.S.) degree in Computer Science from Loyola University Chicago and is currently pursuing a Doctorate in Computer Science through the University of Maryland, Baltimore County. Mr. Leschke's forensic tool development includes Shadow Miner and Shadow Volume Link Manager. Both tools support the forensic examination of shadow volumes as found in Windows Vista and Windows 7. Mr. Leschke's previous conference papers include An Introduction to the Global Positioning System: A Foundation for GPS Receiver Forensic Examinations, Cyber Dumpster Diving: $Recycle.Bin Forensics for Windows 7 and Windows Vista, and Shadow Volume Trash: $Recycle.Bin Forensics for Windows 7 and Windows Vista Shadow Volumes. Mr. Leschke's most recent publication is a chapter titled The Exokernel Operating System and Active Networks. This chapter was published by IGI Global (2009) in Handbook of Research on Advanced Operating Systems and Kernel Applications: Techniques and Technologies.

Philip Lieberman
President, Lieberman Software
Philip Lieberman is an outspoken and highly regarded industry influencer who is quoted by national, business and trade press on U.S. cybersecurity as well as specific technology issues including cloud computing and security in the cloud. Mr. Lieberman has recently been featured in stories in The Wall Street Journal, The Los Angeles Times, The Washington Post, USA Today and Newsday, as well as prestigious industry publications including Dark Reading, Government Computer News, Government Security News, Sarbanes-Oxley Compliance Journal, Redmond Magazine, Computerworld, Network World, CIO Today and Information Week. Over the past year he has further established himself as one of the country's leading security experts. Keenly attuned to emerging cyber security issues, Mr. Lieberman became a trusted advisor to the U.S. Senate's Homeland Security and Government Affairs Committee and is routinely called upon by committee staff to review and comment on proposed legislation that is critical to maintaining the safety and security of the country. In addition, he has addressed government and industry audiences at major events including Cyber Security Conference, GovIT Expo, Microsoft Management Summit and the Microsoft Worldwide Partner Conference. Over the years he has personally spearheaded the development of business-critical identity management policies and procedures for clients at federal, state and local government agencies including the SEC and USDA, as well as Northrop Grumman, Lockheed Martin, Visa, GMAC, Wells Fargo, Wachovia, Ernst & Young, Deloitte, Mutual of Omaha, AIG, The Hartford, Prudential, Pacificare, Humana, Shands Healthcare, Mattel, Johnson & Johnson, Jockey, Sears, Dole, Kroger, Petco, Arizona State University, Carnegie Mellon, UCLA, HP, IBM, AT&T, Time Warner, Disney, U-Haul, UPS, Amtrak and Ryder. Mr. Lieberman has published numerous books in the field of computer science, has taught at UCLA, and is the author of many computer science courses. He has a B.A. from San Francisco State University (1981) in Physics with minors in Computer Science and Business.

Scot Lippenholz
Associate, Booz Allen Hamilton
Scot Lippenholz works for Booz Allen Hamilton's Digital Forensics Team, which supports the Department of Defense, Intelligence Community, Federal government, Defense Industrial Base and major financial institutions. Mr. Lippenholz's focus is on developing techniques that enhance teams' technical skills, responding to and managing large-scale intrusion investigations, and conducting forensic examinations for counterintelligence and counter-terrorism investigations. He has worked in information technology for over 15 years, primarily as a Windows System and Security Engineer. He obtained his B.S. from University of Maryland, Baltimore County, and is working on his M.S. in Forensic Studies of Information Technology from Stevenson University.

Keith Lockhart
Vice President of Training, AccessData
Keith Lockhart is responsible for the development of forensic and encryption training solutions for local, state, federal and international law enforcement agencies, as well as worldwide corporate entities involved in the prevention, investigation and prosecution of high-technology crime. Prior to joining AccessData, he served as a computer crime specialist at the National White Collar Crime Center (NW3C) in Fairmont, WV. Mr. Lockhart served as program manager of the INET (Internet Trace Evidence Recovery and Analysis) course, providing the framework of complex research and design for its development and maintenance. Prior to NW3C, he was a police officer with the Kent State University Police Department. Earlier in his career, Mr. Lockhart worked in the narcotics division of the Western Portage Drug Task Force in northeast Ohio. In that assignment, he worked cooperatively with the FBI, DEA, ATF, HUD and U.S. Postal Inspection Service to successfully investigate and prosecute over 100 felony cases. He is a member of the International Association of Computer Investigative Specialists (IACIS), the High Technology Crime Investigators Association (HTCIA), and the Narcotics Association of Regional Coordinating Officers (NARCO). Mr. Lockhart has instructed at the FBI National Academy, the ATF annual Computer Information Systems conference, the Kennesaw Southeast Cybercrime Institute, and many IACIS conferences. He holds a Bachelor's degree in Criminology from Kent State University and an A.A. degree in Computer Forensics from Redlands Community College.

Jason Lord
Chief Operating Officer, d3 Services, Ltd.
Jason Lord is a leading industry Cyber Security Subject Matter Expert with 15 years of expertise in Computer Forensics, Digital Media Investigation, Malicious Code Analysis and Incident Response/Handling. He currently serves as the Chief Operating Officer at d3 Services, Ltd., a veteran-owned small business located in Dumfries, VA. Prior to joining d3 Services, Mr. Lord was the Technical Director of Federal Consulting at Symantec Corporation, and was previously a Forensics Expert at Guidance Software, Northrop Grumman and BAE Systems. He served for eight years in the United States Marine Corps prior to moving into the commercial sector.
Rob Maddox

Dan Mares
Director, Forensic Development, Norcross Group
Dan Mares is a retired federal agent now working as a computer forensic examiner. He began writing software programs to facilitate the analysis of seized electronic data in 1986, and developed the Maresware suite of investigative software programs. Mr. Mares provides ongoing technical and programming assistance to state and federal agencies in computer-related cases. He assisted in the development of the Seized Computer Evidence Recovery Specialist and Computer Investigation in an Automated Environment courses at the Federal Law Enforcement Training Center in Glynco, Georgia, and the Basic and Advanced Data Recovery Classes at the National White Collar Crime Center. In addition to providing instructional classes on forensic processing, and how to use his own suite of software, he has also instructed computer forensics for the following: FLETC (Federal Law Enforcement Training Center), NWCCC (National White Collar Crime Center), FEMA, University of Texas (McCombs Business School), the FBI Academy in Quantico, VA, and the Norwegian National Police Academy.

Mark Mason
IA Technologist, 90th Information Operations Squadron
Dr. Mark Mason is a scientist with over 20 years of experience in research/development, analysis, mathematical modeling, reverse engineering, computational work and teaching. He obtained his doctorate in the field of Theoretical Solid State Physics in 1997 from the University of Texas at Dallas. His experience extends to the fields of physics, mathematics, software engineering, computer network defense, artificial intelligence and reverse engineering. He designed and developed several host-based and network-based anomaly detectors on several research programs, and has earned numerous awards. His latest achievement, a Bayesian-based static malware detector, has been submitted for a patent.

James McCarter
Forensic Ops Senior Program Manager, Advanced Securities Group, NEK
James McCarter is a Mobile Technologies Engineer and Intelligence Operations Instructor at NEK. His job requires him to develop and teach cell phone forensics and site exploitation courses to the military, law enforcement professionals and other intelligence organizations. His focus of instruction is using forensic software and hardware to conduct exploitation operations in tactical, counterterrorism environments to gather actionable intelligence. Mr. McCarter conducted Signals Intelligence support in Operation Enduring Freedom-Philippines as a Marine. He instructs exploitation procedures on captured enemy cell phones seized by personnel conducting counterterrorism operations and force protection activities, including DoD Agencies, the United States Military, DHS, FBI, and other law enforcement organizations. Mr. McCarter also has instructed over 100 hours of biometric, explosive residue detection and latent print exploitation tactics, techniques and procedures to dozens of students.

Kristen McCooey
Project Developer, URI Department of Computer Science and Statistics
Kristen McCooey is the Lead Information Technologist at the URI Department of Computer Science and Statistics. Ms. McCooey has completed extensive training from Access Data, X-Ways Software, Guidance Software, and the University of Rhode Island. She holds her ACE Certification from Access Data, her CCE Certification from ISFCE and is a member of the HTCIA.

Christopher McDaniels
Director, DKO, 22 NWS

Matthew McFadden
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Matthew McFadden is an employee of CSC, assigned to the Defense Cyber Investigation Training Academy (DCITA). As a member of the Network Intrusion Track, Mr. McFadden researches, develops and instructs network intrusion and investigation. He has spent several years in the field of Information Technology specializing in Information Assurance and Security, Network Intrusion/Penetration and Forensics. Mr. McFadden has performed research projects, consulted, presented and has worked in Network Administration. He also holds industry IT certifications, a Bachelor of Science in Network Security, a Master of Science in Information Security and is a candidate for a Doctoral degree in Computer Science.

Mark McKinnon
Software Architect, RedWolf Computer Forensics
Mark McKinnon is currently the owner of RedWolf Computer Forensics, a software company that creates free and purchased software. Mr. McKinnon has over 20 years of experience in IT, ranging from mainframe/PC programming to database administration and digital forensics. Some of his more notable free programs are Skype Log Parser, Google Chrome Parser, CSC Parser and the Vista Thumbcache Parser. Mr. McKinnon is the creator of Drive Prophet, a triage program for Windows Systems. He is an adjunct professor at Davenport University teaching Computer Forensics and an associate of AK+ Computer Consulting LLC, where he does digital forensic examinations and E-Discovery.

Andrew Medico
Computer Scientist, Department of Defense Cyber Crime Center (DC3)
Andrew Medico is a software developer for Cipher Tech Solutions, Inc. He has been at the Defense Cyber Crime Institute since 2008, where he performs research and develops new tools to support the Defense Computer Forensic Laboratory. He produced several releases of the dc3dd disk imaging utility and recently developed an iPhone/iPod touch forensics application. Mr. Medico holds a B.S. in Computer Science from Northeastern University.

Chris Mellen
Director of Professional Services, AccessData
Chris Mellen is Director of Professional Services at AccessData Corporation, where he is responsible for the development and management of AccessData's Professional Services. His staff have varied and extensive backgrounds in digital investigations, coming from law enforcement, counterintelligence and corporate security. Prior to joining AccessData, Mr. Mellen served as a Manager with Guidance Software Professional Services, as a Special Agent with the Department of Defense with the Cyber Counterintelligence Activity and as a Computer Crime Specialist at the National White Collar Crime Center in Fairmont, WV. He also spent 11 years on active duty in the United States Marine Corps with an honorable discharge. While in the Marines, Mr. Mellen served with the Military Police, Customs, the Criminal Investigation Division and the Naval Criminal Investigative Service. He holds a Bachelor's degree in Criminal Justice from Colorado Technical University and a Master's degree in Computer Information Systems from Boston University.

Nasir Memon
Professor, Polytechnic Institute of New York University
Dr. Nasir Memon is a professor in the Computer Science department at the Polytechnic Institute of New York University. He is the director of the Information Systems and Internet Security (ISIS) lab at Polytechnic (http://isis.poly.edu). He earned his B.E. in Chemical Engineering and M.S. in Math from BITS, Pilani, India, in 1981. He got his M.S. in Computer Science (1989) and Ph.D. in Computer Science (1992) from the University of Nebraska, Lincoln. Dr. Memon's research interests include digital forensics, data compression, computer and network security and multimedia computing and security. He has published more than 200 articles in journals and conference proceedings and holds four patents in image compression and security with six more applications pending. He has won several awards,
Adam Meyers

Jason Mical
for several global organizations. He has also developed security and fraud awareness training seminars used to educate employees, as well as federal, state and local law enforcement officials, and has established and operated security incident response teams and forensic investigation units for several large enterprise organizations. Mr. Mical has been an active member with the FBI InfraGard, United States Secret Service Electronic Crimes Task Force, ISSA, HTCIA, ASIS, ANSIR and CTIA Fraud Task Forces.

Soumyo Moitra
Senior Technical Staff, SEI
Soumyo Moitra is a senior member of Technical Staff with the CERT Network Situational Awareness Group. He has been involved with modeling and analyzing network traffic for security and monitoring. He is currently working on metrics for the cost-effectiveness of network sensors and modeling network security operations. Prior to joining the SEI, Mr. Moitra taught Operations Management; worked on telecommunications services and planning at Bellcore, New Jersey; and also taught Policy Analysis at Baruch College, New York. He has an M.A. from Cornell University, an M.S. from Syracuse University and a Ph.D. from SUPA (now Heinz College), CMU. He has been an Alexander von Humboldt Fellow at the Max-Planck-Institute, Freiburg, Germany, and a visiting professor at NTT in Tokyo. He has published journal articles in a number of subject areas and presents regularly at conferences. He is a member of INFORMS (Institute for Operations Research and Management Science), the American Statistical Association and Sigma Xi: The Research Society.

Scott Moulton
President, Forensic Strategy Services
Scott Moulton is a Certified Computer Forensic Specialist and is president of Forensic Strategy Services and My Hard Drive Died. He has given speeches at some of the biggest conferences, produced videos watched by hundreds of thousands of people, and does podcasts and radio shows to spread the knowledge of how to repair hard drives and recover data for legal cases. Mr. Moulton is a master at Data Recovery, working for some of the biggest names. He wrote and is the lead instructor on the Data Recovery and Hard Drive Forensics courses. His class has been very popular and has taught his forensic processes on damaged drives all over the country. As a litigation support expert, Mr. Moulton focuses on collecting and preparing evidence where a computer contains data that may be legal proof in a case. He is skilled in recovering deleted data and researching cases, and has testified as an expert witness. In the five years since his company's inception, Mr. Moulton has handled many complex cases that include but are not limited to homicide, embezzlement, theft, divorce and corporate fraud.

Cynthia Murphy
Detective, Madison Police Department
Detective Cindy Murphy is employed by the City of Madison, Wisconsin, Police Department and has been a Law Enforcement Officer since 1985. She is a certified forensic examiner (EnCE/CCFT, DFCP), and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of hundreds of hard drives, cell phones and other items of digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She is also a part-time digital forensics instructor at Madison Area Technical College and is currently working on her M.Sc. in Forensic Computing and Cyber Crime Investigation through University College, Dublin.

Sig Murphy
Senior Lead Engineer, Defense Computer Forensics Laboratory (DCFL)
Sig Murphy has worked for General Dynamics at the DoD Computer Forensic Laboratory since 2000. He is currently serving as a Senior Lead Examiner and the acting CI Section Chief.

Jeff Naylor
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Starting his career as a Special Agent with the United States Army Criminal Investigative Division, Jeff became a leading expert in criminal profiling. He continued his innovative techniques as he helped establish one of the first computer crime units in the military. After his tenure in the military, he continued studying criminal behavior with the Richland County Sheriff's Department. Next, he established Naylor Investigative and Consulting Firm, focusing on computer forensics. In 2008, Jeff was requested by the South Carolina Attorney General's Office to train the Internet Crimes Against Children (ICAC) Task Force in computer forensics and write their policies and procedures. Currently, Jeff is employed by CSC and supports the Defense Cyber Investigative Training Academy as a Senior Forensic Instructor. He has been qualified as an expert in federal, state and military court in computer forensics, sexual crimes, profiling, crime scene analysis, and collection of digital evidence. Jeff has also published a book developing a new classification system based on the behavior of criminals utilizing the computer for criminal activity.

Lucus Nelson
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Lucus Nelson is a CSC employee assigned to the DCITA contract as a Subject Matter Expert/Instructor on the Forensics Track. Prior to joining the DCITA team, Mr. Nelson served as a police officer in Michigan and a member of the Internet Crimes Against Children (ICAC) task force. Mr. Lucus is certified through IACIS and Access Data (ACE) in digital forensics. He currently teaches the following DCITA courses: Windows Forensic Exams with EnCase and/or FTK, Macintosh Forensics and the Deployable Forensics course.

Mark Neno
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Mark Neno is employed by CSC as an Instructor and Course Developer assigned to the Defense Cyber Investigations Training Academy - Forensic Track. He teaches Windows Forensic Examinations-EnCase, Data Recovery, Basic Cyber Investigators Course, Deployable Forensics, Continuing Education-EnCase and Continuing Education-Forensic Toolkit. He has received training in
the Digital Forensics Program for the u.S Customs Service and the Department of Homeland Security, Immigration and Customs Enforcement. Mr. Nick has been an active contributor to the advancement and the recognition of digital forensics as an accredited forensic science. He is a former member of the Executive Board of the Scientific Working Group on Digital Evidence. He is currently an American Society of Crime Lab Directors Certified Digital Evidence Inspector and has trained as an ISO Provisional International Assessor.
software engineer defense Cyber Crime institute (dCCi) Matthew Nolan is a software engineer at DCCI. Hes been with General Dynamics at the Institute for about a year and a half and specializes in trying to bring more advanced statistical analysis to digital forensics. physical scientist, office of science and Technology national institute of Justices (niJ) Martin Novak is a Physical Scientist with the National Institute of Justices (NIJ) Office of Science and Technology, Information and Sensor Technology Division. He manages NIJs Electronic Crime Research and Development Portfolio. Within his portfolio, Mr. Novak is responsible for developing effective program plans, developing and managing solicitations, implementing grants and agreements to execute program plans, ensuring that research and development applications are peer reviewed via fair objective processes, ensuring that project goals and objectives are directly linked to validated criminal justice technology needs, making certain that projects do not unnecessarily duplicate other public and private sector efforts and are focused on those goals and that will provide the highest returns within available funds. Mr. Novak has been with NIJ for 12 years and previously managed several technology centers in NIJs National Law Enforcement and Corrections Technology Center (NLECTC) System. forensic operations senior program Manager nek advanced securities Group, inc. Catherine Okeefe is the Forensic Operations Senior Program Manager and an Intelligence Operations Instructor at NEk. Her job requires her to develop and teach computer forensics and media exploitation courses to the military, law enforcement professionals and other intelligence organizations. Her focus of instruction is using forensic software and hardware to conduct exploitation operations in tactical, counterterrorism environments to gather actionable intelligence. Ms. OKeefe was recently deployed to Iraq in support of Operation Iraqi Freedom. 
She was a Media Exploitation Analyst and conducted media exploitation on captured enemy digital/analog media seized by personnel conducting counterterrorism operations and force protection activities, including DoD Agencies, the united States Military, DHS, FBI and other law enforcement organizations. The mission required OKeefe to conduct examinations and recovery of data stored on various forms of media in order to gather information meeting Primary Intelligence Requirements and/or evidence of crimes against u.S. and Coalition Forces. Ms. Okeefe also worked as a Computer Forensic Analyst for a private company and has performed work on over 100 civil, criminal, internal and administrative cases including those involving theft of intellectual property, employee misconduct, contract disputes, divorce, child exploitation,
robert oleary
stephen newman
Matthew nolan
Martin novak
Tyler oliver
nicholas r. newman
nW3C Nicholas Newman began his career as a Computer Crimes Specialist with the National White Collar Crime Center in January of 2006, bringing with him nearly a decade of information technology and software engineering experience. Mr. Newman has also represented NW3C in the mass media through such organizations as uSA Today and the MSNBC Today Show and has spoken at the Internet Crimes Against Children and High Tech Crime International Association conferences, among others. Mr. Newman contributes to and regularly instructs NW3Cs ISEE, STOP, STOP-T3, BDRA, ISLEN and LINuX computer forensic courses, and is also the lead developer of NW3Cs TuX4N6 forensic digital triage tool.
Catherine okeefe
Gunter ollmann
Jason nichols
Glenn Nick
Managing Director, Science Applications International Corporation
Glenn J. Nick serves as the Managing Director of SAIC's Digital Forensics practice, based in McLean, Virginia. Mr. Nick provides more than 27 years of local and federal law enforcement experience with an emphasis in conducting and managing complex multinational high-tech investigations. Over the last ten years of his federal service Mr. Nick worked to establish the U.S. Department of the Treasury's Computer Investigative Specialist program. He worked jointly with representatives of the Alcohol, Tobacco and Firearms, the Internal Revenue Service, the U.S. Customs Service, and the U.S. Secret Service to develop training curricula, establish best practices, and deploy more than 500 highly trained special agents to their originating agencies. In addition, he was responsible for the design and implementation of the U.S. Customs CyberSmuggling Center (C3), the first federal effort to address and combat illegal activity facilitated by the Internet. He also directed the work of approximately 175 digital forensics Agents and managed
U.S. DEPARTMENT OF DEFENSE CYBER CRIME CONFERENCE 2011 | Cyber Hunters: Predators and Prey... | 67
Sean Paul
Cyber Intelligence Analyst, RCERT-CONUS
Sean Paul has served as Assistant Team Lead for the Threat Analysis Cell (TAC) and lead developer of the QTip Tool Suite in the U.S. Army's Regional Computer Emergency Response Team - CONUS (RCERT-CONUS) since June 2009. The mission of the RCERT-CONUS is to provide for the Computer Network Defense of Active Army, National Guard and Army Reserve networks within CONUS. Prior to this assignment, he held positions in the RCERT-CONUS as an Information Assurance Technician, Computer System Security Analyst and Cyber Intelligence Analyst.

John Penn II
Senior Solutions Architect for Intelligence, Investigation and Law Enforcement Technologies, Adobe
John Penn is Senior Solutions Architect for Intelligence, Investigation and Law Enforcement Technologies at Adobe Systems, in San Jose, CA. He spent 11 years at Adobe as a Senior Computer Scientist working on Photoshop and is now focused on the development of tools, techniques and training for the intelligence and law enforcement community, as well as for the National Center for Missing and Exploited Children. Mr. Penn has a history in the technology sector extending 30 years. He has been working to foster communication between law enforcement and industry. He hopes his efforts will build a better understanding of law enforcement challenges in industry and bring a better understanding of technology to the law enforcement and judicial system.

Vincenzo Pierorazio
Malware Analyst, Secure Innovations
Vincenzo Pierorazio has over five years of experience in the information systems field, two of which are in the Department of Defense. His expertise is in network penetration testing and digital forensics. He holds a Master's degree in Forensic Studies of Information Systems from Stevenson University and has the following certifications: Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP) and GIAC Certified Penetration Tester (GPEN).

Hal Pomeranz
Principal, Deer Run Associates
Hal Pomeranz is an experienced technology authority, delivering pragmatic Information Technology/Security solutions and Digital Forensic investigation services through Deer Run Associates, the company he founded in 1997. Mr. Pomeranz is also a SANS Institute Faculty Fellow and continues to develop the SANS/GIAC Unix Security Certification (GCUX) curriculum. He teaches courses in the SANS/GIAC Certified Forensic Analyst (GCFA) curriculum and is a regular author for the SANS Computer Forensics blog.

Christopher Porter
Senior Analyst, Verizon
Christopher Porter is a Senior Analyst on the Risk Intelligence team for Verizon Business. In this role, he engages in collecting, analyzing and distributing internal and external data relevant to understanding and managing information risk. The output from these activities is used to improve Verizon's services, inform personnel and clients, and provide credible influence to the constant evolution of security planning. Mr. Porter has nearly 15 years of experience in the IT and security industries. His background includes work as an economist, in network and system administration, and as an information security consultant. Mr. Porter first joined Verizon Business (Trusecure and Cybertrust) in 2004 and worked as a Senior Consultant for the Security Management Program, where he led a team to deliver security services to several Fortune 500 financial, insurance and health care institutions at over 80 global sites. Since joining the Risk Intelligence team in 2009, Mr. Porter co-authored the 2009/2010 Data Breach Investigations Report and contributed to the 2009 Supplemental Data Breach Investigations Report.
Andy Purdy
Chief Cybersecurity Strategist and Co-Director, International Cyber Center, CSC and George Mason University
Andy Purdy is Co-Director of the International Cyber Center at George Mason University and is Chief Cybersecurity Strategist for CSC. He was formerly the Acting Director for the National Cyber Security Division/US-CERT. He also served as Howard Schmidt's deputy as a member of the White House Staff, helping to draft the National Strategy to Secure Cyberspace.

Wendi Rafferty
Managing Director, Mandiant
Wendi Rafferty is a Managing Director in Mandiant's Los Angeles office and is responsible for the west coast region of Mandiant's consulting services as well as continued management of Mandiant's federal services operations. Ms. Rafferty has more than three years of experience conducting and managing Commercial Incident Response investigations and Federal Cyber Security Operations while at Mandiant, and over eight years of experience in the Computer Security community. Ms. Rafferty has supported network intrusion response with the Department of Defense, federal law enforcement agencies, and the national intelligence community. She has advanced training in computer forensic analysis, computer intrusion investigations, electronic evidence preservation and conducting counterintelligence collections and investigations. Ms. Rafferty has been a featured speaker on incident response at SANS, CSI SX, GFirst, DoD Cybercrime, and the FBI National Infragard Conference. She holds a Bachelor's degree in Computer Science and a Master's degree in Management Information Systems.

Michael T. Raggo
Product Manager, Lead Security Researcher, Motorola AirDefense
Michael Raggo (CISSP, NSA-IAM, CCSI, SCSA, CSI) applies over 20 years of security technology experience and evangelism to the technical delivery of Wireless Security Solutions, and was a contributor to a new and patented AirDefense product, Wireless Vulnerability Assessment. Mr. Raggo's technology experience includes penetration testing, wireless assessments, compliance assessments, firewall and IDS/IPS deployments, incident response and forensics, risk management and security research. He is a former security trainer. Mr. Raggo has presented on various security topics at numerous conferences around the world (BlackHat, DefCon, SANS, InfoSec, etc.) and has briefed the Pentagon.
Pictured: Andy Purdy, Wendi Rafferty, Vincenzo Pierorazio, Hal Pomeranz, Steven W. Oxman, Michael T. Raggo, Christopher Porter
68
Michael Robinson
Chief Information Officer, DoD Business Transformation Agency
Michael Robinson is the Chief Information Officer for the Department of Defense's Business Transformation Agency (BTA). As the CIO, he is responsible for all IT operations, information assurance and computer forensic activities within BTA. In addition to his work with BTA, Mr. Robinson is an adjunct faculty member at Stevenson University in the graduate school's Forensic Studies program. He holds a number of certifications, including CCE, MCSE and Security+. He has two Master's degrees, one in forensic studies and one in information assurance. Additionally, he has a graduate certificate in Intelligence Studies. He has published over a dozen articles in IT, with the most recent article entitled "Issues with Cell Phone Forensics."

Andrie Rose
Program Manager, Defense Personnel Security Research Center
Andrie Rose graduated from California State University, Fullerton, with a Bachelor's degree in Sociology and a Master's in Public Administration. She received a Master's in Criminal Justice from the State University of New York, Albany. While in graduate school, she worked at the New York State Division of Criminal Justice Services and the Orange County Probation Department. In 2003 Ms. Rose joined Northrop Grumman (PERSEREC contractor) as a research analyst. She has collaborated on projects such as an evaluation of military enlistment screening methods, an assessment of best practices for preventing and detecting identity fraud, and an evaluation of the extent to which people self-report criminal offenses when applying for security clearances. Ms. Rose is currently working to identify cyber vetting guidelines for law enforcement personnel and national security positions. She is a member of the International Association of Chiefs of Police, the Association of Certified Fraud Specialists and the American Society of Criminology. She was also certified by the American Association of Motor Vehicle Administrators as a fraudulent document recognition instructor.

Paul Royal
Research Scientist, Georgia Tech
Paul Royal is a Research Scientist at the Georgia Institute of Technology, where he engages in collaborative research on various facets of the online criminal ecosystem. Prior to joining Georgia Tech, he served as Principal Researcher at Purewire, Inc., where he worked with other researchers to identify threats and design methods that enhanced the company's web security service. Mr. Royal is a frequent press resource on security issues and has been quoted in USA Today, The Washington Post, Forbes and others.

Christi Ruiz
Incident Response Section Chief, 33 NWS
Christi Ruiz is the Incident Response section chief. Her team is responsible for handling all AF computer intrusions, from discovery to secure and recover. Her team works 24/7 to ensure AF networks are secured and that compromised systems are cleaned and placed back online as quickly as possible.
Pictured: Michael Robinson, Andrie Rose
Amber Schroader
CEO, Paraben Corporation
Throughout the past two decades as CEO of Paraben Corporation, Amber Schroader has been the driving force behind some of the most innovative Digital Forensic technology to be introduced into the industry. She has developed over two dozen software programs designed for recovering digital data from handheld devices such as cellular phones and PDAs, computer hard drives, and large-scale computer networks capable of storing data from several thousand computers. With an aggressive development schedule, Ms. Schroader continues to bring forth new and exciting technology to the computer forensic community worldwide. Ms. Schroader coined the concept of the 360-degree approach to digital forensics, pushing for a big-picture consideration of the digital evidence acquisition process. An accomplished curriculum developer and instructor, Ms. Schroader has written and taught numerous classes for this specialized field. She continues to support the industry through speaking engagements at DoD Cybercrime, HTCIA, CSI and a variety of other events.

Elizabeth Schweinsberg
Forensic Analyst, Department of Defense
Elizabeth Schweinsberg is a Digital Forensics Analyst who specializes in Intrusion Analysis for the Department of Defense. She hunts for malware that tries to stay hidden and determines how it got there. Ms. Schweinsberg has been in the computer industry for over a decade and in digital forensics since she received her M.S. in Information Security, Technology and Management from Carnegie Mellon University. When not behind the computer, she works on her avian millinery.

Christian Scott
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Christian Scott is an employee of CSC assigned to the Defense Cyber Investigations Training Academy's (DCITA) Technology Track. Prior to joining DCITA, Mr. Scott worked in the private sector as a project engineer and security consultant, working primarily on intelligence community and Fortune 500 company contracts. Mr. Scott established his experience as a security professional while serving in the United States Army as a Counterintelligence Agent, specializing in Technical Intelligence.

Chris Shanahan
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Christopher Shanahan is an employee of CSC assigned to the Defense Cyber Investigations Training Academy (DCITA) in Linthicum, Maryland as an instructor and course developer in the Forensics Track. With more than eighteen years of experience in law enforcement -- nine as a detective responsible for digital forensics and electronic crimes -- Mr. Shanahan has extensive experience in cyber crime investigations and digital forensics. In addition, Mr. Shanahan was responsible for building a state-of-the-art digital forensics lab for a County police department in Northern Delaware -- a busy lab that still operates successfully today. Mr. Shanahan holds a BS in Computer and Network Security and maintains a number of industry-recognized technical certifications. In 2009 Mr. Shanahan coached the winning team in the
Pictured: Amber Schroader, Elizabeth Schweinsberg, Christian Scott, Lee Reiber, Paul Royal, Chris Shanahan, Randy Robbins, Christi Ruiz
69
worked for Science Applications International Corporation (SAIC) as a network and security engineer within the Intelligence Community. His research focuses primarily on malware analysis and subversive software development techniques, working to identify common attack methodologies utilized to compromise computer systems and operate undetected. He received his B.S. in Computer Science from the Georgia Institute of Technology and is currently pursuing his M.S. in Information Security. Additionally, he holds the Certified Information Systems Security Professional (CISSP) certification.
Bryan Spano
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Bryan Spano is a course developer and instructor in the Forensics Track at the Defense Cyber Investigations Training Academy (DCITA), part of the Defense Cyber Crime Center (DC3). Prior to joining DC3, Mr. Spano gained extensive experience as a federal law enforcement agent, specializing in cyber crime investigations and evidence response. He holds a Bachelor's degree in Physics from the U.S. Naval Academy.

David Speringo
Senior Consultant/Engineer, AccessData
With ten years of experience in the e-discovery sector as a practicing attorney, electronic discovery consultant, and computer forensic specialist, David Speringo serves as a senior consultant on staff with AccessData. Prior to joining AccessData, Mr. Speringo held senior-level management and consulting positions at both ends of the e-discovery spectrum: within a law firm and at a national e-discovery litigation support company. Within these roles he has taught classes providing continuing legal education for attorneys and has been a guest speaker at several legal conferences on the topics of litigation support technologies, best practices, and litigation technology cost management. Within the forensics world, Mr. Speringo is a certified computer examiner (CCE) and has led forensic teams on the investigative acquisition and analysis of data for clients composed of several AMLAW 100 firms and Fortune 500 companies over the past seven years. He received his B.A. in Political Science/History from the University of Connecticut in 1997, and his law degree (J.D.) from Roger Williams Law School in 2000.

Robert Spitler
Forensic Lead Specialist, Defense Cyber Crime Center (DC3)
Robert Spitler is a Forensic Lead Specialist with the Defense Cyber Crime Center. He is an Air Force veteran with over 20 years of law enforcement and over nine years of digital forensics experience. Mr. Spitler has experience investigating major criminal offenses at the state and federal level, as well as experience in intelligence exploitation and corporate investigations. He has testified as an expert witness in digital forensics on several occasions. Mr. Spitler has certifications in digital forensic examination through IACIS (CFCE), Guidance Software (EnCE), and DoD (CBDFE). He is a certified Law Enforcement Instructor (VA) and Instructor in Computer Forensics (IACIS). He has been directly involved with the continued advancement of digital forensics during his career through training and association involvement, including numerous hours of computer crime and forensic instruction for local, state, federal and foreign law enforcement as well as corporate investigators. Mr. Spitler served on the Board of Directors for the International Association of Computer Investigative Specialists for five years. He has conducted forensic training with IACIS and HTCIA and co-developed and taught cyber classes for the U.S. Department of State Anti-Terrorism Assistance Program for law enforcement in foreign countries.

Cindy Stanley
Deputy Staff Judge Advocate, Air Force Office of Special Investigations (AFOSI)
Lieutenant Colonel Cindy Stanley is the Deputy Staff Judge Advocate for the Air Force Office of Special Investigations. She has served in various positions including staff judge advocate, deputy staff judge advocate, area defense counsel and executive officer. Colonel Stanley was recognized as Air Combat Command's 2004 Outstanding Deputy Staff Judge Advocate of the Year and was the 2005 12th Air Force Outstanding Judge Advocate. She is admitted to practice law before the Supreme Court of Nebraska and the United States Court of Appeals for the Armed Forces.

Donald Stewart
Project Manager, NIJ Electronic Crime Technology Center of Excellence
Donald Stewart, CFCE, is a Project Manager with the NIJ Electronic Crime Technology Center of Excellence. The ECTCoE staff works with the NIJ Office of Science & Technology Electronic Crime Portfolio and colleagues in law enforcement, academia and the private sector to provide state and local law enforcement with the electronic crime and digital evidence tools, technology and training they will need to serve the public with the highest degree of expertise, increase the number of successful investigations involving electronic crime and digital evidence, and achieve the highest possible prosecution to conviction rate. In 2000 he established the Computer Forensic Section for the Forensic Services Unit at the Prosecutor's Office in Berks County, Pennsylvania while he was employed there as a Detective. He worked for 32 years in Law Enforcement prior to his retirement. He is a member of HTCIA and IACIS. He currently serves on the Law Enforcement Advisory Board for Berks Technical Institute, Wyomissing, PA (5 yrs.), where he advises on the Criminal Justice Course content. He holds a Bachelor's Degree in Criminal Justice Administration from Alvernia University, Reading, PA.

Ed Stoner
Analyst, Network Situational Awareness Group, CERT
Ed Stoner is an analyst working in the Network Situational Awareness group of CERT. His work has been focused on detecting malicious behavior through network indicators.

Christopher Taylor
Senior Investigator, Crucial Security Programs, Harris - Crucial Security Programs
Christopher Taylor is a forensics practitioner and researcher whose work has supported various arms of the federal government for the last 12 years. He has worked both traditional, dead-drive forensics and incident response on live networks, with special focus on dealing with long-running intrusion cases.

Michael Terminelli
Project Manager, NIJ Electronic Crime Technology Center of Excellence
Michael Terminelli is a Project Manager of the NIJ
Pictured: Bryan Spano, Aaron Shelmire, Erik Sherman, Don Stewart, David Speringo, Mary Singh, Robert Spitler, Ed Stoner, Christopher Taylor, Christopher Smoak, Michael Terminelli
70
certifications as an EnCE, MCSE, MCT, and CompTIA's A+, Network+, Security+ and CTT+. Her professional background includes four years of active duty service in the Marine Corps as a communications officer.
Tim Treat
Manager, Mandiant
Tim Treat is a Manager at Mandiant. He runs the San Francisco office and serves as the lead consultant supporting the Security Operations Center for a large government client in California. As lead consultant, he ensures operational cohesion exists between incident response teams, network traffic analysts, network operations teams and other network experts to secure the client's enterprise. His emphasis on operational security is paramount to ensuring the client's security personnel have adequate situational awareness and network security capabilities that are synchronized to engage threats and attacks effectively. Prior to joining Mandiant, Mr. Treat served 13 years in the United States Air Force as a tactical communications engineer assigned to the 607th Air Support Operations Group, the 5th Combat Communications Group and the 820th Security Forces Group. He also served as the Director of Operations for the Air Force Space Command Network Operations and Security Center, where he was responsible for providing secure network services to over 30 locations around the globe. Tim continues to serve today as a USAF Reservist assigned to the Air Force Frequency Management Agency in Alexandria, VA.

Christopher Triplett
Technology Consultant, viaForensics
Christopher Triplett is a Technology Consultant for viaForensics and manages the Android R&D and training program. He has been instrumental in the implementation of new methods for extracting data from Android devices and has trained investigators from all over the world on mobile device forensics. In addition, Mr. Triplett maintains a military top secret clearance as an Air Force pilot and has worked closely with intelligence agencies during overseas combat operations.

Jason Upchurch
Senior Technical Lead, Intrusions, General Dynamics
Jason Upchurch is the Senior Technical Lead, Intrusion Forensics, for General Dynamics Advanced Information Systems Cyber Systems commercial forensic practice. Prior to joining the Commercial practice, he was the technical lead for the Intrusions and Information Assurance Section and Intrusions group at the DoD Cyber Crime Center. Mr. Upchurch is responsible for leading incident response and forensics relating to computer intrusions. In addition, he provides mentoring/coaching to other cyber systems personnel, develops automation techniques for digital forensics and provides training both internally and externally on Malware Analysis and Large Dataset Forensics. He has presented at conferences at the national and international level.

Ryan Valencik
Computer Forensic Specialist, SAIC
Ryan Valencik is an ACE certified Computer Forensic Specialist in the Cyber and Digital Media division of SAIC. He holds a B.S. in Computer Forensics from Bloomsburg University of Pennsylvania and is currently enrolled at NYU Polytechnic pursuing his M.S. in Cyber Security. Mr. Valencik has spent more than two years studying the forensic implications of Windows Media Player and the databases and file structures employed by the program.

Dan VanBelleghem
Vice President, Information Assurance, NCI Information Systems
Dan VanBelleghem is a recognized leader in network security research and engineering. He currently leads the information assurance and cybersecurity practice at NCI Information Systems. His prior experience includes Systems and Security Engineering for clients in the DoD, Department of State, Department of Justice and Fortune 100 clients. His past client engagements include security-related research and consulting activities in penetration testing, incident response, security strategic planning, and enterprise security architecture design. Mr. VanBelleghem is a Certified Information Systems Security Professional (CISSP) and a Certified Computer Examiner (CCE). He also holds the IAM and IEM certifications from the National Security Agency (NSA).

Jesse Varsalone
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Jesse Varsalone is a Computer Forensic Senior Professional at Computer Sciences Corporation and is assigned to the Defense Cyber Investigations Training Academy's Network Investigations Track. His certifications include the following: A+, Linux+, Net+, iNet+, Security+, Server+, CTT+, CIW Professional, CWNA, CWSP, MCT, MCSA, MCSE 2000/2003, MCSA/MCSE Security, MCSD, MCDBA, MCSD, CNA, CCNA, MCDST, Oracle 8i/9i DBA, and Certified Ethical Hacker. Prior to joining DCITA, he served as the Director of the MCSE and Network Security Program at the Computer Career Institute at Johns Hopkins University. For the 2006 academic year, he served as an Assistant Professor of Computer Information Systems at Villa Julie College in Baltimore, Maryland, where he taught courses in Networking, Active Directory, Exchange, Cisco and Forensics. He holds a Bachelor's degree from George Mason University and a Master's degree from the University of South Florida.

Ryan Vela
Lead Cyber Security Forensic Examiner, General Dynamics
Ryan Vela is a Lead Cyber Security Forensic Examiner for GDAIS and is based in San Antonio, TX. He has been in the cyber security field for over 10 years. He spent four years working at the Defense Cyber Crime Institute (DCCI) and three years working at the Defense Computer Forensics Laboratory (DCFL), where he assisted with both ASCLD/LAB Legacy and ISO Accreditation. During his tenure, Mr. Vela rewrote and restructured all procedures and policies and created a document management system. He then implemented a Professional Development Program including proficiency and competency testing as well as a QA Section. Mr. Vela now consults with private industry in planning, building, managing and accrediting forensic laboratory capabilities.

Daniel Velez
Director of Defense Programs, Raytheon
Daniel Velez is the Director of Defense Programs at Raytheon Oakley Systems, and is responsible for the delivery and support of insider threat monitoring and
Pictured: Tim Treat, Buddy K. Tidwell, Jesse Varsalone, Christopher Triplett, Jason Upchurch, Ryan Vela, Alissa Torres, Ryan Valencik, Daniel Velez
71
Pictured: Matt Watchinski, Todd Waits
Matt Watchinski
Senior Director, Vulnerability Research Team, Sourcefire
Matt Watchinski serves as the Senior Director of the Vulnerability Research Team (VRT) at Sourcefire, where he leads the Sourcefire VRT to ensure that the open source Snort community and Sourcefire customers are consistently and proactively protected from the latest threats as quickly as possible. Mr. Watchinski works in conjunction with hundreds of thousands of security specialists worldwide who contribute Snort rules for new and evolving threats every day, often in record time. Prior to joining Sourcefire, he held similar roles with Hiverworld (now nCircle) and Farm9 (now Ambiron Trustwave).

Top Watson
Law Enforcement Program Specialist, Federal Law Enforcement Training Center
Top Watson is a Law Enforcement Program Specialist with the Technical Operations Division (TOD), which is a division within the Office of Training Operations at the Federal Law Enforcement Training Center. TOD is mandated with designing, developing, coordinating and administering training programs related to the prevention, detection, investigation and prosecution of crime through the use of electronic surveillance equipment, digital imaging and the seizure of digital evidence through computer forensics. Mr. Watson has been active in the field of law enforcement for over 30 years, working at the local, state, military and federal levels. His assignments have ranged from patrol, investigations, physical security, protective service operations and high-risk special operations. His current assignment includes performing Program Specialist duties in support of TOD's 10 advanced training programs at the FLETC.

Jay Weinstein
WAN PM, L-3 Communications
Jay Weinstein is the L-3 Communications Wide Area Network Program Manager.

Mark Weiser
Director, Center for Telecommunications and Network Security (CTANS), Oklahoma State University
Dr. Mark Weiser is the Fleming Professor in Technology Management and Director of Oklahoma State University's Center for Telecommunications and Network Security (CTANS). Dr. Weiser teaches Telecommunications Systems, Information Assurance, Digital Forensics and hands-on Telecommunications and Networking laboratory classes. He has published in the Journal of Management Information, Communications of the ACM and other leading journals, focusing on the areas of upper-layer network protocols, security, forensics and technology supported teaching. CTANS was created to serve as the focal point for research, teaching and outreach at OSU. In the past year, CTANS faculty have garnered research and development funding from DoD, NSA, AFOSR and NSF, as well as multiple private contracts. The work spans from secure wireless communications to trust mechanisms, to detecting deception in written documents. Under Dr. Weiser's leadership, the graduate and undergraduate Information Assurance and Forensics curricula were developed and have grown into popular offerings, such as a Graduate Certificate, multiple Options and an undergraduate minor. OSU is home to the National Repository of Digital Forensic Information, which is a collaborative effort with the DoD Cyber Crime Center. OSU was in the first group of institutions in the country to obtain the designation of Center of Academic Excellence in Information Assurance Education and Research.
Jeff Wells
Engineering Manager, Cisco Systems
Jeff Wells is a Consulting Systems Engineer for Cisco Systems. He has over 30 years in IT, 20 years in application development and security and 25 years in network design, implementation and security. He has been with Cisco for 10 years and is currently working for their DoD Information Assurance advanced technology team.

Samuel Wenck
Software Engineer, Lockheed Martin
Samuel Wenck works for Lockheed Martin as a software engineer supporting custom tool development for Lockheed's Computer Incident Response Team (LM-CIRT) within the Security Intelligence Center. He co-presented "Agile Development for Incident Response" at last year's DC3 Conference. He has more than 20 years of experience in IT, working in many areas including web application development, network security, INFOSEC and vulnerability/risk assessment.

Michael Whitaker
Director, CACI, Inc., Federal
Michael Whitaker has over 30 years of software application development and project management experience. After serving in the U.S. Air Force developing war game simulations, Mr. Whitaker joined CACI in May of 1986. He has worked various projects for the DoD and commercial companies while working for CACI. His expertise in application development is well known within CACI. He co-authored CACI's software reengineering methodology, RENovate (SM), which consists of seven volumes describing the technical and management approach to software reengineering.

Chuck Willis
Technical Director, Mandiant
Chuck Willis is the leader of the Open Web Application Security Project (OWASP) Broken Web Applications Project and a Technical Director with Mandiant, where he concentrates in application security, research and development. Prior to joining Mandiant, he performed security software engineering, penetration testing and vulnerability assessments at a large government contractor and also conducted computer forensics and network intrusion investigations as a U.S. Army Counterintelligence Special Agent. Mr. Willis holds a Master of Science in Computer Science from the University of Illinois at Urbana-Champaign and has previously spoken at the Black Hat Briefings, the OWASP AppSec Conference, the IT Underground security conference in Europe, DefCon and ShmooCon. He has contributed to several open source security software projects and is a Certified Information Systems Security Professional and a Certified Forensic Computer Examiner.
Pictured: J.J. Wallia, Michael Whitaker, Jay Weinstein, Matt Warnock, Ken Warren, Chuck Willis
72
Pictured: Ricky Windsor
senior Technical forensics Manager saiC kristi Witsman is the Senior Technical Forensics Manager of the Digital forensics Practice at SAIC. She has been performing advanced Cyber Forensics for 10 years, and worked in the u.S. Department of Justice criminal divisions High Technology Investigative unit as a computer forensics specialist. She has worked extensively at the Department of State Computers Investigative and Forensics branch as a senior forensic Analyst. Ms. Witsman has published numerous articles regarding advanced forensics detection and analysis. She also has provided training to the International Association of Computer Investigative Specialists (IACIS) Certified Computer Forensic Examiner Courses, Trial preparation training/courtroom testimony and forensics media training. She has testified in federal court in more than 50 courtroom cases. Ms. Witsman holds Masters and undergraduate degrees in Information Systems form Virginia Polytechnic Institute and State university and has numerous certifications. internet security analyst CerT Malicious Code Team/sei Jonathan Woytek has been a member of the CERT Malicious Code team since August of 2006. His duties have included handling malware analysis requests from government, law enforcement and civilian agencies, monitoring public sources for new malware tradecraft and trends, and collecting and analyzing new samples of interest. Examining in-the-wild attacks has lead to an interest in script and plug-in content-based attack methodologies and ways for analysts to defeat them. Prior to coming to CERT, Woytek worked as a Systems Administrator in academia and commercial organizations since 1996. In addition to security, he maintains interests in digital media and disaster recovery. 
Charles Yarbrough
InfoSec Analyst, CERT
Charles Yarbrough has been a systems administrator and Information Security Incident Handler for the University of North Carolina at Chapel Hill and is currently a Computer Security Information Specialist with CERT, based at the Defense Cyber Crime Center (DC3). Mr. Yarbrough holds the CISSP, SANS GSEC and GCIH certifications and has worked in the IT industry for over 15 years. He is also actively involved in ISSA and InfraGard.

Russell Yawn
Chief Investigator, Office of Prosecution Services, State of Alabama
Russell Yawn, CFCE, is the Chief Investigator in the Office of Prosecution Services for the State of Alabama. He is responsible for managing the three digital forensic labs for the State of Alabama, and for assisting the District Attorneys in developing high-impact graphics and exhibits for use in the courtroom in high-profile cases.
Pictured: Kristi Witsman, Jonathan Woytek, Stephen Windsor
William Yurek
Senior Counsel, U.S. Department of Justice
William Yurek is a Special Agent and Cyber Program Manager at the Defense Criminal Investigative Service (DCIS). He also serves as the DCIS representative to the National Cyber Investigations Joint Task Force. Before working for DCIS, Mr. Yurek was a Senior Counsel in the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice in Washington, D.C. He recently completed military service in the Air Force Office of Special Investigations as the senior military representative to the U.S. National Cyber Investigations Joint Task Force. Mr. Yurek has also been a Senior Counsel in the Enforcement Division of the U.S. Securities and Exchange Commission, where he conducted the first investigation and prosecution of an internet stock manipulation scheme in SEC history. He was a Team Leader and Investigator for the U.S. House of Representatives Select Committee on National Security and the People's Republic of China. He was a Special Assistant U.S. Attorney in the Eastern District of Virginia, the Central District of California, the Southern District of Florida and the District of Columbia. Mr. Yurek also served as Counsel and Deputy Director of the Washington, D.C., area Joint Cyber Task Force. Mr. Yurek began his law enforcement career as a Special Agent in the U.S. Air Force Office of Special Investigations (AFOSI). In that position, he investigated felony criminal offenses including terrorism, fraud, narcotics, espionage and computer crime. He is a DoD-certified computer crime investigator and remains a reserve special agent with AFOSI today, assigned to the Office of the Director, Defense Cyber Crime Center.

Lenny Zeltser
Senior Faculty Member and Director of Security Consulting, SANS Institute and Savvis
Lenny Zeltser leads the security consulting practice at Savvis. He is also a member of the board of directors at SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Mr. Zeltser frequently speaks on information security and related business topics at conferences and private events. He also writes articles and has co-authored several books. Mr. Zeltser is one of the few individuals in the world who have earned the highly regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. He has an M.B.A. from MIT Sloan and a Computer Science degree from the University of Pennsylvania. For more information about his projects, see http://zeltser.com and http://twitter.com/lennyzeltser.
Pictured: Lenny Zeltser, James E. Wingate, Russell Yawn

U.S. DEPARTMENT OF DEFENSE CYBER CRIME CONFERENCE 2011 | Cyber Hunters: Predators and Prey...
Afternoon Break | 1400-1445 | Conference Level Foyer
Morning Reception | 0700-0745 | Centennial Foyer
Afternoon Break | 1400-1445 | Conference Level Foyer

Wednesday
Morning Reception | 0730-0830 | Exhibit Hall
Italian Luncheon | 1200-1330 | Exhibit Hall
Afternoon Break | 1430-1500 | Exhibit Hall
Afternoon Break | 1430-1500 | Conference Level Foyer
Morning Reception | 0700-0800 | Centennial Foyer
A Chance to Win Great Prizes, including an Amazon Kindle, iPod Touch, Best Buy Gift Card, One Night Stay at the Baltimore Marriott, T-shirts, and more!
Exhibitor (Booth) | Prize
AccessData (Booth 105) | Amazon Kindle
At Ease Computing (Booth 514) | MAM-A Silver CD-R, edge to edge, 700MB, 52X, bulk 100/pack, 600/carton
BlackBag Technologies, Inc (Booth 510) | BlackBag Forensic Kit: BBT OGIO laptop bag, BBT notebook, BBT pens, BBT mug, voucher for BBT Forensic Software Bundle (BlackLight, Mobilyze, SoftBlock and MacQuisition)
CRU DataPort (Booth 609) | USB WriteBlocker
FireEye, Inc (Booth 512) | iPod Touch 8GB
General Dynamics (Booth 604) | GD Goody Bag
Guidance Software (Booth 303) | EnCase Portable
HBGary (Booth 310) | 1 copy of HBGary Responder Field Edition; 3 copies of Call of Duty: Black Ops
Marriott (Sponsor) | Free night stay at the Baltimore Marriott
Norman Data Defense (Booth 509) | TBD
Oxygen Software (Booth 109) | Oxygen Forensic Suite 2010, Analyst license
Paraben Corporation (Booth 204) | iRecovery Stick
Solera Networks (Booth 617) | $50 Best Buy Gift Card
Sunbelt Software (Booth 309) | $50 Best Buy Gift Card
Syngress (Booth 218) | 3 books from the Syngress catalog
Teel Technologies (Booth 215) | TeelTech Power Tip Kit
Vound Software (Booth 322) | Shirt
Silent Auction
{ Please see the silent auction insert for details and a list of auction items. }
Silent auction starts: Tuesday, 1130 | Silent auction bidding ends: Thursday, 1250 | Bids posted by: Thursday, 1500
Winners claim bid and donate money: Thursday, 1500, through Friday, 1000, Conference Registration Desk

The Silent Auction begins Monday night during the Opening Reception and ends Tuesday night in the Exhibit Hall during the reception. Visit exhibitors and areas around the exhibits to view the items being auctioned and enter your bid on the Silent Auction form. The highest bid at the cutoff will be the winner. All monies raised go to the National Center for Missing and Exploited Children (NCMEC). NCMEC's mission is to assist in the prevention of child abduction and sexual exploitation; help find missing children; and assist victims of child abduction and sexual exploitation, their families, and the professionals who serve them. NCMEC was established in 1984 as a private, nonprofit 501(c)(3) organization to provide services nationwide for families and professionals in the prevention of abducted, endangered, and sexually exploited children.
CD Toss
The object of this game is to toss a CD into the top of the container.
Rules: A series of 10 plastic containers is arranged in a reverse bowling-pin setup. Each container has a point value assigned. A chair is placed approximately 8 feet from the containers. While sitting, each individual tosses three CDs. Individuals may buy Mulligans for $5 for 3 tosses.
Scoring: The winner is the individual with the highest combined total score (see the scoring table at the bottom of the Olympics description).
Prizes: 1st: Medal and Popup Speakers; 2nd: Medal and Waterproof Flashlight; 3rd: Medal and Digital Keychain

Floppy Disk Throw
The object of the game is to throw the diskette as far and as accurately as possible.
Rules: A line will be drawn the length of the room. Each individual gets 3 complimentary tosses. Mulligans may be purchased for $5 each.
Scoring: The lateral distance from the center line to the point where the diskette first lands is subtracted from the length of the throw. The winner is the individual with the highest score in feet.
Prizes: 1st: Medal and Popup Speakers; 2nd: Medal and Waterproof Flashlight; 3rd: Medal and Digital Keychain

Prizes for the Overall Olympians
Cyber Crime Survivor determines the Cyber Crime Olympic Champion. The event takes place in General Session on Friday from 0730 to 0855 (prizes will be awarded at 0830).
Prizes: 1st: Trophy and Nintendo Wii; 2nd: Trophy and iPod Touch; 3rd: Trophy and Flip Camcorder

General Rules
The Conference Chair may adjust the rules as necessary and at any time, and there are no appeals. Individuals compete against all other registered individuals. Events occur Wednesday evening following the reception.

Schedule of Events (held in exhibit areas)
Wednesday Evening (1900): Floppy Disk Throw and CD Toss, following the Reception
Friday (0830): Cyber Crime Survivor, in the General Session

Scoring for All Events (points are awarded based on rank against other individuals)
1st: 50 pts | 2nd: 45 pts | 3rd: 40 pts | 4th: 35 pts | 5th: 30 pts | 6th: 25 pts | 7th: 20 pts | 8th: 15 pts | 9th: 10 pts | 10th and below: 5 pts
DC3 introduces the 2011 Challenge and discusses several 2010 submissions
Thursday, Forensic Track Session, 0830-0900, Centennial Ballroom 1

University of Texas at San Antonio's Writeblockers presents their solutions and methodologies
Thursday, Forensic Track Session, 0940-1005, Centennial Ballroom 1

U.S. Team Williams Twins Forensics presents their solutions and methodologies
Thursday, Forensic Track Session, 0850-0915, Centennial Ballroom 1

Grafton High School's Crash Override presents their solutions and methodologies
Thursday, Forensic Track Session, 1005-1030, Centennial Ballroom 1

Idaho Falls High School's Pwnage presents their solutions and methodologies
Thursday, Forensic Track Session, 1000-1030, Centennial Ballroom 1
The objectives of the annual DC3 Digital Forensics Challenge are to establish relationships, resolve technological issues, and develop new tools, techniques and methodologies for the digital forensic community. This year 71 teams submitted solutions, a significant increase from the 44 teams that submitted the previous year. The Challenge presented problem-solving scenarios in the following areas of forensic studies:
Missing File Header Reconstruction
Detect Suspicious Software
Registry Analysis
Metadata
Audio Steg
Keylog Cracking
Password Cracking
Steg S-Tools
NTFS File Record
PCAP Data Recovery
Compromised Host Disk Image
PAX Cracking
Accessing the Shadow Volume on a Password-Protected Vista Platform
Windows 7 USB Thumb Drive Encryption
Extracting Hidden Evidence in a VMware WinXP Virtual Machine
Steganography
MFT File Reader Development
Text String Searching Tool Development
Language Identifier Tool Development
Data Recovery from HPA as a Universal Tool or per-Manufacturer Tool Development
Data Recovery from Unmarried TPM Hard Disk Tool Development
VSC Parser Tool Development
For more information about the Challenge, visit the website at www.dc3.mil/challenge
[Exhibit hall floor plan: Aisles 100 through 600, booths 104 through 811, exits, storage and office; scale 0' to 30'.]
AccessData | Booth 105
ADF Solutions, Inc. | Booth 211
At Ease Computing, Inc | Booth 514
Belkasoft | Booth 622
Bit9 | Booth 111
BlackBag Technologies, Inc | Booth 510
Blue Coat Systems, Inc. | Booth 516
CED Solutions | Booth 618
Cellebrite USA Corp | Booth 612 (partnering with NEK Advanced Securities Group)
Cenzic Inc | Booth 112
Champlain College | Booth 518
Chickasaw Nation Industries | Booth 312
Clearwell Systems | Booth 805
Core Security Technologies | Booth 313
CRU DataPort | Booth 609
CSC | Booth 610
Damballa Inc. | Booth 522
Data Security Inc. | Booth 116
DC3 | Booth 819
DC3 Recruiting | Booth 817
Dell | Booth 511
Deloitte Services LP | Booth 212
DFI News | Booth 809
DFLABS | Booth 414
Digital Intelligence Inc. | Booth 205
Fernico | Booth 410
FireEye, Inc | Booth 512
Forensic Computers, Inc. | Booth 318
Fortinet, Inc. | Booth 113
General Dynamics Advanced Information Systems | Booth 604
GFI Software | Booth 309
Global Knowledge | Booth 210
Guidance Software | Booth 303
Harris | Booth 315
HBGary, Inc. | Booth 310
High Tech Crime Institute | Booth 409
IATAC | Booth 110
ImmixGroup | Booth 616
Imperva | Booth 216
Intelligent Computer Solutions | Booth 613
Katana Forensics | Booth 215 (partnering with Teel Technologies)
Exhibit Hall hours and events
Tuesday, January 25 | 1100-1900
Lunch | 1130-1300
Afternoon Break | 1445-1530
Reception | 1700-1900
Wednesday, January 26 | 0730-1900
Morning Reception | 0730-0830
Morning Break | 1030-1100
Lunch | 1200-1330
Afternoon Break | 1430-1500
Reception | 1700-1900
Thursday, January 27 | 0730-1330
Morning Reception | 0730-0830
Morning Break and Raffle | 1030-1100
Closing Lunch and Silent Auction | 1200-1330
Exhibit Hall Closing | 1330
[Exhibit hall floor plan, East Hall: booths 812 through 819, 904 through 912 and 1009 through 1014, entrance and storage.]
Cyber Café
The Cyber Café is located in the Grand Hall Foyer on the Exhibit Level.
Monday, January 24 | 1000-1700
Tuesday, January 25 | 0700-1900
Wednesday, January 26 | 0730-2100
Thursday, January 27 | 0700-1700
Friday, January 28 | 0700-1200
Lieberman Software Corporation | Booth 203
Lockheed Martin | Booth 118
Logicube, Inc. | Booth 418
MacAulay-Brown, Inc. (MacB) | Booth 416
MAM-A | Booth 514 (partnering with At Ease Computing, Inc)
Mandiant | Booth 209
ManTech International Corporation | Booth 104
Merlin International, Inc. | Booth 412
MH Service GmbH | Booth 314
NCMEC | Booth 815
NEK Advanced Securities Group | Booth 612
NitroSecurity | Booth 517
Norman Data Defense | Booth 509
North Central Sight Services | Booth 807
NW3C | Booth 904
Oklahoma State University | Booth 811
Oxygen Software | Booth 109
Palo Alto Networks | Booth 415
Paraben Corporation | Booth 204
Passware, Inc. | Booth 316
Raytheon Company | Booth 603
SAIC | Booth 404
SANS Institute | Booth 311
Software Engineering Institute, Carnegie Mellon University | Booth 615
Solera Networks | Booth 617
Spirent Federal | Booth 623
Stevenson University | Booth 317
Syngress | Booth 218
Technology Pathways | Booth 621
Teel Technologies | Booth 215
The Newberry Group | Booth 611
University of Maryland University College | Booth 421
US Army Threat Systems Management Office | Booth 515
Valid Edge | Booth 213
Vound Software | Booth 322
WetStone Technologies, Inc. | Booth 115
Wounded Warriors | Booth 813
Company Profiles

AccessData | Booth 105
www.accessdata.com
AccessData has pioneered digital investigations for 20+ years, serving law enforcement, government agencies and corporations worldwide. AccessData delivers state-of-the-art computer forensics, network forensics, password cracking and decryption solutions. Its Forensic Toolkit and enterprise solutions allow organizations to search, preserve, process, analyze and produce evidence for investigations, incident response, eDiscovery and information assurance.
BlackBag Technologies, Inc. | Booth 510
BlackBag Technologies, Inc. provides Mac-based data forensic and eDiscovery solutions to law enforcement and private sector clients. BlackBag offers clients a comprehensive and secure suite of services, software and training solutions.

Blue Coat Systems, Inc. | Booth 516
Blue Coat Systems offers an Application Delivery Network infrastructure that optimizes and secures the flow of information to any user, on any network, anywhere.

Cellebrite USA Corp | Booth 612
www.cellebrite.com
Cellebrite's mobile forensics products enable extraction and analysis of invaluable evidentiary data, including deleted and hidden data, for military, law enforcement, governments, and intelligence agencies across the world. Cellebrite's UFED provides fast and secure mobile data extraction and analysis from mobile phones and GPS devices, in the lab or in the field. For more information visit www.cellebrite.com.

Cenzic Inc | Booth 112
Cenzic provides software, managed service, and cloud security products that help organizations secure their websites against hacker attacks. Cenzic focuses on Web application security, automating the process of identifying security defects at the Web application level, where more than 75% of attacks occur; helping customers remediate those defects; managing risk; and attaining compliance with regulations such as PCI.
Champlain College | Booth 518
cps.champlain.edu
Champlain College has helped students succeed in business and technology careers for over 130 years. In 1993, Champlain introduced its first online courses and in 1996 offered its first degree program entirely online. The Computer Forensics Online degree program was introduced in 2001. Visit cps.champlain.edu to learn more.
Deloitte Services LP | Booth 212
www.deloitte.com/federal
Deloitte is proud to work with the Department of Defense to deliver extraordinary advantages to the 21st Century Warfighter. Drawing upon extensive experience serving government and industry, and a deep understanding of the Department of Defense, Deloitte provides clients with unique and integrated solutions in areas including IT integration, financial management, human capital, strategy and operations, and enterprise resource planning.
Fernico | Booth 410
www.fernico.com
Fernico's new ZRT 2 is the leading system for manually examining any cell phone and recording evidential data with high-definition video capture. FAR Pro Blu-ray is the premier system for automatically archiving digital evidence to DVD or Blu-ray discs. FAR Pro Imager is the most cost-effective automated solution for acquiring bulk quantities of discs.
Harris | Booth 315
www.harris.com
Since its inception in 2000, Crucial Security has delivered innovative technology and technical services solutions to federal government customers. Today, Crucial Security is a wholly owned subsidiary of Harris Corporation. Our motto, "Crack it. Code it. Change the Game.", touts our cutting-edge yet practical network security practices, supported by seasoned experts with a variety of intelligence and law enforcement backgrounds.

i2 | Sponsor
www.i2group.com
i2 is the leading provider of intelligence and investigation management software for law enforcement, defense, national security and private sector organizations. For over 20 years, 4,500 organizations in 150 countries have relied on i2's proven technology to investigate, predict, prevent and defeat crime and terrorism.
MacAulay-Brown, Inc. (MacB) | Booth 416
www.macb.com
MacB is an advisory and assistance and technical services company with over 30 years of professional service to the US government and prime contractors in EW, Intel, Cyber, NetDef and IA capabilities. MacB was part of the original AFCERT in San Antonio and is a major contributor to the stand-up of 24 AF's CITS Blk 30 Mission Assurance upgrade.
NW3C | Sponsor
www.nw3c.org
The National White Collar Crime Center (NW3C) provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of economic and high-tech crime.
Stevenson University | Booth 317
accelerate.stevenson.edu
Stevenson University offers undergraduate and graduate degrees to adult students seeking to establish careers, enhance existing careers or change careers. Stevenson offers degrees in Forensic Science, Forensic Studies, Criminal Justice, Information Systems, Business, and Nursing.