Sponsored by: DoD Cyber Crime Center

Conference Organizer

Table of Contents

Conference
Hyatt Regency Atlanta Map ........ 2
General Information ........ 3
Welcome ........ 5
Thanks to the Sponsors ........ 7
Hours of Operation ........ 7
Pre-Conference Training Agenda (Friday–Monday) ........ 8–10
Classified Training Session: Cyber Counterintelligence (CI) Briefings ........ 10
Pre-Conference Training Planner ........ 11
Digital Signatures and Hash Set Summit Agenda ........ 22
Conference Agenda (Tuesday–Friday) ........ 13–21
Breakout Session Locator Map ........ 22
Breakout Session Planner ........ 23
Birds of a Feather Sessions ........ 24–25
Open Meeting Rooms ........ 25
DC3 Tool Expo ........ 26
Session Descriptions ........ 27–49
    Pre-Conference Training Descriptions ........ 27–28
    Plenary Session Descriptions ........ 28
    Track Session Descriptions ........ 28–49
Speaker Biographies ........ 51–73
    Plenary Speakers ........ 51–53
    Breakout Speakers ........ 55–73

Exposition and Special Events
Special Event Listing ........ 74–75
Exhibit Hall Raffle ........ 76
Silent Auction ........ 77
Cyber Crime Olympics 2011 ........ 78
DC3 Digital Forensics Challenge Award Presentation ........ 79
Exposition Floorplan and Exhibitor Listing ........ 80–81
Company Profiles ........ 82–88

DoD Cyber Crime Center (DC3)

The Department of Defense Cyber Crime Center (DC3) sets standards for digital evidence processing, analysis, and diagnostics for any DoD investigation that requires computer forensic support to detect, enhance, or recover digital media, including audio and video. The center assists in criminal, counterintelligence, counterterrorism, and fraud investigations of the Defense Criminal Investigative Organizations (DCIOs) and DoD counterintelligence activities. It also supports safety investigations and Inspector General and commander-directed inquiries. DC3 aids in meeting intelligence community document exploitation objectives from a criminal law enforcement forensics and counterintelligence perspective. DC3 provides computer investigation training to forensic examiners, investigators, system administrators, and any other DoD members who must ensure Defense information systems are secure from unauthorized use, criminal and fraudulent activities, and foreign intelligence service exploitation. DC3 remains on the leading edge of computer technologies and techniques through research, development, testing, and evaluation applied to digital evidence processing and computer forensic analysis and by partnering with governmental, academic, and private industry computer security officials.

DC3's Mission:
- Provide digital evidence processing and electronic media analysis for criminal law enforcement and Department of Defense counterintelligence investigations and activities.
- Deliver investigations and forensic training to DoD members to ensure info systems are secure from unauthorized use.
- Remain on the cutting edge of future investigations through research, development, testing, and evaluation (RDT&E).
- Serve as the focal point and clearinghouse for Defense Industrial Base incident reporting and computer emergency response actions as part of the Department of Homeland Security's Critical Infrastructure Partnership Advisory Council initiative, through the housing of the analytical portion of the National Cyber Investigative Joint Task Force, and protection of Sensitive but Unclassified information on contractor networks.

Hyatt Regency Atlanta Floorplan

Conference and Exposition Produced by Technology Forums | www.GovernmentMeetings.com

General Information

Dress/Attire
Business Casual

Law Enforcement Only Presentations

Law Enforcement Only presentations can be attended by Law Enforcement, Prosecutors and Forensic Examiners working for Law Enforcement. Please note, press are not allowed to attend any track presentations. Only attendees with Law Enforcement or Legal ribbons may attend these presentations.

Internet Access in Your Guest Room

Internet access is provided to all Conference attendees in their guest rooms at the Hyatt Grand. Please use the following information:
Username: DOD2011
Password: Cyber

Attendee Certificates
Cyber Crime conference certificates will be e-mailed to all conference attendees who have turned in their surveys. These certificates qualify you for training credit for certifications you may have (such as the CISSP), and are also valid to use as proof that you attended the conference.

FedEx Office
The Hyatt's FedEx Office is located on the Lobby Level. Business hours: Mon.–Fri. 0700 to 1900, Sat. 0900–1700, Sun. 0900 to 1300. Services include photocopying, printing, facsimiles, word processing, shipping, high-speed internet access, and more, all at very affordable prices.

Pre-Conference Training
Each person attending a pre-conference training course receives a detailed lesson on the topic they have chosen. The majority of the hands-on training rooms are equipped with computers so students can learn in a lab atmosphere. Students must attend a full training session in order to receive a certificate of attendance.

Weapons
Weapons can be checked in a safety deposit box or secured in your guest room. If weapons are not checked or secured in your guest room, please place a Do Not Disturb sign on the guest room door so the room will not be serviced.

Speaker Ready Room

The Speaker Ready room is located in the Harts room. It is open one hour before sessions start each day and closes one hour after the last session of the day. If you are a speaker please make sure to upload your brief in the speaker ready room to the conference network.

Presentation Changes at Conference


The conference DVD all attendees receive onsite was created one month prior to the conference. Presentations received after the deadline are not included on the DVD, and some presentations are updated onsite. You may download the most current presentations in the Harris Room (Speaker Ready Room) before you leave on Friday. If you wish to copy an updated presentation that is designated for Law Enforcement Only you must show proof of your law enforcement affiliation (which includes working for the JAG).

Press
Press are invited to attend the conference all day Tuesday until the reception ends at 1900. Press must wear a press ribbon and may use the Greenbriar Room for interviews.

Emergency Numbers
Dial (703) 740-1980 to reach the conference emergency phone, which is located at Conference Registration in the Grand Hall Foyer. Messages received on that number are posted on the message board by the Registration Desk.

Cyber Crime Olympics, Sponsored by NCMEC


It is time to determine the 2011 DoD Cyber Crime Olympic Champion! The Cyber Crime Olympics consist of unique games in which attendees may compete with one another. They include two ice-breaker, team-building activities that take place after the Tuesday reception, along with a cash bar. This year the Olympic Games have three main events: (1) CD Toss and (2) Floppy Disk Throw on Tuesday, and (3) Cyber Crime Survivor Game on Friday. The top three participants from the Tuesday preliminary rounds play Cyber Crime Survivor Game for the Olympic Championship on Friday morning. All proceeds go to the National Center for Missing and Exploited Children (NCMEC). Let the games begin! For details see page 77.

Questions
Please contact one of our conference staff members if you have questions during the conference. Staff are easily identified by either their Technology Forums or DC3 STAFF badge. During conference hours there is always someone at the Registration Desk in the Grand Hall Foyer to assist you.

Survey
After the conference you will be e-mailed a website link where you can provide feedback about the conference. We are eliminating paper surveys to save precious natural resources. Your input is very valuable, so please take a moment to comment and help us make the conference the best it can be.

Silent Auction, Sponsored by NCMEC

The 2011 Cyber Crime Silent Auction takes place Tuesday–Thursday at 1250. Winners are posted on the message board outside Conference Registration. Participants must visit the Registration Desk to pay for their prizes before the conference is over. All winners must pay for their bid by 1000 on Friday. All proceeds go to the National Center for Missing and Exploited Children (NCMEC).

Badges
You must wear your conference badge at all times (while attending sessions or functions of the conference). Badges are bar-coded and contain the same information that is listed on your business card (name, title, organization, address, phone, fax and e-mail). Allowing your badge to be scanned by an exhibitor is the same as giving someone your business card.

Exhibit Hall Raffle

The Exhibit Hall Raffle encourages attendees to visit as many exhibitors as possible and rewards those who visit at least 30 booths and complete their raffle form by giving them a chance to win great prizes. The prize drawing takes place 1045 on Thursday in the Exhibit Hall and players must be present to win.

Follow Us on Twitter and Facebook

Keyword: CyberCrime 2011

U.S. DEPARTMENT OF DEFENSE CYBER CRIME CONFERENCE 2011 | Cyber Hunters: Predators and Prey...

Welcome

Welcome to the Department of Defense's 10th Annual Cyber Crime Conference and Exposition, sponsored by the DoD Cyber Crime Center (DC3). This year's Conference theme is Cyber Hunters: Predators and Prey. Last year, almost 1,100 personnel attended this event. This year, we have a packed agenda in store for all attendees which includes more than 40 pre-conference, hands-on digital forensics training courses, 20 concurrent track sessions, and a plenary session with the movers and shakers in the business.

The purpose of the conference is to bring together government digital forensic examiners, prosecutors, law enforcement/counterintelligence investigators, systems administrators, and information assurance personnel, as well as to provide an opportunity for all Federal, State and Local law enforcement personnel to address issues surrounding the proliferation of cyber crime. This is the only DoD/Federal/State Government event that brings all these personnel together in an open and interactive forum to explore ways to work together to ensure successful prosecutions through unbiased digital forensics media analysis, investigative support, and counterintelligence operations.

This year's conference theme, Cyber Hunters: Predators and Prey, explores the ever-increasing ways criminals prey on personal and institutional security and how individuals and organizations can combat and prevent these threats. Come learn from the experts about the most sophisticated tools and techniques available for exposing and preventing cyber crime and how the investigators can better hunt down cyber predators. We'll also export a 250-300 node network and provide over a dozen hands-on digital forensics courses to help you make sure you're the predator and not the prey. Our goal is to provide you with focused sessions that afford ample opportunities to ask questions and engage in dialogue with the subject matter experts.

In addition, you won't want to miss the many special events that occur throughout the week. Please read through the program guide for details. I would like to make specific mention of two of these events: the Cyber Crime Olympics and the Silent Auction, both of which raise funds for the National Center for Missing and Exploited Children (NCMEC). The Cyber Crime Olympics, taking place in the Centennial Ballroom, offers fun activities where conference attendees can compete while networking with peers. The events include the CD Toss and the Floppy Disk Throw. First round participation is free. Extra tosses require a small donation to NCMEC. The Silent Auction, located in the Exhibit Hall, is our second event and also raises funds for NCMEC. Some of the 80-plus exhibitors participating in the Conference will be auctioning their products or services, so don't miss it! Refer to page 77 of this guide for Silent Auction details.

I would like to quickly congratulate all of the 2010 DC3 5th Annual Digital Forensic Challenge winners. DC3's Digital Forensics Challenge encourages innovation from a broad range of individuals, teams, and institutions to provide technical solutions for computer forensic examiners in the lab as well as in the field. Approximately 25 different challenges ranging from basic forensics to advanced tool development were provided to all participants. The challenges were single based challenges and were designed to be unique and separate from one another. The objectives of DC3's Annual Digital Forensics Challenge are to establish relationships; resolve technological issues; and develop new tools, techniques, and methodologies for the digital forensic community.

As we begin the 2011 event, encouragement to express ideas, collaborate with one another, and take full advantage of the extensive resources offered has been afforded to each attendee. These resources will assist in gaining knowledge and experience that is necessary to successfully fight the ever-growing cyber crime challenges that the digital forensics community faces. Finally, I wish to thank you for supporting our program, and also thank the cast of the TV show NCIS and their Technical Advisor Leon Carroll (retired NCIS Special Agent) for their tremendous support for the conference.

Jim Christy
Special Agent (Retired)
Director, Futures Exploration, Department of Defense Cyber Crime Center


Thanks to the Conference Sponsors

Sponsorship categories (sponsor list as of January 10, 2011):
Platinum
Cyber Crime Stadium Reception
Opening Reception
Notepad/Folio
Conference Bags
Hotel Room Key
Conference Lanyards
Cyber Café
Conference Mouse-pads
Media Sponsorship
Reception Beverage Station
Breakfast Sponsor
Morning and Afternoon Breaks (Wednesday; Tuesday & Thursday)
Conference Pens
Cyber Crime Stadium Games
Cyber Crime Olympics

Hours of Operation

Attendee & Exhibitor Registration
The registration desk is located in the Grand Hall Foyer on the Exhibit Level.
Thursday, January 20     1600–2000
Friday, January 21       0730–1630
Saturday, January 22     0700–1700
Sunday, January 23       0730–1800
Monday, January 24       0600–1630
Tuesday, January 25      0700–1700
Wednesday, January 26    0730–1700
Thursday, January 27     0700–1700
Friday, January 28       0730–1200

Exhibit Hall (not open during General Session)
Tuesday, January 25      1100–1900
    Lunch                1130–1300
    Afternoon Break      1445–1530
    Reception            1700–1900
Wednesday, January 26    0730–1900
    Morning Reception    0730–0830
    Morning Break        1030–1100
    Lunch                1200–1330
    Afternoon Break      1430–1500
    Reception            1700–1900
Thursday, January 27     0730–1330
    Morning Reception    0730–0830
    Morning Break and Raffle           1030–1100*
    Closing Lunch and Silent Auction   1200–1330**
    Exhibit Hall Closing               1330
* Raffle winners will be announced at 1045
** Silent Auction closes at 1250

Cyber Café
The Cyber Café is located in the Grand Hall Foyer on the Exhibit Level.
Monday, January 24       1000–1700
Tuesday, January 25      0700–1900
Wednesday, January 26    0730–2100
Thursday, January 27     0700–1700
Friday, January 28       0700–1200


Pre-Conference Agenda | Thursday–Friday

Thursday, January 20
All day      Travel day
1600–2000    Conference Registration    Grand Hall Foyer

Pre-Conference Training
Friday–Monday
Pre-conference training includes hands-on classes where attendees can earn continuing education credits. Geared towards a smaller teacher-to-student ratio, these classes are limited to only 20 to 40 people in each training session. All training sessions (except the SANS and NW3C classes) earn Defense Cyber Investigations Training Academy Credit Hours.

Friday, January 21
0730–1630    Conference Registration    Grand Hall Foyer
0730–0830    Morning Reception          Conference Level Foyer
0830–1630    Pre-Conference Training, Day 1

Location | Training Session Title | Repeating Schedule
Auburn | Analyzing Malicious Carrier Files | Repeats Monday
Baker | Introduction to Malware Analysis | Repeats Sunday–Monday
Courtland | Windows 7 Forensics | Repeats Monday
Dunwoody | Snort for Network Analysis | Repeats Monday
Fairlie | Follow the Script Please! | Repeats Monday
Greenbriar | Wireless Technology Workshop | Repeats Sunday–Monday
Edgewood | Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks | Repeats Sunday–Monday
Inman | Windows Incident Response | Repeats Sunday–Monday
Kennesaw | Online Anonymity | Repeats Monday
Lenox | Mac Forensics - 2011 | Repeats Sunday–Monday
International South | SANS Metasploit Kung Fu | No repeat session
International North | NW3C TUX4n6 | Repeats Saturday–Sunday

0930–1015    Morning Coffee Break                   Conference Level Foyer
1400–1445    Afternoon Coffee/Refreshments Break    Conference Level Foyer


Pre-Conference Agenda | Saturday–Sunday

Saturday, January 22
0730–1700    Conference Registration    Grand Hall Foyer
0730–0830    Morning Reception          Conference Level Foyer
0830–1630    Pre-Conference Training, Day 2

Location | Training Session Title | Repeating Schedule
Auburn | Introduction to Botnets | Repeats Sunday
Baker | Introduction to Malware Analysis (Cont.) | Repeats Sunday–Monday
Courtland | Pen Testing 101 | Repeats Sunday
Dunwoody | Advanced Network Intrusion Traffic Analysis | Repeats Sunday
Fairlie | Introduction to EnCase for Prosecutors and Case Agents | Repeats Sunday
Greenbriar | Wireless Technology Workshop (Cont.) | Repeats Sunday–Monday
Edgewood | Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks (Cont.) | Repeats Sunday–Monday
Inman | Windows Incident Response (Cont.) | Repeats Sunday–Monday
Kennesaw | Network Exploitation Analysis Techniques | Repeats Sunday
Lenox | Mac Forensics - 2011 (Cont.) | Repeats Sunday–Monday
International South | SANS Metasploit Kung Fu (Cont.) | No repeat session
International North | NW3C TUX4n6 | Repeats Sunday

0930–1015    Morning Coffee Break                   Conference Level Foyer
1400–1445    Afternoon Coffee/Refreshments Break    Conference Level Foyer
1630–1800    Training Reception: It's 5 o'clock somewhere    Grand Hall West
             Forget the winter blues and put on your favorite Hawaiian shirt! You may purchase a Hawaiian shirt at Conference Registration.

Sunday, January 23
0730–1800    Conference Registration    Grand Hall Foyer
0730–0830    Morning Reception          Conference Level Foyer
0830–1630    Pre-Conference Training, Day 3

Location | Training Session Title | Repeating Schedule
Auburn | Introduction to Botnets | No repeat session
Baker | Introduction to Malware Analysis | No repeat session
Courtland | Pen Testing 101 | No repeat session
Dunwoody | Advanced Network Intrusion Traffic Analysis | No repeat session
Fairlie | Introduction to EnCase for Prosecutors and Case Agents | No repeat session
Greenbriar | Wireless Technology Workshop | No repeat session
Edgewood | Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks | No repeat session
Inman | Windows Incident Response | No repeat session
Kennesaw | Network Exploitation Analysis Techniques | No repeat session
Lenox | Mac Forensics - 2011 | No repeat session
International South | SANS Metasploit Kung Fu | No repeat session
International North | NW3C TUX4n6 | Repeats Monday

0930–1015    Morning Coffee Break                   Conference Level Foyer
1400–1445    Afternoon Coffee/Refreshments Break    Conference Level Foyer


Pre-Conference Agenda | Monday

Monday, January 24
0600–1630    Conference Registration                          Grand Hall Foyer
0730–1445    Cyber Café | Sponsored by: Guidance Software     Grand Hall Foyer
0730–0830    Morning Reception                                Conference Level Foyer
0800–1600    Classified Training Session: Cyber Counterintelligence (CI) Briefing    Offsite from hotel (transportation provided)
             Clearance Check: 0630 | Buses depart hotel: NLT 0715 | Pickup for return trip: 1600
             You must have preregistered and prequalified to attend by January 4, 2011.

The briefings center around tactics, techniques, and procedures (TTPs), along with updates on current policies, investigations, and operations from the services and national-level agencies. Due to the sensitive nature of its content, the session is classified as Secret//NOFORN. Below are the briefing topics and descriptions:
- Cyber CI Policy, both at the National and DoD levels
- Cyber CI training, both at the National and DoD levels
- What the DoD services are seeing from State and Non-State actors in terms of Cyber CI
- What the DoD services are doing in regards to Cyber CI
- National level program with a Cyber CI focus

Important Information: Classified Session attendees must register and pick up a conference badge at the Conference Registration Desk at the Exhibition Level prior to arriving at the clearance checkpoint on Monday morning. Conference Registration is open Sunday until 1800 and opens Monday morning at 0600. On Monday morning, meet at the clearance checkpoint in the hotel (Grand Hall East) at 0630. Please arrive early due to the large number of people attending this session. DC3 staff will verify your conference registration, your clearance, and your government-issued picture ID prior to allowing you to board the bus. NOTE: Please DO NOT carry cell phones or other PDA devices to the classified session. Cyber CI Briefing registration was limited and restricted to U.S. citizens who possess a SECRET clearance with the United States.

0830–1630    Pre-Conference Training, Day 4

Location | Training Session Title
Auburn | Analyzing Malicious Carrier Files
Baker | Introduction to Malware Analysis (Cont.)
Courtland | Windows 7 Forensics
Dunwoody | Snort for Network Analysis
Fairlie | Follow the Script Please!
Greenbriar | Wireless Technology Workshop (Cont.)
Edgewood | Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks (Cont.)
Inman | Windows Incident Response (Cont.)
Kennesaw | Online Anonymity
Lenox | Mac Forensics - 2011 (Cont.)
Learning Center | The Digital Signatures and Hash Set Summit [For the complete agenda for this session, see page 12]. Morning 0830–1130: Executive Session (Invitation Only); Afternoon 1230–1630: Open Session

0930–1015    Morning Coffee Break                   Conference Level Foyer
1400–1445    Afternoon Coffee/Refreshments Break    Conference Level Foyer


Pre-Conference Training Planner

Use this page to make a quick-reference list of the sessions you wish to attend.

Friday, January 21
Time | Event | Place

Saturday, January 22
Time | Event | Place

Sunday, January 23
Time | Event | Place

Monday, January 24
Time | Event | Place


Digital Signatures and Hash Set Summit Agenda

Monday, 0830–1630 | Location: Learning Center
The Summit addresses the ever-increasing volume of potential evidence acquired in every investigation and cyber incident. The timely analysis of the acquired data is a critical factor of each investigation/cyber incident. The purpose of the Signature and Hash Set Summit is to discuss developing a collaborative community to share hash and signature sets online, enabling Law Enforcement (LE), Counterintelligence (CI) and Counterterrorism (CT) to reduce the amount of time expended upon digital forensic examinations during investigations. The overarching perspective is to address constraints of the respective communities by providing a primary resource for hash and signature comparison in a high availability platform. The summit is broken into two sessions (executive and general):
(1) Executive Session (AM): Invite Only
(2) General Session (PM): Open to Conference Attendees
The recent Crimes Against Children conference highlighted the lack of access to relevant tools and information, which only increases the pressure on centralized labs and service agencies, driving up the processing time and total duration before successful prosecution. Although the focus of the Summit is targeting child pornography, the signature and hash sets to be managed can be applied to every case category. By making this utility available at the local level we can increase detection and load balance centralized forensic lab facility requests. The ultimate goal is to find a common ground that provides an inexpensive and nearly immediate initial processing capability to every interested LE/CI/CT agency in the country. We are seeking Investigative and Cyber executives to discuss the collaborative efforts of a national repository and the ability to contribute their organizations' data sets. Registered conference attendees that maintain or use hash sets may attend the general session.

Executive Session (Invitation Only)
0830    Introductions by MC: Brian Havens, DC3
        - Key players
        - What are the goals of the summit?
0900    Identifying the Issues
        - Various organizations having their own databases; need for a centralized all-inclusive repository
        - The format of the data is not standardized
        - The stored metadata is not standardized
        - Lack of LE access to Digital Signatures and Hash Sets 24/7/365; how to make them available
        - Ever increasing volume of digital evidence to analyze; separating the wheat from the chaff
        - New tools and techniques must be developed to meet the need; freely available to law enforcement
        - Legal, policy, or other administrative/organizational barriers to sharing
        Organizations represented at the Summit: DC3, OSU, NW3C, Microsoft, McAfee, NIST, Symantec, NCIS, Army CID, DOJ, USACIL, CERT/CC ... and more
1000    Brainstorming Solutions
        - NRDFI Demonstration | Dr. Mark Weiser, Oklahoma State University
        - Presentation by Dan Mares: Maresware Hashing Programs; Massaging of the NSRL data files
1200–1300    Lunch

General Session (Open to All Attendees)
1300    Introductions
1330    Overview of identified problems
1500    Overview of proposed solutions
        - NRDFI Demonstration | Dr. Mark Weiser, Oklahoma State University
        - Presentation by Dan Mares: Maresware Hashing Programs; Massaging of the NSRL data files


Conference Agenda | Tuesday

General Session & Opening Night Reception
Tuesday, January 25
0700–1700    Conference Registration                                      Grand Hall Foyer
0700–1900    Cyber Café | Sponsored by: Guidance Software                 Grand Hall Foyer
0700–0745    Morning Reception | Sponsored by: CompTIA and Pearson VUE    Centennial Foyer
1130–1700    Exhibit Hall opens (not open during sessions)                Exhibit Hall

General Session (Location: Centennial Ballroom 1-4)
0745–0815    Opening Presentation
             Master of Ceremonies: Bill Eber, Director, Defense Cyber Crime Institute (DCCI)
             National Anthem: U.S. Army Ground Force Band, Fort McPherson, Georgia
0815–0845    Welcome from the Director of DC3
             Special Agent Steven D. Shirley, Executive Director, Department of Defense Cyber Crime Center (DC3)
0845–0930    Cybersecurity and America's Economic Prosperity in the 21st Century
             Honorable Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Invited)
0930–1015    Morning Coffee Break | Sponsored by BAE Systems              Centennial Foyer
1015–1100    Cyber Skills Matter: Findings from the CSIS Commission on Cybersecurity for the President
             Alan Paller, Director of Research, SANS Institute
1100–1130    DC3 Challenge Awards
             Randy Georgieff, Section Lead Digital Forensics Challenge, Futures Exploration (FX), Department of Defense Cyber Crime Center (DC3); Special Agent Steven D. Shirley, Executive Director, Department of Defense Cyber Crime Center (DC3). See page 80 for Award Winners.
1130–1300    Southern BBQ Lunch in the Exhibit Hall (**Silent Auction Begins**)    Exhibit Hall
1300–1315    Announcements
             Master of Ceremonies: Bill Eber, Director, Defense Cyber Crime Institute (DCCI)
1315–1400    The Future of Computer Forensics and Investigations
             Ovie Carroll, Director, CCIPS Cybercrime Lab, U.S. Department of Justice
1400–1445    The 21st Century Cyber Threat
             Mr. Jeff Troy, Deputy Assistant Director, FBI Cyber Division
1445–1530    Dessert Social | Sponsored by BAE Systems                    Exhibit Hall
1530–1615    Pursuing Cybercrime Targets Around the World
             Mr. John Lynch, Principal Deputy Chief (CCIPS), U.S. Department of Justice
1615–1700    Pieces of the Investigation
             Moderator: Don Flynn, Attorney Advisor, Department of Defense Cyber Crime Center (DC3)
             Panelists: Special Agent Paul Alvarez, AFOSI; Brian Havens, FX Staff, DC3; Albert Rees, Trial Attorney, Computer Crime and Intellectual Property Section (CCIS), Criminal Division, U.S.; Lieutenant Colonel Cindy Stanley, Deputy Staff Judge Advocate, AFOSI; Special Agent William Yurek, Senior Counsel, U.S. Department of Justice
1700–1900    Opening Night Reception (Media/Press Invited)                Exhibit Hall
             Sponsored by: CSC; Reception Beverages Sponsored by: i2
             All attendees are invited to a special reception inside the Exhibit Hall. Don't miss this opportunity to connect with colleagues and learn about the IT products and service solutions that our exhibitors have to offer. Hors d'oeuvres and drinks will be served.


CONFERENCE AGENDA | WEDNESDAY

BREAKOUT SESSIONS, WEDNESDAY–FRIDAY

WEDNESDAY, JANUARY 26

0730–1700   Conference Registration   Grand Hall Foyer
0730–2100   Cyber Café | Sponsored by: Guidance Software   Grand Hall Foyer
0730–0830   Morning Reception | Sponsored by: CompTIA and Pearson VUE   Exhibit Hall
0730–1900   Exhibit Hall Open   Exhibit Hall
0830–1150   Morning Breakout Sessions (slots 0830–0920, 0930–1020, 1100–1150)
1030–1100   Morning Coffee Break, Exhibit Hall | Sponsored by: Adobe

BREAKOUT SESSIONS, DAY 1 (Wednesday morning). Sessions are listed by track, with the rooms each track used. "Repeat session" marks a title offered again in another slot; "continued" marks a title that ran across two slots.

DEFENSE INDUSTRIAL BASE (Centennial Ballroom 4, Grand Hall C, Courtland, Auburn)
- Automated Wireless Pentesting with SILICA-U (repeat session)
- Amnesia Live CD: Having No Memory of Your Surfing
- Securing Web 2.0: Are Your Web Applications Vulnerable?
- Data Exfiltration: Detection and Defense (repeat session)
- New Lab, New COCOM, New Network, New Challenges
- Responding to Advanced Persistent Threat Intrusions: Effective Tools, Tactics, and Protocols for Enterprise Intrusion Investigations (repeat session)
- Network Monitoring for Cyber Security (repeat session)
- Evidence-Based Security: Better Management Through Better Measurement (repeat session)
- Asymmetrical Botnet Attacks: Challenges and Strategies for Countering Cyberwarfare

FORENSICS (Learning Center, Centennial Ballroom 1, Hanover E, Grand Hall A, Grand Hall B, Dunwoody, Centennial Ballroom 2-3, Edgewood)
- SUSE Studio
- Reverse Engineering Obfuscation and Communications
- Damaged Media Recovery
- A Review of All Cell Phone Forensics Tools and How They Work (continued)
- A Cell Phone and GPS Forensic Tool Classification System
- CD/DVD On-Disk Structures (continued)
- Photo Forensics: There Is More to a Picture than Meets the Eye (continued)
- MAC Analysis in the Windows Environment (continued)
- Applying Reforms from the Intelligence Community to Computer Forensics
- F-Response to the Rescue
- Advancements in Android Forensics
- Malware Analysis (Just About Anyone Can Do It)
- Introduction to TrueCrypt
- The Whiddler
- X-Ways, The Other White Meat
- Advanced SQLite in Forensics

INFORMATION ASSURANCE (Grand Hall D)
- Security for the Network Administrator
- 10 Mistakes Hackers Want You to Make

14 | Conference and Exposition Produced by Technology Forums | www.GovernmentMeetings.com

WEDNESDAY (CONTINUED)
0830–1150   Morning Breakout Sessions (continued)

LAW ENFORCEMENT (Hanover A-B, Hanover C-D, Hanover F-G, Fairlie)
- Officer Safety in a Digital Environment (continued)
- A More Strategic Approach to Cyber Crime
- The Wild, Wild, Web: Knowing the Basics for Online Investigations (repeat session)
- Firefox Plug-ins Useful for Online Investigations
- Splunk as an Enterprise Incident Response and Forensic Tool
- Monetizing the Hack: From Data to Cash

LEGAL (Baker, Edgewood)
- Cell Phone Surveillance, Location, Seizure, and Search
- Intelligence Law in a Cyber World
- Blogs, Tweets & the Law: The First Year of DTM 09-026

RESEARCH & DEVELOPMENT (Inman, Kennesaw, Fairlie)
- Password Cracking
- Applying the Science of Similarity to Computer Forensics
- Russian Souvenirs
- Shadow Volume Link Manager and VirtualBox: Tools for Accessing Shadow Volume Data
- iPhone Forensics
- Solid State Drives
- Nokia Series 40 Physical Acquisition and Analysis Internals

1200–1330   Italian Lunch in the Exhibit Hall   Exhibit Hall
1330–1650   Afternoon Breakout Sessions (slots 1330–1420, 1500–1550, 1600–1650)
1430–1500   Afternoon Break, Exhibit Hall | Sponsored by: Adobe

BREAKOUT SESSIONS, DAY 1 (Wednesday afternoon)

DEFENSE INDUSTRIAL BASE (Centennial Ballroom 4, Grand Hall C, Courtland, Fairlie)
- Data Exfiltration: Detection and Defense (repeat session)
- Responding to Advanced Persistent Threat Intrusions: Effective Tools, Tactics, and Protocols for Enterprise Intrusion Investigations (repeat session)
- Pwnasaurus: How Are Attackers Taking Over Your Networks (repeat session)
- Building a Fortune 5 CIRT Under Fire (repeat session)
- Automated Wireless Pentesting with SILICA-U (repeat session)
- Network Monitoring for Cyber Security
- Evidence-Based Security: Better Management Through Better Measurement (repeat session)
- Utilizing DNS to Characterize Malicious Actors Based Upon Operation

FORENSICS (Learning Center, Centennial Ballroom 1, Hanover E)
- Windows Memory Forensics and Direct Kernel Object Manipulation
- Mac Triage: Do You Know What You Are Missing? (continued)
- Browser Forensics: Advanced Discovery & Analysis of Internet Artifacts
- Lifting the Lid on Cyber Espionage and Tracking Insider Threats
- Using Forensic Triage for Document and Media Exploitation
- How Criminals Build Botnets for Profit


WEDNESDAY (CONTINUED)
1330–1650   Afternoon Breakout Sessions (continued)

FORENSICS, continued (Centennial Ballroom 2-3, Grand Hall A, Dunwoody, Grand Hall B, Edgewood)
- Where Did My Data Go? Deploying EnCase Enterprise to a Snap Server
- Deploying Advanced Features of the Cellebrite UFED
- Live Device Acquisition and Analysis, and Why You Should Care
- FTK Imager, Triage and Beyond
- Centers for Digital Forensics Academic Excellence (CDFAE)
- Technology as a Force Multiplier in the Processing of Crime Scenes
- Collaborative Forensic Analysis: Reducing Case Load Through Division of Labor
- Mobile Tagging, or Tag, You're IT! Is Your Cellphone Talking?

INFORMATION ASSURANCE (Grand Hall D, Auburn)
- Understanding the Security Concerns Associated with Virtualization
- mIRC
- Securing the Weakest Link
- Building Your Insider Threat Audit Program

LAW ENFORCEMENT (Hanover A-B, Hanover C-D, Hanover F-G, Auburn)
- Intelligence Gathering Through Twitter
- National Repository for Digital Forensic Intelligence (NRDFI)
- Financing Terrorists and Criminals: The Impact of Nontraditional Monetary Systems and the Internet on Homeland Security
- Technology Advancements at NCMEC
- Wireless Investigations
- Cisco Network Devices Incident Response
- Do You See What I See? Strategies to Streamline Explicit Image Identification, Classification, and Reporting
- First Thing We Do, Let's Kill All the Lawyers: A Criminal Investigator's Guide to Working with Those Pesky Prosecutors

LEGAL (Baker)
- Effective Expert Witness Testimony
- 20+ Ways to Improve Digital Evidence & Cyber Crime Trials
- Espionage: A System Dynamics Model of Crimes Against Our National Security

RESEARCH & DEVELOPMENT (Inman, Kennesaw, Auburn)
- Cloud Computing Forensics
- Open Source vs. Closed Source: Which Is More Secure?
- Practical Host-Based Malware Detection Using Run-Time Features
- Computer, Identify That Individual: It's Already 2011 and I Still Don't Have Any Cool Facial Recognition Software!
- Hard Drive Forensics: Diagnostics & Understanding a Broken Drive
- The Many Thumbs of Megan Fox
- Password Cracking with Graphics Processors
- Russian Souvenirs

1700–1900   Wednesday Night Reception: Cyber Crime Stadium   Exhibit Hall
Reception Sponsor: SAIC | Game Sponsors: Damballa Inc. and Lockheed Martin
Wear your sports attire. The most fanatical fan will win the new nano Touch! Play sports-related games at the following booths: Damballa Inc. (522), Lockheed Martin (118), and SAIC (404), and earn raffle tickets towards the grand prizes: a Wii, an Xbox 360 4GB with Kinect, and a Nook WiFi E-Reader.

1900–2100   Cyber Olympics 2011 Events: Floppy Disk Throw and CD Toss   Centennial Ballroom 2-3
Proceeds go to the National Center for Missing and Exploited Children (NCMEC). For details about the two events, see page 78. Sponsored by: CSC and The Newberry Group


CONFERENCE AGENDA | THURSDAY

THURSDAY, JANUARY 27

0730–1700   Conference Registration   Grand Hall Foyer
0700–1700   Cyber Café | Sponsored by: Guidance Software   Grand Hall Foyer
0730–0830   Morning Reception | Sponsored by: CompTIA and Pearson VUE   Exhibit Hall
0730–1900   Exhibit Hall Open   Exhibit Hall
All day     DC3 Tool Expo   Pre-function area of the Centennial Ballroom
            A unique opportunity to view and provide feedback on over a dozen tools developed specifically for cyber crime investigators, digital forensic examiners, and analysts. See page 26 for more information.
0830–1150   Morning Breakout Sessions (slots 0830–0920, 0930–1020, 1100–1150)
1030–1100   Morning Coffee Break and Raffle Drawing, Exhibit Hall | Break Sponsored by: BAE Systems
            Win fabulous prizes in the raffle. Raffle winners will be announced at 1045.

BREAKOUT SESSIONS, DAY 2 (Thursday morning)

DEFENSE INDUSTRIAL BASE (Centennial Ballroom 4, Grand Hall C, Courtland)
- Wireshark, Not Just a Pretty Interface
- Operation Coredump: Countering the Afcore Botnet Threat
- Learning Web Application Attacks, Defense and Forensics with OWASP BWA (repeat session)
- The Metasploit Wireless Suite (repeat session)
- Malware Analysis for Non-Coders/Developers
- Advanced Command and Control Channels (repeat session)
- S.H.R.E.D.: Stop Helping Really Evil Doers
- WEP and WPA Cracking

FORENSICS (Learning Center, Centennial Ballroom 1, Hanover E, Grand Hall A, Centennial Ballroom 2-3, Dunwoody, Grand Hall B, Fairlie)
- Configuring VMs
- Forensic Artifacts from the eMule P2P Client
- Remediating Compromised Environments: Case Studies from Large and Small Enterprises
- Cyber Threats to the Defense Industry
- Simple MySQL Data Extraction for Forensic Analysts
- Cryptanalysis for Incident Responders, c20.11
- DC3 Digital Forensics Challenge 2010: Solutions Presentations by Winners
- Introduction to Malware Analysis with Immunity Debugger
- Linux EXT File Recovery via Indirect Blocks
- Introduction to Non-Standard Digital Evidence
- Wireless Incident Response: Investigating a Wireless Breach
- Shadow Warriors: A Tour of Vista/Windows 7 Volume Shadow Copy
- Introduction to TUX4N6: NW3C's Digital Triage Tool
- Best Practices for eDiscovery Reporting
- VDL Slack in NTFS
- Introduction to Embedded Systems
- Indicators of Compromise for Advanced Persistent Threats

INFORMATION ASSURANCE (Grand Hall D)
- Near Real Time Audit Data Analysis Comes of Age
- Deep Packet Inspection: Protecting Federal Agency Networks Against the Next Generation of Cyber Threats
- Feeding Incident Response into Your Detection Systems
- Threat Auditing: Identifying Malicious Code and Other Anomalies
- The Hidden Joys (& Benefits) of Running a Continuous Monitoring Program


THURSDAY (CONTINUED)
0830–1150   Morning Breakout Sessions (continued)

LAW ENFORCEMENT (Hanover A-B, Hanover C-D, Hanover F-G, Auburn, Edgewood, Centennial Ballroom 2-3)
- Photo Forensics: There Is More to a Picture than Meets the Eye (repeat session, continued)
- Firefox Plug-ins Useful for Online Investigations (repeat session)
- Forensics Data Extraction (FDE) Triage Tool
- iPhones and Androids: Data Extraction and Controversy
- Using Deepnet as a Covert Channel for Communication
- The Morphing of Peer to Peer Apps
- Usenet Newsgroup Investigations
- Adobe Photoshop Digital Imaging and Law Enforcement
- PANEL: Delivering Electronic Crime & Digital Evidence Tools, Technologies & Resources to the Criminal Justice Community (continued)
- Modding and Miniaturization
- The Wild, Wild, Web: Knowing the Basics for Online Investigations (repeat session)

LEGAL (Baker)
- What's Your Authority?
- Gun-toters & Knuckle-draggers: A Prosecutor's Guide to Working with Criminal Investigators
- Challenges for Law Enforcement & Prosecutors in Cloud Computing

RESEARCH & DEVELOPMENT (Inman, Kennesaw)
- Borderless Networks
- Visualization of Mobile Forensics Data: Techniques and Case Studies
- Network Traffic Analysis: Sipping from the Firehose
- The Evolution of Cyber Analysis in the Cyber Security Revolution
- Exploring Font Based Steganography with a Focus on Tool Development
- Fuzzy Hashing and the False Negative Rate

1200–1330   Pizza Lunch, Silent Auction and Exhibit Hall Closing   Exhibit Hall
Raise money for charity! The silent auction closes at 1250. (Purchase $5 lunch tickets at the Registration Desk, while supplies last.) See page 77 for more information about the event.

1330–1650   Afternoon Breakout Sessions (slots 1330–1420, 1500–1550, 1600–1650)
1430–1500   Afternoon Break, Conference Level Foyer | Sponsored by: BAE Systems

BREAKOUT SESSIONS, DAY 2 (Thursday afternoon)

DEFENSE INDUSTRIAL BASE (Centennial Ballroom 4, Grand Hall C, Courtland)
- Protecting Against PDF-based, Modern Malware Attacks
- Internationalized Domain Names (repeat session)
- Cloud Computing Basics
- How to Deal with Instant Messengers in a Forensic Investigation
- The Metasploit Wireless Suite (repeat session)
- Learning Web Application Attacks, Defense and Forensics with OWASP BWA (repeat session)
- Cain and Abel Password Recovery
- Advanced Command and Control Channels (repeat session)


THURSDAY (CONTINUED)
1330–1650   Afternoon Breakout Sessions (continued)

FORENSICS (Learning Center, Centennial Ballroom 1, Hanover E, Grand Hall A, Grand Hall B, Dunwoody, Centennial Ballroom 2-3)
- Get Down and Dirty with Your Mobile Media
- NTFS On-Disk Structures (continued)
- Android: A Forensic Primer
- A Malware Analysis Case Study: Analysis of the {TDL3, Tidserv, TDSS, Alureon} Kernel Mode Rootkit
- Introduction to Malware Analysis
- Windows 7 Artifacts
- Combating Spear-Phishing: Convergence of Intel, Ops, and Forensics
- Chasing Down a Spillage Incident: PII and Classified Data Spills
- External, Transparent Malware Analysis and Its Applications
- Stick Around: Persistence Mechanisms in Recent APT Compromises
- SSDs and Forensics: A Good Mix?
- The Malies: An Award Show for Epic Fail and Great Success in Malicious Software
- Timeline Analysis Using Open Source Tools
- Introduction to Manual Unpacking with OllyDbg/Immunity
- Solid State Disk Data Recovery: Dead Disk Analysis Is Dying
- Why I Don't Care How You Got Hacked
- Is This Normal? The ABCDEs of Registry Analysis
- Forensic Training in a Digital Battlefield

INFORMATION ASSURANCE (Grand Hall D, Fairlie)
- Government IT Security Strategies
- Defeating APT Through Capabilities-Based Security Operations
- The Common Credentials Dilemma
- Internet Isolation Using a Virtualized Hardened Browser

LAW ENFORCEMENT (Hanover A-B, Hanover C-D, Hanover F-G)
- Over Anti-Virus, Through the Firewall and Out Your Network the Data Goes
- Using Gmail for Data Mining
- Web 2.0 for Cyber Investigators
- Subject Identification
- Undercover Operations: Proactive Techniques
- Black Ice: The Invisible Threat of Digital Steganography
- Botnets, Modern Distributed Threats
- Showdown with the Shodanhq Search Engine

LEGAL (Baker)
- The DoD Banner: Development Over the Past Year

RESEARCH & DEVELOPMENT (Inman, Kennesaw)
- Smart Phone Forensics
- Screening National Security Applicants for Digital Dirt
- Assessing the Benefits of Network Security Systems
- Ubuntu 10.04 LTS: First Look
- Virtual Labs: Safe Environments for Analysis, Hacking and Learning

1700–1830   Birds of a Feather. See pages 24–25 for the complete list of Birds of a Feather sessions and locations.


CONFERENCE AGENDA | FRIDAY

FRIDAY, JANUARY 28

0730–1200   Information Desk   Grand Hall Foyer
0700–1200   Cyber Café | Sponsored by: Guidance Software   Grand Hall Foyer
0700–0800   Morning Reception | Sponsored by: CompTIA and Pearson VUE   Centennial Foyer
0730–0850   Cyber Crime Survivor Game, Awards, Closing Remarks, and Closing Video   Centennial Ballroom 2-3
            0830–0850: Top 3 Olympic participants (Olympic results/awards and the closing video will start at 0800)
0900–1150   Morning Breakout Sessions (slots 0900–0950, 1000–1050, 1100–1150)

BREAKOUT SESSIONS, DAY 3 (Friday morning)

DEFENSE INDUSTRIAL BASE (Centennial Ballroom 4, Grand Hall C, Courtland)
- Amnesia Live CD: Having No Memory of Your Surfing (repeat session)
- Botnets: Cyber Pirates on the Prowl
- Threat Intelligence Knowledge Management for Incident Response (repeat session)
- 2011 Cyber Threats and Trends
- Predictive Analytics

FORENSICS (Learning Center, Centennial Ballroom 1, Hanover E, Grand Hall A, Centennial Ballroom 2-3, Dunwoody)
- If Appliances Could Talk
- Mobile Technologies in a Digital Battlefield
- Investigation of the Windows Media Player Database
- Automated Audio and Video Analysis
- Developing Process for the Extraction and Documentation of Cell Phone Evidence
- Agent Based Forensics: Options, Pitfalls, & Triumphs
- Accreditation as Only the First Step
- Profiles of Antivirus Scans: A Comparison of Eight AV Vendors
- Virus Scan Effects on Last Accessed Times
- An Overview of Location-Based Services (LBS)
- Forensics Analytics Projects
- Super Timeline Analysis
- Computer Forensics in the Linux Environment
- When Did It Happen? Are You Sure About That?
- Exploiting Facebook Artifacts

INFORMATION ASSURANCE (Grand Hall D)
- Poison Ivy RAT
- Security 101 Is Dead, Compliance Is the Living Dead: Real Security Techniques for Today's Environments
- Social Engineering 2.0

LAW ENFORCEMENT (Hanover A-B, Hanover C-D, Hanover F-G)
- Some People Are Wise and Some Are Otherwise: An Overview of Data Collection for Effective Cyber CI
- Changing the Paradigm: Towards Intelligence-Driven Situational Awareness
- Interpreting the Suspect's Language Uncovers Hidden Data During the Forensic Analysis
- The Business of Bots and How to More Effectively Combat This Threat
- Coordination Between Law Enforcement and Computer Network Defense Organizations
- Cyber Investigation Search Kit
- Investigating Social Networking Sites
- Introduction to Investigation in Internet Relay Chat (IRC) and Usenet (Newsgroups)


FRIDAY (CONTINUED)
0900–1150   Morning Breakout Sessions (continued)

LEGAL (Baker)
- Do You Have the Full Digital Picture? Digital Evidence in Child Porn Cases
- Making the DCFL Process Work for You

RESEARCH & DEVELOPMENT (Inman, Kennesaw)
- Analysis of Duplication in a Large Dataset and Its Implications for Storage
- Limewire RAM Analysis
- Dynamic Attack Redirection to Honeypots
- Metadata Analysis for Digital Forensics Triage


BREAKOUT SESSION LOCATOR MAP

Centennial 1: Forensics (Wednesday–Friday)
Centennial 1-4: Plenary Session
Centennial 2-3: Forensics (Wednesday, Thursday PM, Friday); Law Enforcement (Thursday AM)
Centennial 4: Defense Industrial Base (Wednesday–Friday)
The Learning Center: Forensics (Wednesday–Friday)
Grand Hall A: Forensics (Wednesday–Friday)
Grand Hall B: Forensics (Wednesday–Thursday)
Grand Hall C: Defense Industrial Base (Wednesday–Friday)
Grand Hall D: Information Assurance (Wednesday–Friday)
Hanover A-B: Law Enforcement (Wednesday–Friday)
Hanover C-D: Law Enforcement (Wednesday–Friday)
Hanover E: Forensics (Wednesday–Friday)
Hanover F-G: Law Enforcement (Wednesday–Friday)
Harris: Speaker Ready Room
Fairlie: Law Enforcement (Wednesday AM); Research & Development (Wednesday AM); Defense Industrial Base (Wednesday PM); Information Assurance (Thursday); Forensics (Thursday AM)
Dunwoody: Forensics (Wednesday–Friday)
Courtland: Defense Industrial Base (Wednesday–Friday)
Baker: Legal (Wednesday–Friday)
Auburn: Defense Industrial Base (Wednesday AM; Thursday PM); Law Enforcement (Wednesday PM; Thursday AM); Research & Development (Wednesday PM); Information Assurance (Wednesday PM)
Inman: Research & Development (Wednesday–Friday)
Kennesaw: Research & Development (Wednesday–Friday)


BREAKOUT SESSION PLANNER

Use this page to make a quick-reference list of the sessions you wish to attend.

WEDNESDAY, JANUARY 26
Time | Event | Place

THURSDAY, JANUARY 27
Time | Event | Place

FRIDAY, JANUARY 28
Time | Event | Place


BIRDS OF A FEATHER SESSIONS

Birds of a Feather: Bring Your Own Slides Sessions
These sessions offer an opportunity for attendees with similar interests to gather in an open discussion group, and are designed to cover topics or subtopics in a more interactive, conversational manner than the formal conference sessions offered during the day. Eight session slots are available on Thursday. Sessions run from 1700 to 1830. Some sessions have already been assigned but many are still available (see the schedule below). The most current schedule is posted on the bulletin board at Conference Registration. All attendees are welcome to sign up to lead a session: stop by the bulletin board and sign your name and session title up for an open slot. After signing up, go to the room and post your name and session title in the room. First-come, first-served. A laptop and projector are provided. Don't want to lead a session, but interested in attending? Check the bulletin board for a real-time update of the schedule.

BIRDS OF A FEATHER, THURSDAY 1700–1830

Grand Hall A
Open Slot

Grand Hall B
Training Wounded Warriors to Return to Duty
National Forensics Training Center
The National Forensics Training Center at Mississippi State University has been training state and local law enforcement officers for over five years to combat cyber crime. Since 2005, over 4000 state and local law enforcement officers have been trained in techniques ranging from simple bag and tag of computer systems to advanced cell phone techniques. In 2008, Mississippi State University received a grant along with Auburn and Tuskegee Universities in Alabama to provide this training to disabled veterans and wounded warriors in an effort to provide workforce transition training to America's veterans. The training has been successful in sparking an interest among veterans and wounded warriors, and recently in the Department of Defense. Hopefully, with renewed funding and a partnership with the DoD Cyber Crime Center, MSU will continue the training and start providing some of the wounded warriors that wish to and are able to stay on active duty an opportunity for more training at DCITA. This Birds of a Feather session will provide information on the program and open the floor for an infusion of ideas from the attendees on what we can do to make this program better.

Grand Hall C
Standard Model Reality vs. Information Physics: Bridging the Gap in the Court Room
Chet Uber, Project Director Vigilant, BBHC Global LLC

Grand Hall D
Assuring Unbound Media
Brad Smith RN, CISSP, NSA-IAM, Director, Computer Institute of the Rockies
This session will be a discussion about the threat of unbound media (mainly Bluetooth, but including Wi-Fi, infrared, or anything without wires). Everybody is now unbound and nobody secures it. The session includes a live demo where attendees can check their phones to make sure that "Bluetooth off" really is off. We will lead into a discussion on securing all unbound media, a massive new threat area.


Hanover A-B
DIB SCC Discussions
Wayne Boline, Senior Manager, Raytheon; Mike Gordon; Steve Lines; David Ehinger
This session will discuss public and private collaborative efforts between the DIB SCC and government agencies such as the DoD, NSA, USSS, and others.

Hanover C-D
Cyber Forensics of Lawfully Intercepted Packets
Dave Gruber, Vice President, Merlin International
When it comes to creating usable digital evidence, packet-level network intercept data can be very difficult to work with. This session will discuss real-world methods for getting meat off the bone during cyberspace investigations. Topics include:
- How to deal with massive quantities of packet capture (pcap) data.
- Going beyond an IP-centric approach to finding and tracking bad guys online.
- Techniques for organizing unstructured and semi-structured data using open search engine technology.
- Finding and extracting digital artifacts from pcap data.
- Advanced web reconstruction technologies.
- How to quickly enhance a network investigation by creating a timeline.
- Dealing with Web 2.0 HTTP applications like Facebook and webmail.
- Text entity extraction from full content.
- Extracting and cross-referencing people-related metadata.
And finally, the ultimate enhancement to a network investigation: cross-referencing with computer forensic data from dead disks/phones, and with other sources like Call Detail Records (CDR), security logs, and open source web harvesting.

Hanover E
NIJ Electronic Crime and Digital Evidence Needs Assessment for State and Local Law Enforcement Workshop
Robert O'Leary, Director, NIJ Electronic Crime Technology Center of Excellence; Dr. Victor Fay-Wolfe, PhD, Professor, University of Rhode Island; Russell Yawn, Chief of Prosecution Services, Alabama District Attorneys Association; Kristen McCooey, University of Rhode Island Digital Forensics Center; Martin Novak, Physical Scientist, NIJ Electronic Crime Portfolio Program Manager
The NIJ Electronic Crime Technology Center of Excellence will be conducting research for the National Institute of Justice Research Report "Electronic Crime Needs Assessment for State and Local Law Enforcement". This Birds of a Feather session will introduce the research project, the methodologies to be used, and the information to be identified and compiled to produce a comprehensive report to NIJ identifying the impact of electronic crime and digital evidence on State and local criminal justice agencies. The discussion will focus on the challenges and issues State and local law enforcement currently face, as well as the challenges that can be anticipated as a result of emerging technologies. The last NIJ Electronic Crime Needs Assessment Research Report was published in March 2001.

Hanover F-G
Scripted Incident Response and Volatile Data Collection
Robert Renew, Northrop Grumman
The subject matter focuses on the lack of trained personnel capable of performing incident response activity, and on automating a solution to that response. Additionally, there will be discussion of volatile data collection, the tools used, and rapid analysis of the tool results.

OPEN MEETING ROOMS

An Open Meeting Room is available for impromptu meetings. If you would like to reserve any of the following rooms for a meeting, please post on the sign outside the room as well as on the message board located by the Registration Desk in the Grand Hall Foyer on the Exhibit Level. These rooms are available on a first-come, first-served basis.

Wednesday
Edgewood: 1330–1430, 1600–1700
Lenox: 0830–1700

Thursday
Auburn: 1330–1700
Edgewood: 0830–1030, 1330–1700
Lenox: 0830–1700


DC3 TOOL EXPO

Thursday, January 27 | Location: Grand Hall Foyer
The DC3 Tool Expo is a unique opportunity to view and provide feedback on over a dozen tools developed specifically for cyber crime investigators, digital forensic examiners, and analysts. The goal is to make the digital forensic community aware of the free tools and resources available to the law enforcement (LE) digital forensics community through the National Repository for Digital Forensics Intelligence (NRDFI). Come get a demo and speak directly to the developer. Provide feedback that might enhance the overall capability and usefulness of the tool. Tools to be demoed include:
- DC3_CV: Mr. Keith Bertolino & Mr. Jason Agurkis
- DC3 iPhone Analyzer: Mr. Andrew Medico
- DC3 Triage: Mr. Chanpreet Julka
- DFIT: Mr. Matt Nolan
- Shadow Volume Link Manager: Mr. Timothy Leschke
- DMAT: Mr. Harold Rodriguez
- FDE: SA Bill Dent
- FmAV (Force-multiplier Anti-Virus): Mr. Harold Rodriguez
- Steg: Mr. Mark Hirsh
- DCCI_StegDetect
- DCCI_LSBextr
- bs_break
- DCCI_StegCarver
- DCCI_StegReg
- DCCI_Video Validator
- DCCI_FLD (Foreign Language Detector)
- DCCI_SCViewer

DC3 thanks you for attending the Conference.


SESSION DESCRIPTIONS

The Geek Meter rates presentations as follows:
Geek Meter 1: No technical knowledge needed
Geek Meter 2: Moderate technical knowledge needed
Geek Meter 3: Extensive technical knowledge needed
Law-enforcement-only presentations can be attended by law enforcement, prosecutors, and forensic examiners working for law enforcement. Please note that press are not allowed to attend any track presentations.

PRE-CONFERENCE TRAINING

Advanced Network Intrusion Traffic Analysis
Saturday and Sunday; Location: Dunwoody; Duration: 1 Day; Classification: FOUO; Intended Audience: Information Assurance
Presenters: Joe Fichera and Mike Cowan
In this one-day hands-on training session, attendees learn how to identify intrusion traffic, understand and identify the techniques used by the attacker, and reconstruct the intrusion traffic. Attendees also learn how to identify the attack vector, mitigate loss, and secure the vulnerability, using Wireshark, NetWitness and Snort.
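The timeline item on the Hanover C-D Birds of a Feather list (Cyber Forensics of Lawfully Intercepted Packets) and the traffic reconstruction this course practices in Wireshark share the same first step: walk the capture record by record, decode only the frames that matter, and order what you find by the capture timestamp rather than by position in the file. The following is an added example, not material from either presenter or from DC3. It assumes a classic libpcap file with Ethernet framing, decodes only IPv4/TCP segments whose payload begins with an HTTP request line, and runs against a constructed four-record capture built inline; the addresses, hostnames and timestamps are made-up documentation values, not real traffic.

```python
"""HTTP request timeline from a libpcap capture, standard library only (added example)."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 written little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for every record in a classic libpcap blob."""
    if data[:4] == PCAP_MAGIC_LE:
        end = "<"
    elif data[:4] == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is decoded")
    off = 24                                   # 24-byte global header
    while off + 16 <= len(data):               # 16-byte per-record header
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):         # truncated final record: stop, do not mis-parse
            break
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def decode_ipv4_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4; ARP etc. skipped
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                         # TCP header length, options included
    return src, dst, sport, dport, tcp[data_off:]

def http_request(payload):
    """Return (method, path, host) if payload begins with an HTTP request line, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None        # responses ("HTTP/1.1 200 OK"), empty ACK segments, binary protocols
    host = next((ln[5:].strip() for ln in lines[1:] if ln.lower().startswith("host:")), "")
    return parts[0], parts[1], host

def http_timeline(pcap_bytes):
    """HTTP request events ordered by capture timestamp, not by position in the file."""
    events = []
    for ts, frame in parse_pcap(pcap_bytes):
        decoded = decode_ipv4_tcp(frame)
        req = http_request(decoded[4]) if decoded else None
        if req is None:
            continue
        src, dst, sport, dport, _payload = decoded
        method, path, host = req
        events.append({"ts": ts, "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
                       "src": src, "sport": sport, "dst": dst, "dport": dport,
                       "method": method, "url": "http://%s%s" % (host, path)})
    events.sort(key=lambda e: e["ts"])
    return events

# ---- constructed sample capture (documentation addresses, not real traffic) ----
def make_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums, sufficient for the parser above."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip

def build_sample_pcap():
    """Four records written out of chronological order: two requests, one response, one ARP."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [   # epoch 1296000000 is 2011-01-26 00:00:00 UTC, the conference's Wednesday
        (1296000010, 500000, make_frame("10.0.0.5", "203.0.113.7", 51000, 80,
                                        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")),
        (1296000010, 700000, make_frame("203.0.113.7", "10.0.0.5", 80, 51000,
                                        b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),
        (1296000003, 0, make_frame("10.0.0.5", "198.51.100.9", 51001, 8080,
                                   b"POST /check HTTP/1.1\r\nHost: update.example.net\r\n\r\n")),
        (1296000004, 0, b"\x00\x11\x22\x33\x44\x55" + b"\xff" * 6 + b"\x08\x06" + b"\x00" * 28),
    ]
    return header + b"".join(struct.pack("<IIII", s, us, len(f), len(f)) + f for s, us, f in records)

if __name__ == "__main__":
    for e in http_timeline(build_sample_pcap()):
        print(e["time"], e["src"], "->", e["dst"], e["dport"], e["method"], e["url"])
```

The response, the bare ARP frame and any empty ACK segments fall out of the timeline, and the two requests come back in time order even though the file stores them the other way round. Two limits matter on a real intercept: a request line split across TCP segments needs stream reassembly before this check will see it, and a pcapng file has a different header, which parse_pcap rejects rather than mis-reads.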

Introduction to Botnets
Saturday and Sunday; Location: Auburn; Duration: 1 Day; Classification: FOUO; Intended Audience: Information Assurance
Presenters: Andrew Ingraham and John Auman
Botnets are a significant part of the Advanced Persistent Threat (APT) facing corporate and government networks today. Botnet software has evolved into sophisticated, customizable crimeware that allows virtually anyone to easily build their own version of bots and botnets and launch their own coordinated infiltrations. This course introduces botnets and gives students an opportunity to get hands-on experience setting up and running a self-contained botnet. In addition, students look at the evidence left behind by a botnet compromise in network traffic and Windows system artifacts. Students should be familiar with basic networking and have a basic understanding of Windows system artifacts.

computer hardware and familiarity with Windows operating system environments. This training is not for forensic examiners.

Intro to Malware Analysis Techniques
Friday–Saturday and Sunday–Monday; Location: Baker; Duration: 2 Days; Classification: FOUO; Intended Audience: Information Assurance
Presenters: Matthew McFadden and Casey Szyper
This two-day hands-on course teaches the fundamentals and concepts involved in malware analysis at a basic level. Malicious code is often found on computer systems during network intrusion investigations. The main goals of analysis are to assess an executable to discover its functionality, and to identify the artifacts of its presence and usage.

Mac Forensics 2011
Friday–Saturday and Sunday–Monday; Location: Centennial Ballroom 2-3; Duration: 2 Days; Classification: FOUO; Intended Audience: T2
Presenters: Sara Newcomer and Lucus Nelson
This two-day hands-on training addresses forensic examinations of Mac systems (OS X). We first approach the Mac platform with traditional forensic methods, using EnCase to find and analyze OS X artifacts. We also use OS X itself to examine exported OS X-specific data, which is best viewed in its native environment.Attendees should have a basic level of familiarity with Guidance Software's EnCase Forensic Edition.

Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks
Friday–Saturday and Sunday–Monday; Location: Edgewood; Duration: 2 Days; Classification: FOUO; Intended Audience: Information Assurance
Presenter: Debra Kent
Cyber analysis is a growing field that combines traditional analysis with the highly technical concepts of network intrusions to determine how various incidents are connected. Those in the technical field frequently lack training in the analytical process, and those in the analytical field generally lack the technical background to understand complex computer forensic reports and other data pertinent to creating accurate reports. This two-day course provides an overview of cyber analysis as it applies to the network intrusion problem set, and covers a basic overview of network intrusions and electronic artifacts, an introduction to basic Analyst's Notebook use, and an introduction to analyzing the data. The course gives attendees the chance to become familiar with reading technical reports and placing them into a basic link analysis chart using i2's Analyst's Notebook. Students should be familiar with IP addresses and basic threats to computer networks.

analyzing Malicious Carrier files


Friday and Monday, Location: Auburn; Duration: 1 Day; Classification: FOUO; Intended Audience: Forensics Presenters: Christopher Daywalt and Daniel Raygoza This one-day class covers the fundamentals of analyzing malicious carrier files such as PDFs, Microsoft Office documents and CHM files used in spear phishing attacks. It covers the structure of common carrier file types and methods for recognizing, extracting, deobfuscating and analyzing embedded scripts and shellcode. Students then learn how to leverage this embedded logic to enable accurate extraction of any additional payloads found within the carrier file. The analysis of dropped files such as executables and libraries will not be covered. This course is a combination of file-level forensic examination and malicious code analysis. While significant reverse engineering experience is not required to attend the class, students should (A) be able to navigate computer systems from a command line, (B) be comfortable analyzing data in hex editor and related tools, (C) understand common programming concepts, (D) understand basic code analysis techniques, and (E) have some familiarity with a debugger.

network exploitation analysis Techniques


Saturday and Sunday, Location: Kennesaw; Duration: 1 Day; Classification: FOUO; Intended Audience: Information Assurance Presenters: Jesse varsalone and Steve Bolt This training session (presented in 2010 as Introduction to Metaspoit) combines the disciplines of Pen Testing, Information Assurance and Forensics into a unique opportunity to learn the components of a network attack, the traffic the attack generates and the artifacts left behind. Presenters use Metasploit to launch attacks while monitoring network traffic for analysis. After examining the captured traffic, forensic artifacts of the attack are identified and discussed.

introduction to enCase for prosecutors and Case agents


Saturday and Sunday, Location: Fairlie; Duration: 1 Day; Classification: FOUO; Intended Audience: Forensics Presenters: Bryan Spano and Malcolm Smith A quality computer forensic examination is worthless if the communicated results are not understood by the consumer. Enhance your knowledge and understanding on the consumer end of that communication through active learning. Former FBI Special Agent Bryan Spano and Former Law Enforcement Officer Malcolm Smith lead attendees through hands-on exercises that cover some of the basic terminology, functions, capabilities and limitations of a common primary forensic tool used during forensic examinations. Roll up your sleeves, grab a (forensic) wrench and get under the hood! This training session is for prosecutors and case agents that are not computer forensic examiners. Pre-requisite knowledge: computer literacy, familiarity with basic

nW3C Tux4n6
FridaySunday, Location: Learning Center; Duration: 1 Day; Classification: FOUO; Intended Audience: Forensics Presenters: Herb Scott and nicholas newman This seven-hour course teaches students how to use the TuX4N6 digital triage tool, created by NW3C, to safely preview the active files on a suspect computer in a forensically sound manner. The TuX4N6 tool is based on the Linux operating system and has the advantage of being able to read other computer systems files without writing to or altering the data on those systems. Students are taught how to conduct a manual search of a computer, use automated features to search the computer for keywords and specific file types, and how to save evidence to external storage media. Upon successful completion of the course, students receive a free copy of the TuX4N6 tool.

follow the script please!


Friday and Monday, Location: Fairlie; Duration: 1 Day; Classification: Public; Intended Audience: Law Enforcement Presenters: Ernest Krutzsch and David DeMaio This one-day hands-on workshop introduces students to the concepts of writing and editing scripts to automate incident response activities. Students learn how to author and edit incident response scripts for Windows and Linux environments. This session is intended for beginners and those who simply need a refresher.

U.S. DEPARTMENT OF DEFENSE CYBER CRIME CONFERENCE 2011 | Cyber Hunters: Predators and Prey... | 27

Online Anonymity
Friday and Monday; Location: Kennesaw; Duration: 1 Day; Classification: FOUO; Intended Audience: Law Enforcement; Presenters: Steve Bolt and Bob Reyes
This one-day hands-on course is derived from the week-long OUT course offered by DCITA. Tools and methodologies are demonstrated and provided that will enable an examiner or investigator to conduct information gathering efforts while obfuscating their source location.

Pen Testing 101
Saturday and Sunday; Location: Courtland; Duration: 1 Day; Classification: Public; Intended Audience: Information Assurance; Presenters: Michael Kobett and Jeff Naylor
This two-day training session introduces open source pen testing tools and methods to students in a hands-on environment. You'll learn the importance of Rules of Engagement for both tester and target. Then you'll dive into a white box test to get your feet wet and prepare for the black box test at the end of the session. All students receive a CD/DVD containing the tools used during the class.

SANS Metasploit Kung Fu
Friday-Saturday; Location: International South; Duration: 2 Days; Classification: Public; Intended Audience: Forensics
This class would be essential to any industry that has to test regularly as part of compliance requirements or regularly tests its security infrastructure as part of healthy security practices, such as penetration testers, vulnerability assessment personnel, auditors, general security engineers, and security researchers.

Snort for Network Analysis
Friday and Monday; Location: Dunwoody; Duration: 1 Day; Classification: Public; Intended Audience: Information Assurance; Presenters: Joe Fichera and Ernie Krutzsch
This one-day hands-on training session is intended for incident responders and anyone with a desire to learn how to use Snort to analyze network traffic. Attendees use Snort to quickly gain insight into the analysis of previously captured network traffic to locate particular files, or types of files, and anomalies that indicate an intrusion.

Windows 7 Forensics
Friday and Monday; Location: Courtland; Duration: 1 Day; Classification: FOUO; Intended Audience: Forensics; Presenters: Mark Neno and Walt Bobby
With the introduction of the Windows 7 operating system, forensic examiners need guidance regarding how the OS impacts their exams. Among the topics that are discussed are Libraries, Jump Lists, Pinning, Gadgets, Thumbnail Caching, Sticky Notes, exFAT, System Protection and Backup (Windows Backup, System Image, Previous Versions, Volume Shadow Copies), Virtualization, XP Mode, Registry, SuperFetch, Windows Search, Indexing, BitLocker and BitLocker To Go. Also considered is the use of Windows 7 as a platform for examinations.

Windows Incident Response
Friday-Saturday and Sunday-Monday; Location: Inman; Duration: 2 Days; Classification: FOUO; Intended Audience: T2; Presenters: Michael Moore and Albert Mauri
This hands-on course is an abridged edition of DCITA's CIRC, focusing on response in a Windows environment. Topics addressed include: search and seizure; first response; processing on-screen data; shutdown procedures; packaging and transportation; incident response; Windows 2003 Server; incident preparation; physical memory acquisition; information collection; evidence imaging; and hardware-based imaging.

PLENARY SESSIONS

Cybersecurity and American Economic Prosperity in the 21st Century
Tuesday, 0845-0930; Location: Centennial Ballroom; Presenter: Honorable Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President
President Obama has declared that the cyber threat is one of the most serious economic and national security challenges we face as a nation and that America's economic prosperity in the 21st century will depend on cybersecurity. In this global, digital age, the Nation's competitiveness and prosperity depend on cybersecurity. Cyber investigators working together with the government, public and private sectors will make cyberspace safer and more resilient for the Nation, its citizens, and its businesses.

Cyber Skills Matter: Findings from the CSIS Commission on Cybersecurity for the President
Tuesday, 1015-1100; Location: Centennial Ballroom; Presenter: Alan Paller, Director of Research, SANS Institute
Earlier this year, a report from the prestigious Center for Strategic and International Studies provided the first proof that, in the hunt for the advanced persistent threat, the quality of cyber skills has a grander impact than the quality of cyber hardware and software. Sadly, it is far tougher to find highly skilled security practitioners than to buy another software or hardware product. In this briefing, the presenter shares the CSIS data and then describes the national talent search/talent development program designed to grow the pipeline of highly qualified cyber security hunters.

The Future of Computer Forensics and Investigations
Tuesday, 1315-1400; Location: Centennial Ballroom; Presenter: Ovie Carroll, Director, CCIPS Cybercrime Lab, U.S. Department of Justice
Ovie Carroll discusses current trends facing computer forensic professionals and the future of computer forensics and investigations. This presentation covers some important evidence we are still missing out on in our investigations because of our current procedures. Additionally, the presentation discusses where computer forensics is going and how we need to be preparing, both in methodology and practice, to achieve success with the challenges that are just around the corner.

The 21st Century Cyber Threat
Tuesday, 1400-1445; Location: Centennial Ballroom; Presenter: Mr. Jeff Troy, Deputy Assistant Director, FBI Cyber Division
The briefing focuses on the current threat environment, cyber threat actors, the impact of these threats and what the FBI does to address these issues.

Pursuing Cybercrime Targets Around the World
Tuesday, 1530-1615; Location: Centennial Ballroom; Presenter: John Lynch, Deputy Chief for Computer Crime, Criminal Division, U.S. Department of Justice
The session provides some examples of major cybercrime cases prosecuted by the Department of Justice to illustrate the challenges and lessons to be learned in pursuing cybercrime targets around the world.

Pieces of the Investigation
Tuesday, 1615-1700; Location: Centennial Ballroom; Panelists: Special Agent Paul Alvarez, AFOSI; Brian Havens, FX Staff, DC3; Albert Rees, Trial Attorney, Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S.; Lieutenant Colonel Cindy Stanley, Deputy Staff Judge Advocate, AFOSI; Special Agent William Yurek, Senior Counsel, U.S. Department of Justice
The presentation shows how a number of different disciplines work together when there is a possible intrusion into DoD or DoD contractor systems. It is important that all individuals know what the roles of the other parties are and how they contribute to a successful investigation.

BREAKOUT SESSIONS

10 Mistakes Hackers Want You to Make
Wednesday, 1100-1150; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 1; Presenter: Sanjay Bavisi, EC-Council
This presentation delves into lapses in security practices, which provide opportunity for hackers to exploit vulnerabilities, intrude into networks and systems and commit crime. It highlights the threat scenario in the IT environment and its implication for organizations. The main focus of the presentation is what measures organizations must adopt to safeguard IT infrastructure from threats in cyberspace.

20+ Ways to Improve Digital Evidence and Cyber Crime Trials
Wednesday, 1500-1650; Location: Baker; Track: Legal; Geek Meter: 1; Presenter: Donald Flynn Jr., Attorney Advisor, Department of Defense Cyber Crime Center
This presentation discusses the key elements and decision points in cases involving either digital evidence or cyber crime. Each critical step is discussed at length with all advantages and disadvantages taken into account. The aim is to enable lawyers and investigators to investigate and litigate digital evidence and cyber crime cases more effectively and efficiently.

2011 Cyber Threats and Trends


Friday, 1000-1100; Location: Grand Hall C; Track: Defense Industry Base; Geek Meter: 1 Presenter: Rick Howard, Intelligence Director, veriSign / iDefense This session is a discussion about the current cyber security trends identified in 2010 and manifested in 2011 across the spectrum of Cyber Crime, Cyber War, Cyber Espionage, Cyber Hactavism and Cyber Terrorism.

a review of all Cell phone forensics Tools and hoW They Work a Cell phone and Gps forensic Tool Classification system
Wednesday, 0830-1150; Location: Centennial Centennial Ballroom 1; Track: Forensics; Geek Meter: 1 Presenter: Sam Brothers, Digital Forensics Analyst, U.S. Customs and Border Protection This session provides an overview of ALL commercially available tools for cell phone data extraction! A minisection focuses on tools specific to the iPhone. The presenter demonstrates and discusses how cell phone (and GPS) forensic tools actually work and discusses the Small Device Digital Forensic Tool Classification System (Pyramid) that he developed. Our world has been saturated with a plethora of these inexpensive digital devices. What is becoming increasingly useful is the retrieval and analysis of the information stored on such devices. As youd expect, this includes phone numbers dialed, incoming calls received, phone directories, appointment reminders and calendars. But there is so much more. With over a billion subscribers worldwide, cell phones are a realm that is for the most part an untapped resource of valuable information when it comes to forensic examinations of digital media.

covered. Additional tools for image enhancement, video clarification, biometrics imaging issues, and measurement also are discussed. Attendees leave with practical techniques that can be applied immediately, as well as a knowledge of up-and-coming tools and techniques.

advanced Command and Control Channels


Thursday, 1100-1150; Location: Grand Hall C; Track: Defense Industry Base; Geek Meter: 2 Presenters: neal Keating, Cyber Intelligence Analyst, U.S. Department of State-Cyber Threat Analysis Division; Adam Meyers, SRA International, Inc. As the cat and mouse game between cyber attackers and cyber defenders continues, todays most advanced types of malware are constantly developing alternative ways to create covert command and control (C2) channels. This presentation includes a high-level explanation of C2 channels in advanced types of malware, as well as an in-depth analysis of the tactics, techniques and procedures used by several of these channels such as AJAX programming, RSS feeds, social networking sites and more.

a Malware analysis Case study: analysis of the {Tdl3, Tidserv, Tdss, alureon} kernel Mode rootkit
Thursday, 1330-1420; Location: Grand Hall A; Track: Forensics; Geek Meter: 2 Presenter: Paul Bartruff, Senior Engineer, SAIC The TDL rootkit, also commonly referred to as Tidserv, TDSS, or Alureon, is a sophisticated kernel mode rootkit that appears to be developed and maintained by professionals. This discussion covers a brief history lesson on TDL, including its probable origin and affiliations; several specific concepts of the x86 architecture leveraged by kernel mode rootkits; and how they apply to our TDL3 sample. This analysis is a deep dive into the third generation of the rootkit (TDL3) with a particular focus on the kernel mode component specifically its stealth capability and persistence mechanism in a win32 environment. Additionally, if time permits, a brief discussion of the recent 64bit version of TDL will be conducted about how the architecture change, both hardware (x86_64) and software (win64), affects techniques.

advanced sQlite in forensics


Wednesday, 1100-1150; Location: Edgewood; Track: Forensics; Geek Meter: 2 Presenter: Andrew Hoog, Certified Forensic Analyst, viaForensics This session covers the acquisition and analysis of SQLite databases in environments spanning computers through the rapidly growing mobile environment. Data stored in an SQLite database can provide data highly valuable to any investigation. This session provides a detailed overview of how SQLite databases are structured and operate, basic software to view SQLite data, techniques for simple deleted data recovery and, finally, advanced algorithms that can be used to recover data not only for a SQLite file, but from entire raw images.

accreditation as only the first step


Friday, 0900-0950; Location: Grand Hall A; Track: Forensics; Geek Meter: 1 Presenter: Ryan vela, network Defense and Digital Forensics, General Dynamics Attendees of this session should have experience in either participating or considering government or private sector forensic laboratories and accreditation. Accreditation is a practical application of quality assurance to which all personnel within digital forensics should be concerned. This session prepares attendees to do the following: list areas that must be addressed on top of accreditation requirements; describe issues they must pay attention to as the forensics industry changes at a faster pace than accreditation requirements; outline a clear process that laboratories can institute to create a feedback loop with personnel; identify methods of demonstrating in their document management system areas where they go above the normal baseline requirements; and describe the future of accreditation and what it will mean for government and private laboratories in the future.

a More strategic approach to Cyber Crime


Wednesday, 0830-1020; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 1 Presenters: Andy Purdy, Chief Cybersecurity Strategist and Co-Director, International Cyber Center, CSC and George Mason University; Tom Kellerman, Core Security; Jason Healey, Delta Risk and the Cyber Conflict Studies Association This panel presents and explores the view that the current approach to malicious cyber activity is destined to fail because it is too focused on a reactive, law enforcement-centric approach that uses the private sector as a source for data on malicious activity rather than as a true partner. We explore the thesis that representatives of the private sector should partner not only with law enforcement, but government more broadly, to develop and implement a strategic, proactive, people-processes-technology approach designed to reduce the frequency, impact and risk of malicious activity. The focus should be on the most significant malicious actors and those who enable them knowingly or unwittingly (shippers, ISPS, merchant banks, payment processors and providers IP hosting companies, clueless admins who are allowing bots on the network, and so on).

advancements in android forensics


Wednesday, 0900-0950; Location: Edgewood; Track: Forensics; Geek Meter: 2 Presenter: Christopher Triplett, Technology Consultant, viaForensics This session discusses recent advancements in Android forensics in both logical and physical methods. New exploitation advancements open the possibility of gaining access to every Android device, even those with passcode protection. Both logical and physical recovery are demonstrated on a pattern-locked Motorola Droid. Attendees gain an understanding of the underlying process of forensic imaging within the Android environment and learn ways of fully utilizing the logical data when a physical recovery is not possible.

adobe photoshop, digital imaging and law enforcement


Thursday, 1100-1150; Location: Edgewood; Track: Law Enforcement; Geek Meter: 1 Presenter: John Penn ll, Senior Solutions ArchitectIntelligence, Investigation and Law Enforcement Technologies, Adobe Systems Inc. This presentation discusses digital image and video issues and challenges faced by law enforcement. Key topics include image manipulation, manipulation detection, and image verification, all of which play an increasingly important role in law enforcement. The presentation looks at how rapidly images can be manipulated and the tool marks that are left by in the process of manipulating images. Challenges related to verification of media acquired from investigations and media used in court presentations are also be

agent-based forensics options, pitfalls and Triumphs


Friday, 0900-0950; Location: Hanover E; Track: Forensics; Geek Meter: 1 Presenter: Amber Schroader, CEO, Paraben Corporation Enterprise forensics is expanding as an option for both reactive and proactive approaches to data protection, mining and discovery. There are many techniques to gather this data, but can they hold up to the changes

U.S. DEPARTMEnT OF DEFEnSE CyBER CRIME COnFEREnCE 2011Cyber Hunters: Predators and Prey... |

29

sessIon descRIptIons
in the operating systems of tomorrow? This session reviews different agent-based solutions and methods to gain remote access to systems for analysis, as well as the common pitfalls of live capture and how to avoid them.

android: a forensic primer


Thursday, 1330-1420; Location: Hanover E; Track: Forensics; Geek Meter: 2 Presenter: Erik Sherman, Instructor/Course Developer, Defense Cyber Investigations Training Academy The Android Operating System is used by thousands, if not millions, of people every day, but few know the back end and associated data. The inner workings are still unclear to some IT professionals. This primer on Android provides the basic knowledge necessary to interpret data from this OS. This presentation is focused on the basics of data storage locations, file systems and many other items of forensics value.

amnesia live Cd having no Memory of Your surfing


Friday, 0900-0950; Location: Centennial Ballroom 4; Track: Defense Industry Base; Geek Meter: 2 Presenter: Michael Kobett, Instructor/Course Developer, Defense Cyber Investigations Training Academy The Amnesia Live CD offers users online anonymity. The presenter demonstrates and discusses this Live CD distribution, which creates an anonymous environment by using the TOR routing system onboard a virtual keyboard to negate the effects of a hardware-based key logger and erase memory contents on shutdown to negate cold-boot attacks and memory forensic analysis.

network security systems that monitor traffic and help mitigate impacts resulting from cyber attacks. It focuses on methods for measuring the effectiveness of sensors at a particular location. Sensors and network monitoring systems are expensive, and organizations are naturally interested in what the return is for purchasing and deploying a sensor. The model assesses the benefits in terms of the reduction in potential damages resulting from cyber attacks that are mitigated to various degrees by having this new network device. The implications of the analysis, extensions needed and future research directions are discussed.

applying reforms from the intelligence Community to Computer forensics


Wednesday, 0830-0920; Location: Dunwoody; Track: Forensics; Geek Meter: 2 Presenter: Michael Robinson, Chief Information Officer, DoD Business Transformation Agency The u.S. Intelligence Community (IC) has taken it on the chin over the past decade. The IC has been publicly criticized with respect to the events of September 11, the Weapons of Mass Destruction in Iraq, the shoe bomber, the Christmas Day airline bomber, and so forth. Despite public criticism, the IC has undergone appreciable reform with respect to its intelligence analysis. The changes are being felt in the areas of collection efforts, at the analyst level and in the larger intelligence effort. There are a number of similarities between the fields of intelligence work and computer forensics investigations. The computer forensics field can take advantage of the ICs ongoing transformation to make drastic improvements in protocols and procedures. As a result, the computer forensics community will be more successful in its analytical efforts, in achieving much needed standards, and in improving success stories. This presentation provides practical examples to illustrate the comparative points between the two disciplines.

asymmetrical botnet attacks: Challenges and strategies for Countering Cyberwarfare


Wednesday, 1100-1150; Location: Auburn; Track: Defense Industry Base; Geek Meter: 2 Presenter: Sean Bodmer, Senior Research Analyst, Damballa Russian hacktivists successfully attacked and disrupted Georgias government and financial systems during the two countries brief war in 2008. A recent attack against u.S. institutions appears to have been directed from North Korean agencies. Clearly, cyberwarfare is a reality. And yet, many organizations cling to outdated notions of botnet attacks and how best to counter them. Cyberwar is much more sophisticated than worms, trojans or hackers attempting to compromise a few servers. Sophisticated botnetscan organize tens of thousands of PCs and servers on a moments notice. These machines have been compromised without their owners knowledge. Each one can be redirected into a cyberwarfare attack in as little as 15 minutes. Both of the attacks listed above were launched using botnets.

an overview of location-based services (lbs)


Friday, 1000-1100; Location: Grand Hall A; Track: Forensics; Geek Meter: 2 Presenter: Matt Warnock, Analyst, Department of Defense Location-based Services (LBS) are nearly ubiquitous on todays mobile devices. LBS can find a devices location with startling accuracy and users can obtain services that are specific to their location. Since we carry these devices with us nearly all the timelike cell phones and mobile computers we must be aware of the safety, security and privacy considerations of LBS. While LBS can be fun, practical and useful, they have a potential dark side. This presentation examines the types of location technologies that are available, including global positioning system (GPS), assisted-GPS, GSM geolocation and WiFi geolocation. The presentation also reviews current services that are available to mobile users, their intended features and benefits and the unintended consequences of using these services. Attendees learn how these technologies obtain information about users and devices, and how to use this to find a specific location, and with what accuracy. Attendees also learn what information about a location is provided to the service and what other information is included and can be aggregated to paint a picture of the user that might not be expected.

automated audio and video analysis


Friday, 1100-1150; Location: Centennial Ballroom 1; Track: Forensics; Geek Meter: 3 Presenters: Todd Waits, Software Engineering Institute: CERT Forensics, Jeffrey A. Hamed, visiting Scientist, SEI: CERT DIID This 50-minute presentation presents best practices regarding media analysis tool setup, including software choice, codecs and compression software, and hardware selection. It also covers the methodologies behind our automated analysis system, how it interacts with a digital asset manager, and how the automatically generated metadata can be used to perform link analysis visualization operations to find connections and information previously missed.

applying the science of similarity to Computer forensics


Wednesday, 0930-1020; Location: Kennesaw; Track: Research and Development; Geek Meter: 2 Presenter: Jesse Kornblum, Research Geek, Kyrus Technology Computers are fantastic at finding identical pieces of data, but terrible at finding similar data. Part of the problem is first defining the term similar in any given context. The relationships between similar pictures are different than the relationships between similar pieces of malware. This presentation explores the different kinds of similar data, presents a scientific approach to finding similar things, and explores how these apply to computer forensics. Fuzzy hashing was just the beginning! Topics include wavelet decomposition, control flow graphs, cosine similarity and lots of other fun mathy stuffs that will make your life easier.

analysis of duplication in a large dataset and its implications for storage


Friday, 0900-0950; Location: Inman; Track: Research and Development; Geek Meter: 3 Presenter: David Ferguson, Senior Computer Engineer, Department of Defense Cyber Crime Center This presentation is based on the analysis of a 500 TB collection of media images collected from groups of people that communicate with each other on a regular basis. The collection has been gathered over a nine year period. The amount of duplication is significant and provides opportunities to store the exploited data in novel ways. The analysis presented should have applications to other large data sets from similar groups or businesses.

automated Wireless penTesting with siliCa-u


Wednesday, 0830-1020; Location: Centennial Ballroom 4; Repeat Session: Wednesday, 1500-1650; Location: Courtland; Track: Defense Industry Base; Geek Meter: 1 Presenter: Christian Scott, Instructor/Course Developer, Defense Cyber Investigations Training Academy This presentation examines the capabilities of SILICA-u for penetration testing wireless networks, with an emphasis on unit portability and automation. Specifics of the session include possible exploit techniques, unique capabilities, limitations of the system, and use of SILICA-u in conjunction with other penetration testing suites (proprietary and open-source.) The session is followed by technology demonstrations.

Assessing the Benefits of Network Security Systems

Thursday, 1500-1550; Location: Inman; Track: Research and Development; Geek Meter: 2 Presenter: Dr. Soumyo Moitra, Senior Tech Staff, SEI This session reviews metrics to assess the benefits from

30

| Conference and Exposition Produced by Technology Forums || www.GovernmentMeetings.com

sessIon descRIptIons
Best Practices for eDiscovery Reporting

Thursday, 0930-1020; Location: Dunwoody; Track: Forensics; Geek Meter: 1 Presenter: David Speringo, Senior Consultant/Engineer, AccessData Discoverable data is currently being generated across the corporate and government infrastructures at exponential rates. The data may reside almost anywhere: on laptops, desktops and even hard-to-reach structured database resources as well. This ever-growing mass of data requires organizations not only to focus on data management but also to optimize their reporting capabilities. Reporting at different levels of the eDiscovery process is critical to illustrating a chain of custody and validating your eDiscovery methodologies before the court. However, it also facilitates the development of your data management strategies. This session explores how to best manage the various reporting mechanisms in order to gain a better understanding of how to manage discoverable data.

Botnets, Modern Distributed Threats

Thursday, 1550-1650; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1 Presenter: Alissa Torres, Instructor/Course Developer, Defense Cyber Investigations Training Academy Not smart enough to build your own botnet? You can now rent one! Botnets play a role in nearly every kind of cybercrime seen today. This type of network can be used to mount distributed denial of service attacks, spam storms, click fraud and identity/intellectual property theft, all while covertly existing on host machines in zombie networks that span the globe. This session provides an overview on how bots are being used (and rented) to commit cybercrime. Methods of indicator collection via traffic analysis and volatile data are discussed, as well as techniques on how to shut down individual zombies in order to mitigate the damage this sophisticated web may inflict on a network.

Borderless Networks

Thursday, 0830-0920; Location: Inman; Track: Research and Development; Geek Meter: 2 Presenter: Jeff Wells, Engineering Manager, Cisco Systems We work, live, play and learn in a world that has no boundaries and knows no borders. We expect to connect to anyone, anywhere, using any device, to any resource, securely, reliably, transparently. To support this reality in an organization, IT staff must deal not only with new devices and usage models, but also with changing business practices that place huge new demands on the core infrastructure. In today's modern workplace, it is increasingly common that primary business resources, including data centers, applications, employees, and customers, are all outside the traditional business perimeter. Extending business borders around all these people and resources taxes your IT department. IT simply cannot scale when every project is an exception to traditional IT design and management practices. IT needs a better way to scale and manage users and customers in any location, given those users may be using virtually any device to access almost any application located anywhere in the world. There is a dramatic shift occurring toward ubiquitous wired and wireless access, but many organizations still treat wired and wireless networks as separate entities. This session reveals how Cisco's Borderless Network Architecture helps IT departments unify their approach to securely delivering applications to users in a highly distributed environment. The crucial element to scaling secure access is a policy-based architecture that allows IT to implement centralized access controls with enforcement throughout the network, from server, to infrastructure, to client.

Black Ice: The Invisible Threat of Digital Steganography

Thursday, 1500-1550; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1 Presenter: James Wingate, Vice President and Director, SARC, Backbone Security Sniffing out insider threats has always been a major priority in securing DoD networks. Detecting insider threats has become more important than ever before due to the continuing migration to Network Centric Warfare (NCW). With NCW, more insiders have access to more information on the Global Information Grid (GIG) than ever before. At the same time, the tradecraft of malicious insiders continues to evolve and advance in ways that are increasingly difficult to detect. Thus, the risk of classified or sensitive data exfiltration is much higher than ever before. More and more insiders are discovering they can use an Internet-era version of an ancient information hiding technique called steganography that will allow them to fly under the radar of network surveillance sensors. Thus, information hidden with any of the proliferating number of digital steganography applications is not unlike black ice: it's there, but you just can't see it because it's transparent. It's invisible. This presentation provides a brief history and tutorial on steganography to raise awareness of the threat from insider use of digital steganography to exfiltrate classified or sensitive information.

Browser Forensics: Advanced Discovery & Analysis of Internet Artifacts

Wednesday, 1330-1420; Location: Hanover E; Track: Forensics; Geek Meter: 1 Presenter: Rob Maddox, Senior Instructor and Manager, Contract Trainer Program, AccessData This session provides students with an advanced overview of evidentiary artifacts for the latest leading Internet browsers, including Internet Explorer 8 and Google Chrome. Attendees learn to locate and recover specific artifacts of forensic interest related to these browsers.

Building a Fortune 5 CIRT Under Fire

Wednesday, 1330-1420; Location: Courtland; Repeat Session: Wednesday, 1500-1550; Location: Grand Hall C; Track: Defense Industry Base; Geek Meter: 2 Presenter: Richard Bejtlich, Director Incident Response, General Electric In 2007, the CISO of General Electric decided to invest in a dedicated program to detect and respond to intrusions, as a centralized, formal function within GE. Since then, GE has built a Computer Incident Response Team (CIRT) by hiring analysts, deploying dozens of sensors across the planet, aggregating billions of log records, and institutionalizing its detection and response processes. At the same time, GE has continued to face the sorts of information security challenges found in many global organizations. In this presentation, GE's Director of Incident Response describes his experience building and leading GE-CIRT. He describes how lessons learned at a Fortune 5 company can apply to any organization, from the smallest start-up to the largest multinational, defense agency, or government organization. Special attention is given to the role of Defensible Enterprise Architecture, Network Security Monitoring, team building and operations, preparing and applying for FIRST membership, and justifying resources through metrics and communication with leadership.

Botnets: Cyber-Pirates on the Prowl

Friday, 1000-1050; Location: Centennial Ballroom 4; Track: Defense Industry Base; Geek Meter: 2 Presenter: John Auman, Instructor/Course Developer, Defense Cyber Investigations Training Academy A well-populated and managed botnet can be a fleet of virtual pirates waiting for hapless victims to sail by or an army of cyber-soldiers waiting for orders to attack. Whether stealing personal information and credentials for online theft or lying in wait to launch a Distributed Denial of Service, botnets are one of the largest threats to citizens, businesses and governments operating over the Internet. This presentation provides a detailed introduction to the botnet category of malware. Topics include how the malware can be introduced and what capability the malware offers the hacker, with specifics of some of the most often seen varieties of malware. The session explains the tactics, techniques and procedures implemented; the infrastructure put in place to manage botnets and facilitate malfeasance; the types of damage botnets have caused and can cause; the threats of botnets in the future; and issues and suggestions to expose and mitigate them.

Blogs, Tweets and the Law: The First Year of DTM 09-026

Wednesday, 1030-1150; Location: Baker; Track: Legal; Geek Meter: 1 Presenter: Rick Aldrich, Senior Computer Network Operations Policy Analyst, Information Assurance Technology Analysis Center Last February, the Deputy Secretary of Defense issued Directive-type Memorandum (DTM) 09-026. It directed that "The NIPRNET shall be configured to provide access to Internet-based capabilities [IbC] across all DoD Components." IbC was broadly defined to include a wide variety of social media. As DoD and its leadership race to embrace the benefits of the new social media, what are the associated legal issues that need to be addressed? Can commanders order military personnel to provide their Facebook and MySpace identities to permit the military to more easily track their posts? Can or should DoD monitor the blogs of its military and civilian workforce? How can it obtain logs from IbC providers? What are the rules for law enforcement investigators? Does the First Amendment protect posts that are critical of one's unit, the President, the Congress, etc.? Can a supervisor's unfriending of a subordinate constitute an adverse personnel action, triggering associated due process requirements? Does social media present a new threat vector for attacking DoD systems? What rules apply to working undercover on a social networking site? The case law is evolving quickly. Find out how.

U.S. Department of Defense Cyber Crime Conference 2011 | Cyber Hunters: Predators and Prey... |

Building Your Insider Threat Audit Program

Wednesday, 1550-1650; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 1 Presenter: Daniel Velez, Program Manager, Raytheon Oakley Building an insider threat cyber audit program in your organization requires a number of considerations, from legal to operational. This session covers lessons learned from the development of insider threat cyber audit programs across the U.S. government and the private sector. The points raised in the presentation will help you plan and implement your insider threat cyber audit program and help you refine your organization's auditing and monitoring requirements so you get it done right the first time.

Cloud Computing Forensics

Wednesday, 1330-1420; Location: Inman; Track: Research and Development; Geek Meter: 1 Presenter: Josiah Dykstra, U.S. Department of Defense Cloud computing is gaining attention and acceptance from small businesses, large corporations and government for scalability and cost savings. While much has been discussed about security for the cloud, less has been said about the impact on the forensic examination of the environment after a crime. We discuss some of the unique forensically relevant characteristics of the cloud, including challenges for the forensic examiner and forensic considerations for the cloud consumer. Finally, a research agenda is presented to address some of the tool, technique and legal challenges currently present.

Challenges for Law Enforcement and Prosecutors in Cloud Computing

Thursday, 1100-1150; Location: Baker; Track: Legal; Geek Meter: 2 Presenter: Donald Flynn Jr., Attorney Advisor, Department of Defense Cyber Crime Center Cloud computing is heralded as the wave of the future. Yet with our legal system and case law, it will present a number of difficult challenges to law enforcement personnel and prosecutors in obtaining appropriate warrants, establishing authenticity, determining jurisdiction, dealing with foreign authorities, and otherwise investigating cases, maintaining adequate network security and litigating issues at trial.

CD/DVD On-Disk Structures

Wednesday, 0830-1150; Location: Hanover E; Track: Forensics; Geek Meter: 3 Presenter: Christopher Taylor, Senior Investigator, Harris Crucial Security Programs This session is a detailed analysis of ISO 9660 and UDF from the view of how the data is actually laid out on a CD/DVD. The forensic tools we use on a daily basis show us what files are present on a disc and give us considerable extra information about these files, such as various dates and times. But where do these tools get this data from? In this session we examine a disc from the hex view and explain what those tools are reading in order to provide that data to us. An understanding of how and where the tool got the information is vital when it comes time to defend that tool and your processes on the stand.

Collaborative Forensic Analysis: Reducing Case Load Through Division of Labor

Wednesday, 1500-1550; Location: Dunwoody; Track: Forensics; Geek Meter: 2 Presenter: Keith Lockhart, Vice President of Training, AccessData There was a day when all it took to make the case was 30 minutes of viewing a floppy diskette sector by sector in the hope of recovering one or two files that might prove beneficial to an investigation. Today, it may take 30 days to create and analyze a data set that yields millions of files with thousands of responsive graphics, documents and metadata. It is not uncommon for today's target environments to contain multiple computers, USB devices, discs and/or networks with incredibly large amounts of stored data. To effectively cope with this volume of information, investigators and analysts must be prepared to work together. This collaboration should include collaborative data analysis, collaborative data processing, remote case access and administration, and multiple-user permission and task management. This session discusses these requirements and how to implement them in your work environment.

Chasing Down a Spillage Incident: PII and Classified Data Spills

Thursday, 1330-1420; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2 Presenter: Chris Mellen, Director of Professional Services, AccessData There is no patch against user error. As long as authorized users require access to sensitive information, that information will continue to find its way to unsecured systems. Attendees of this session learn how to audit for, track down and remedy these data spillage incidents before the bad guys find the data.

Cell Phone Surveillance, Location, Seizure and Search

Wednesday, 0830-1020; Location: Baker; Track: Legal; Geek Meter: 2; Law Enforcement Only Presenter: Tom Dukes, Senior Counsel, U.S. Department of Justice This presentation for attorneys and investigators merges the technical with the legal aspects of investigations involving cell phones and other mobile devices. Topics include identifying the service providers, obtaining data held by service providers, obtaining real-time communications, locating cell phones, and seizing and searching cell phones.

Cisco Network Devices Incident Response

Wednesday, 1500-1550; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1 Presenter: Matthew McFadden, Instructor/Course Developer, Defense Cyber Investigations Training Academy This presentation examines procedures for evidence collection from Cisco devices during an incident response.

Combating Spear-Phishing: Convergence of Intel, Ops and Forensics

Thursday, 1330-1420; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 2/3 Presenters: Captain Christopher McDaniels, Director DKO, 22 NWS; Christi D. Ruiz, Deputy Director DOK, 33 NWS Like most Network Defense teams, the AFCERT has seen its share of spear-phishing campaigns against Air Force members. This presentation showcases the accomplishments of the AFCERT in identifying, responding to and mitigating these threats. The detection of malicious logic by very specific signatures was a tipper to a bigger offensive operation that brought together the intel community, forensics professionals, operators and incident responders. We were able to reverse-engineer the malware and take response actions based on the findings. We mitigated the spread of the malicious code, repaired the computers and prepared for the next onslaught.

Centers for Digital Forensics Academic Excellence (CDFAE)

Wednesday, 1500-1650; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 1 Presenter: Ricky Windsor, Digital Forensic Examiner, Department of Defense Cyber Crime Center/Futures Exploration CDFAE's objective is to increase the readiness of degree bearers within the Criminal Justice, Information Technology, Information Assurance and Information Management domains looking to enter Digital Forensic career fields by increasing the applied content available to partnered academic institutes. This DC3 initiative is developing a partnership with academia to establish standards and best practices for digital forensics practitioners, educators, and researchers to advance the discipline of Digital Forensics and increase the number of qualified professionals to meet the needs of the law enforcement, counterintelligence, national defense and legal communities. This session will describe the CDFAE program construct and what it entails to have an accredited educational program as a National Center of Digital Forensics Excellence. It will focus upon establishing a common core curriculum and developing standards for education and training in Digital Forensics studies, employing a progressive education model based upon core learning objectives, and providing an opportunity for students to demonstrate their knowledge and skills in Digital Forensics.

Cloud Computing Basics

Thursday, 1500-1550; Location: Centennial Ballroom 4; Track: Defense Industry Base; Geek Meter: 1 Presenter: Erik Sherman, Instructor/Course Developer, Defense Cyber Investigations Training Academy Many new products appearing on the consumer market are labeled "cloud." This has many different impacts on software functions, data recovery and even paid services. This presentation defines the many aspects of cloud computing by analyzing current and future products, many of which will impact your mission within the near future.

Computer Forensics in the Linux Environment

Friday, 0900-1050; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 2 Presenter: Chris Shanahan, Instructor/Course Developer, Defense Cyber Investigations Training Academy Whether you're a computer forensics examiner looking to harness the power of the Linux platform or to cut down on your budget for hardware and software, or you're a seasoned examiner just looking to expand your toolbox, the Linux platform can be a powerful, viable alternative to the traditional Microsoft Windows-based applications in use today. In this session the presenter uses open source tools to demonstrate computer forensics techniques from the Linux platform. Attendees are taken through the entire computer forensics process from data collection to examination and analysis. Both volatile and non-volatile data collection and analysis techniques are discussed and demonstrated in this one-day training session. Attendees should have some familiarity with the Linux operating system and the shell, the command-line interface (CLI).

Changing the Paradigm: Towards Intelligence-Driven Situational Awareness

Friday, 0900-0950; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 1 Presenter: Dmitri Alperovitch, Cybercrime Strategist and Director of Public Sector Initiatives, McAfee This presentation reviews today's cybercrime trends from the perspective of a security vendor whose aim is to protect everything from enterprise and government networks to consumer PCs from these threats. We discuss the vectors that we monitor and the tactics we are observing. We then review how we are using these data points in what we refer to as Global Threat Intelligence to analyze and correlate data such as IP addresses of IPS attacks, domains/URLs hosting malware, spam (including malware) and other factors. We describe how this Global Threat Intelligence is used to protect endpoints and gateways in near real time. The session then discusses the complementary activities we feel are essential in raising the bar against cybercrime and what we predict for the future of the cybercriminal enterprise.

Cryptanalysis for Incident Responders, v20.11

Thursday, 1100-1150; Location: Grand Hall A; Track: Forensics; Geek Meter: 2; Law Enforcement Only Presenter: Jason Lord, Chief Operating Officer, d3 Services, Ltd. This presentation shows attendees current tools, techniques and procedures for performing cryptanalysis attacks on encrypted documents, volumes and drives.

Computer, Identify That Individual: It's Already 2011 and I Still Don't Have Any Cool Facial Recognition Software!

Wednesday, 1500-1550; Location: Inman; Track: Research and Development; Geek Meter: 1 Presenters: Jason Agurkis, Software Engineer, DCCI; Keith Bertolino, CEO, Cipher Tech Solutions, Inc. This presentation explores the process of rapidly developing your own practical facial recognition applications in .NET with algorithms that cost less than your annual supply of Mountain Dew. We look at leveraging the newest algorithms in computer vision research, along with current SDKs available in the commercial and open source communities. Along the way, we expose clever implementation tricks to drastically improve the performance of off-the-shelf algorithms to ensure your end product is as operationally useful as it is cool to watch.

Damaged Media Recovery

Wednesday, 1100-1150; Location: Learning Center; Track: Forensics; Geek Meter: 2 Presenter: Scott Lalliss, Senior Forensic Technician, Defense Computer Forensics Laboratory A last-minute act of desperation to keep from getting caught in the act is often where damaged media recovery begins. Someone getting caught in the act is often the best evidence we can hope to find, and that is exactly why a person would destroy even their most precious equipment to keep us from getting it. Recovery candidates come in as many forms as media itself does: tapes, optical media (CDs and DVDs), hard drives, memory cards, mobile devices, gaming platforms, etc. This presentation discusses the capabilities that the Defense Computer Forensics Laboratory can offer in recovering damaged media and also some of the tricks the presenter has found while working on some difficult pieces of media, such as using upside-down platter and head stack swaps on certain hard drives. Also discussed are the latest procedures for acquiring the contents of devices that produce errors during imaging or extraction, along with some other ways that you can maximize the chances of a successful recovery.

Cyber Investigation Search Kit

Friday, 1000-1050; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1 Presenter: James Meyer, Instructor/Course Developer, Defense Cyber Investigations Training Academy It's time to execute a search warrant from which you are expecting to recover digital evidence. What should your search kit include? In this session the presenter reviews the essentials of the basic, intermediate and advanced cyber search kits and when you need which. This presentation includes a demonstration of an on-scene hard drive duplication.

Cyber Threats to the Defense Industry

Thursday, 1100-1150; Location: Centennial Ballroom 1; Track: Forensics; Geek Meter: 3 Presenter: Mary Singh, Senior Consultant, Mandiant The threat landscape shifted dramatically in early 2010, when several organizations publicly disclosed they had been exploited by advanced, persistent threats that exfiltrated sensitive information using sophisticated techniques. While the APT has been at work in government and defense networks for years, these disclosures were taken as breaking news. What many organizations learned when they began combating this threat is that the APT requires different tools, techniques and practices. Conventional prevent-and-detect measures, such as anti-virus and IDS, fail to protect the victim, and often even the target's own personnel do more harm than good. This presentation focuses on hard drive forensics and dives into the technical aspects of recent, real incidents to illustrate what attendees need to know. We show information from case studies that reveals how the enemy conducts operations; details of the tools and malware he employs; vulnerabilities, exploits and social engineering tactics he uses to compromise the target; data exfiltration techniques; some mistakes that get the attacker caught; and how he hides in plain sight within an environment. We also discuss what attendees can do to more successfully identify, respond to and remediate the damage.

Configuring VMs

Thursday, 0830-0920; Location: Learning Center; Track: Forensics; Geek Meter: 2 Presenters: Special Agent David Shaver, Special Agent in Charge, United States Army, Computer Crime Investigative Unit; Special Agent Ryan Pittman, Digital Forensics and Research Branch, US Army CID This presentation covers the most common methods for converting an EnCase or DD image into a working Virtual Machine. In addition, it explains the steps necessary to overcome most activation issues and corrupt drives, and how to pull data from a Virtual Machine, which could enhance your examination/investigation. It also provides the necessary software to extract data from a running VM.

Data Exfiltration: Detection and Defense

Wednesday, 1100-1150; Location: Courtland; Repeat Session: Wednesday, 1330-1420; Location: Centennial Ballroom 4; Track: Defense Industry Base; Geek Meter: 2 Presenters: Dan VanBelleghem Jr., VP Information Assurance, NCI Information Systems; Tim Henderson, NCI Information Sys. Traditional IT defenses have concentrated on strong perimeter defense and hardened hosts. While these defenses remain imperative, new strategies for cyber protection are needed. CISOs and other security professionals are well aware that virtually any perimeter defense can be compromised by a knowledgeable, determined foe, whether by technical or social means. Attack vectors employed by nation-state threat actors have outflanked our layered defenses and, with reasonable expectation, the enemy is already within the network defense perimeter. The goal of cyber crime, cyber espionage and cyber warfare is acknowledged to include unauthorized disclosure, modification and/or withholding of information (aka denial of service). This presentation concentrates on how to prevent unauthorized disclosure of information and defines the characteristics of covert communication channels as well as techniques used to achieve stealthy data exfiltration. Real-time detection of advanced exfiltration techniques is problematic; however, having defined the channels and means of data theft, approaches and techniques to detect and mitigate the vulnerability are discussed. Attendees will take away an understanding of the following: the breadth and scope of the threat landscape, motives/objectives of threat actors in government domains, covert communication channels, stealthy data exfiltration and detection techniques.

Coordination Between Law Enforcement and Computer Network Defense Organizations

Friday, 1000-1050; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 2 Presenters: Kathleen Buonocore, Director, RCERT-CONUS; Special Agent Charles Clapper, Arizona Branch Office CCIU The Regional Computer Emergency Response Team-CONUS and the Arizona Branch Office Computer Crime Investigative Unit have been co-located since 2000. During this time the organizations have established processes that support the efforts to provide for the Computer Network Defense of the LandWarNet and law enforcement investigative requirements, two requirements that are often seen to be in conflict. A successful blending of efforts done within legal and regulatory guidelines allows each organization to achieve mission success and support each other in the successful execution of their missions.

by companies and organizations. This presentation illustrates ways to limit the attacker's advantages and mitigate cyber threats in a timely manner. The presenter discusses a methodology to refine and develop enterprise security capabilities for effective defense on the evolving cyber battlefield. The approach enables organizations to leverage existing enterprise investments and field integrated systems-of-systems that are interoperable and scalable. When combined with trained people and rigorous procedures, the capabilities create a vigilant security operations environment that will enable organizations to get a step ahead of adversaries and interrupt their attack chains. The methods can be implemented by organizations of any size and ensure the network visibility, situational awareness, collaboration, intelligence and prevention necessary to engage the APT in today's virtual world.

This presentation discusses practical advice for prosecuting computer crimes with a focus on gathering all of the evidence available. Too often prosecutions go forward before the government captures and analyzes all of the evidence. It also explores where to look both to prove your case and to disprove common defenses. Lastly, it looks at some common concerns and addresses unique aspects of trying your case under the Uniform Code of Military Justice.

Do You See What I See?

Wednesday, 1600-1650; Location: Grand Hall A; Track: Forensics; Geek Meter: 1 Presenter: Paul Cerkez, Software Engineer, DCS Corp/NSU As evidenced by the recent Russian spy ring scandal, digital steganography is being used for real-world operations. It is more than just a toy. These methodologies are used to hide communications between actors in criminal or covert activities. An inherent difficulty in developing steganography defensive attacks is overcoming the variety of methods for hiding a message and the various choices of media available. Their communications medium was discovered because of carelessness on their part. One method was found; were there others? When a message is transmitted in a non-textual format (i.e., in the visual content of an image), it is referred to as a semagram. Semagrams are a subset of steganography. Semagrams are relatively easy to create (as shown in previous years using the hiding techniques based on papers published by researchers from the University of Tehran, Iran). However, detecting a hidden message in or embedded as an image-based semagram is a grander magnitude of difficulty than typical digital steganography. In the counter-espionage world, the rule of thumb is that there is always a message hidden in an image or graphic; it is simply up to the steganalyst to find it. When digital steganographic software methods are applied to graphics or images to embed a message, the structure of the carrier medium is modified in some manner. Modifying the structure leaves traceable evidence. In a semagram, the image is the message, so there is no modification to detect. They work well for simple messages and dead drops. U.S. patents issued based on semagram technology show that this feature has been exploited in the copyright/watermarking world to increase protection. This presentation follows up the previous four years' presentations. It provides a brief summary of the technology underlying semagrams and presents a review of what has happened since last year's conference, as well as some new information: the latest trends and papers published on image-based steganography (semagrams); current status of the presenter's research; a demonstration of a simple program to create semagrams (hide messages in the visual content of an image); and testing results to date.

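The abstract's central contrast, that bit-level embedding alters the carrier's structure and leaves a trace while a semagram does not, can be shown on a small scale. The following is an added example, not the presenter's program: it embeds a payload in the least significant bits of a constructed greyscale raster and then applies the pairs-of-values chi-square test, which measures exactly the structural change LSB replacement causes. The image, the embedding scheme and the decision threshold are all choices made for this example.

```python
"""LSB embedding versus pairs-of-values (chi-square) steganalysis.

Added example; not code from the presentation or the presenter. It
illustrates why bit-level embedding leaves a statistical trace that a
semagram (where the picture itself is the message) does not. The image is
a constructed 8-bit greyscale raster held as a flat list of pixel values,
not a real photograph, and the detection threshold is illustrative."""
import random

WIDTH, HEIGHT = 256, 256
PAIRS = 128                      # value pairs (0,1), (2,3), ..., (254,255)


def make_cover(seed: int = 1) -> list[int]:
    """Constructed cover: a vertical gradient plus noise, with the LSB
    biased toward even values so the pair histogram is uneven, as real
    captures tend to be. Not derived from any real image."""
    rng = random.Random(seed)
    pixels = []
    for y in range(HEIGHT):
        base = (y * 255) // (HEIGHT - 1)
        for _ in range(WIDTH):
            v = max(0, min(255, base + rng.randint(-20, 20)))
            v = v & 0xFE if rng.random() < 0.7 else v | 0x01
            pixels.append(v)
    return pixels


def embed_lsb(pixels: list[int], payload: bytes) -> list[int]:
    """Sequential LSB replacement: one payload bit per pixel, MSB first."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in carrier")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def extract_lsb(pixels: list[int], n_bytes: int) -> bytes:
    """Receiver side: reassemble n_bytes from the first n_bytes*8 LSBs."""
    bits = [p & 1 for p in pixels[: n_bytes * 8]]
    return bytes(
        sum(bits[i + j] << (7 - j) for j in range(8))
        for i in range(0, len(bits), 8)
    )


def pov_chi_square(pixels: list[int]) -> float:
    """Pairs-of-values statistic. LSB replacement only ever turns 2k into
    2k+1 or back, so embedding random-looking bits drives the two counts
    of each pair toward equality. Each pair contributes a 1-d.f. chi-square
    term, so a fully embedded image scores close to PAIRS (128); an
    untouched cover with uneven pairs scores far higher."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat = 0.0
    for k in range(PAIRS):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected
            stat += (odd - expected) ** 2 / expected
    return stat


def looks_lsb_embedded(pixels: list[int]) -> bool:
    """Illustrative decision rule: flag when the statistic is within a
    factor of two of its random-embedding expectation. Tuning this for a
    real false-positive rate needs a corpus of clean images."""
    return pov_chi_square(pixels) < 2 * PAIRS


def random_payload(n_bytes: int, seed: int = 7) -> bytes:
    """Stand-in for an encrypted or compressed message (uniform bits)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))
```

Embedding a payload that fills the carrier collapses the statistic from the thousands down to roughly 128, which is the trace the abstract refers to. A short payload embedded sequentially only equalises the first pixels and will not trip this whole-image test; steganalysis tools address that by sliding the test over the image. None of this applies to a semagram, whose pair histogram is simply that of an ordinary picture.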
DC3 Digital Forensics Challenge 2010 Acknowledgment of Winning Teams

Thursday, 0830-1020; Location: Centennial Ballroom 1; Track: Forensics; Geek Meter: 3
Presenter: Randolph Georgieff, DC3/FX DF Challenge Team Lead, Department of Defense Cyber Crime Center/Futures Exploration

This session includes a short pre-briefing on the types of challenges selected for inclusion in the DC3 Digital Forensics Challenge 2010 and the reasons for the various categories of the 2010 Challenges. The winning team members in each category, their affiliations and some brief remarks concerning their processing of the challenges are included.

Deploying Advanced Features of the Cellebrite UFED

Wednesday, 1300-1350; Location: Grand Hall A; Track: Forensics; Geek Meter: 3
Presenter: Steve Hickey, Instructor/Course Developer, DCITA

Are you getting the best use of your UFED? The Cellebrite UFED has many advanced features and settings which can aid your logical data extractions. Topics covered in this presentation include the three methods of updating the UFED, authenticating UFED users, and entering case information directly into the UFED. Additionally, we take a detailed look at the Report Manager software and demonstrate its customization features, along with contact packs and data extraction directly to a PC. Included is a segment covering practical tips and tricks for using the UFED. This presentation is intended for everyday users of the UFED who want to improve their skills and streamline UFED administration.

Deep Packet Inspection: Protecting Federal Agency Networks against the Next Generation of Cyber Threats

Thursday, 0930-1020; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2; Law Enforcement Only
Presenter: Greg Kopchinski, Director of Product Management, Bivio Networks, Inc.

Malicious cyber activity targeting federal IT infrastructure is on the rise. It is no longer a question of if, but when, a network will come under attack, and whether federal agency network managers have the technology necessary to quickly identify and mitigate potential threats. This presentation demonstrates how DPI-enabled networking solutions can be deployed to address new and existing network threats and vulnerabilities that threaten national security. The presentation also gives attendees insight into how fully customized data mining and collection, as they relate to network security, can provide traffic analysis and management solutions in government and commercial organizations.

Developing Process for the Extraction and Documentation of Cell Phone Evidence

Friday, 0900-1050; Location: Centennial Ballroom 1; Track: Forensics; Geek Meter: 2
Presenter: Cynthia Murphy, Detective, Madison Police Department

Digital forensic examiners have seen a remarkable increase in requests to examine data from cellular phones. The examination of cellular phones and the extraction of data from them present a number of challenges for forensic examiners. Because of this, the development of guidelines and processes for the extraction and documentation of data from cellular phones is extremely important. The presenter covers her recently published paper, which introduces a framework for developing process in cell phone forensic examinations. She also provides sample forms, flow charts and other useful documents for forensic examiners who work on cell phones.

Defeating APT through Capabilities-Based Security Operations

Thursday, 1500-1550; Location: Fairlie; Track: Information Assurance; Geek Meter: 1
Presenter: Tim Treat, Manager, Mandiant

The Advanced Persistent Threat (APT) and other sophisticated cyberspace attackers maintain significant advantages against conventional security systems used

Dynamic Attack Redirection to Honeypots

Friday, 1000-1050; Location: Inman; Track: Research and Development; Geek Meter: 2
Presenters: Chris Rankine III, Research Scientist, Georgia Tech Research Institute, Georgia Tech Information Security Center; Dan Tabor

In most environments, honeypots are benign systems collecting information about broad-scoped attacks, and IDS policy blocks an attack as soon as it is detected. What if a system could be designed to redirect an attack an IDS detects towards a honeypot segregated from the production network? Would that system be able to capture a full attack, including full payloads and information about intention, while keeping the rest of the network safe? This presentation covers this concept and discusses the need, possibility and implementation issues associated with dynamic honeypot redirection. It concludes with some examples of a redirector in operation.

Do You Have the Full Digital Picture? Digital Evidence in Child Porn Prosecutions

Friday, 0900-0950; Location: Baker; Track: Legal; Geek Meter: 1
Presenter: Captain Joe Kubler, Appellate Government Counsel, Air Force Government Trial and Appellate Counsel Division

34 | Conference and Exposition Produced by Technology Forums || www.GovernmentMeetings.com

Session Descriptions

External, Transparent Malware Analysis and Its Applications

Thursday, 1330-1420; Location: Fairlie; Track: Information Assurance; Geek Meter: 3
Presenters: Paul Royal, Research Scientist, Georgia Tech; Christopher Smoak, Research Scientist, Georgia Tech Research Institute

Malware has become the centerpiece of many security threats on the Internet. Malware analysis is important for information security practitioners because it is the basis for understanding the intentions of malicious programs. Current malware analysis approaches reside in the guest OS or emulate part of its underlying hardware, which leaves them vulnerable to detection and attack by modern malware. To combat this problem, we present an alternative, external approach to malware analysis. The resulting tool, called Ether, operates outside of the guest through the use of hardware virtualization extensions. In addition to demonstrating Ether's efficacy as a stand-alone malware analysis tool, we describe the use of its underlying idea as the core of an automated malware analysis system that processes tens of thousands of new malware samples each day to produce actionable intelligence.

Exploiting Facebook Artifacts

Friday, 1000-1050; Location: Dunwoody; Track: Forensics; Geek Meter: 1
Presenter: Robert Spitler, Forensic Lead Specialist, DC3

Facebook is a privately held social networking website operated by Facebook, Incorporated, with over 500 million users worldwide. Chances are high that a forensic examiner will at some point encounter suspects who have been using Facebook to communicate with victims and with other suspects. This presentation begins with a brief explanation of the origins and history of Facebook and how it is being used to commit or facilitate crime. It also identifies issues specific to evidentiary Facebook artifacts. The myriad issues involved with locating, identifying and reporting on web artifacts are discussed, and solutions are presented to assist with examinations. The discussion then focuses on data located in the Microsoft Internet Explorer web cache, unallocated space, swap files, file slack, etc. The presentation covers the keyword searches that have the highest success rate in locating data specific to the suspect and his or her friends. Information is presented that shows how pages connect with each other and how that data looks when located in a forensic image; this assists the examiner in identifying and showing relationships between the suspect and any friends. Lastly, we look at the automated tools that can assist with extracting specific artifacts, such as chat conversations. These tools have limitations and typically extract data only from files located in the web cache.

Effective Expert Witness Testimony

Wednesday, 1330-1420; Location: Baker; Track: Legal; Geek Meter: 1
Presenter: Donald Flynn Jr., Attorney Advisor, Department of Defense Cyber Crime Center

This presentation explains the legal requirements for being recognized as an expert witness, effective strategies for testifying, answering cross-examination and dealing with discovery requests, and especially their application to digital forensics.

Espionage: A System Dynamics Model of Crimes against Our National Security

Wednesday, 1500-1650; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 1
Presenter: Adam Cummings, Member of the Technical Staff, Software Engineering Institute-CERT Program

Since 2002, the Insider Threat Center at CERT has researched four types of criminal activity relating to an insider's use of information technology (IT): sabotage, theft of intellectual property (IP), fraud and espionage. This research has been based on empirical evidence, by way of coding the behavioral, technical and organizational elements of real-life cases adjudicated in the U.S. criminal court system. The coded database has grown to over 400 cases of insider threat activity and has been used to conduct several types of analysis, including system dynamics models, which are used to demonstrate the interaction of variables in a complex problem and develop a crime profile. To date, the Insider Threat Center has developed profiles of IT sabotage and theft of IP, which effectively demonstrate the nature of the problem that has led to significant disruptions of U.S. organizations, both public and private. This session demonstrates our third crime profile, which centers on espionage and the constant threat to our national security information.

Feeding Incident Response into Your Detection Systems

Thursday, 0930-1020; Location: Fairlie; Track: Information Assurance; Geek Meter: 2
Presenter: Patrick Mullen, Research Engineer, Sourcefire Incorporated

With cyber threats by nation-states against U.S. government agencies on the rise, the Obama Administration has made effective cybersecurity a strategic priority. A 2009 report from the Homeland Security Department's U.S. Computer Emergency Readiness Team (US-CERT) documented a vast increase in breaches in the Federal Government in the past two years, from 5,144 cybersecurity incidents in agencies in fiscal 2006 to 18,050 in fiscal 2008. While today's threats and networks are more targeted and constantly evolving, most security solutions are static, leaving you blind to the network. And while your network security solutions may be new, chances are they are based on outdated assumptions. In this session the presenter discusses the shortcomings of today's network security and best practices for agencies as they strive to improve their cybersecurity infrastructure. The session addresses the importance of intelligent network security and the need for full network visibility, relevant context, automated impact assessment and IPS tuning, and illustrates the need for network security that adapts to dynamic networks and threats in real time.

Evidence-Based Security: Better Management through Better Measurement

Wednesday, 0930-1020; Location: Auburn; Repeat Session: Wednesday, 1500-1550; Location: Fairlie; Track: Defense Industry Base; Geek Meter: 2
Presenter: Christopher Porter, Senior Analyst, Verizon

The presenter examines data requirements for justified decisions, as well as the many misconceptions that litter the road toward developing a risk-based security program. This foray into theory and principles is given a practical foundation through data from breach investigations conducted in 2009, plus the 2004-2008 dataset previously released. Some of the findings addressed in this presentation include: Who is behind data breaches? How do breaches occur? What commonalities exist? Where should mitigation efforts be focused? Finally, these findings are applied, enabling CISOs and security executives to rely on efficient and effective strategies to reduce risk and guide strategic decision-making. The complete 2010 Data Breach Investigations Report may be accessed online: http://www.verizonbusiness.com/resources/reports/rp_2010data-breach-report_en_xg.pdf?&src=/solutions/security/index.xml&id=

Exploring Font-Based Steganography with a Focus on Tool Development

Thursday, 1100-1150; Location: Inman; Track: Research and Development; Geek Meter: 2
Presenters: Michael Cyr, Security Engineer, CSC; Vincenzo Pierorazio, Secure Innovations

The world of steganography has become stale as the same exfiltration techniques become easier and easier to detect. Once any major steganalysis tool can find the hidden payload, it's game over. It's time to look past the JPGs and into new and even stealthier techniques. In this day and age we already know to look for the malicious PDF, the macro-enabled Word file and the image file as possible points for leakage, but in this session we examine just how easy it is to create a program that utilizes a rarely documented steganography technique. Furthermore, since the attacker always has it easy, we go the next step and present a tool for detecting this type of anomaly. Welcome to the world of Font Color Based Steganography.

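The technique the abstract names can be built in a few dozen lines, and so can a detector for it. The following is an added example, not the presenters' program or their detection tool: it hides a message in HTML by colouring each character either #000000 or #000001 (identical on screen), and the detector hunts for the anomaly a designer would never produce, namely two colours too close to tell apart. The length-prefix framing, the colour tolerance and the sample documents are choices made for this example.

```python
"""Font-colour steganography in HTML and a detector for it.

Added example, not code from the session or its presenters. It implements
the idea the abstract names in its simplest form: each character of a
cover text is coloured either #000000 or #000001. The two render
identically, so a reader sees ordinary black text while the colour
attribute carries one bit per character. The payload is length-prefixed
so the decoder knows where it ends. The tolerance used to call two
colours "the same to the eye" and the sample documents are choices made
for this example."""
import html
import re
from html.parser import HTMLParser

ZERO_COLOUR = "#000000"
ONE_COLOUR = "#000001"          # visually indistinguishable from black
HEX_COLOUR = re.compile(r"#[0-9a-f]{6}")


def _to_bits(data: bytes) -> list[int]:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def _from_bits(bits: list[int]) -> bytes:
    usable = len(bits) - len(bits) % 8
    return bytes(
        sum(bits[i + j] << (7 - j) for j in range(8))
        for i in range(0, usable, 8)
    )


def embed(cover_text: str, secret: bytes) -> str:
    """Wrap each cover character in a span whose colour encodes one bit of
    a 2-byte length prefix followed by the secret. Characters beyond the
    payload stay #000000 so the page looks uniform."""
    bits = _to_bits(len(secret).to_bytes(2, "big") + secret)
    if len(bits) > len(cover_text):
        raise ValueError("cover text too short for payload")
    spans = []
    for i, ch in enumerate(cover_text):
        colour = ONE_COLOUR if i < len(bits) and bits[i] else ZERO_COLOUR
        spans.append(f'<span style="color:{colour}">{html.escape(ch)}</span>')
    return "<p>" + "".join(spans) + "</p>"


class _ColourWalker(HTMLParser):
    """Records the CSS colour in effect for every text character."""

    def __init__(self):
        super().__init__()
        self._stack = []
        self.chars = []                     # (character, colour) in order

    def handle_starttag(self, tag, attrs):
        colour = self._stack[-1] if self._stack else None   # inherit
        for decl in (dict(attrs).get("style") or "").split(";"):
            prop, _, value = decl.partition(":")
            if prop.strip().lower() == "color":
                colour = value.strip().lower()
        self._stack.append(colour)

    def handle_endtag(self, tag):
        if self._stack:
            self._stack.pop()

    def handle_data(self, data):
        colour = self._stack[-1] if self._stack else None
        self.chars.extend((ch, colour) for ch in data)


def _rgb(colour: str):
    return tuple(int(colour[i:i + 2], 16) for i in (1, 3, 5))


def detect(document: str, max_delta: int = 2) -> dict:
    """Flag documents that use two colours closer than max_delta per
    channel (invisible to a reader, pointless for a designer) and, if
    exactly one such pair exists, try to read the bits back."""
    walker = _ColourWalker()
    walker.feed(document)
    colours = sorted({c for _, c in walker.chars if c and HEX_COLOUR.fullmatch(c)})
    near = [
        (a, b) for i, a in enumerate(colours) for b in colours[i + 1:]
        if max(abs(x - y) for x, y in zip(_rgb(a), _rgb(b))) <= max_delta
    ]
    result = {"suspicious": bool(near), "near_pairs": near, "payload": None}
    if len(near) == 1:
        zero, one = near[0]                 # lower hex value read as 0
        bits = [int(c == one) for _, c in walker.chars if c in (zero, one)]
        raw = _from_bits(bits)
        if len(raw) >= 2:
            length = int.from_bytes(raw[:2], "big")
            if 2 + length <= len(raw):
                result["payload"] = raw[2:2 + length]
    return result
```

The detector keys on the one thing the technique cannot avoid: the document must contain colour values that differ yet render identically. A real scanner would apply the same test to word-processor formats (run properties in the document XML) and to other invisible attributes such as font size or kerning, which carry bits the same way.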
Financing Terrorists and Criminals: The Impact of Non-Traditional Monetary Systems and the Internet on Homeland Security

Wednesday, 1330-1420; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1-2
Presenter: Phillip Osborn, Supervisory Special Agent, Department of Homeland Security

A significant aspect of our nation's homeland and national security strategy targets the financing that supports terrorism. New and non-traditional financial transfer and value systems, however, such as electronic currencies and pre-paid stored value cards, have emerged and continue to emerge, and they render various aspects of this strategy obsolete. This presentation provides an overview of these systems and identifies the various ways in which they can be exploited by terrorists and criminals to circumvent existing anti-money laundering and terrorist financing measures.

U.S. Department of Defense Cyber Crime Conference 2011: Cyber Hunters: Predators and Prey... | 35

F-Response to the Rescue

Wednesday, 0830-0920; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 1
Presenter: Joseph Fichera, Instructor/Course Developer, Defense Cyber Investigations Training Academy

F-Response is the must-have tool in your toolbox for all of your incident response/forensic investigations. This presentation is an overview of the remote forensic/intrusion investigation capabilities that can be applied to any situation or environment, in the field or in a corporate setting, using F-Response.

Firefox Extensions for Investigators

Thursday, 0830-0920; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 1
Presenter: Steven Bolt, Instructor/Course Developer, Defense Cyber Investigations Training Academy

This breakout session showcases several Firefox extensions that can assist investigators as they gather information online. The extensions allow an investigator to easily collect and verify IP addresses, registrant information, contact information and the geolocation of websites.

Forensic Data Extraction (FDE) Triage Tool

Thursday, 0930-1020; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 2; Law Enforcement Only
Presenter: William Dent, Chief, Forensic Data Extraction Section, Defense Computer Forensics Laboratory

The Defense Computer Forensics Laboratory (DCFL) Forensic Data Extraction (FDE) section will begin using version 3.0 of the FDE triage tool in CY10. The new tool adds basic registry information, different sorting features, and additional user features and capabilities. The new features are demonstrated at the tool demos and in briefing seminars. After-hours Birds of a Feather question-and-answer sessions can be added based on attendee responses or requests. This breakout is for law enforcement and legal personnel. NOTE: The DC3 Triage tool from DCCI should also be released this year, and a joint presentation of the two tools may be possible.

FTK Imager, Triage and Beyond

Wednesday, 1330-1420; Location: Grand Hall B; Track: Forensics; Geek Meter: 1
Presenter: Lucus Nelson, Instructor/Course Developer, Defense Cyber Investigations Training Academy

Attendees in this session learn how to use FTK Imager (a free tool) to conduct initial triage, imaging, custom searches and some limited deleted-file recovery. Attendees require some knowledge of forensic fundamentals, but this is a basic-level presentation. FTK Imager can also be run from a thumb drive for easy portability and the potential for black-bag operations.

Firefox Plug-ins Useful for Online Investigations

Wednesday, 1100-1150; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 2
Presenter: Jesse Varsalone, Instructor/Course Developer, Defense Cyber Investigations Training Academy

This session looks at plug-ins such as World IP and HostIP.info that can assist you in determining the IP address and country location of websites. Other plug-ins are covered, such as IP Geolocation Search and Flagfox, which provide the user with detailed geolocation information for websites. The IExif for Firefox plug-in provides geolocation information based on the GPS metadata embedded in picture files. Other plug-ins are also discussed and demonstrated during this presentation.

Forensic Training in a Digital Battlefield

Thursday, 1550-1650; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 3
Presenter: Catherine O'Keefe, Forensic Operations Senior Program Manager, NEK Advanced Securities Group, Inc.

This presentation addresses the role of digital and cellular forensics operations in the Global War on Terror.

Get Down and Dirty with Your Mobile Data

Thursday, 1330-1420; Location: Learning Center; Track: Forensics; Geek Meter: 2
Presenter: Amber Schroader, CEO, Paraben Corporation

Can you carve the latest tidbits out of your mobile evidence? Do you know where spyware is lurking, slowly stealing your privacy? Mobiles have become the number one source of moving data in the world, but can you move through the data clearly enough to gather the most valuable tidbits? Learn how to navigate cell phone file systems to find the latest data for your investigation.

First Thing We Do, Let's Kill All the Lawyers: A Criminal Investigator's Guide to Working with Those Pesky Prosecutors

Wednesday, 1550-1650; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1
Presenter: William Yurek, Senior Counsel, U.S. Dept of Justice

Attendees are given inside pointers on how to maximize their relationship with the prosecutors they work with, to achieve maximum results with minimal conflict. This session is presented by a current criminal investigator with over 14 years of federal prosecution experience and over 13 years of experience as a federal Special Agent.

Forensics Analytics Projects

Friday, 1100-1150; Location: Grand Hall A; Track: Forensics; Geek Meter: 1; Law Enforcement Only
Presenter: Steven Oxman, Senior Cost Analyst, U.S. Navy, Naval Center for Cost Analysis

Sometimes people living in the United States obtain credit card accounts overseas in nations that do not have financial treaties with the United States. Sometimes these people move money to these protected credit card accounts and then use their credit cards to purchase items in the United States. This way, these people do not have to make visible certain income and financial assets. Sometimes people living in the United States wish to transfer large sums of money around the United States without declaring these large fund transfers. These activities are usually illegal and usually occur in support of illegal activities (e.g., terrorism and money laundering). There are data capture, data analysis and analytics, and data presentation techniques that can assist agencies with ferreting out these illegal activities. This presentation highlights two such efforts.

Government IT Security Strategies

Thursday, 1500-1550; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 1
Presenter: John Bordwine, Public Sector CTO, Symantec Corporation

Each day we are seeing more security threats and attacks than ever before. To give you some perspective, just last year alone Symantec detected more than 3.2 billion cyber attacks, which is equal to one attack for every two people in the world. And the number is growing. Not only is the volume of attacks rising, but the threats are more sophisticated than ever. For example, we have seen threats now targeting specific people at organizations. Government organizations need to protect their most valuable asset, an enormous amount of information, from this growing number of threats. If a few of us share an e-mail, then that e-mail appears on our hard drives, in our sent mail folders, on our backup devices, on the company's backup system, and on our smart phones and PDAs. In some cases, the data might end up with a contractor or in a cloud infrastructure. Finding the data and securing it is not easy. To address this, the government needs to adopt an information-centric approach to security. This means asking the following questions: What sensitive information do I have? Where is it stored? How is it used? Who needs access to it?

Forensic Artifacts from the eMule P2P Client

Thursday, 0930-1020; Location: Learning Center; Track: Forensics; Geek Meter: 2
Presenter: Dr. Frank Adelstein, ATC-NY

eMule is a peer-to-peer (P2P) client that has been gaining popularity. Forensic investigators are seeing more cases in which eMule was used to share files. After running, eMule leaves numerous forensic artifacts on a computer that a forensic investigator can analyze to understand how it was used. This session describes the history of the eMule client (how it has evolved in the last eight years), how it works from a user's point of view, and the forensic artifacts it leaves on a computer. These artifacts let an investigator determine information including downloaded and shared files, servers and peers. We describe the most significant information available in files left by eMule and walk through a simple example to demonstrate how these bits of information can be put together.

Gun-Toters and Knuckle-Draggers: A Prosecutor's Guide to Working with Criminal Investigators

Thursday, 0930-1020; Location: Baker; Track: Legal; Geek Meter: 1
Presenter: Special Agent William Yurek, Senior Counsel, U.S. Dept of Justice

This session is intended for attorneys who work with criminal investigators on a regular basis. Attendees are given inside pointers on how to maximize their relationship with criminal investigators and achieve maximum results with minimal conflict. This session is presented by a current criminal investigator with over 14 years of federal prosecution experience and over 13 years of experience as a federal Special Agent.

If Appliances Could Talk

Friday, 0900-0950; Location: Learning Center; Track: Forensics; Geek Meter: 1
Presenter: Kristi Witsman, Lead Computer Forensic Specialist, SAIC

Most office and even household appliances now contain some type of memory, if not digital storage capabilities. Everything from the copy machine, fax machine, cars, GPS systems, network appliances and even some refrigerators store data that can be used to solve the many mysteries that life presents. Attendees are challenged to identify all of the devices used in a day in the life of an average white-collar professional. The presentation discusses the significance of the data stored on these types of devices and very simple strategies for discovering such information.

Hard Drive Forensics: Diagnostics and Understanding a Broken Drive

Wednesday, 1500-1550; Location: Kennesaw; Track: Research and Development; Geek Meter: 3
Presenter: Scott Moulton, President, Forensic Strategy Services

The goal of this session is to teach you how to handle a damaged hard drive and what your options are. We introduce you to the proper hardware, equipment and software that give you the best possibility and skills for completing this task, and identify the most viable path to recovering data from a failed hard disk or other storage device. The point is to help you determine what the problem is, so that you know whether it's the board, the heads, the media, etc. The presenter takes a shotgun approach to diagnostics by the process of elimination but, more significantly, explains when you should STOP before destroying your chance at important data.

Indicators of Compromise for Advanced Persistent Threats

Thursday, 1100-1150; Location: Grand Hall B; Track: Forensics; Geek Meter: 2
Presenters: Scot Lippenholz, Booz Allen Hamilton; Randy Robbins, Associate, Booz Allen Hamilton

This presentation discusses a variety of persistence and obfuscation techniques used by APT (Advanced Persistent Threat) related malware to ensure survival and elude detection. We discuss several techniques used by adversaries in recent intrusions (Windows services, StubPath, Run keys, ADS, etc.) and demonstrate how several different automated incident response tools can detect these methods.

Internet Isolation Using a Virtualized Hardened Browser

Thursday, 1550-1650; Location: Fairlie; Track: Information Assurance; Geek Meter: 2
Presenters: Jay Weinstein, L-3 WAN PM, L-3 Communications; Mark Fenkner, Principal Engineer, L-3 Communications; Bruce Hoy

In the face of a growing information warfare threat, secure architectural alternatives are being pursued by the DoD and the major Defense Industrial Base companies in an effort to design for the fight and the current high-threat Internet environment. Supporting these efforts, L-3 Communications is piloting virtualized hardened-browser capabilities designed to provide high-performance, high-security, isolated Internet access for its users and to tolerate exploitation. The security of this architecture is based on non-persistent virtual images that restart to a pristine state daily, and it has the significant added benefit of creating a virtual air gap between the internal corporate network and the Internet. This isolation provides the capability to disrupt or prevent adversary C2 and exfiltration channels, rendering the Advanced Persistent Threat benign. L-3 Communications is leading an effort within the DIB to explore isolating browser-based communications to the Internet from the unclassified network. The ongoing project included evaluation of several technologies and the down-selection and pilot of two solutions in a production environment. Included within this presentation is a full project update, including plans for an enterprise rollout, a demonstration of the solutions and an open discussion on the pros and cons of the solution and architecture.

How Criminals Build Botnets for Profit

Wednesday, 1500-1650; Location: Hanover E; Track: Forensics; Geek Meter: 2
Presenter: Gunter Ollmann, Vice President of Research, Damballa

Botnets are a de facto criminal business platform. This presentation discusses our latest findings from an ongoing, multi-year research effort into a large botnet group comprising 600+ active botnets. We focus on the remaining fundamental issues and mysteries, including botnet demographic and geographic profiling, criminal characteristics manifested by different botnet age groups, new detection avoidance tricks and the effectiveness of existing blocking and mitigation solutions. Based on the amount of data we have collected over the years regarding prolific botnets, we are able to conduct the first large-scale botnet demographic and longevity study. It is worth noting that about 11% of the botnet population is more than three years old, while 13% of the population is less than six months old. Further data analysis reveals other interesting differences among the various age groups, such as botnet size, mission task and geographic distribution of CnC (Command and Control) servers. We have discovered new techniques designed to evade the current botnet CnC detection mechanisms, e.g., a URI generator which can dynamically generate hundreds of thousands of unique URIs for a botnet CnC server, and the mapping of CnC server URIs to foreign-country IP addresses. Finally, we measure the effectiveness and weaknesses of common botnet mitigation solutions, including the sinkholes being deployed to break CnC communications.

Intelligence Gathering through Twitter

Wednesday, 1330-1420; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 2
Presenter: Brian Baskin, Deputy Lead Technical Engineer, Defense Cyber Investigations Training Academy

Twitter has evolved into the latest and most popular online chat system for entertainment fans and criminals across the world. Over 100 million user accounts send over a billion messages every month on the service to their friends, associates and partners. This presentation works through the service from the ground up, explaining its use and purpose while showing ways to collect information from targeted sources.

Intelligence Law in a Cyber World

Wednesday, 0930-1020; Location: Edgewood; Track: Legal; Geek Meter: 1
Presenter: Lieutenant Colonel Cindy Stanley, Deputy Staff Judge Advocate, AFOSI

This presentation details the intelligence oversight (IO) rules for DoD intelligence components, with a focus on U.S. person collection, retention and dissemination rules, as well as the specialized collection techniques and the rules governing their employment. The briefing not only covers the IO rules but also explores how they may impact intelligence-related cyber operations or investigations, or traditional intelligence operations or investigations that have a cyber component. Besides E.O. 12333 and DoD 5240.1-R, the briefing also explores how DoD policy has impacted the conduct of intelligence activities.

Internationalized Domain Names

Thursday, 1330-1420; Location: Grand Hall C; Repeat Session: Thursday, 1600-1650; Location: Courtland; Track: Defense Industry Base; Geek Meter: 2
Presenter: Michel Huffaker, Cyber Threat Analyst, Department of State

This session examines how Internationalized Domain Names (IDNs) and the new encoding they require pose new challenges to United States Government computer network defense professionals and analysts. Until the advent of IDNs, intrusion detection system signatures written in manufacturer-specific syntax offered the capability to effectively monitor network traffic. Now these signatures must be updated in order to monitor and analyze traffic on USG networks communicating with IDN-hosted web sites. Additionally, new initiatives for end-user education will be required in order to make USG personnel aware of the possible threats stemming from the global adoption of IDNs.

Fuzzy Hashing and the False Negative Rate

Thursday, 1100-1150; Location: Kennesaw; Track: Research and Development; Geek Meter: 2
Presenter: Matthew Nolan, Software Engineer, Defense Cyber Crime Institute

The presentation highlights the work being done with fuzzy hashing, and the statistical backing for it, to allow for better detection of parts of known files.

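The abstract above names the goal (matching parts of known files) but not the mechanism. The following is an added example, not the presenter's code and not the ssdeep library: a miniature context-triggered piecewise hash, a similarity score, and a probe that overwrites ever larger parts of a file to find where the match is lost, which is the false-negative behaviour the session title refers to. The rolling hash, trigger rule, piece hash, scoring and sample files are all simplified choices made for this example.

```python
"""Context-triggered piecewise hashing (the ssdeep idea) in miniature,
with a similarity score and a probe of when the match is lost.

Added example: not the presenter's code and not the ssdeep library. The
rolling hash, trigger rule, piece hash and scoring are simplified choices
made here (ssdeep uses an FNV piece hash, a 64-character signature target
and its own scaling). The sample files are constructed byte strings."""
import hashlib
import random

WINDOW = 7
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


class RollingHash:
    """Hash of only the last WINDOW bytes, so the same local content hits
    the trigger at the same place however much the file shifts around it.
    That locality is what lets CTPH tolerate insertions and deletions."""

    def __init__(self):
        self.win = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, b: int) -> int:
        old = self.win[self.n % WINDOW]
        self.win[self.n % WINDOW] = b
        self.n += 1
        self.h2 = (self.h2 - self.h1 + WINDOW * b) & 0xFFFFFFFF
        self.h1 = (self.h1 + b - old) & 0xFFFFFFFF
        self.h3 = ((self.h3 << 5) ^ b) & 0xFFFFFFFF
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF


def ctph(data: bytes, block_size: int) -> str:
    """One signature character per piece; a piece ends whenever the
    rolling hash hits the trigger value modulo block_size."""
    rolling, piece, sig = RollingHash(), hashlib.sha1(), []
    for b in data:
        piece.update(bytes([b]))
        if rolling.update(b) % block_size == block_size - 1:
            sig.append(ALPHABET[piece.digest()[0] & 63])
            piece = hashlib.sha1()
    sig.append(ALPHABET[piece.digest()[0] & 63])      # trailing piece
    return "".join(sig)


def fuzzy_hash(data: bytes) -> str:
    """'blocksize:sig:sig2', sig2 at double the block size so that files
    whose chosen block sizes differ by one step can still be compared."""
    block_size = 3
    while block_size * 64 < len(data):
        block_size *= 2
    return f"{block_size}:{ctph(data, block_size)}:{ctph(data, 2 * block_size)}"


def _edit_distance(a: str, b: str) -> int:
    """Insert/delete cost 1, substitution cost 2 (as ssdeep weights it)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]


def _score(a: str, b: str) -> int:
    # Require a shared 7-character run before scoring; without it two short
    # unrelated signatures can score well above zero by chance.
    if not any(a[i:i + 7] in b for i in range(len(a) - 6)):
        return 0
    return max(0, 100 - (100 * _edit_distance(a, b)) // (len(a) + len(b)))


def compare(h1: str, h2: str) -> int:
    """0..100 similarity of two fuzzy_hash() strings."""
    bs1, a1, a2 = h1.split(":")
    bs2, b1, b2 = h2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        return max(_score(a1, b1), _score(a2, b2))
    if bs1 == 2 * bs2:
        return _score(a1, b2)
    if bs2 == 2 * bs1:
        return _score(a2, b1)
    return 0                                   # block sizes too far apart


def constructed_files(seed: int = 42, size: int = 8192, overwrite: int = 200):
    """A base file, the same file with `overwrite` bytes replaced in the
    middle (a patched or partly overwritten copy), and an unrelated file."""
    rng = random.Random(seed)
    base = bytes(rng.getrandbits(8) for _ in range(size))
    patched = bytearray(base)
    start = size // 2
    patched[start:start + overwrite] = bytes(rng.getrandbits(8) for _ in range(overwrite))
    unrelated = bytes(random.Random(seed + 1).getrandbits(8) for _ in range(size))
    return base, bytes(patched), unrelated


def match_loss_point(base: bytes, seed: int = 42) -> int:
    """Smallest prefix overwrite (in 256-byte steps) at which compare()
    drops to 0 for this base: a crude probe of false-negative behaviour."""
    reference = fuzzy_hash(base)
    rng = random.Random(seed)
    for n in range(256, len(base) + 1, 256):
        patched = bytearray(base)
        patched[:n] = bytes(rng.getrandbits(8) for _ in range(n))
        if compare(reference, fuzzy_hash(bytes(patched))) == 0:
            return n
    return len(base)
```

A 200-byte overwrite in an 8 KiB file changes only the one or two signature characters whose pieces cover it, so the score stays high; a file that shares nothing scores 0 because it never reaches the shared-run gate. The probe shows the other side of the session's question: once enough of a file has been replaced that fewer than seven consecutive pieces survive, the match is lost even though part of the known file is still present, and that is where a false negative comes from.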
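For the Internationalized Domain Names session above, the practical detail is that an IDN appears in two forms: the Unicode name the user sees and the ASCII-compatible xn-- form that DNS, TLS and therefore IDS signatures actually carry. The following is an added example, not from the session or the Department of State: it converts between the two forms with Python's built-in idna codec and adds a simple look-alike check. The script test, the confusable table, the watch list and the hostnames are simplified pieces constructed for this example.

```python
"""IDN labels on the wire versus on screen, and a look-alike check.

Added example, not from the session or the Department of State. Python's
built-in "idna" codec does the Punycode/ACE conversion (it implements the
older IDNA2003 rules, enough to show the mechanics); the script test, the
confusable table and the watch list are simplified pieces written for
this example, and the hostnames are constructed."""
import unicodedata

# A few Cyrillic and Greek letters that render like Latin ones. Real
# confusable tables (Unicode TR39) are far larger; this is a sample.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}
CONFUSABLE_SCRIPTS = {"CYRILLIC", "GREEK"}


def to_unicode(host: str) -> str:
    """Any xn-- labels -> Unicode (what the user saw in the address bar)."""
    return host.encode("idna").decode("idna")


def to_ascii(host: str) -> str:
    """Unicode -> ACE form (xn--...), which is what DNS queries, TLS SNI and
    therefore IDS signatures actually carry."""
    return host.encode("idna").decode("ascii")


def scripts(label: str) -> set:
    """Crude script inference from Unicode character names: the first word
    of a letter's name is its script (LATIN, CYRILLIC, GREEK, CJK, ...)."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(host: str) -> str:
    """Map confusable letters onto their Latin look-alikes so that
    hostnames that render alike compare equal."""
    folded = unicodedata.normalize("NFKC", to_unicode(host)).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def assess(host: str, watchlist) -> dict:
    """Report the ACE and Unicode forms plus findings: a label that mixes
    Latin with a confusable script, or a skeleton equal to a watched
    domain's while the names themselves differ."""
    uni = to_unicode(host)
    findings = []
    for label in uni.split("."):
        present = scripts(label)
        mixed = present & CONFUSABLE_SCRIPTS
        if "LATIN" in present and mixed:
            findings.append(f"mixed Latin/{'/'.join(sorted(mixed))} in label {label!r}")
    sk = skeleton(host)
    for watched in watchlist:
        if sk == skeleton(watched) and uni != to_unicode(watched):
            findings.append(f"looks like {watched}")
    return {"ace": to_ascii(uni), "unicode": uni, "findings": findings}
```

A signature written against the Unicode spelling of a hostname will never fire, because the wire carries the xn-- label; conversely, a report that shows only the xn-- form hides the look-alike from the analyst. Decoding at ingest and running a confusable check against the organisation's own domains covers both gaps. Mixed scripts are not proof of abuse on their own (Japanese names legitimately mix several), which is why the check is restricted to scripts that are confusable with Latin.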
Interpreting the Suspect's Language Uncovers Hidden Data during the Forensic Analysis

Friday, 0900-0950; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1
Presenter: Jeff Naylor, Instructor/Course Developer, Defense Cyber Investigations Training Academy

Forensic analysis provides only one half of the evidence. Through a technique called language analysis, we completely unmask the suspect's behavior and intentions and reveal data that is critical to the investigation.

... provides an introductory explanation of these protocols, how they are used and how you can investigate within them. Recommended prerequisite knowledge: understanding of basic network terminology and IP addressing; understanding of the structure, content and analysis of full headers of SMTP e-mail.

... get started with malware analysis. You'll also see the approach in action in a live demo.

introduction to True Crypt


Wednesday, 0930-1020; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 1 Presenter: James Meyer, Instructor/Course Developer, Defense Cyber Investigations Training Academy During this basic introduction to True Crypt, the presenter will conduct a live demonstration on how to create and mount True Crypt volumes as well as encrypt an entire OS drive. Additionally, tools that may help an investigator identify the existence of True Crypt volumes and methods that may be used to crack True Crypt volumes are demonstrated.

introduction to Malware analysis with immunity debugger


Thursday, 0830-1020; Location: Hanover E; Track: Forensics; Geek Meter: 3 Presenter: Jason Upchurch Sr. Technical Lead, Intrusions, General Dynamics Immunity Debugger is a powerful user mode debugger designed with large a Python API for easy extensibility. It is a powerful tool to write exploits, reverse engineer, or in our case, analyze malware. The course is an introduction to debugger methods that will serve as a transition from those who have dynamic malware monitoring experience (sysinternals, capture bat, wireshark, et al.) to the use of a debugger as an augmentation to dynamic analysis. Some ASM/C knowledge is necessary to gain full use of the material. The session includes argument location/identification, command location, simple debugger hiding and introduction to patching. The first hour includees a lecture and case examples and the second hour practical experience for those who have their own machines. Machines will require Windows XP in a VM. Software setup will be posted online at Cyber4.us well before the class.

introduction to non-standard digital evidence


Thursday, 0830-0920; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 1 Presenter: Sig Murphy Sr. Lead Engineer, Defense Computer Forensics Laboratory, General Dynamics This briefing is an introduction to seizure and analysis for devices that do not fall under the typical PC/MAC workstation designation. The discussion covers console game systems (such as the XBOX360, Playstation 3, Wii, etc), portable devices (such as GPS devices, portable game systems and MP3 Players) and other non-standard digital evidence. The presentation is meant as an introductory field guide for first responders and forensic examiners. Device seizure and device analysis are covered for each device. In addition, a projection on future technologies and their impact on digital forensics is provided.

introduction to Tux4n6: nW3Cs digital Triage Tool


Thursday, 0830-0920; Location: Fairlie; Track: Forensics; Geek Meter: 2 Presenter: nicholas newman, nW3C TuX4N6is a forensically sound on-scene triage tool developed by NW3C with input from law enforcement agencies throughout the country. TuX4N6was designed specifically to address the needs and requirements of law enforcement officers performing on-scene computer triages. This session surveys the various search and preview features in TuX4N6and follow with a live demonstration.

introduction to embedded systems analysis


Thursday, 1100-1150; Location: Grand Hall B; Track: Forensics; Geek Meter: 2 Presenter: Sig Murphy, Sr. Lead Engineer, Defense Computer Forensics Laboratory, General Dynamics This briefing serves as an introduction to the exploitation (and analysis) of embedded systems (ES). Embedded Systems are specialized computing devices that are not deployed as general purpose computers. An embedded system is preprogrammed to perform a narrow range of functions with minimal end user or operator intervention. Many of the devices that we rely on each day, such as cell phones, routers and vehicles all contain embedded systems. Even though it takes a higher level of technical competency to access and alter an embedded system vice a general purpose computer, it is still possible to do so. Taking into consideration the role that ESs play in our critical systems, and potential supply chain concerns, it is sometimes necessary for an agency to perform an analysis on ESs to ensure their validity. This presentation introduces the most common ESs available today, how they can be exploited and how agencies can best safeguard their ES-reliant technologies.

investigating social networking sites


Friday, 1100-1150; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 1 Presenter: Steven Bolt, Instructor/Course Developer, Defense Cyber Investigations Training Academy This session demonstrates tools and methods for investigating social networking sites such as MySpace, Facebook, Twitter etc.

introduction to Manual unpacking with ollydbG/immunity


Thursday, 1500-1650; Location: Grand Hall B; Track: Forensics; Geek Meter: 3 Presenter: Jason Upchurch, Sr. Technical Lead, Intrusions, General Dynamics Packing and obfuscation of malicious software is becoming common place. It represents a significant, time-consuming portion of the malware analysis process. This presentation introduces methods used to defeat unpacking and covers downloadable scripts, patching, caves and manual extraction of de-obfuscated code. The first hour is a lecture and case examples by the instructor and the second hour is a practical experience for those who have their own machines. Machines will require Windows XP in a VM. Software setup will be posted online at Cyber4.us well before the class.

investigation of the Windows Media player database


Friday, 1100-1150; Location: Learning Center; Track: Forensics; Geek Meter: 2 Presenter: Ryan valencik, Computer Forensic Specialist, SAIC This is a detailed description of the forensically relevant information that can be parsed from the Windows Media Player wmdb file format. The demonstration details a byte-level breakdown of the .wmdb file as well as discuss related registry keys. Windows Media player artifacts are commonly used to show knowledge of possession of certain contraband materials and can be used to profile the typical use of a given user. This information will enhance any media related examination. The Windows Media Player database and associated registry keys silently collects data regarding user activity largely unbeknownst to the user. The data stored there will provide additional leads and clues to an examiner as well as corroboration of other data, statements and theories on the commission of a crime.

introduction to practical Malware analysis


Thursday, 1330-1420; Location: Grand Hall B; Track: Forensics; Geek Meter: 3 Presenter: Lenny Zeltser, Sr. Faculty Member and Director of Security Consulting, SAnS Institute and Savvis Malware analysis is a critical aspect of many digital forensics investigations. Yet, this skill set is still relatively rare and is deemed to be limited to practitioners with a strong programming background. This technical session presents a practical approach to reverse-engineering malicious software. The presentation outlines live behavioral analysis and some code analysis approaches, to make this topic accessible even to individuals with a limited exposure to programming concepts. Youll learn the fundamentals and associated free tools to

introduction to investigations in internet relay Chat (irC) and usenet (newsgroups)


Friday, 1100-1150; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 1 Presenter: Bryan Spano, Instructor/Course Developer, Defense Cyber Investigations Training Academy IRC and usenet are two protocols/venues on the Internet that facilitate a substantial amount of advanced criminal activity. Former FBI Special Agent Bryan Spano

38
Conference and Exposition Produced by Technology Forums | www.GovernmentMeetings.com
iPhone and iDevice Forensics
Wednesday, 1100-1150; Location: Inman; Track: Research and Development; Geek Meter: 2
Presenter: Andrew Medico, Computer Scientist, Department of Defense Cyber Crime Center
The Apple iPhone is an extremely popular cell phone, with over 50 million units sold to date. However, it is more than just a cell phone. Its hardware, software and capabilities are more like a miniaturized computer. Between the data intentionally stored on the device by the user and hidden data stored by the operating system to power special effects, it is a goldmine of forensic data. It contains records of associates, logs of communications (voice calls, voice mail, SMS, MMS, e-mail, instant messages), GPS and cell tower position data and more. This presentation covers the specific data found on the iPhone, data acquisition techniques and tools (including tradeoffs of speed vs. completeness and forensic soundness) and data analysis techniques, and demonstrates an automated analysis tool developed by DC3. The presentation also addresses applicability of the techniques to iPod touch and iPad devices.

Limewire RAM Analysis
Friday, 0900-0950; Location: Kennesaw; Track: Research and Development; Geek Meter: 2
Presenter: Tyler Oliver, Bloomsburg University of Pennsylvania
In any investigation it is possible for an examiner to face peer-to-peer (P2P) networking and file sharing. Therefore it is vital to understand where some important evidence may be contained. In the case of the well-known P2P application by Lime Company known as Limewire, key evidence can be found not only on the hard disk but also in random access memory (RAM). This presentation outlines what types of evidence can be uncovered in RAM, as well as the tools and techniques needed to sort through the vast amounts of data retrieved through RAM acquisition.

iPhones and Androids: Data Extraction and Controversy
Thursday, 0930-1020; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1
Presenter: Lee Reiber, CEO, Mobile Forensics, Inc.
This session covers extraction techniques for both the iPhone handset and the Android operating system. Learn what tools extract the most data logically and also what techniques can be used to obtain a physical image from these devices. Additionally, we discuss the controversy for both types of devices, centering on the rooting of the device to obtain a physical image. This type of recovery has been a debated technique in the cell phone forensics community. Come and find out why actually obtaining a quasi bit-by-bit copy of a phone's user area that can yield massive amounts of data might be frowned upon by some. We review the benefits and the inherent issues with these techniques so you can decide.

Learning Web Application Attacks, Defense and Forensics with OWASP BWA
Thursday, 0830-0920; Location: Courtland; Repeat Session: Thursday, 1600-1650; Location: Centennial Ballroom 4; Track: Defense Industry Base; Geek Meter: 2
Presenter: Chuck Willis, Technical Director, MANDIANT
The Open Web Application Security Project (OWASP) Broken Web Applications project (www.owaspbwa.org) provides a free and open source virtual machine loaded with web applications containing security vulnerabilities. This presentation describes the project and shows how it can be used for training and experimentation by individuals in a variety of roles. Demonstrations cover how the project can be used by people who discover and exploit web application vulnerabilities, people who prevent and defend against web application attacks, and people who respond to web application incidents.

Linux EXT File Recovery via Indirect Blocks
Thursday, 0830-1020; Location: Grand Hall A; Track: Forensics; Geek Meter: 3
Presenter: Hal Pomeranz, Principal, Deer Run Associates
Modern EXT file systems make recovering deleted files a challenge on Linux systems, and traditional file carving tools do a poor job of recovering files in the Linux environment. This is because of both a lack of well-defined end-of-file signatures in many standard Unix file formats and the indirect blocks (file metadata) contained within the data runs. However, it is precisely this metadata that can be leveraged to more exactly recover deleted data from Linux file systems. This presentation demonstrates new techniques and tools for recovering files from unallocated blocks in EXT file systems.

Is This Normal? The ABCDEs of Registry Analysis
Thursday, 1550-1650; Location: Dunwoody; Track: Forensics; Geek Meter: 2
Presenter: Elizabeth Schweinsberg, Forensic Analyst, Dept of Defense (U//FOUO)
Learn the ABCDEs of finding persistent malware in the Windows Registry. After a brief overview of the structure of the registry, learn how Autorun, Bounds, Chronology, Drivers, and Encryption will help you narrow the areas of the registry to examine to find the badness. The presentation focuses on tools and techniques that the practitioner can use right away.

Lifting the Lid on Cyber Espionage and Tracking Insider Threats
Wednesday, 1500-1550; Location: Learning Center; Track: Forensics; Geek Meter: 1
Presenter: Randy Lee, Director of Federal Engineering, Fortinet
While old-school hackers would offer their services to high-profile industrial spying operations, today's organized crime syndicates are combining social engineering, viruses, trojans and spyware to launch destructive and sophisticated blended threat attacks to target everyday users. These criminals, who once thrived on identity theft and extortion, continue to become increasingly successful and are now using these newer, more sophisticated threats to cast their nets wider and wider. Driven by profits, rogue nation-states, access to capital and efficient markets for identities and tools, cyber criminals are more and more targeting specific government organizations for rich opportunities to siphon valuable transactions or repositories of large collections of personal and mission-critical data that command high prices on the black market. Even with billions of dollars spent on security technologies, security breaches continue to rise. To effectively combat this breed of cyber criminals, government agencies must be aware of the culprits and their business models. This presentation provides an analysis of cybercrime's lucrative business models and strategies to protect government networks against this new face of organized crime using local and state government examples.

Live Device Acquisition and Analysis...and Why You Should Care
Wednesday, 1330-1420; Location: Dunwoody; Track: Forensics; Geek Meter: 2
Presenter: Ken Warren, Training Director, AccessData
Imagine the scenario where you are unable to take a machine down or even access it physically, but need to obtain critical files from it. In this session we show you how to remotely capture memory, image drives and even mount remote devices locally. In certain circumstances, using these types of techniques can be a lifesaver, not to mention saving the investigator countless hours of work and the risk of not getting the information at all.

Is Your Cell Phone Talking?
Wednesday, 1500-1550; Location: Edgewood
Presenter: Glenn Nick, Digital Forensic Practice Manager, SAIC
Mobile devices have evolved over the years, from simple means of voice communication to complex mini-computers. Users today have access to various software applications, which enable numerous functions including the processing, storage and transmission of material. Additionally, the capabilities for transmitting this information have broadened to include Internet access and Bluetooth connectivity in addition to simple text messages. With the evolution of these technological advances, we are now confronted with additional security concerns relating to the safeguarding and protection not only of our voice communications, but also the content material that we transmit and that which resides on the mobile device itself. There have been numerous instances we have all read/heard about via countless news stories of text messages, voice conversations/messages that have mysteriously appeared in various tabloids, revealing personal information. How did this information migrate from an individual's personal phone to the front page of the tabloid? Was the phone stolen or did an inside source hear the conversation/message or see the content of the text messages? How were the actual conversations and entire content of the messages removed from the phone? These incidents present a broad spectrum of concerns, not only for personal users, but also government.

Mac Analysis in the Windows Environment
Wednesday, 0830-1150; Location: Grand Hall B; Track: Forensics; Geek Meter: 1
Presenter: Rob Maddox, Senior Instructor and Manager, Contract Trainer Program, AccessData
Ever heard that you must use a Mac to examine a Mac? Not so any more. This three-hour session focuses on examining HFS drive structure to image, examine, and report on Macintosh evidence. Attendees also examine property lists and the SQLite databases on Macintosh systems to recover the same type of evidence found in Index.dat files, the registry and link files on Windows systems. Students learn to recover artifacts from the Safari and Firefox browsers including cookies, download path entries, form data, browser history, cache files, bookmarks, chat files and sign-on passwords.

Malware Analysis for Non-Coders/Developers
Thursday, 1100-1150; Location: Centennial Ballroom 4; Track: Defense Industry Base; Geek Meter: 2
Presenter: Michael Robinson, Chief Information Officer, DoD Business Transformation Agency
Even with firewalls, host-based security systems and anti-virus solutions in place, malware is still creeping into the NIPRNet. Identifying and removing malware is as much art as it is science. Reverse engineering of these pests is often easier for those people who are developers, programmers, or coders. But what about technical personnel who don't write code? What are they to do? This presentation walks you through attack vectors, malware analysis and removal.

Mobile Technologies in a Digital Battlefield
Friday, 1000-1050; Location: Learning Center; Track: Forensics; Geek Meter: 3
Presenter: James McCarter, Forensic Ops Senior Program Manager, NEK Advanced Securities Group
This session addresses the fact that exploitation of enemy mobile communications and devices is essential in ensuring that missions are carried out in an expeditious manner. Addressing and adapting to mobile device vulnerabilities is paramount in giving the war fighter the offensive edge.

Mac Triage: Do You Know What You Are Missing?
Wednesday, 1330-1650; Location: Centennial Ballroom 1; Track: Forensics; Geek Meter: 3
Presenter: Drew Fahey, Director of Forensics, BlackBag Tech.
This lab is aimed at experienced forensic professionals with some experience working in a Mac environment. During this session, designed specifically for the first responder, participants will gain a limited understanding of a handful of Mac forensic tools and processes. The class includes scenario and lecture instruction to help students better understand, as context for potential evidence retrieval, how suspects use and store files on their Macs. Additionally, participants learn how to conduct forensically sound previews of Mac systems to decide whether there is a need for further analysis or not. You will discover the areas of greatest interest to the investigator when you first come into contact with a Macintosh computer. Live RAM memory and device imaging are included in this session. In addition, attendees learn how to easily and quickly analyze iPhones, iPod Touches and iPads in the field and in a lab setting.

Metadata Analysis for Digital Forensics Triage
Friday, 1000-1050; Location: Kennesaw; Track: Research and Development; Geek Meter: 2
Presenter: Jimmy Wylie, University of New Orleans
In the case of digital forensics triage, the investigator is faced with processing large amounts of data in a very limited timeframe (~20 to 30 minutes). With hard drives consistently becoming larger, it becomes more apparent that today's file browser-based investigative platforms are ill equipped to handle this scenario. File system metadata provides an interesting way to help alleviate this problem, as it is small and can be parsed quickly. However, current tools amount to producing a long list of files with MAC times which the investigator must tediously read through. We present a metadata analyzer that, through the use of visualization techniques and statistics, offloads some of the analysis to the computer and allows the investigator to more easily find anomalies in large sets of data.

Modding and Miniaturization
Thursday, 0830-0920; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 2
Presenter: Martin Easton III, Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
This session explores the hobby of modding (modifying computers beyond their original design specifications) and the ongoing miniaturization of electronics in general and computers specifically. It also explores the implications of such in a search and seizure environment.

Monetizing the Hack: From Data to Cash
Wednesday, 0830-0920; Location: Fairlie; Track: Law Enforcement; Geek Meter: 2
Presenter: Ernest Hilbert II, President, Online Intelligence
This presentation is about what truly happens after the hack from the perspective of the hacker. It covers how the data is used and turned into profit. All data is valuable, even the unclassified data. In order to truly fight cyber crime you have to know not only what happened but what happens next. There is no room for assumptions, guessing or speculation.

Making the DCFL Forensic Process Work for You
Friday, 1000-1050; Location: Baker; Track: Legal; Geek Meter: 1
Presenter: Donald Flynn Jr., Attorney Advisor, Department of Defense Cyber Crime Center
Digital evidence and cyber crime cases are not often discussed in law school or in agent training. DCFL is swamped with requests for digital processing. If you understand the process and the opportunities for using it for the maximum benefit of your office, you will be better able to prosecute such cases and will be able to do it in less time. This presentation helps you achieve both goals.

mIRC
Wednesday, 1500-1550; Location: Auburn; Track: Information Assurance; Geek Meter: 1
Presenter: Steven Bolt, Instructor/Course Developer, Defense Cyber Investigations Training Academy
Internet Relay Chat is a tried and true protocol that is still a viable out-of-band communication channel that is leveraged by the opposition. IRC networks are being used to obfuscate communication between adversaries, and the high-tech investigator needs to become aware of the usage of IRC clients. This session provides attendees with the necessary information to effectively download, install and utilize an IRC client to initiate a data collection effort. Examples are provided that show the way in which IRC is being implemented in the field and how the information is relevant.

National Repository for Digital Forensic Intelligence (NRDFI)
Wednesday, 1330-1420; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 3; Law Enforcement Only
Presenters: Brian Andrzejewski, Digital Forensics Team, Outreach, Webmaster, Department of Defense Cyber Crime Center/Futures Exploration; Dr. Mark Weiser, OSU; Dr. David Biros, OSU; Jason Nichols
The Department of Defense Cyber Crime Center (DC3) Futures Explorations (FX) Digital Forensic Intelligence (DFI) partnered with Oklahoma State University's Center for Telecommunications and Network Security (CTANS). This partnership created a national repository of digital forensic intelligence to facilitate timely discovery of evidence in criminal and counterintelligence investigations, as well as the exploitation of digital media acquired in the Global War on Terrorism. The NRDFI contains information that is directly related to digital forensic and cyber investigations. The NRDFI was created to collect this information so it can be shared with the law enforcement community.

Malware Analysis (That Almost Anyone Can Do)
Wednesday, 0930-1020; Location: Dunwoody; Track: Forensics; Geek Meter: 2/3
Presenter: Philip Dellorso, Digital Forensic Examiner, Cyber Counterintelligence Activity
Malware analysis can be done without reverse engineering or deep knowledge of binary or machine code. This presentation shows you how to conduct malware analysis on a limited budget and with limited resources. Using readily available and free software tools, you learn some simple techniques for determining the threat posed to your organization by malicious software.

Mobile Tagging or Tag Your IT
Wednesday, 1500-1550; Location: Grand Hall B; Track: Forensics; Geek Meter: 1
Presenter: Mark Neno, Instructor/Course Developer, Defense Cyber Investigations Training Academy
Use of mobile barcodes (or mobile tagging) is discussed to enable their proper identification, to understand their potential as a covert communications channel for the dissemination of URLs, text, phone numbers and contact information, and to explore the possibility of their use for the introduction of malware. Concepts for the creation and examination of mobile barcodes are presented. Many barcode types are discussed with an emphasis on Microsoft Tag and QR Codes.

near real Time audit data analysis Comes of age
Thursday, 0830-0920; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2 Presenter: Dr. Bruce Gabrielson, Lead Technical Advisor, nSA CnD R&T PMO (BAH) Current CND strategies are focused on protecting DoD information systems and limiting an adversarys ability to impact the networks on which these information systems reside. This presentation addresses a new technology developed at NSA in cooperation with DC3 and other defense and intelligence community organizations. The Data Extraction utility is designed to enable automated parsing, normalization, extraction, aggregation, filtering and then detection of insider threat attack patterns based on log and log-like data in near real time on network platforms. It can be deployed as an agent separately or within the DoDs Host-Based Security System infrastructure on workstations, plus is also deployable on web and DNS Servers, printers, routers and firewalls to detect attacks normally undetectable through other means. DEu is highly scalable and secure, includes data integrity checks for extracted data, has a significantly low false positive rate, and fits the gap area between massive data collection and analysis verses practical data collection based on risks. It also takes advantage of new standards for reporting and log data expression. activities are identified, the payload may be encoded, making it harder for digital investigators to determine what occurred. This presentation provides valuable insight on exposing covert communications channels, data leakage and other unauthorized network activity. Event correlation and practical techniques to ferret out anomalous network traffic will be discussed along with analytical techniques for recognizing beacon Trojan activity and covert communications channels. At the end of this presentation attendees leave better equipped to identify and analyze anomalous network activity and perform in-depth investigations. how physical acquisition and analysis tools operate.

nTfs on-disk structures


Thursday, 1330-1650; Location: Centennial Ballroom 1; Track: Forensics; Geek Meter: 2 Presenter: Christopher Taylor, Senior Investigator, HarrisCrucial Security Programs This presentation is a detailed analysis of NTFS from the view of how the data is actually laid on the drive. The forensic tools we use on a daily basis show us what files are present on a disk and give us considerable extra information about these files, such as various dates and times. But, where do these tools get this data from? In this session we examine a disk from the hex view and explain what those tools are reading in order to provide that data to us. Understanding of how and where the tool got the information is vital when it comes time to defend that tool and your processes on the stand.

new forensic linux boot Cd


Wednesday, 0930-1020; Location: Inman; Track: Research and Development; Geek Meter: 1 Presenter: Maurice Calhoun, Senior Engineer, Defense Cyber Crime Institute Present the new Linux Boot CD for first responders. The CD is based on a Linux platform with the necessary software for the incident responders to gain access to the pertinent forensic information from both Live and Dead boxes.

officer safety in a digital environment


Wednesday, 0830-1150; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 1 Presenter: victor Watson, Law Enforcement Program Specialist, Federal Law Enforcement Training Center This session is a case study review where attendees see systematically how easy it was to identify an undercover police officers identity through his unsafe use of social networking sites, which could possibly lead to his safety and the safety of others being placed at risk. Goals of the program are to increase the awareness among military and civilian law enforcement how adversaries collect intelligence using open source methods and to introduce a simple risk management methodology, along with countermeasure tools, to counter the adversarys collection methods to lower the risk to public safety personnel. Attendees receive a training package containing Lesson Plan, PowerPoint, Training Manual, Presentation Strategy Guide, Supporting Video and access to a secure portal with tools to work in a secure environment free of charge.

new lab, new Cocom, new network, new Challenges


Wednesday, 0830-1020; Location: Grand Hall C; Track: Defense Industry Base; Geek Meter: 2 Presenter: James Cornell, Senior Forensic/Malware Examiner, U.S. Africa Command The AFRICOM Cyberspace Engagement office is tasked with a wide range of CNA/CND/CI and traditional forensic support. This session discusses the fast pace and constantly changing role of the Stuttgart Regional Network Analysis Lab (SR-NAL) and the lessons learned. Combining traditional forensics with malware analysis and network traffic analysis into a single report for many audiences, this dynamic type of lab is redefining the way leadership views the Cyber Ninjas assigned to do everything from zero day triage to in depth examinations of media collected in the field. Topics include the following: the new mindset this type of lab requires; getting malware and forensic analysts to work together; leveraging resources to streamline report dissemination; the use of LE and CI information from a single case; the many shades of purple when working in a new command. Standing in the middle of DISA, EuCOM and AFRICOM kevlar required.

network Monitoring for Cyber security


Wednesday, 0830-0920; Location: Auburn; Repeat Session: Wednesday, 1300-1350; Location: Fairlie; Track: Defense Industry Base; Geek Meter: 1 Presenter: Dr. Paul Krystosek, Analysis Team Lead, Software Engineering Institute CERT network Situational Awareness Group The scope of network monitoring covers a wide range of technologies. Full packet capture, storage and analysis are the most demanding in terms of storage capacity, analytic capability as well as legal and privacy issues. The other end of the spectrum is sampled network flow monitoring which stores the least amount of information that is still useful in a cyber security context. In between are several technologies each with its own strengths and weaknesses. What are the relative merits of each technology? Once youve captured and stored the data, what can you do with it? In this presentation we compare and contrast several network monitoring strategies and implementations.

open source vs. Closed source Which is More secure?


Wednesday, 1330-1420; Location: Kennesaw; Track: Research and Development; Geek Meter: 2 Presenter: James Arnold, Instructor/Course Developer, Defense Cyber Investigations Training Academy This session provides is an objective look at the world of open source software versus closed source from a security perspective. Security is a major concern both in networks and software. Just about every week we hear about a security hole in a piece of software. Some of these holes are in proprietary software and a few even show up in open source software. When we weigh the two against each other which one makes the most sense in an environment where security is paramount?

Network Traffic Analysis: Sipping from the Firehose

Thursday, 0930-1020; Location: Inman; Track: Research and Development; Geek Meter: 2
Presenter: Eoghan Casey, Founding Partner, cmdLabs

This presentation covers tools, techniques and challenges associated with investigating sophisticated network intrusions, with a focus on finding the roots of problems in network traffic. When full packet captures are available, they can contain all of the details pertaining to an incident, including how an intrusion occurred and whether data was stolen. However, it can be difficult to separate the important details from legitimate user activities, particularly when dealing with terabytes of network traffic. Even when malicious

Nokia Series 40 Physical Acquisition and Analysis Internals

Wednesday, 1100-1150; Location: Fairlie; Track: Research and Development; Geek Meter: 2
Presenter: Brian Carrier, Director of Digital Forensics, Basis Technology

Nokia mobile phones can be found all over the world, making it important for a digital investigator to be able to acquire as much data from them as possible. This session examines the lower-level details of acquiring and analyzing Nokia Series 40 phones, which are the non-Symbian Nokia models, and covers the basics of the F-Bus protocol and the commands that can be used to acquire physical memory. It also covers the internal data structures that are used to store phone book entries, call logs and text messages, and helps you better understand

Operation Coredump: Countering the AFcore Botnet Threat

Thursday, 0830-0920; Location: Grand Hall C; Track: Defense Industry Base; Geek Meter: 2
Presenters: Don Jackson, Director, SecureWorks Counter Threat Unit (CTU); Ben Feinstein, Director, SecureWorks

Operation Coredump is an ongoing effort to counter the threat posed by the Coreflood (AFcore) botnet and its lone group of operators. Coreflood is a sophisticated trojan used primarily in online banking fraud, but its capabilities make opportunistic information theft easy. It has had a large impact on many government, law enforcement and military networks. Unlike many malware kits, this one is not for sale and is operated by one small but very capable team. The operators of the Coreflood botnet have operated mostly under the radar for years, frequently changing programmed targeting directives but only rarely changing C2 domain names and protocols. This presentation pinpoints the operators, explains the factors behind their success and offers countermeasures for mitigation. Ben Feinstein presents data mining and analytical methods applied to SecureWorks' vast data warehouse to identify and track Coreflood activity. These efforts provide information integral to actor attribution, intelligence benchmarking and countermeasure development. Don Jackson discusses the way this data is integrated with collaborative investigational findings produced through other signals intelligence (SIGINT), human intelligence (HUMINT) and open source intelligence (OSINT) to uncover the actors behind the threat, track their activity and provide an early warning system for Coreflood attacks.

Predictive Analytics

Friday, 0900-0950; Location: Courtland; Track: Defense Industry Base; Geek Meter: 1
Presenter: Michael Whitaker, Director, CACI, Inc.-Federal

This presentation provides an overview of attaching business process simulations to business intelligence dashboard technologies to provide predictive analysis capabilities. Current executive dashboard technologies for business process management, business activity monitoring and balanced scorecards rely on current situational data to present graphical information on dashboards. This overview shows how simulation models can be executed on demand from business intelligence applications to provide predictive, or future, dashboard metrics. The predictions are made within the context of the customer's operational processes and provide management with lead time to affect operational performance where traditional dashboard metrics fall short.

Photo Forensics: There Is More to a Picture Than Meets the Eye

Wednesday, 0830-1150; Location: Grand Hall A; Repeat Session: Thursday, 0830-1150; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 1
Presenter: Dr. Nasir Memon, Professor, Polytechnic Institute of New York University

Given images and video, can you tell which camera they were taken with? Can you tell if they were manipulated? Given a camera, or even a picture, can you find on the Internet all other pictures taken with the same camera? Forensics professionals all over the world are increasingly encountering such questions. Given the ease with which digital images can be created, altered and manipulated with no obvious traces, digital image forensics has emerged as a research field with important implications for ensuring digital image credibility. This session provides an overview of recent developments in the field, focusing on three problems. First, collecting image evidence and reconstructing it from fragments, with or without missing pieces; this involves sophisticated file carving technology. Second, attributing the image to a source, be it a camera, a scanner or a graphically generated picture; the process entails associating the image with a class of sources with common characteristics (device model) or matching the image to an individual source device, for example a specific camera. The third problem is attesting to the integrity of image data, which involves image forgery detection to determine whether an image has undergone modification or processing after being initially captured.

Over Anti-Virus, Through the Firewall, and Out Your Network the Data Goes

Thursday, 1330-1420; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 2
Presenter: Jesse Varsalone, Instructor/Course Developer, Defense Cyber Investigations Training Academy

The newer versions of Metasploit allow you to encode a payload into an existing executable. When launched, these encoded executables pass through the firewall and avoid anti-virus detection. The executables are encoded using the Shikata Ga Nai encoder. Shikata Ga Nai is a Japanese phrase that means "nothing can be done about it." The presenter demonstrates how the executables are encoded and delivered, and how the Meterpreter payload can be utilized once the victim launches the file.

Profiles of Antivirus Scans: A Comparison of Eight AV Vendors' Virus Scan Effects on Last Accessed Times

Friday, 1000-1050; Location: Hanover E; Track: Forensics; Geek Meter: 2
Presenter: Charles Yarbrough Jr., InfoSec Analyst, CERT

One of the tenets of developing forensic timelines for cases in cyber investigations is the Last Accessed Time of files. A common problem for investigators performing digital investigations is that this timestamp can easily be changed by antivirus or anti-malware scans on suspect systems. In many cases this can disrupt, or at least obfuscate, timelines of what occurred on that system. The common perception is that once an antivirus scan is performed on a system, the timestamps for all files are changed. This presentation dispels this notion and refines what virus scans from eight antivirus vendors actually do when they scan. This is useful from an investigator's standpoint because each vendor's solution performs a different series of actions when scanning a system, thereby altering last accessed times in a unique manner. This pattern allows the investigator to more confidently determine investigative timelines and to be more accurate in describing what actually took place on a suspect system's file system. The ultimate goal of this research and presentation is to provide investigators with the various scan patterns that can be discerned from each of the eight antivirus vendors' solutions.

Password Cracking

Wednesday, 0930-1020; Location: Inman; Track: Law Enforcement; Geek Meter: 2
Presenter: Brian Havens, FX Staff, DC3

The presentation provides an overview of encryption types and common strategies employed to crack them. The factors that make an encryption strategy secure or insecure are discussed so that users can make informed decisions when protecting systems or data.

Poison Ivy RAT

Friday, 0900-0950; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2
Presenter: Jesse Varsalone, Instructor/Course Developer, Defense Cyber Investigations Training Academy

Poison Ivy is a remote administration tool (RAT) that is known to be rampant in the wild. The tool, which allows the attacker to exfiltrate data over an encrypted channel, can wreak havoc on a network. The presenter demonstrates the command and control interface that the attacker utilizes, and discusses tools useful for removing the RAT from your network. Individuals who have seen this tool in the wild are encouraged to attend the presentation and share their experiences.

Password Cracking with Graphics Processors

Wednesday, 1600-1650; Location: Kennesaw; Track: Research and Development; Geek Meter: 2
Presenters: Richard Boyd Sr., Research Scientist, Georgia Tech; Joshua Davis, Research Scientist, Georgia Tech Research Institute, CISSP, C|EH

Georgia Tech Research Institute has been investigating applications for GPUs in the areas of cryptography and computer security. This presentation describes the presenters' work, which used GPUs to mount brute-force attacks on passwords protected with a cryptographic hash function. After a general introduction to the problem, the presenters explain the architecture of a GPU in general terms, highlighting the features that allow it to achieve such high performance. They describe, at a high level, the design and implementation of their password-cracking software and discuss the scalability of the code to multiple GPUs, whether on the same motherboard or in a distributed GPU cluster. Finally, the session reviews the results and the impact of high-performance GPUs on password security.

Protecting Against PDF-based, Modern Malware Attacks

Thursday, 1330-1420; Location: Centennial Ballroom 4; Track: Defense Industry Base; Geek Meter: 2
Presenter: Ashar Aziz, Founder and CEO, FireEye, Inc.

As conventional intrusions evolve into unconventional attacks, enterprises must also evolve their security beyond conventional protections. Cyber criminals' latest exploits are rendering traditional solutions ineffective as they capitalize on newly discovered vulnerabilities and common practices. PDF files are being utilized to exploit Adobe Reader vulnerabilities and have become a primary attack method to penetrate conventional security. By exploiting vulnerabilities at the browser and PDF plug-in level, criminals have successfully bypassed conventional network and host-based security, such as intrusion prevention, antivirus and web gateways. Modern malware then initiates outbound communications to exploit security policies. Once outbound traffic has been established, security policies allow related inbound connections without much constraint or supervision. With the increased use of web-based computing and file types like PDF, the problem is compounded because companies cannot shut off web traffic access, and they thereby enable malware to communicate back to cyber criminals. This session examines new attack techniques like exploiting PDF and Flash vulnerabilities. Plus, learn how next-generation threat prevention technology works to accurately analyze and block advanced persistent threats embedded within PDF and web-based attacks.

Practical Host-based Malware Detection Using Run-time Features

Wednesday, 1600-1650; Location: Grand Hall B; Track: Forensics; Geek Meter: 3
Presenters: Jonathan Woytek, Internet Security Analyst, CERT Malicious Code Team/SEI; Ross Kinder, Malware Reverse Engineer, CERT Malicious Code

This presentation discusses the process of identifying key run-time features of malware and introduces a grammar for describing these run-time features. It also introduces a proof-of-concept tool for performing host-based malware detection using these run-time features.

Russian Souvenirs

Wednesday, 1600-1650; Location: Auburn; Track: Research and Development; Geek Meter: 1
Presenter: Marita Fowler, Section Chief, SAG US-CERT

Over the past few years, crimeware kits have proven to be highly effective at compromising unsuspecting users and stealing valuable data. These easy-to-use kits have become the cyber weapon of choice and have spawned a new breed of lazy, non-technical cyber criminals. This presentation provides live demonstrations of kit configurations and botnet operations for some of the most famous and infamous crimeware kits. US-CERT analysts will also discuss various techniques, mitigation strategies and evolutionary options for these financially motivated malware campaigns.

Responding to Advanced Persistent Threat Intrusions: Effective Tools, Tactics and Protocols for Enterprise Intrusion Investigations

Wednesday, 0830-1020; Location: Courtland; Repeat Session: Wednesday, 1500-1650; Location: Centennial Ballroom 4; Track: Defense Industry Base; Geek Meter: 2
Presenter: Stephen Windsor, Senior Associate, Booz | Allen | Hamilton

This panel brings together APT intrusion experts from a variety of government and defense industrial base organizations who have extensive experience responding to and mitigating APT intrusions in the enterprise. The focus is on effective incident management, investigative techniques, indicators of compromise and how to find them in the enterprise, and ultimately, remediation and risk mitigation techniques. The session concludes with a discussion on developing an enterprise APT risk mitigation strategy.

S.H.R.E.D.: Stop Helping Really Evil Doers!

Thursday, 0930-1020; Location: Courtland; Track: Defense Industry Base; Geek Meter: 1
Presenter: Michael Kobett, Instructor/Course Developer, Defense Cyber Investigations Training Academy

This session demonstrates how easily a large amount of sensitive information related to a wide area network was discovered simply by researching an IP address found on a piece of discarded paper. Examples of the pertinent information discovered include: individuals' home, work and cell phone numbers and personal e-mail accounts; vendor ID information, including customer ID numbers, vendor contact information and phone numbers; detailed information on routers used in the WAN; and network maps detailing the physical layout of the WAN. (Personal and detailed information is blurred so the attendees do not actually see the details.) All of the information was legally discovered using Google and basic information collection tools such as wget.

Pwnasaurus: How Are Attackers Taking Over Your Networks?

Wednesday, 1330-1420; Location: Grand Hall C; Track: Defense Industry Base; Geek Meter: 2
Presenters: Terrence Gareau, Hacker, CNI IT; Chris Hurley, CNI RED TEAM; Mike Guthrie, CNI RED TEAM

Attendees are shown demonstrations of live attacks currently being employed by hostile attackers to infiltrate and take over government networks. The demonstrations are supplemented with a PowerPoint presentation detailing the salient points of each attack. The red team will compile the statistics of the top five exploits that have been successful on the networks of their government partners in the past three months. Each of these five exploits is detailed and demonstrated by the red team, and the impact to the target network beyond simple exploitation is presented from both the attacker's perspective and the perspective of the network defenders who must identify and understand the level of compromise. Finally, mitigation strategies for each of these exploits (and the resulting tactics used by attackers) are presented.

Reverse Engineering Obfuscation and Communications

Wednesday, 0930-1020; Location: Learning Center; Track: Forensics; Geek Meter: 2/3
Presenter: Adam Meyers, Senior Cyber Security Engineer, SRA International

Reverse code engineering of malware is an important step in adversary categorization that can lead to attribution and to defensive tactics for mitigating and remediating an intrusion. Malware authors know this and thus try to make the reverser's job as difficult as possible. The malware author or adversary will use executable packers to slow down the reverser, and increasingly they use a variety of obfuscation techniques to hide key data from the reverser. This presentation provides attendees with background into the art of obfuscation. Using live demonstrations of both dynamic and static analysis techniques, attendees become familiar with the various tricks implemented by malware authors to cover their tracks. Attendees are introduced to some tools written for IDA Pro to help deobfuscate malware and assist in the cat-and-mouse game of reverse code engineering. The session also demonstrates how to reverse malware to identify command and control encryption/obfuscation and apply that to packet captures to decipher what activities the adversary accomplished during the incursion, to aid in remediation and mitigation.

Screening National Security Applicants for Digital Dirt

Thursday, 1330-1420; Location: Kennesaw; Track: Research and Development; Geek Meter: 1
Presenters: Andree Rose, Program Manager, Defense Personnel Security Research Center; Andree Rose, Project Manager, Defense Personnel Security Research Center

Increasingly, hiring managers and security clearance background investigators are using online information collected from social networking profiles, blogs and other online communities to supplement pre-employment screening and post-hire monitoring. This presentation discusses the effects of social media on national security, addresses the pros and cons of using online data to make employment decisions, and provides guidance on developing cyber vetting strategies and social media policies.

Remediating Compromised Environments: Case Studies from Large and Small Enterprises

Thursday, 1100-1150; Location: Learning Center; Track: Forensics; Geek Meter: 2
Presenter: Wendi Rafferty, Managing Director, Mandiant

This session examines in-depth case studies of two intrusion investigations conducted in 2010. Both of these intrusions were conducted by groups of sophisticated attackers attempting to establish a foothold in each organization, as well as to exfiltrate sensitive data. The overall numbers and statistics of each investigation are presented, along with details about how the compromises occurred, what type of malware was used, and the tactics leveraged by the attacker. Attendees learn how each compromise differed and, as a result, how each organization implemented remediation tactics in a different manner. The focus of the presentation is on the remediation portion of the investigation and how two separate organizations implemented solutions very differently. A comparison is made of a 100,000+ node network with a decentralized infrastructure versus a centralized network with fewer than 1,500 nodes, and attendees see how the remediation needs and tactics varied. The session reviews several of the tactics, including Active Directory configuration, data centralization, network monitoring solutions, password change management software, setting user service expectations and project management of a large-scale remediation effort. Finally, details are presented about the products used, the challenges in implementation, effective project management, and the advantages and disadvantages of a centralized technical approach.

Securing the Weakest Link

Wednesday, 1330-1420; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2
Presenter: Jay Ferron, Security Practice Lead, Global Knowledge

Network security issues are something organizations are faced with every day. You can implement technologies such as IDS/IPS and firewalls to help lock down your network. However, have you considered how to protect your networks against nontechnical intrusions such as social engineering? This session explores 10 things you can do now to help protect and defend your data, network and personnel against social engineering attacks. The following topics are discussed: how easy it is to gain information that can put you at risk; how social engineering can also be done via technology; case studies and examples of techniques that work; and social engineering users. Sample courseware is available after the session for participants to download and modify.

Security for the Network Administrator

Wednesday, 0830-1020; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2
Presenter: Jay Ferron, Security Practice Lead, Global Knowledge

You are a new system administrator and have been trained to maintain that system. But have you been trained to secure it? Many network administrators are assigned the task of securing a network, but they have no idea how to do that. Do you understand the big picture and how your actions could compromise the security of your vital data and systems? Most administrators are living in a silo of information and don't have a real view of the big picture. This results in network administrators thinking "it's not my job." While true from an evaluation point of view, this can lead to major security issues. This presentation helps attendees break out of the silo and get the big picture so they can identify security issues and know how and where to report them.

Showdown with the ShodanHQ Search Engine

Thursday, 1550-1650; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 1
Presenter: Jesse Varsalone, Instructor/Course Developer, Defense Cyber Investigations Training Academy

Shodanhq.com is a search engine that allows you to find specific information about web hosts on the Internet. The advanced search operators of ShodanHQ allow you to search for hosts running specific versions of IIS or Apache on the web, hosts within a certain net block, and hosts with specific TLDs like .cn and .mil. The presentation also focuses on how this information can be used to exploit or patch systems.

Securing Web 2.0: Are Your Web Applications Vulnerable?

Wednesday, 1100-1150; Location: Grand Hall C; Track: Defense Industry Base; Geek Meter: 2
Presenters: James Hewitt, Security Project Manager, Director of Security Governance, CGI; Ken Huang, Director, CGI

This session discusses the technologies used by Web 2.0, such as Ajax, JSON, REST, RSS, Flash and SOAP. Used together or separately, these technologies have increased the flexibility of web applications. A Web 2.0 application can aggregate resources, such as blogs or RSS feeds, from a number of locations and then build a large repository of information for presentation on its own site. However, when implemented without security considerations, application inputs can be vulnerable and old attacks can gain new traction. Web 2.0 introduces new risks, and its technologies are subject to new vulnerabilities. Vulnerabilities in web applications can be exploited by unverified third-party content. This session includes a demonstration of the vulnerabilities in a Web 2.0 application. The session also provides practical advice on how to securely develop, maintain and use Web 2.0 applications, with a focus on three objectives: (1) develop an understanding of the top vulnerabilities in Web 2.0 applications, (2) gain practical skills in how to use Web 2.0 applications in a secure manner and (3) learn how to use the SDLC to produce secure Web 2.0 applications (for application developers).

Shadow Volume Link Manager and VirtualBox: Tools for Accessing Shadow Volume Data

Wednesday, 0830-0920; Location: Kennesaw; Track: Research and Development; Geek Meter: 1
Presenter: Timothy Leschke, DCCI Staff, DC3

According to Microsoft, over one-third of all data loss is the result of accidental file deletion or modification. In response to this accidental data loss, Microsoft developed the Volume Shadow Copy Service. This service archives key data and system settings, which allows Windows 7 and Windows Vista platforms to recover from accidental data deletion and from destabilizing events, such as a virus attack or the incorrect installation of software or a hardware device. This archiving service also makes it possible for a user to view previous versions of documents. Because of the amount of data that this service archives, the shadow volume has been referred to as a goldmine of forensic evidence. In this session, the speaker presents a method for accessing shadow volume data from a forensic examination machine that is running Windows XP. The use of a virtual machine running the Vista operating system, along with the DCCI-developed tool Shadow Volume Link Manager, are the two tools demonstrated for accessing shadow volume data.

Simple MySQL Data Extraction for Forensic Analysts

Thursday, 1100-1150; Location: Hanover E; Track: Forensics; Geek Meter: 2
Presenter: Hal Pomeranz, Principal, Deer Run Associates

MySQL is a popular open source RDBMS and is often used as a back-end data store for web-based applications, including social networking apps and even command and control servers for malicious software. Consequently, data in these databases is often of interest to forensic analysts. However, extracting data from MySQL and other RDBMSs has historically been the domain of DBAs and other specialists in database technologies. This presentation covers a few simple techniques that anybody can learn in order to access data in MySQL databases and extract that data in CSV format so that it can be manipulated with other applications.

Smart Phone Forensics

Thursday, 1330-1420; Location: Inman; Track: Research and Development; Geek Meter: 2
Presenter: Eoghan Casey, Founding Partner, cmdLabs

Smart phones like Windows Mobile systems, iPhones and Symbian devices present a substantial opportunity and challenge for forensic practitioners. These devices are essentially computers that people carry in their pockets, and they contain substantial amounts of information that can be useful from a forensic perspective, including communications, multimedia and location information. New acquisition methods have become available that give forensic practitioners access to more information on these devices, including deleted data. This presentation covers various methods for acquiring and analyzing data on a variety of smart phones, including Windows Mobile systems, iPhones and Symbian devices. Commercial and open source tools are presented. Common hurdles are discussed to help practitioners navigate issues such as data translation errors.

Security 101 Is Dead, Compliance Is the Living Dead: Real Security Techniques for Today's Environments

Friday, 1000-1050; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2
Presenter: Marshall Heilman, Director, Consulting, Mandiant

Auditors, teachers, security engineers and consultants have preached compliance and security 101 for years (I may have been guilty of this; I'm pleading the fifth). But it hasn't worked. Today's environments are too large and too complex for basic security measures to be effective. It is time for us as a community to take action. We need to start thinking about implementing complex security solutions that address real risks while enabling (not just allowing) business to operate. This session provides innovative security solutions used to better posture companies for the future. Each strategy is presented in light of the vulnerability that was exploited and the associated solution implemented to mitigate the threat. Attendees leave this presentation with realistic, actionable ideas for their own networks.

Shadow Warriors: A Tour of Vista/Windows 7 Volume Shadow Copy

Thursday, 0830-0920; Location: Grand Hall B; Track: Forensics; Geek Meter: 2
Presenters: Mark McKinnon, Software Architect, RedWolf Computer Forensics; Lee Whitfield, Forensic Examiner, Forensic 4Cast

In the last few years the number of cases involving volume shadow copies has soared. Since the introduction of this technology in Windows desktop operating systems, forensic investigators have struggled to find a viable method for extracting meaningful data from these files. Current methods of analysis take a great deal of time and storage. As a result, these files often go neglected in digital investigations. This session discusses how to manually decompile volume shadow copies in order to retrieve key evidence. A software tool is demonstrated that automates this process without the overheads that prove so costly for investigator and client alike.

Social Engineering 2.0

Friday, 1100-1150; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 1
Presenter: Jesse Varsalone, Instructor/Course Developer, Defense Cyber Investigations Training Academy

Social engineering is a technique that can be used to harvest data from a company or agency. Individuals who utilized social engineering techniques were often highly skilled, but in today's world anyone with access to a computer can be a master at this craft. During this presentation, attendees are exposed to techniques that can be used to harvest data from individuals. Utilizing these techniques and websites, investigators can find websites with specific content to help further aid their investigations.

session investigators learn how to use Splunk to index, search and analyze all enterprise threat data from a single location in real time, drastically cutting incident response times and limiting exposure to the threat by reacting more quickly.

SuSE Studio

Wednesday, 0830-0920; Location: Learning Center; Track: Forensics; Geek Meter: 2
Presenter: Dan Mares, Director, Forensic Development, Norcross Group

Attendees are shown how to subscribe to and build a SuSE Studio Linux boot disk suitable for forensic imaging processes. SuSE Studio makes building a custom Linux boot image as easy as logging in, choosing the packages you want to install and clicking Build. This session teaches attendees how to use the online SuSE Studio to build an ISO or thumb-drive Linux boot disk. Attendees also see how dcfldd with some custom scripts can make forensic disk imaging easy and verifiable. The scripts and a minimum number of default boot disks are provided.

SSDs and Forensics: A Good Mix?

Thursday, 1600-1650; Location: Learning Center; Track: Forensics; Geek Meter: 2
Presenter: Martin Easton, Instructor/Course Developer, Defense Cyber Investigations Training Academy

Given the increased prevalence of solid state drives (SSDs) in today's computing world, it seems inevitable that forensic examiners will encounter more and more of them in their investigations. But how do they behave in comparison to a standard hard disk drive? This session covers some of these considerations, including how SSDs work, the effects of the TRIM command, wear leveling, new hardware and other potential issues for the forensic examiner.

Solid State Disk Data Recovery: Dead Disk Analysis Is...Dying

Thursday, 1500-1550; Location: Dunwoody; Track: Forensics; Geek Meter: 3
Presenters: Christopher King, Cyber Threat Analyst, CERT/SEI; Timothy Vidas

Solid State Disk (SSD) drives are now becoming more mainstream, increasing the odds of encountering one in the course of an investigation. The speed increase over traditional hard drives has made them more desirable in laptops, portable devices and high-performance desktop systems. SSD manufacturers currently implement differing methods of garbage collection and wear leveling that increase the volatility of deleted data. This level of volatility varies across manufacturers and firmware versions. The recent arrival of the TRIM function in the ATA8-ACS2 specification essentially facilitates instant full-disk sanitization and prevents analysis of any deleted data, even data deleted via normal use. This presentation briefly discusses the background of SSDs and how they differ from traditional disks, and provides evidence of the difficulties of data recovery for investigators. It also discusses what to expect when an SSD is encountered in the field, recommended recovery techniques and some future issues with this type of storage as it becomes more popular.

Subject Identification

Thursday, 1500-1550; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 1
Presenter: Matthew McFadden, Instructor/Course Developer, Defense Cyber Investigations Training Academy
This session examines how to use public information available on the Internet to search for subjects, establish leads and gather information on a target.

Stick Around: Persistence Mechanisms in Recent APT Compromises

Thursday, 1500-1550; Location: Learning Center; Track: Forensics; Geek Meter: 2
Presenters: Christopher Glyer, Incident Response Manager, Mandiant; Ryan Kazanciyan, Principal Consultant, Mandiant
One of the fundamental elements of any targeted compromise is the means by which the attacker establishes and maintains persistence on a system. The Windows operating system provides numerous mechanisms that can be used and abused to allow malware to run upon system startup, including several that are not widely known or documented. During their incident investigations, Mandiant consultants have seen a wide variety of persistence techniques employed by the Advanced Persistent Threat. These techniques range from simple Windows service manipulation to trojanized system binaries and more sophisticated attacks. During this presentation, the presenters discuss each of these techniques, provide examples of how they have been leveraged in actual incidents, and provide strategies for forensic analysis of persistence mechanisms at enterprise scale.

Super Timeline Analysis

Friday, 1100-1150; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 2
Presenter: Rob Lee, Director and SANS Digital Forensics Curriculum Lead, SANS Institute and Mandiant
Super Timeline Analysis will completely change the way you approach digital forensics . . . forever. Utilizing advances in spear phishing, web application attacks and persistent malware, today's sophisticated attackers advance rapidly through your network. Forensic investigators must master a variety of operating systems, investigation techniques and incident response tactics to solve challenging cases. Temporal data is located everywhere on a computer system. File system MAC times, log files, network data, registry data, Internet history files and file metadata all contain time data that can be correlated into critical analysis to successfully solve cases. First utilized by the presenter's team in AFOSI in 2001, timeline analysis has become a critical investigative technique for solving complex cases. Until recently, no timeline analysis framework existed that could easily bring multiple examinations of time-based data into a single framework that investigators can readily analyze. Timeline analysis, once learned, has changed the way many in law enforcement and information security approach complex cases. It helps uncover additional indicators of compromise and aids in identifying when anti-forensic techniques have been used. Learn how timeline analysis will permanently change your approach to forensic cases.

Some People Are Wise and Some Are Otherwise: An Overview of Data Collection for Effective Cyber CI

Friday, 0900-0950; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 1
Presenter: Steven Bolt, Instructor/Course Developer, Defense Cyber Investigations Training Academy
This session provides an overview of some open source data collection methods that may be used in the cyber CI arena. Once the tried and true individual tools have been presented, a data management and collection tool is demonstrated that aggregates the output of these mundane collection utilities. The information is then incorporated into i2 Analyst's Notebook for further analytical work.

Strategies to Streamline Explicit Image Identification, Classification and Reporting

Wednesday, 1550-1650; Location: Dunwoody; Track: Forensics; Geek Meter: 1
Presenter: Ken Warren, Training Director, AccessData
The size of today's cases has easily reached millions of items and terabytes of data. The most basic image-related case can involve looking through hundreds of thousands of images. Tools to help categorize and filter large data sets have been in existence for some time, but many examiners do not know how to leverage these tools and techniques to quickly and efficiently find items of interest. In this module, we teach how to best leverage a few techniques to maximize the return and minimize the time and resource investment in these cases.

Splunk as an Enterprise Incident Response and Forensic Tool

Wednesday, 1100-1150; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 2
Presenter: Matthew McFadden, Instructor/Course Developer, Defense Cyber Investigations Training Academy
Splunk is a monitoring and reporting tool for enterprise IT systems that deeply emphasizes search capability by consolidating logs, metrics and other data from applications, services and network devices. In this

Technology as a Force Multiplier in the Processing of Crime Scenes

Wednesday, 1500-1550; Location: Grand Hall B; Track: Forensics; Geek Meter: 1
Presenter: Ed Cronin, Advanced Response Concepts
The basics of crime scene investigation in the field of law enforcement have remained largely unchanged over the years. There will never be a replacement for the experience and knowledge of a savvy investigator and his/her observational and intuitive skills. What has changed in the field of investigation is the advent of different kinds of evidence collected and the methodology for documenting and preserving it. This presentation addresses a specialized system-based solution that has been developed and implemented to assist investigators to electronically document evidence found in the field; identify, label and track it; keep precise attendance records at the scene; and be interoperable with the U.S. Department of Justice NIEM (National Information Exchange Model) compliance system.

The DoD Banner: The Impact of Key Cases over the Past Year

Thursday, 1550-1650; Location: Baker; Track: Legal; Geek Meter: 1
Presenter: Rick Aldrich, Senior Computer Network Operations Policy Analyst, Information Assurance Technology Analysis Center
To respond to United States v. Long and subsequent concerns related to the protection of privileged communications, DoD issued a new banner and user agreement policy memorandum on May 9, 2008. The presentation addresses issues that have arisen with regard to the DoD-standardized language now required in all banners and user agreements, such as the June 2010 Supreme Court case of Quon v. City of Ontario, the first case in which the Court was asked to address the reasonable expectation of privacy in the electronic communications of government employees in the workplace. How does this case impact the DoD banner? We also explore a host of other cases. How does the New Jersey Supreme Court's decision in Stengart v. Loving Care Agency impact the DoD banner? How have military cases dealt with the banner? How is the DoD banner likely to be impacted by federal efforts to standardize banner and user agreement language across the federal government? How is DoD responding to Congressional inquiries relating to the banner? Why is DoJ advocating taint teams in investigations relying on the DoD banner? Does the banner impact the handling of Privacy Act and HIPAA data?

The Hidden Joys (and Benefits) of Running a Continuous Monitoring Program

Thursday, 1100-1150; Location: Fairlie; Track: Information Assurance; Geek Meter: 2
Presenters: Bill Geimer, President, Iron Vine Security; Keren Cummins, Director of Federal and Mid-Atlantic Markets, nCircle
Security risk has become a material risk and is reported as such in SEC filings. Occasional data snapshots are no longer sufficient, resulting in the need for continuous monitoring as a key part of risk management. Hear from a panel their best practices for implementing continuous monitoring systems and how to derive ROI benefits while meeting regulatory mandates to improve overall security controls.

The Business of Bots and How to More Effectively Combat This Threat

Friday, 1000-1050; Location: Hanover A B; Track: Law Enforcement; Geek Meter: 2
Presenter: Jonathan Gillman, Founder, CEO, Omniangle Technologies
The United States is under constant attack from botnets, many of which are under the control of foreign entities. Information gathered from botnet attacks is often incomplete due to the IP spoofing botmasters use to cover their tracks. However, there is a highly lucrative use of botnets that leaves behind more usable information: affiliate marketing fraud. This presentation describes how and why botnets are used to commit this type of fraud, what information is left behind and how that data can be used to aggressively fight back against the infestation of botnets currently operating within the United States.

The Malies: An Award Show for Epic Fail and Grand Success in Malicious Software

Thursday, 1500-1650; Location: Hanover E; Track: Forensics; Geek Meter: 1
Presenters: Nick Harbour, Malware Analysis Team Lead, Mandiant; Peter Silberman, Malware Analyst, Mandiant; Stephen Davis
This is an award-show-style presentation to honor the novel, innovative aspects of malicious software and the head-scratching, curious blunders. Presented by three malware analysis ninjas, this discussion pulls from Mandiant's rich repository of targeted malware to bring special recognition to malware authors for their achievements (or lack thereof). The categories presented range from Most Pointless Tool to Best Persistence Technique to Most Blatant Disregard for Getting Caught. Details are covered in each award, but this presentation is more fun than technical and there is something here for everyone regardless of your background.

The Evolution of Cyber Analysis in the Cybersecurity Revolution

Thursday, 0930-1020; Location: Kennesaw; Track: Research and Development; Geek Meter: 2
Presenter: Erica Andren, Senior Manager, BAE Systems
The increased volume, effectiveness and impact of cyber crimes perpetrated by Advanced Persistent Threat (APT) adversaries have necessitated a leap in capability from traditional Information Assurance to modern cybersecurity. This revolution has drastically changed the interface between operators and their intelligence support, requiring innovative new approaches to cyber analysis that incorporate both technical and strategic information sources. It also calls for agility and speed, yet relies on data that has to be mined, fused and assessed in order to become actionable intelligence. With an integrated, comprehensive approach to cyber analysis that combines data-driven and context-driven processes, cybersecurity professionals can detect and counter external and internal attacks at session speed, ultimately transitioning to proactive monitoring, alerting and response. This presentation discusses the new face of cyber analysis, which incorporates real- and near real-time analytics plus global threat assessments at enterprise scale. It also covers an example that applies this evolved cyber analysis to a solution for secure wireless networking in a distributed operations environment.

The Common Credentials Dilemma

Thursday, 1550-1650; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2
Presenter: Philip Lieberman, President, Lieberman Software
Information technology groups in government agencies are responsible for maintaining a vast infrastructure of servers, workstations, mobile systems, databases, firewalls and network devices. Each of these assets is controlled with privileged account passwords that allow full access to the component. Agencies can have thousands of such privileged accounts, so IT groups often deploy every system with an identical password and then leave this password unchanged throughout the organization. The fundamental flaw with this practice is the serious security implications and regulatory compliance violations that occur if the local account password on even one system is compromised. Without frequently generated unique passwords for every privileged account, a user can decrypt one password and gain unrestricted access to every place in the network that uses the same credentials. Former agents and employees familiar with their previous organization's privileged passwords, as well as current employees with similar access, pose particular threats. To resolve the problem, every privileged account password in the enterprise must be automatically discovered and updated at regular intervals. Securely storing the current passwords in a FIPS 140-2 encrypted database is also essential.

The Many Thumbs of Megan Fox

Wednesday, 1550-1650; Location: Inman; Track: Research and Development; Geek Meter: 1
Presenter: Christopher Dearing, Digital Forensic Engineer, Defense Cyber Crime Institute
Megan Fox is considered by many to be one of the most beautiful actresses in contemporary film. However, examining pictures of her thumbs shows how smaller, unappealing images can be pieces of a larger, more appealing picture. Most forensic examiners view graphic images by looking at thumbnails of those images. However, many thumbnails can actually reside within a graphic image. This presentation examines how those thumbnail images can be manipulated to obfuscate the actual image.

The Metasploit Wireless Suite

Thursday, 0930-1020; Location: Grand Hall C; Repeat Session: Thursday, 1500-1550; Location: Courtland; Track: Defense Industry Base; Geek Meter: 2
Presenter: Christian Scott, Instructor/Course Developer, Defense Cyber Investigations Training Academy
This is an information session specifically focused on the wireless tools included with current releases of the open source Metasploit penetration testing framework. Emphasis is given to unique tools such as karmetasploit, translations of independent tools such as airpwn, and the power of integration with the meterpreter shell and the framework in general. The information session is followed by brief technology demonstrations. Discussion and demonstration are geared toward the real-world impact of associating the inherent weaknesses of wireless networking with the power of an advanced penetration testing suite.

The Whiddler

Wednesday, 1030-1150; Location: Dunwoody; Track: Forensics; Geek Meter: 2
Presenter: Dr. Mark Mason, IA Technologist, 90th Information Operations Squadron
The Whiddler is a malware filtering tool based on statistical PE structural anomalies and a Bayesian inference algorithm. The Portable Executable (PE) format is a file format for executables, object code and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. The Whiddler is able to achieve reliable results while processing up to five files per second, making it suitable for analyzing large quantities of files collected from the Air Force computer network. The prototype has several innovative aspects, including PE observables, a Bayesian inference engine and a Java graphical user interface.

The Morphing of Peer-to-Peer Apps

Thursday, 1100-1150; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1
Presenter: Alissa Torres, Instructor/Course Developer, Defense Cyber Investigations Training Academy
The world of peer-to-peer applications has yet to reach maturity on the Internet. What started as a file sharing distribution system is now a model for various communications platforms. One of the newest applications of this is Chatroulette, a randomized system of client-to-client webcam connections. Peer-to-peer applications are inherently insecure, as their lack of management keeps activity on such a network anonymous and difficult to trace. Chatroulette, a peer-to-peer application invented by a 17-year-old Russian, is just one of the trendy offerings that make the Internet a more dangerous place for youth. What is new and current in today's peer-to-peer app world?

Timeline Analysis Using Open Source Tools

Thursday, 1500-1650; Location: Grand Hall A; Track: Forensics; Geek Meter: 1
Presenter: Chris Shanahan, Instructor/Course Developer, Defense Cyber Investigations Training Academy
While the advanced persistent threat against the United States has increased dramatically in recent years, so too has the need for computer forensics examiners and analysts to cull through volumes of data in a short amount of time. Whether evidentiary data originates from a traditional dead-box personal computer, a running web server, or a government employee's laptop computer, timeline analysis tools and techniques can be used to target the examination and analysis of data, decreasing the amount of time required to gather actionable information. Current, cutting-edge open source tools available to computer forensics examiners and analysts for powerful, targeted timeline analysis are presented in this session. Attendees should have some familiarity with the Linux operating system and its shell command-line interface (CLI).

The Wild, Wild Web: Knowing the Basics for Online Investigations

Wednesday, 0830-1020; Location: Hanover F-G; Repeat Session: Thursday, 0830-0920; Location: Auburn; Track: Law Enforcement; Geek Meter: 1
Presenter: Jayne Hitchcock, President, WHOA
All attendees should know the basics of investigating online cases, whether for e-mails, message boards, social networking sites (such as Facebook), chat or IM. Attendees learn how to trace messages, contact the proper ISPs involved and how to work with victims. ISP/web site contact information specifically for law enforcement is provided that is not available to the general public.

The NIJ Electronic Crime Technology Center of Excellence: Delivering Electronic Crime & Digital Evidence Tools, Technologies & Resources to the Criminal Justice Community Panel

Thursday, 0930-1150; Location: Grand Hall B; Track: Law Enforcement; Geek Meter: 1
Presenters: Martin Novak, Physical Scientist, NIJ; Robert O'Leary, Director, NIJ Electronic Crime Technology Center of Excellence; Dr. Victor Fay-Wolfe, Project Developer, NIJ; Russell Yawn, Deputy Director, NIJ; Randy Becker, Project Coordinator, NIJ; Dr. Mark Davis, Publication Development Coordinator, NIJ; Don Stewart, Project Manager, NIJ; Michael Termenelli, Project Manager, NIJ
This panel showcases the mission, goals and success stories of the National Institute of Justice Electronic Crime Portfolio, including the tools and technologies research and development projects funded by NIJ. The distribution capabilities developed by the NIJ Electronic Crime Technology Center of Excellence and its partner, the University of Rhode Island, to deliver these tools and technologies to the criminal justice community are reviewed. The NIJ-funded tools and technologies to be showcased include: the NIJ ECTCoE Resource Website; MacMarshall; Live Acquisition Triage Tool (LATT); Windows PE Boot CD SAFE; Redlight Human Image Detection Tool; String Search Tool; and NIJ ECTCoE electronic crime and digital evidence testing and evaluation reports. In addition, the resource delivery capability developed by the NIJ ECTCoE is introduced, including: the searchable electronic crime and digital evidence training database; the electronic crime and digital evidence tool and technology searchable database resource; the digital evidence device photo and video library; and the ECTCoE tool and technology testing and evaluation report library. Additionally, the post-course online testing and Technical Working Group collaboration capabilities launched by the NIJ ECTCoE through the CyberCop Portal are demonstrated.

Ubuntu 10.04 LTS First Look

Thursday, 1550-1650; Location: Inman; Track: Research and Development; Geek Meter: 2
Presenter: Jonathan Bennett, Instructor/Course Developer, Defense Cyber Investigations Training Academy
Ubuntu is the most popular desktop Linux by many measures, and its recent Long Term Support release is sure to be widely adopted. It includes many changes from previous Ubuntu releases, as well as from other Linux distributions that are available. This presentation is a general introduction to Ubuntu and some of the newest changes in the GUI, both security and usability focused, and some of the included tools and security features that are available during the installation process.

Threat Auditing: Identifying Malicious Code and Other Anomalies

Thursday, 1100-1150; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2
Presenters: Chris Mellen, Director of Professional Services, AccessData; Jason Mical
This session focuses on using both network forensics and host forensics to identify an anomaly, analyze its behavior and locate other machines affected by the threat. Analysis of system logs, network packet data and host artifacts is correlated to identify the impacted targets and conduct the forensic investigation.

Threat Intelligence Knowledge Management for Incident Response

Friday, 0900-0950; Location: Courtland; Track: Defense Industry Base; Geek Meter: 2
Presenter: Samuel Wenck III, Software Engineer, Lockheed Martin
This presentation describes principles, demonstrates tools and offers lessons learned in the knowledge management of threat intelligence for incident response. Defending your organization against persistent attackers requires acquiring as much threat intelligence as possible during their attacks. Often, one can learn a lot about adversaries in preparation for their next attack, thwarting them with resilient mitigations before a successful compromise occurs. Taking all this disparate information from various sources and developing a successful threat-focused response can seem to be an insurmountable task. To assist in this task, this session illustrates methods for discovery and the vetting of attack indicators. The rapid creation of tools and processes to assist in determining indicator utility and level of significance is also discussed, and the iterative refinement of information gathering capabilities, along with the condensation and compilation of various information resources into actionable intelligence, is demonstrated.

Undercover Operations: Proactive Techniques

Thursday, 1500-1550; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 1
Presenter: Jeff Naylor, Instructor/Course Developer, Defense Cyber Investigations Training Academy
This presentation examines how understanding social networking, language analysis and your suspect's cyber behavior can allow you to get inside the mind of the target and learn how to successfully operate in his/her world.

Understand the Security Concerns Associated with Virtualization

Wednesday, 1500-1550; Location: Grand Hall D; Track: Information Assurance; Geek Meter: 2
Presenter: Jay Ferron, Security Practice Lead, Global Knowledge
Many organizations realize the benefits of implementing virtualization. In fact, by implementing virtualization, you can reduce the physical number of host computers. But does it reduce or add risk to your infrastructure? The goal of this session is to take a look at all of the issues and identify areas of concern for a cyber specialist.

Utilizing DNS to Characterize Malicious Actors Based upon Operation

Wednesday, 1550-1650; Location: Fairlie; Track: Defense Industry Base; Geek Meter: 1
Presenter: Aaron Shelmire, SEI/CERT
By taking a large catalog of 250,000 malware samples collected over 6 months, we were able to collect many domain names associated with malicious behavior. In this discussion we detail our findings regarding the behaviors associated with those domain names. These behaviors include fast flux characteristics, sinkhole detection, domain name parking and distinctive characteristics of different kinds of malware.

Web 2.0 for Cyber Investigators

Thursday, 1330-1420; Location: Hanover F-G; Track: Law Enforcement; Geek Meter: 1
Presenter: Lieutenant Colonel David Landry, Chief, A6 Operations, AF Global Strike Command
On December 5, 2009, the Defense Advanced Research Projects Agency (DARPA) challenged the public to find 10 red weather balloons that DARPA randomly placed around the continental United States. One hundred teams competed with Web 2.0 tools in an effort to locate the balloons. This presentation gives an insider's perspective of participating in this DARPA Network Challenge (DNC). The presenter also reviews the effectiveness of other teams' strategies. The DNC is very similar to a cyber crime investigation: a complex, time-critical problem was communicated across a wide geographic area and then solved by an ad hoc team. The DNC required the use of modern Web 2.0 tools such as Twitter, Google, wikis, YouTube, Facebook, web advertising and the mobile web. The presentation is valuable to law enforcement and cyber crime investigators because it reveals effective tactics and techniques used for discovery, coordination and disseminating information in cyberspace.

Using Deepnet as a Covert Channel for Communication

Thursday, 1100-1150; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 2
Presenter: Jesse Varsalone, Instructor/Course Developer, Defense Cyber Investigations Training Academy
Deepnet is an extension for Firefox and Chrome that allows individuals to add content to web pages. Individuals with the Deepnet extension can drop pictures, messages and links on web pages, and only users with Deepnet will be able to view their content. By utilizing predetermined web pages, people can communicate covertly by adding and removing messages from these web pages. This presentation discusses the ramifications of this technology, as well as privacy concerns.

VDL Slack in NTFS

Thursday, 0930-1020; Location: Grand Hall B; Track: Forensics; Geek Meter: 3
Presenter: David Ferguson, Senior Computer Engineer, Department of Defense Cyber Crime Center
This session describes VDL Slack and ways to identify it. Huge areas of slack (VDL Slack) can be hidden in Microsoft NTFS. VDL Slack appears to contain zeros when viewed from the native operating system, but contains slack space when viewed from many forensic tools. As a result, examiners may confuse this slack space with deliberate attempts at hiding data.

Virtual Labs: Safe Environments for Analysis, Hacking and Learning

Thursday, 1500-1650; Location: Kennesaw; Track: Research and Development; Geek Meter: 1
Presenter: Michael Kobett, Instructor/Course Developer, Defense Cyber Investigations Training Academy
Using both presentations and demonstrations, the presenter introduces attendees to VirtualBox and how it can be used for analysis, testing and educational purposes. Topics addressed include: installing operating systems, the benefits of creating and restoring snapshots, the benefits of using virtual machines to practice hacking techniques, and using virtual machines for malware analysis.

Using Forensic Triage for Document and Media Exploitation

Wednesday, 1550-1650; Location: Learning Center; Track: Forensics; Geek Meter: 1
Presenter: J.J. Wallia, CEO/Co-founder, ADF Solutions, Inc.
Military battles are won and lost on access to the right intelligence. Many defense and intelligence agencies today are exploring field-based triage tools that let their operatives access this intelligence, because the traditional methodology involves taking possession of the computers and sending them away for analysis, which may take weeks or even months. The proper triage tools provide instant, actionable intelligence in minutes. Defense and intelligence operatives in the field are able to make the right decisions with inside information for which enemy combatants are unprepared. This session covers the basic requirements necessary to fulfill these objectives and to identify the correct tools for defense and intelligence operatives.

What's Your Authority?

Thursday, 0830-0920; Location: Baker; Track: Legal; Geek Meter: 1
Presenter: Albert Rees, Trial Attorney, U.S. Department of Justice
This session provides a brief tour of laws and regulations for protecting the Net. The government can't do anything without authority granted by law or regulation. Whether investigating crime or protecting information and systems, a web of laws and regulations adds sticky layers of complexity to already complicated technical matters. This presentation starts to untangle the Constitution; statutes such as FISMA and ECPA; U.S. Code titles 10, 18, 50 and others; Executive Orders; and other important laws and regulations that shape how government deals with cyber issues.

Visualization of Mobile Forensics Data: Techniques and Case Studies

Thursday, 0830-0920; Location: Kennesaw; Track: Research and Development; Geek Meter: 2
Presenter: John Carney, CFO, Carney Forensics
Digital evidence is usually presented as a stream of bits and bytes in forensics reports that are at best sorted into buckets of similar items. The call logs appear in one section, the text messages in another and the address book in yet another. This primitive presentation technique makes forensics data available to clients, but hard to understand because it is so one-dimensional and out of any context to which users can relate. The authors of this presentation embrace the idea of using software to visualize forensics data and see patterns and relationships in the contents of mobile devices. In so doing, data is elevated into information, or even knowledge, that clients can use for decision making, strategy formulation and taking meaningful action in a legal, investigative or corporate context. The conference presenters understand this requirement and are building software bridges between the top mobile forensic extraction tools and the most popular timeline and digital mapping software packages used by attorneys and investigators today. They are focusing on how meaning can be brought to forensics data cost-effectively using software automation. This technology is demonstrated in the session.

When Did It Happen? Are You Sure about That?

Friday, 0900-0950; Location: Dunwoody; Track: Forensics; Geek Meter: 3
Presenter: Kieth Gould, Cyber Intelligence Analyst, Lockheed Martin - LM-CIRT
When? . . . A simple question with a not-so-simple answer when it comes to computer forensics. A primary goal of most forensic analysis efforts is to build a comprehensive incident timeline, with file system date and time-stamps being a key data point. How confident are you, though, that these time-stamps are correct? If questioned on their creation, behavior and authenticity, can you stand up to the challenge? How does the file system create and store time-stamps, how do they change during normal activity, and how can they be altered? To perform a comprehensive and accurate analysis, and then back it up in court or otherwise, you need to understand how time-stamps work. This presentation begins by laying the foundations of time-based analysis, focusing on the natural behavior of objects in the NTFS file system before moving on to how time-stamps are stored in objects such as the MFT and directory indexes. The discussion ends with advanced concepts such as recovering and decoding time-related data from unallocated space, comparing and contrasting the functionality of various time records (e.g., the Standard Information Attribute vs. the File Name Attribute), and how these artifacts may be intentionally or inadvertently manipulated.

Using Gmail for Data Mining

Thursday, 1330-1420; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 1
Presenter: Steven Bolt, Instructor/Course Developer, Defense Cyber Investigations Training Academy
This presentation examines the concept of utilizing the data mining efforts of the mainstream search engines to uncover relevant intelligence. Many web-based e-mail services, as well as search engines, data mine their users' content. The theory is that this practice can uncover relevant information pertaining to intelligence gathering efforts.

that led the investigators to believe that they were dealing with a criminal utilizing open WiFi networks to anonymize their activities are examined as well. Included in the discussion are issues associated with a suspect conducting criminal activity in different environments (urban/city, apartment and suburban residential environments) and the associated factors for conducting a WiFi surveillance/investigation in these environments. These factors include physical and environmental restrictions while conducting the WiFi surveillance; differing equipment requirements; and WiFi tool selection and employment of the tools. One of the case studies details illegal use of open WiFi networks in conjunction with the use of malware to steal personal identifying data and banking information from dozens of victims located around the country. The suspect used this stolen data to establish eBay and PayPal accounts used to facilitate the sale of counterfeit software.

innocent corporate laptops using wireless. These forms of extrusion carry over into the enterprise as well. Data leakage from the wired side continues to be prominent in enterprise networks, exposing hosts, usernames and even clear-text passwords for critical network infrastructure, thus exposing this data to promiscuous wireless attackers. A case study is provided outlining the anatomy of a wireless attack on a corporate network, showing the basis for the types of attacks that can occur. After covering the anatomy of the attacks and the perpetrators, the session outlines steps for an appropriate Wireless Incident Response Plan, both technically and procedurally. Sources for additional information are also referenced and cited.

Where did my data Go? deploying enCase enterprise to a snap server


Wednesday, 1330-1420; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 2 Presenter: Steven Bolt, Instructor/Course Developer, Defense Cyber Investigations Training Academy This is a real-world case in which data was lost from a Snap Server in a production environment. The solution was to deploy EnCase Enterprise to a default installation of a Snap Server. The details of the response, the problems encountered and lessons learned, are shared in this presentation.

Wireless usb, The forgotten wireless connection


Thursday, 1100-1150; Location: Courtland; Track: Defense Industry Base; Geek Meter: 1 Presenter: James Arnold, Instructor/Course Developer, Defense Cyber Investigations Training Academy This is a one-hour session presenting wireless uSB technology and its possible implications in investigations both in civilian Law Enforcement and in an MI/CI environment.

Windows 7 artifacts
Thursday, 1330-1420; Location: Dunwoody; Track: Forensics; Geek Meter: 1 Presenter: Rob Attoe, Director, Public Sector, AccessData With the release of Windows 7 in 2009 many new PCs are now being shipped with this Operating System preinstalled. This session introduces the key areas of change from the Windows XP/Vista systems from a forensic standpoint and discusses the interpretation of the new artifacts.

Why i dont care how you got hacked?


Thursday, 1500-1550; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 2 Presenter: Stephen newman, vice President of Product Management, Damballa Lets get real; you will be hacked regardless of the defenses you invest in to protect against it. I dont really care how the hack was accomplished and frankly, you probably shouldnt either. You can chase your tail trying to find the hole the attacker exploited and shut that one down, but theres hundreds of others youre probably not going to be able to find no matter how hard you look or how much time you spend hunting them down. By all means, keep on investing in your defense detection strategy, but figure out how youre going to detect and respond to those hacks that make it through as fast as possible. Which part of detection and remediation should you care about? Lets examine that together.

Wireshark, not Just a pretty interface


Thursday, 0830-1040; Location: Centennial Ballroom 4; Track: Defense Industry Base; Geek Meter: 2 Presenter: Mike Cowan, Instructor/Course Developer, Defense Cyber Investigations Training Academy Wireshark is used by many for network sniffing and capture analysis and it is commonly understood that it falters on large (grander than 100 megabyte) captures. This presentation demonstrates the use of the many command line programs packaged with Wireshark and its Windows partner, WinPcap. Focus is on tshark, dumpcap, editcap, mergecap and the experimental rpcapd.

Windows Memory forensics and direct kernel object Manipulation


Wednesday, 1330-1420; Location: Learning Center; Track: Forensics; Geek Meter: 1 Presenter: Jesse Kornblum, Research Geek, Kyrus Technology Rootkits use Direct kernel Object Manipulation (DKOM) to hide processes, services, files and other things from users, but these techniques are easily exposed through memory analysis. However, what if an attacker performed DKOM in such a manner as to hide from the user AND memory analysis applications? This presentation shows how attackers may be able to accomplish just that and introduces specialized DKOM techniques that not only hide resources from the user but also a few well-known memory analysis applications.

x-Ways, the other White Meat


Wednesday, 1030-1150; Location: Centennial Ballroom 2-3; Track: Forensics; Geek Meter: 2 Presenter: Joseph Fichera, Instructor/Course Developer, Defense Cyber Investigations Training Academy The often overlooked youngest of three has what it takes to get the job done and then some. This presentation provides an overview of X-Ways functionality, including initial case processing, RAID reconstruction and many of the its functions.

Wifi Criminal investigations


Wednesday, 1500-1650; Location: Hanover C-D; Track: Law Enforcement; Geek Meter: 1; Law Enforcement Only Presenters: Tony Onstad, Senior Special Agent/national Program Manager, Department of Homeland Security, Immigration and Customs Enforcement (DHS-ICE), Homeland Security Investigations, national Security Unit; Michael Godfrey, DHS-ICE This presentation discusses techniques used in the surveillance, collection and the analysis of data collected in WiFi investigations. Two successful ICErelated WiFi investigations case studies are then discussed that involve the suspects use of open WiFi networks to manage their Internet-based fraudulent identification document manufacturing/distribution business and Internet based counterfeit software distribution business. Jihadists interests in WiFi hacking and use of WiFi are also discussed. The indicators

Wireless incident response, investigating a Wireless breach


Thursday, 0830-0920; Location: Dunwoody; Track: Forensics; Geek Meter: 2 Presenter: Michael Raggo, Product Manager & Lead Security Researcher, Motorola AirDefense This presentation explains how to investigate a compromise to a corporate network as a result of a wireless exposure. A plethora of sources of information are reviewed, including analysis of online and offline logs, network captures and examination of firewall and wireless IDS/IPS data. Through the analysis and replays of the steps leading up to the compromise (intrusions and extrusions), the presentation then explains the process of identifying the compromised systems and data. New attack vectors and enhancements to Metasploit point toward increased attacks against
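The NTFS time-stamp session at the top of this section contrasts the Standard Information Attribute with the File Name Attribute and warns that these stamps can be manipulated. As an added worked example (this is not code from the conference program or from any presenter), the following Python decodes the four FILETIME values in each attribute body and applies two common checks for tampering. The attribute bodies are constructed test data, the record offsets are the documented NTFS layout, and the indicator thresholds are this example's own assumptions rather than rules from the presentation.

```python
"""
Added example, not code from the conference program or the presenter: decode the
time-stamps held in the $STANDARD_INFORMATION and $FILE_NAME attributes of an
NTFS MFT record and check them against each other. The attribute bodies used
below are constructed test data, not a real MFT record.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns intervals
STAMPS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; ticks below 1 us are dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime for an aware datetime."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def parse_standard_information(body: bytes) -> dict:
    """$STANDARD_INFORMATION (type 0x10): four little-endian FILETIMEs at offset 0 of the body."""
    if len(body) < 32:
        raise ValueError("$STANDARD_INFORMATION body too short")
    return dict(zip(STAMPS, struct.unpack_from("<4Q", body, 0)))


def parse_file_name(body: bytes) -> dict:
    """$FILE_NAME (type 0x30): 8-byte parent directory reference, then the same four FILETIMEs."""
    if len(body) < 40:
        raise ValueError("$FILE_NAME body too short")
    return dict(zip(STAMPS, struct.unpack_from("<4Q", body, 8)))


def timestomp_indicators(si: dict, fn: dict) -> list:
    """
    Heuristics only (the thresholds are this example's assumptions). $SI stamps are
    what Explorer shows and what SetFileTime() rewrites; $FN stamps are maintained by
    the kernel and are not reachable through that API, so the two normally agree.
    """
    findings = []
    for name in STAMPS:
        # user-mode tools that set times usually supply whole seconds, leaving the
        # 100 ns fraction at zero, something the kernel itself rarely produces
        if si[name] % TICKS_PER_SECOND == 0:
            findings.append(f"{name}: $SI value has no sub-second component")
    for name in ("created", "modified"):
        if si[name] < fn[name]:
            findings.append(f"{name}: $SI predates $FN")
    return findings


def sample_record() -> tuple:
    """Constructed attribute bodies: the $SI creation stamp has been backdated, $FN has not."""
    utc = timezone.utc
    real_created = datetime_to_filetime(datetime(2011, 1, 20, 9, 15, 30, tzinfo=utc)) + 1234567
    real_modified = real_created + 35 * TICKS_PER_SECOND
    fake_created = datetime_to_filetime(datetime(2009, 1, 5, 12, 0, 0, tzinfo=utc))
    si_body = struct.pack("<4Q", fake_created, real_modified, real_modified, real_modified)
    fn_body = b"\x00" * 8 + struct.pack("<4Q", real_created, real_modified, real_modified, real_modified)
    return si_body, fn_body


def analyze(si_body: bytes, fn_body: bytes) -> dict:
    """Decode both attributes and return human-readable stamps plus any indicators."""
    si, fn = parse_standard_information(si_body), parse_file_name(fn_body)
    return {
        "si": {k: filetime_to_datetime(v).isoformat() for k, v in si.items()},
        "fn": {k: filetime_to_datetime(v).isoformat() for k, v in fn.items()},
        "findings": timestomp_indicators(si, fn),
    }


if __name__ == "__main__":
    for key, value in analyze(*sample_record()).items():
        print(key, value)
```

Both checks are indicators, not proof: archive extractors, backup restores and copy tools that preserve times also write $SI through SetFileTime() and produce exactly these patterns, which is why the session frames manipulation as intentional or inadvertent. The $FN stamps are refreshed from $SI on rename or move, so the comparison is most telling on files that have stayed in one directory.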
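The Windows Memory Forensics session above describes rootkits hiding processes through Direct Kernel Object Manipulation and memory analysis exposing them. As an added example (not code from the conference program or from the presenter), the following Python builds a toy "memory image" with a circular doubly linked process list, unlinks one object the way a DKOM rootkit does, and shows the cross-view comparison that detects it: a carver that finds objects by their allocation tag still sees what the list walk no longer does. The record layout, pool tag and sample processes are invented for this example, and the tag-zapping step is one illustrative anti-forensic variant assumed here, not a technique taken from the talk.

```python
"""
Added example, not code from the conference program or the presenter: a toy model
of Direct Kernel Object Manipulation (DKOM) and of the cross-view comparison memory
analysis tools use to expose it. The "kernel memory" is a constructed bytearray
holding invented process objects; the record layout and pool tag are this
example's own and do not match real Windows structures.
"""
import struct

REC = struct.Struct("<4sIII16s")   # tag, pid, flink, blink, name
POOL_TAG = b"Proc"                 # invented allocation tag a carver keys on
IMAGE_SIZE = 4096
HEAD_OFF = 0                       # 4-byte offset of the first object in the list

SAMPLE_PROCS = [                   # constructed sample: (offset, pid, name) in list order
    (0x100, 4, "System"),
    (0x200, 612, "svchost.exe"),
    (0x300, 1337, "evil.exe"),
    (0x400, 2048, "explorer.exe"),
]


def _read(mem, off):
    tag, pid, flink, blink, name = REC.unpack_from(mem, off)
    return {"off": off, "tag": tag, "pid": pid, "flink": flink,
            "blink": blink, "name": name.rstrip(b"\0").decode()}


def _write(mem, off, pid, flink, blink, name, tag=POOL_TAG):
    REC.pack_into(mem, off, tag, pid, flink, blink, name.encode())


def build_image(procs=SAMPLE_PROCS):
    """Lay the objects out as a circular doubly linked list with the head pointer at HEAD_OFF."""
    mem = bytearray(IMAGE_SIZE)
    n = len(procs)
    for i, (off, pid, name) in enumerate(procs):
        _write(mem, off, pid, procs[(i + 1) % n][0], procs[(i - 1) % n][0], name)
    struct.pack_into("<I", mem, HEAD_OFF, procs[0][0])
    return mem


def walk_list(mem):
    """List view (what Task Manager or a 'pslist'-style plugin sees): follow flink from the head."""
    start = struct.unpack_from("<I", mem, HEAD_OFF)[0]
    pids, off = [], start
    while True:
        obj = _read(mem, off)
        pids.append(obj["pid"])
        off = obj["flink"]
        if off == start or len(pids) > IMAGE_SIZE // REC.size:  # guard against a corrupted loop
            return pids


def scan_pool(mem):
    """Carving view (a 'psscan'-style plugin): find every object by its tag, ignoring the links."""
    return [_read(mem, off)["pid"]
            for off in range(0, len(mem) - REC.size + 1, 4)
            if mem[off:off + 4] == POOL_TAG]


def dkom_unlink(mem, off):
    """Rootkit side: splice the object at 'off' out of the list; the object itself stays in memory."""
    obj = _read(mem, off)
    prev, nxt = _read(mem, obj["blink"]), _read(mem, obj["flink"])
    _write(mem, prev["off"], prev["pid"], obj["flink"], prev["blink"], prev["name"])
    _write(mem, nxt["off"], nxt["pid"], nxt["flink"], obj["blink"], nxt["name"])
    # point the hidden object's links at itself so kernel code that touches them keeps working
    _write(mem, off, obj["pid"], off, off, obj["name"])


def dkom_zap_tag(mem, off):
    """Anti-forensic step (assumed for this example): destroy the tag the carver keys on."""
    mem[off:off + 4] = b"\0\0\0\0"


def hidden_processes(mem):
    """Cross-view detection: anything the carver finds that the list walk does not."""
    return sorted(set(scan_pool(mem)) - set(walk_list(mem)))


if __name__ == "__main__":
    image = build_image()
    print("clean   :", walk_list(image), scan_pool(image), hidden_processes(image))
    dkom_unlink(image, 0x300)
    print("unlinked:", walk_list(image), scan_pool(image), hidden_processes(image))
    dkom_zap_tag(image, 0x300)
    print("zapped  :", walk_list(image), scan_pool(image), hidden_processes(image))
```

The last step is the point the session abstract makes: once the attacker also corrupts what the carver keys on, a scanner that relies on a single signature goes blind, which is why production tools validate several fields of each candidate object and cross-reference more than two views (thread lists, handle tables, session structures) rather than trusting one tag.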

U.S. DEPARTMENT OF DEFENSE CYBER CRIME CONFERENCE 2011 | Cyber Hunters: Predators and Prey... |

49

SPEAKER BIOGRAPHIES | PLENARY SESSION


Ovie L. Carroll
Director, CCIPS Cybercrime Lab, U.S. Department of Justice

Ovie Carroll has 24 years of law enforcement experience, 20 of which he spent as a law enforcement officer/federal agent. He is currently the Director for the Department of Justice Cybercrime Lab at the Computer Crime and Intellectual Property Section (CCIPS). The Cybercrime Lab is responsible for providing cybercrime investigative, computer forensic and other technical support to DOJ attorneys as it applies to implementing the Department's national strategies in combating computer and intellectual property crimes worldwide. Mr. Carroll is also an adjunct professor with George Washington University, teaching two classes, Cyber Crime/Internet Investigations and Interview and Interrogation, in the Master of Forensic Science program. Mr. Carroll is an instructor and course developer with the SANS Institute, where he teaches the Digital Forensic 408 class. Prior to joining the Department of Justice, Mr. Carroll was the Special Agent in Charge of the Technical Crimes Unit at the Postal Inspector General's Office, responsible for all computer intrusion investigations within the USPS network infrastructure and for providing all computer forensic analysis in support of investigations and audits. Within the Technical Crimes Unit, Mr. Carroll was also responsible for managing the Technical Surveillance Section, whose mission included the deployment, installation and monitoring of technical surveillance equipment, and surveillance and tracking devices used to track people and devices in support of criminal investigations. Mr. Carroll has also served as the Special Agent in Charge of the Computer Investigations and Operations Branch, Air Force Office of Special Investigations, Washington Field Office, where he was responsible for coordinating all national-level computer intrusions occurring within the United States Air Force. He has extensive field experience applying his training to a broad variety of investigations and operations. As a special agent with AFOSI, Mr. Carroll has also worked as a computer intelligence agent and in resource protection, where he protected highly classified information, physical devices and operations. In addition to his career fighting computer crime, Mr. Carroll has led and assisted in the planning and conduct of counterintelligence inquiries and has conducted investigations into a variety of offenses including murder, fraud, bribery, theft, gangs and narcotics.

William P. "Bill" Eber
Director, Defense Cyber Crime Institute (DCCI)

Bill Eber is the Director of the Defense Cyber Crime Institute (DCCI) at the Department of Defense Cyber Crime Center (DC3). DCCI serves as the RDT&E element within DC3, providing research and development support as well as testing and evaluation services for the Defense Computer Forensics Laboratory (DCFL). Mr. Eber has a Bachelor's degree in Mathematics and a Master's degree in Advanced Information Technology and has served in numerous capacities within the Intelligence Community over the past 28 years. Prior to assuming his current position, Mr. Eber served as a Technical Director within the Information Assurance Directorate at NSA.

Don Flynn
Attorney Advisor, Department of Defense Cyber Crime Center (DC3)

Don Flynn is the Attorney Advisor for the Department of Defense Cyber Crime Center. His duties consist of developing and teaching computer law-related classes at the DoD Cyber Investigations Training Program, as well as providing legal counsel for that organization, the DoD Computer Forensic Laboratory, the DoD Cyber Crime Institute, the National Cyber Investigative Joint Task Force Analytical Group, and the DoD-DIB Collaborative Information Sharing Environment. A retired Air Force officer, he also is an adjunct faculty member for the Johns Hopkins University Carey School of Business, where he teaches classes concerning digital forensics.

Randolph Georgieff
Team Lead, Digital Forensic Intelligence (DFI) Team, Futures Exploration Section, Department of Defense Cyber Crime Center (DC3)

Randolph Georgieff has 20 years of experience, both in law enforcement and as a Digital Forensics Examiner (DFE) at DC3. He is currently working on digital forensics projects at the DC3 Futures Exploration Section, serving as team lead for the DC3 Digital Forensics Challenge (http://www.dc3.mil/challenge/), working with the secure Law Enforcement Community Portal and the National Repository for Digital Forensic Intelligence (NRDFI) (https://www.nrdfi.net/), and exploring and testing new digital forensic tools and processes with the DF vendor community. Mr. Georgieff coordinates with academia and other digital forensic professionals on finding solutions to the latest DFE challenges.

SA (Ret.) Jim Christy
Director of Futures Exploration (FX), Department of Defense Cyber Crime Center (DC3)

Jim Christy is a retired special agent who has specialized in cyber crime investigations and digital evidence for over 25 years of his 39 years of Federal service. Mr. Christy returned to the Federal government as an IPA and is currently the Director of Futures Exploration for the Defense Cyber Crime Center (DC3); he was profiled in Wired magazine in January 2007. From November 2003 to November 2006, Mr. Christy was Director of the Defense Cyber Crime Institute (DCCI) at DC3. The DCCI is responsible for the research and development and test and evaluation of forensic and investigative tools for the DoD Law Enforcement and Counterintelligence organizations. FX also is charged with intelligence analysis, outreach and strategic relationships for DC3. Mr. Christy is a retired Air Force Office of Special Investigations computer crime investigator. He consulted with David Marconi (author of Enemy of the State, Mission Impossible 2 and Live Free or Die Hard) and provided technical advice on the critical infrastructure attacks used in the movie Live Free or Die Hard. The Association of Information Technology Professionals awarded Mr. Christy the 2003 Distinguished Information Science Award for his outstanding contribution through distinguished services in the field of information management. Previous recipients of this prestigious award include Admiral Grace Hopper, Gene Amdahl, H. Ross Perot, General Emmett Paige, Bill Gates, Lawrence Ellison, David Packard and Mitch Kapor.




John Lynch
Principal Deputy Chief, Computer Crime and Intellectual Property Section (CCIPS)

John T. Lynch, Jr. was appointed as the Principal Deputy Chief in the Computer Crime and Intellectual Property Section (CCIPS) in November 2010. Prior to that, he served as the Deputy Chief for Computer Crime beginning in September 2006. Mr. Lynch entered the Department's Civil Division through the Attorney General's Honors Program in 1995 and has served in the Criminal Division at CCIPS since 1997. He joined the section as a Trial Attorney before he became Senior Counsel, Litigation Coordinator, and then Deputy Chief. During his time at CCIPS, Mr. Lynch has developed expertise on computer crime and cyber security. He regularly gives assistance and guidance to AUSAs and law enforcement agents in complex investigations involving computer crimes and electronic evidence collection. He has also advised senior Department officials on all aspects of cybercrime and cyber security policy and legislation. He has also contributed to CCIPS's international work, most notably as a member of the team negotiating the first multilateral treaty on computer crime at the Council of Europe, for which the team received the Attorney General's Distinguished Service Award in 2002. He received his B.A. from the University of Rochester and his law degree from Cornell Law School.

Albert "Al" Rees Jr.
Trial Attorney, Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice

Al Rees is a Trial Attorney in the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice, in Washington, D.C. CCIPS is responsible for implementing the Justice Department's national strategies in combating computer and intellectual property crimes worldwide. Section attorneys investigate and prosecute cyber crime and help to develop law and infrastructure to fight it. To pursue network criminals effectively, CCIPS works closely with other government agencies, the private sector and foreign counterparts. Mr. Rees is also an adjunct law professor at Georgetown University in Washington, D.C., where he teaches Law and Measures Against International Terrorism. He served on active duty as a United States Air Force Judge Advocate and remains in the Air Force Reserve. Mr. Rees has presented law programs to government officials, military officers, investigators, prosecutors, judges, journalists and law students in the U.S. and 25 countries abroad.

The Honorable Howard A. Schmidt, CISSP, CSSLP
Special Assistant to the President and Cybersecurity Coordinator

The Honorable Howard Schmidt has had a distinguished career in defense, law enforcement and corporate security spanning more than 40 years. He brings together talents in business, defense, intelligence, law enforcement, privacy, academia and international relations. He currently is Special Assistant to the President and the Cybersecurity Coordinator for the federal government. In this role, Mr. Schmidt is responsible for coordinating interagency cybersecurity policy development and implementation and for coordinating engagement with federal, state, local, international and private sector cybersecurity partners. Previously, Mr. Schmidt was the President and CEO of the Information Security Forum (ISF). Before ISF, he served as Vice President and Chief Information Security Officer and Chief Security Strategist for eBay Inc. He also served as Chief Security Strategist for the US-CERT Partners Program for the Department of Homeland Security. Before eBay, he served as the Vice Chair of the President's Critical Infrastructure Protection Board and as the Special Adviser for Cyberspace Security for the White House. Prior to serving the White House, Mr. Schmidt was Chief Security Officer for Microsoft Corp., where his positions included Chief Information Security Officer and Chief Security Officer, and where he formed and directed the Trustworthy Computing Security Strategies Group. Before Microsoft, Mr. Schmidt was a supervisory special agent and director of the Air Force Office of Special Investigations (AFOSI) Computer Forensics Lab and Computer Crime and Information Warfare Division. While there, he established the first dedicated computer forensics lab in the government and was responsible for criminal and counterintelligence investigations against Department of Defense systems. Before AFOSI, Mr. Schmidt was with the FBI at the National Drug Intelligence Center, where he headed the Computer Exploitation Team. He is recognized as one of the pioneers in the field of computer forensics and computer evidence collection. Before working at the FBI, Mr. Schmidt was a city police officer from 1983 to 1994 for the Chandler Police Department in Arizona. Mr. Schmidt served with the U.S. Air Force in various roles from 1967 to 1983, both in active duty and in the civil service. He served in the Arizona Air National Guard as a computer communications specialist from 1989 until 1998, when he transferred to the U.S. Army Reserves as a Special Agent, Criminal Investigation Division, serving until 2010 with the computer crime investigations unit at CID HQ. Mr. Schmidt also served as the international president of the nonprofit Information Systems Security Association (ISSA) and was the cofounder and first president of the Information Technology Information Sharing and Analysis Center (IT-ISAC). He was the Vice-Chair of the Board of Directors for (ISC)2 and Security Strategist for the Board. He is a former executive board member of the International Organization on Computer Evidence, and served as the co-chairman of the Federal Computer Investigations Committee. He is a member of the American Academy of Forensic Sciences. He has served as a board member for the Cyber Crime Advisory Board of the National White Collar Crime Center. He served as an augmented member to President Clinton's Committee of Advisors on Science and Technology (PCAST) in the formation of an Institute for Information Infrastructure Protection (I3P). He has testified before Congressional committees, written books on cybersecurity and received numerous awards, including the CSO Magazine Compass Award, Baseline Magazine's "The 50 Most Influential People in Business IT," and the Federal 100 Award, to name just a few.

Alan Paller
Director of Research, SANS Institute

Alan Paller is founder and research director of the SANS Institute, a graduate degree-granting college and security training and research institution with more than 120,000 alumni in 70 countries. At SANS, he leads a global security innovation program that identifies people and practices that have made a measurable difference in cyber risk reduction, and illuminates those innovations so other security practitioners can take full advantage of them to improve security in their enterprises. He also oversees the Internet Storm Center (an early warning system for the Internet), NewsBites, the semi-weekly security news summaries that go to 210,000 people, @RISK (the authoritative summary of all critical new vulnerabilities discovered each week), and the identification of the most damaging new attacks being discovered each year. He has testified before both the U.S. Senate and House of Representatives. President Clinton recognized his leadership in the year 2000 by naming him as one of the initial members of the President's National Infrastructure Assurance Council. The Office of Management and Budget and the Federal CIO Council named Alan as their 2005 Azimuth Award winner, a singular lifetime achievement award recognizing outstanding service of a non-government person to improving federal information technology. Mr. Paller was one of seven people named by the Washington Post in 2010 as "worth knowing, or knowing about" in cyber security. The list included General Alexander, who heads the U.S. Cyber Command, Howard Schmidt, the White House Cyber Coordinator, and other national leaders. Earlier in his career Mr. Paller helped build a software company, took it public and merged it into a larger company listed on the New York Stock Exchange. His degrees are from Cornell University and the Massachusetts Institute of Technology.

Jeffrey L. Troy
Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation

Mr. Troy joined the FBI as a Special Agent in 1986. Mr. Troy served in the Pittsburgh and New York offices investigating cyber, public corruption and financial criminal matters. As a manager he has served in Wilmington, Delaware and Milwaukee, Wisconsin, establishing and enhancing the Cyber Crime Programs and Cyber Crime Task Forces. Mr. Troy manages the Cyber National Security and Cyber Criminal Programs. Mr. Troy has worked aggressively to build strong domestic and international cyber law enforcement partnerships through collocation of investigative, data collection and analytical resources, joint investigations, and development of threat mitigation strategies.

Special Agent Steven D. Shirley
Executive Director, Department of Defense Cyber Crime Center (DC3)

Special Agent Steven Shirley is Executive Director for the Department of Defense Cyber Crime Center (DC3), a national cyber center incorporating five organizations: the Defense Computer Forensics Laboratory, the Department of Defense's only accredited lab for conducting deep forensic examinations of electronic media; the Defense Cyber Investigations Training Academy, a training center to create DoD cyber crime investigators and digital forensic examiners; the Defense Cyber Crime Institute, which performs research, development, test and validation for software and hardware in forensic applications; the National Cyber Investigative Joint Task Force/Analytical Group, an interagency collaboration; and the Defense Industrial Base Collaborative Information Sharing Environment, the DoD clearinghouse and focal point for the referral of intrusion events affecting the Defense Industrial Base. DC3 operates under the executive agency of the Secretary of the Air Force. Mr. Shirley served in the Air Force, where he commanded counterintelligence, antiterrorism and investigative operations at every level of the Air Force. He was also a counterintelligence support officer to a unified command, and on the Office of the Secretary of Defense staff, where he developed positions to protect DoD sensitive programs during arms control treaty inspections. In 2004, Mr. Shirley retired from the Air Force at the rank of colonel and was appointed to the Senior Executive Service. Prior to assuming his current position, he was the Vice Commander, Air Force Office of Special Investigations.

Special Agent William A. Yurek
Senior Counsel, U.S. Department of Justice

William Yurek is a Special Agent and Cyber Program Manager at the Defense Criminal Investigative Service. He also serves as the DCIS representative to the National Cyber Investigative Joint Task Force. Before working for DCIS, Mr. Yurek was a Senior Counsel in the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice in Washington, D.C. He recently completed military service in the Air Force Office of Special Investigations as the senior military representative to the U.S. National Cyber Investigative Joint Task Force. Mr. Yurek has also been a Senior Counsel in the Enforcement Division of the U.S. Securities and Exchange Commission, where he conducted the first investigation and prosecution of an Internet stock manipulation scheme in SEC history. Mr. Yurek was a Team Leader and Investigator for the U.S. House of Representatives Select Committee on National Security and the People's Republic of China. He was a Special Assistant U.S. Attorney in the Eastern District of Virginia, the Central District of California, the Southern District of Florida and the District of Columbia. He also served as Counsel and Deputy Director of the Washington, D.C., area Joint Cyber Task Force. Mr. Yurek began his law enforcement career as a Special Agent in the U.S. Air Force Office of Special Investigations. In that position, he investigated felony criminal offenses including terrorism, fraud, narcotics, espionage and computer crime. He is a DoD-certified computer crime investigator and remains a reserve special agent with AFOSI today, assigned to the Office of the Director, Defense Cyber Crime Center.

Lieutenant Colonel Cindy Stanley
Deputy Staff Judge Advocate, AFOSI

Lieutenant Colonel Cindy Stanley is the Deputy Staff Judge Advocate for the Air Force Office of Special Investigations. She has served in various positions including staff judge advocate, deputy staff judge advocate, area defense counsel and executive officer. Colonel Stanley was recognized as Air Combat Command's 2004 Outstanding Deputy Staff Judge Advocate of the Year and was the 2005 12th Air Force Outstanding Judge Advocate. She is admitted to practice law before the Supreme Court of Nebraska and the United States Court of Appeals for the Armed Forces.


SPEAKER BIOGRAPHIES | BREAKOUT SESSIONS


senior staff scientist aTC-nY Dr. Frank Adelstein is a senior staff scientist at ATC-Ny, in Ithaca, NY, and provides oversight and guidance to projects at ATC-Ny relating to computer security. His areas of expertise include digital forensics, intrusion detection, networking and wireless systems. He has coauthored a book on mobile and pervasive computing. He received his GIAC Certified Forensic Analyst certification in 2004. Dr. Adelstein is the vice-chair of the Digital Forensics Research Workshop (DFRWS). He is the principal investigator on the NIJ-funded project that created P2P Marshal, a popular forensic tool now used by law enforcement in all 50 states and around the world. He has also worked in the area of live forensics, resulting in the Online Digital Forensic Suite. software engineer department of defense Cyber Crime institute (dCCi) Jason Agurkis is the worlds tallest man. Okay, so that may not be true. Actually, Jason is a software engineer working for Cipher Tech Solutions, Inc. He worked on image processing and device automation of microscopes for polony DNA sequencing at Harvard Medical School before joining the Cipher Tech digital forensics team. Mr. Agurkis experience includes both software and web development, and he is fluent in multiple computer languages. Currently, he is working on development and optimization of DCCI_ICV, an image processing tool for the Department of Defense Cyber Crime Center (DC3). senior Computer network operations policy analyst information assurance Technology analysis Center Rick Aldrich is the Senior Computer Network Operations Policy Analyst for the Information Assurance Technology Analysis Center, a Lead Associate for Booz Allen Hamilton, and a consultant to the DoD CIOs office and the defense-wide Information Assurance Program. He was a lead participant in the 18-month effort to rewrite the banner and user agreement. 
He has been awarded several grants by the Institute for National Security Studies to study the legal and policy implications of cybercrime and information warfare. He has multiple publications in this field, including a chapter on information warfare in a national textbook on National Security Law. He has presented at several national and international conferences including the High Technology Crime Investigation Associations International Conference and Expo, IANS, Infowarcon, SANSFIRE, FiestaCrow, the DoD Cyber Crime Conference, the DoD Information Assurance Symposium, a conference on Arms Control in Cyberspace in Berlin, Germany, and a forum on cyberterrorism in Bogota, Colombia. He holds a Bachelor of Science degree in Computer Science from the u.S. Air Force Academy, a Juris Doctor from uCLA, and a Masters of Law in Intellectual Property Law from the university of Houston. Cybercrime strategist and director of public sector initiatives Mcafee Dmitri Alperovitch leads McAfees internet threat intelligence analysis, correlation and visualization, as well as the development of real-time, in-thecloud Global Threat Intelligence (GTI) services. With more than a decade of experience in the field of information security, Mr. Alperovitch is a leading

frank adelstein, ph.d.

Jason p. agurkis

inventor of numerous patented and patent-pending technologies and has conducted extensive research on reputation systems, spam detection, public-key and identity-based cryptography, and network intrusion detection and prevention. As a recognized authority on online organized criminal activity, cyber warfare and cybersecurity, Mr. Alperovitch has significant experience working as a subject matter expert with all levels of u.S. and international law enforcement on analysis, investigations and profiling of transnational organized criminal activities and cyberthreats from terrorist and nation-state adversaries. He is frequently quoted as an expert source in national media outlets, including The Associated Press, NBC, The New york Times, uSA Today and The Washington Post. Prior to joining McAfee, Mr. Alperovitch led the research team and the software-asa-service business at Secure Computing. He is a frequent speaker and panelist at law enforcement, academic and leading security industry conferences.
Erica Andren
Senior Manager, BAE Systems
Erica Andren is a Senior Manager for BAE Systems, where she is responsible for establishing cyber analysis capabilities at the enterprise level. Prior to joining BAE Systems, she was the Director of Operations for Detachment 1 of the 318th Information Operations Group of the 688th Information Operations Wing (formerly known as the Air Force Information Operations Center) and liaison to the Department of Defense (DoD) Cyber Crime Center (DC3). At DC3 she established a counterintelligence cell in the National Cyber Investigative Joint Task Force and was the Director of the DoD-Defense Industrial Base Collaborative Information Sharing Environment, the first-ever successful collaboration between the U.S. government and the defense industry. She has also served in various Air Force intelligence officer positions, including Senior Watch Officer, Command Briefer, Flight Commander and then Intelligence Systems Chief for U.S. Air Forces Central. She has deployed in support of Operations SOUTHERN WATCH, ENDURING FREEDOM and IRAQI FREEDOM. Ms. Andren holds a Bachelor of Science in Physics from the United States Air Force Academy and a Master of Library and Information Science from the University of South Carolina.

Brian Andrzejewski
Digital Forensics Team, Outreach, Webmaster, Department of Defense Cyber Crime Center/Futures Exploration (DC3/FX)
Brian Andrzejewski is a ManTech SMA employee currently assigned to the DoD Cyber Crime Center, Futures Exploration (DC3/FX). He comes to the Department of Defense with over 15 years of IT experience as a consultant, technician, web developer, systems analyst, network administrator and project manager, and in procurement and informatics, in the residential, education, commercial and healthcare industries. Mr. Andrzejewski's current duties include serving as webmaster for DC3's websites and Outreach, and as project lead for the National Repository for Digital Forensics Intelligence (NRDFI). He also supports the development and administration of the DC3 Digital Forensics Challenge. Mr. Andrzejewski is a Microsoft Certified System Administrator (MCSA) and Apple Certified Support Professional (ACSP), with training as an Accredited Purchasing Practitioner (APP), a Six Sigma Black Belt, and a Cisco Certified Network Associate (CCNA). He is actively pursuing certification as a DoD Certified Basic Digital Forensic Examiner. He holds a Bachelor of Science degree in Computer Information Systems from Towson University and an Associate of Arts degree in Computer Information Systems from Harford Community College. In his spare time, he is known to modify hardware and his car, operate as a designated Curio and Relics collector and play competitive, team-based online video games.

Rob Attoe
Director, Public Sector Training, AccessData Corporation
Rob Attoe is Director, Public Sector Training, at AccessData Corporation. As an instructor for AccessData, he develops digital forensics and decryption training solutions for local, state, federal and international law enforcement agencies, as well as worldwide corporate entities involved in the prevention, investigation and prosecution of high-technology crime. Integral to this role is the coordination of custom curriculum and the management of federal and governmental programs worldwide, which relies heavily on his ability to liaise for federal training initiatives along with his expertise in training room and mobile lab hardware management. Prior to joining AccessData, Mr. Attoe served as a Computer Crime Specialist II in the Computer Crime Section of the National White Collar Crime Center (NW3C), located in Technology Park, Fairmont, WV. While presenting the Basic Data Recovery and Analysis (BDRA) and Advanced Data Recovery and Analysis (ADRA) courses, he worked extensively on the research and design for their development, implementation and maintenance. He was with the NW3C from October 2003 to June 2005. Mr. Attoe is a member of the International Association of Computer Investigative Specialists (IACIS), from which he obtained certification as a Forensic Computer Examiner in 2005 and recertified in 2008. He has also co-authored many digital forensics courses throughout the world, including the Applied NT Forensics class for the National Hi-Tech Crime Unit in the United Kingdom. Mr. Attoe has served as an instructor at the annual IACIS conference and regularly presents at other international conferences and organized events such as the HTCIA, DoD and Cybercrime events.

Ashar Aziz
Founder and CEO, FireEye, Inc.
Ashar Aziz holds over 20 patents in networking, network security and datacenter virtualization. Mr. Aziz founded Terraspring, which was successfully acquired by Sun Microsystems in 2002, after which he became CTO of the company's N1 program. Before launching Terraspring, Mr. Aziz was a distinguished engineer at Sun, focused on networking and network security. He is a leading authority on botnets and other rampant malware and often speaks at business and industry forums. Mr. Aziz holds an S.B. in Electrical Engineering and Computer Science from MIT and an M.S. in Computer Science from the University of California, Berkeley, where he was a recipient of the UC Regents Fellowship. His past speaking engagements include ISSA/InfraGard Cornerstones of Trust 2010; US-CERT GFIRST 2009; ISACA Information Security and Risk Management Conference 2009; DoD Cyber Crime 2009; DoD Phoenix Challenge 2009; DeVenCI Conference 2009; RSA 2007 (Peer-2-Peer session host); Internet2 Joint Techs conference, January 2008; InfraGard/FBI Conference, February 2008; and the Morgan Stanley CTO Summit, June 2008.

U.S. DEPARTMENT OF DEFENSE CYBER CRIME CONFERENCE 2011 | Cyber Hunters: Predators and Prey... | 55

SPEAKER BIOGRAPHIES | BREAKOUT SESSIONS

Fredrick Barry Jr.
Computer Engineer, DC3
Fred Barry is a General Dynamics Advanced Information Systems employee currently assigned to the Department of Defense Cyber Crime Institute (DCCI), a division of the Defense Cyber Crime Center (DC3). Mr. Barry's current duties include conducting research, testing software and hardware, and evaluating software tools that support the digital forensic investigations conducted at the Defense Computer Forensics Laboratory (DCFL). Mr. Barry uses his expertise in computer networks and network-based communication to support the DCCI software development network, intranet communications system and other DCCI equipment. Prior to working for General Dynamics, Mr. Barry was on active duty with the United States Air Force, primarily at Vandenberg Air Force Base in California. His duties included the design, creation and support of software used by Air Force Space Command instructors, who trained students not only in the fundamental skills required of all enlisted Air Force Space personnel but also in the specialized training required by those assigned to the Satellite Operations, Space Surveillance, Ground-based and Space-based Missile Warning, and Space Control career fields. Mr. Barry is a graduate of the Community College of the Air Force and a Cisco Certified Network Associate. In 2011 Mr. Barry will be enrolling in a degree program to further his education in Computer Science and Computer Security.

Paul Bartruff
Senior Engineer, SAIC
Paul Bartruff is an Information Security Engineer, providing incident response, forensic analysis and reverse engineering capabilities within SAIC's forensics lab. Mr. Bartruff began his career as a Sonar Technician in the United States Navy, which broadened his experience and put him on a path toward his interests. After nine years of service, he left active duty to pursue his education; however, he entered the information security domain as a reserve Cryptologic Technician. After the Navy, Mr. Bartruff worked for Lockheed Martin as an incident responder, providing incident response and malware analysis on a customer contract. He was fortunate to work with professionals who shared their knowledge and mentored him, allowing him to learn a great deal in a short period of time. Mr. Bartruff has a natural desire to understand how things work, wants to continue learning and has (finally) found what he likes to do. He has a passion for code analysis and spends his free time reading computer security books (currently the freely available Intel Architecture Software Developer's Manuals).

Brian Baskin
Deputy Lead Technical Engineer, Defense Cyber Investigations Training Academy (DCITA)
Brian Baskin is a digital forensics professional with cmdLabs. He devotes much of his time to Linux and Unix forensics, evolving internet crimes, malware analysis and network protocol analysis. He was formerly the Deputy Lead Technical Engineer with the Defense Cyber Investigations Training Academy (DCITA), part of the Department of Defense Cyber Crime Center (DC3), for over ten years. He has also authored and co-authored seven computer security books with Syngress Publishing.

Sanjay "Jay" Bavisi
Co-Founder, EC-Council
Jay Bavisi is the President and Co-Founder of EC-Council, the world's largest technical information security education, training and certification organization. Formed following the 9/11 attacks, EC-Council addresses issues of cyber terrorism raised at the forefront of the security of nations at large. It is the owner and developer of the world-famous Certified Ethical Hacker (C|EH), Computer Hacking Forensic Investigator (C|HFI), Certified Security Analyst (E|CSA) and Licensed Penetration Tester (L|PT) programs. Mr. Bavisi led the efforts in establishing the partnership with the International Telecommunications Union (ITU), an arm of the United Nations, via the International Multilateral Partnership Against Cyber Threats (IMPACT) to develop sustainable knowledge and capabilities in information security awareness among government agencies in 194 member countries. An information security evangelist and architect, he regularly shares his insights with law- and policy-makers at international conferences and seminars such as the Department of Homeland Security's Software Assurance (SwA) Forum, Interop Las Vegas, CSI, Techno Security and Techno Forensics. Mr. Bavisi was also Chairman of the Keynote Hackers Panel at Infosecurity Europe 2008/2010, the Closing Keynote Speaker for the ITWeb Security Summit, South Africa, and the combined Keynote Speaker for Techno Security/Hacker Halted USA 2008, among others. His key expertise is in the areas of Ethical Hacking, Information Assurance and Computer Forensics, with a special focus on the government space.

Randy Becker
Project Coordinator, NIJ Electronic Crime Technology Center of Excellence
Randy Becker is a retired twenty-nine-year veteran of the Oregon State Police. He has extensive computer forensics training and was assigned to the High Technology and Computer Crimes Unit for five years prior to retirement. During his assignment to the Computer Crimes Unit, Randy investigated high-technology crimes and conducted computer examinations for city, county, state and federal agencies, completing over 200 computer forensics cases that involved the examination of over 300 hard drives and over 2,600 pieces of removable media. Randy has testified as a computer forensics expert in the Klamath, Coos and Jackson County, Oregon, Circuit Courts. He holds a Certified Computer Forensic Examiner certification issued by the International Association of Computer Investigative Specialists (IACIS). Randy is a former IACIS Board of Directors member, and he developed the 2003 certification problem set that IACIS students used to complete their CFCE certification process. He has developed computer forensics training and assisted with the development of cell phone forensics training. He has provided training to state, local and federal law enforcement officers, as well as to international law enforcement personnel. Randy works for a company that designs and develops specialized software used worldwide in the field of data recovery. Randy is now employed by the Electronic Crimes Technology Center of Excellence as Program Coordinator.

Richard Bejtlich
Director of Incident Response, General Electric
Richard Bejtlich is Director of Incident Response for General Electric and leader of the GE Computer Incident Response Team (GE-CIRT, www.ge.com/cirt). Prior to joining GE, Mr. Bejtlich operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's incident response team, and monitored client networks for Ball Corporation. Mr. Bejtlich began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC) and Air Intelligence Agency (AIA). He is a graduate of Harvard University and the United States Air Force Academy. He wrote The Tao of Network Security Monitoring and Extrusion Detection, and coauthored Real Digital Forensics. He also writes for his blog (taosecurity.blogspot.com) and teaches for Black Hat.

Jonathan Bennett
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Jonathan Bennett is an employee of CSC assigned to the Defense Cyber Investigations Training Academy (DCITA) as an instructor and curriculum developer for DCITA's Technology track. Prior to becoming an instructor, Mr. Bennett worked as a network and computer support technician at DCITA. Before coming to DCITA, he worked as a computer technician with a small computer support company. Mr. Bennett has completed a Bachelor's degree in Information Systems Management from University of Maryland University College, and holds the A+ and Security+ certifications from the Computer Technology Industry Association (CompTIA), the Microsoft Certified Professional (MCP) certification and the CISSP from the International Information Systems Security Certification Consortium, Inc. (ISC)2.

Keith D. Bertolino
Chief Executive Officer, Cipher Tech Solutions, Inc.
Keith Bertolino is the Chief Executive Officer and co-founder of Cipher Tech Solutions, Inc., a rapidly growing small business comprised of engineers and scientists supporting the defense and intelligence communities. Mr. Bertolino began his technical career in 2001 in IT support, building a company out of his parents' basement while in high school. His young company supported many law firms in the suburbs of New York City. As a college undergraduate, he became involved with the Department of Defense, working for DC3. At DC3, he specialized in custom software development and created several tools that are still being used by the Defense Computer Forensics Laboratory. Mr. Bertolino has also published two research papers: the first on wireless security and another on steganography jamming. His research generated international attention in 2008 when it was featured in the August issue of IEEE Spectrum.

56 | Conference and Exposition Produced by Technology Forums | www.GovernmentMeetings.com

Sean Bodmer
Senior Research Analyst, Damballa
Sean Bodmer is an active threat research analyst at Damballa specializing in the analysis of signatures and behaviors used by the botnet and blackhat community. He focuses his time on learning the tools, techniques and procedures behind attacks and intrusions related to various persistent threats. Mr. Bodmer has worked in several Information Systems Security roles for various firms and customers over the past decade across the United States. Most notably, he has spent several years performing black box penetration testing, incident response, and intrusion and intruder analysis for Fortune 100 companies, the Defense Department and other federal agencies. Mr. Bodmer has shared numerous accounts of his findings at industry conferences relating to the inner workings of advanced persistent threats (APTs). He has also lectured at industry conferences including Defcon, PhreakNIC, DC3, NW3C and Carnegie Mellon CERT, discussing his interest in analyzing and manipulating the minds and morale of persistent threats without their knowledge.

Steven Bolt
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Steven Bolt is a CSC employee supporting the Defense Cyber Crime Center's training academy as an Instructor/Course Developer in the Network Investigations Track. Prior to joining the DC3 team, Mr. Bolt gained extensive experience as an instructor with the SEARCH group, providing instruction to local, state and federal investigators in the field of cyber crime investigations. Prior to teaching, Mr. Bolt was a Senior Deputy Probation Officer, where he applied many of the tools and techniques of cyber investigations and digital field triage. He holds bachelor's degrees in Biological Sciences and in Criminal Justice, both from California State University, Sacramento. He also earned a Master of Science degree in National Security from the University of New Haven. Additionally, he holds the following computer industry certifications: EnCE, CISSP, CompTIA A+ and Network+.

John Bordwine
Public Sector CTO, Symantec Corporation
With over a decade of experience in the security industry, John Bordwine is widely recognized as an expert in his field. He is currently the public sector CTO at Symantec, where he focuses on the specific requirements and certifications needed to ensure security solution compliance for U.S. federal and state/local agencies. Mr. Bordwine serves as a trusted advisor, providing guidance on the development of products and solutions that meet government requirements and certifications, specifically with regard to public sector markets. His responsibilities include all technical activities related to public sector customers, and he provides guidance to other Symantec business units on specific public sector requirements. Prior to joining Symantec, Mr. Bordwine served as public sector CTO at McAfee and director of federal systems engineering at Enterasys Networks. He has spoken at numerous highly acclaimed security events, including SANS Institute events, FOSE, AFITC and U.S. government agency functions. He served in the U.S. Army Signal Corps, where his last assignment was with the White House Communications Agency.

Richard A. Boyd, Ph.D.
Senior Research Scientist, Georgia Tech
Richard Boyd is a senior research scientist at the Georgia Tech Research Institute. Dr. Boyd has over 13 years of professional software development experience. He has been the lead software engineer on projects involving mission planning and simulation, real-time rendering and GPU computing. He worked for Hughes Space and Communications (now Boeing Satellite Systems) prior to joining GTRI in 2000. Dr. Boyd has a Ph.D. in physics from the California Institute of Technology.

Sam Brothers
Digital Forensics Analyst, U.S. Customs and Border Protection
Sam Brothers is currently working for U.S. Customs and Border Protection as a Digital Forensics Examiner. He has been in the IT field for over 20 years and currently specializes in cell phone, GPS and computer forensics. He has been featured in USA Today and currently teaches Digital Forensic Analysis classes around the country for various U.S. law enforcement organizations. He also teaches, and helped develop, the only GPS Forensic certification in the world.

Kathleen Buonocore
Director, Regional Computer Emergency Response Team-CONUS (RCERT-CONUS)
Kathleen Buonocore assumed the position of Director, Regional Computer Emergency Response Team-CONUS (RCERT-CONUS), in December 2000. The mission of RCERT-CONUS is to provide for the computer network defense of active Army, National Guard and Army Reserve networks within CONUS. Prior to this assignment, she held positions in the RCERT-CONUS as incident handler, data analyst and section supervisor.

Dawn Cappelli, CISSP
Technical Manager, Software Engineering Institute/CERT
Dawn Cappelli is Technical Manager of CERT's Threat and Incident Management Team at Carnegie Mellon University's Software Engineering Institute. Her team's mission is to assist organizations in improving their security posture and incident response capability by researching technical threat areas; developing information security assessment methods and techniques; and providing information, solutions and training for preventing, detecting and responding to illicit activity. Team members are domain experts in insider threat and incident response. Team capabilities include threat analysis and modeling; development of security metrics and assessment methodologies; and creation and delivery of training and workshops. Ms. Cappelli has 30 years of experience in software engineering, including programming, technical project management, information security and research. She is often an invited speaker at national and international venues and is an adjunct professor in Carnegie Mellon's Heinz College of Public Policy and Management. Before joining CMU in 1988 she worked for Westinghouse as a software engineer developing nuclear power systems.

John Carney
Chief Forensic Officer, Carney Forensics
John Carney is Chief Forensic Officer and a practicing small-scale digital device forensic examiner at Carney Forensics. He has had a 30-year software engineering and information technology career. He was educated at the Massachusetts Institute of Technology (MIT) Media Lab, where he earned a Bachelor of Science degree. He is a licensed attorney in Minnesota with a law firm in St. Paul focused on small businesses and entrepreneurs. He is a Minnesota Qualified Neutral and licensed as a mediator and arbitrator. Educated at Hamline University School of Law, Mr. Carney earned a Juris Doctor degree and Certificate in Dispute Resolution. He is an adjunct professor at Hamline University, where he teaches Law Office Technology in the Legal Studies program. His curriculum includes units in computer forensics, mobile phone forensics, electronic discovery and litigation support.

Brian Carrier
Director of Digital Forensics, Basis Technology
Brian Carrier leads the Digital Forensics team at Basis Technology, which designs and develops products and custom systems. He is the author of the book File System Forensic Analysis and has developed several open source digital forensic analysis tools, including The Sleuth Kit and the Autopsy Forensic Browser. Mr. Carrier has a Ph.D. in computer science from Purdue University and worked previously for @stake as a research scientist and technical lead for their digital forensic lab's response team. He is on the committees of many conferences, workshops and technical working groups, including the Digital Forensic Research Workshop (DFRWS) and the Digital Investigation Journal.

Eoghan Casey
Founding Partner, cmdLabs
Eoghan Casey is founding partner of cmdLabs, a Newberry Group subsidiary specializing in cyber security and digital forensics. For over a decade he has dedicated himself to advancing the practice of incident handling and digital forensics. He helps client organizations handle security breaches and analyzes digital evidence in a wide range of investigations, including network intrusions with international scope. He has testified in civil and criminal cases and has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases. He provides specialized training in mobile device forensics and network forensics. As a Director of Digital Forensics and Investigations at Stroz Friedberg, Mr. Casey maintained an active docket of cases and co-managed the firm's technical operations in the areas of computer forensics and cyber crime response. He also has extensive information security experience as an Information Security Officer at Yale University and in subsequent consulting work. Mr. Casey wrote the foundational book Digital Evidence and Computer Crime, coauthored Malware Forensics, and created the Handbook of Digital Forensics and Investigation. He also conducts research and teaches graduate students at Johns Hopkins University Information Security Institute and is editor-in-chief of Digital Investigation: The International Journal of Digital Forensics and Incident Response.


software engineer dCs Corp/nsu Paul Cerkez is a Ph.D. student focusing on artificial intelligence technologies and is a member of the uPE (upsilon Pi Epsilon), the International Honor Society for Computing and Information Disciplines. His dissertation research area is focused on detecting hidden messages in the visual content of images and graphics (Automated Detection of Semagram Laden Images). Mr. Cerkez recently presented a paper at the SPIe Defense, Security and Sensing 2010 conference on his research area. He is a retired united States Marine and is currently a software developer for DCS Corporation. His experience includes 20+ years of computer experience in the development of custom software, 22+ years of Naval avionics experience in the areas of general aviation electronics support and Automated Test Equipment, and was a project manager/developer for multiple artificial intelligence logistics planning and configuration management software packages. Some of Mr. Cerkezs past work has included an Army Research Lab (ARL) project to develop the cognitive decision process model for a roll based modeling and simulation environment. Mr. Cerkez was the prime investigator for the recently completed Army Small Business Innovation Research (SBIR) program Phase I project entitled Command Decision Modeling in Distributed Combat Simulation. Mr. Cerkez is currently working with the CH-53k program as a contracted software SME for NAVAIR. special agent in Charge, arizona branch office Computer Crime investigative unit Charles Clapper was assigned as the Special Agent in Charge, Arizona Branch Office, Computer Crime Investigative unit in January 2010. The Arizona Branch Office while having been manned and co-located with the RCERT-CONuS since 2000 was designated a separate unit subordinate to CCIu-HQ in 2010. 
The mission of the Arizona Branch office CCIu is to provide LNO capabilities, Investigative action and immediate support to the RCERT-CONuS, CONuS TNOSC and 9th Signal Command (Army). risk Manager Cni Robert Collins has developed, implemented and reengineered security programs at multiple government agencies. He was a Lead Certifier at the Department of State and now is a Risk and Compliance Subject Matter Expert. He is the Risk and Compliance Contractor Lead for the Food and Drug Administration. With over eight years of experience in information technology, Mr. Collins holds an MBA with a concentration in Information Security and maintains a CISSP. senior forensic/Malware examiner u.s. africa Command Jim Cornell (CFCE, CISSP, CEECS, CTT+, ACE) is the Senior Forensic and Malware Examiner for the Stuttgart Regional Network Analysis Lab, which is part of the AFRICOM Cyberspace Engagement Branch. Previously he was an Instructor/Course Developer at the Defense Cyber Investigations Training Academy (DCITA), where he taught Network Intrusions and Investigations, Online undercover Techniques and Advanced Log Analysis. He has over 26 years of law enforcement and over 35 years of electronics and computer experience. He is a member/

paul Cerkez

coach of the International Association of Computer Investigative Specialists (IACIS) and a member of the International Information Systems Forensics Association (IISFA) and the International Information Systems Security Certification Consortium (ISC)2. He has taught/lectured at the Defense Cyber Crime Conferences (2007-2009), the 4th OLAF European Computer Forensic Training (2010), and numerous specialized training sessions throughout the u.S. and E.u. He has published articles in Military Information Technology, PC Computing and MacWorld magazines and is a contributing author of Mac OSX, iPod, and iPhone Forensic Analysis DVD Toolkit, OS X Exploits and Defense, The Best Damn Cybercrime and Digital Forensics Book Period and the Certified Hacker Forensic Investigator (CFHI) Study Guide.
instructor/Course developer defense Cyber investigations Training academy (dCiTa) Mike Cowan is an employee of CSC, assigned to the Defense Cyber Investigations Training Academy (DCITA). He has over 20 years of experience in information systems and information security. Mr. Cowan is an instructor for DCITAs Network Investigations Track and has an M.S. in Forensic Studies, Information Technologies and a B.S. in Internetworking Technologies and holds CISSP, MCSE, CEH, ECFE certifications. Prior to teaching at DCITA, Mr. Cowan was employed by Verizon as an IT Manager working in technical support, information security and business continuity. He retired from the u.S. Coast Guard in 1997, with 21 years of active duty service. project director advanced response Concepts Ed Cronin is currently the project director for the Condor mobile evidence collection and tracking handheld device at Advanced Response Concepts in Gardner, Massachusetts. He is the former police department chief of the City of Fitchburg, Massachusetts. He earned his Masters degree in Criminal Justice Management at the university of Massachusetts at Lowell. He has studied the British Criminal Justice System at Queens College at Oxford university in England. He is working on completing a Certificate in Advanced Graduate Studies (post masters degree) at Suffolk university in Boston in Organizational Development and Change with a concentration in Systems Thinking. During his 26-year law enforcement career, he was also the Chief of Police in Gardner, Massachusetts. He has worked in several countries of the former Soviet union training police and communities in democratic methods of policing and domestic violence education. He has worked at the u.S. Embassy in Cairo, Egypt, as a police advisor to the Egyptian Police. He is a certified by the Institute for Professional Excellence in Coaching as an executive coach. 
Member of the Technical staff, CerT program software engineering institute Adam Cummings is currently a member of the technical staff at CERT. He is a critical member of the insider threat team, a team focusing on insider threat research, threat analysis and modeling, assessments and training. Mr. Cummings has over 10 years experience in information systems, information assurance, military communications, project management and information technology education. He is a former Marine officer and holds

an M.S. in Information Security Policy Management from Carnegie Mellon university and a B.F.A. in Visual Journalism from Rochester Institute of Technology.
Michael Cyr
Security Engineer, CSC
Michael Cyr has over five years' experience in Department of Defense and commercial information security programs. His expertise is in network penetration testing, web application assessments and wireless network auditing, and he has discovered and publicly disclosed several vulnerabilities and exploits. He holds a Master's degree in Information Assurance from Towson University as well as the following certifications: Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), Certified Ethical Hacker (CEH), Nessus Certified, GIAC Certified Penetration Tester (GPEN) and FEMA IS-00100.a Intro to the Incident Command System. Mr. Cyr is also part of the www.exploit-db.com exploit verification team.

Mark Davis, Ph.D.
Director, Tulsa Digital Forensics Center, Institute for Information Security, University of Tulsa
Mark Davis, Ph.D., has been working in the field of information assurance, computer security and digital forensics at the University of Tulsa for the past ten years. During that time, he helped to establish the Tulsa Digital Forensics Center in 2001, a partnership between the University of Tulsa, the Tulsa Police Department's Cybercrime Unit, the Oklahoma State Bureau of Investigation and several other area law enforcement agencies. These entities work towards a common goal of successfully prosecuting crimes that contain a digital evidence component, through collaboration, research, training and education. Mark Davis received his Doctorate in December of 2009 from the University of Tulsa. He is also a member of the NIJ Electronic Crime Technology Working Group and Volunteers in Police Service.

Christopher Dearing
Digital Forensic Engineer, Defense Cyber Crime Institute (DCCI)
Christopher Dearing is employed by General Dynamics AIS as a Digital Forensic Engineer for the Defense Cyber Crime Institute (DCCI). In addition to testing and validating forensic tools, he dabbles in research, development and the deformation of phalangeal apical tufts. Prior to his work with DCCI, Mr. Dearing worked as a software developer with Zen Technologies for the Missile Defense Agency in Arlington, VA. He is a graduate of Virginia Tech and currently volunteers his time coaching youth football and lacrosse. He uses mad lax skills (not his own) to uncover interesting things which he has hidden inside other, less interesting things. He is 6'4" with blue eyes and likes taking long walks on the beach in the moonlight with puppies.

Philip Dellorso
Digital Forensic Examiner, Cyber Counterintelligence Activity
Philip Dellorso has worked in the IT field for more than 20 years, the majority of which he spent as a software programmer and web designer. He began programming in assembly on IBM mainframes and has experience with most major programming languages, including Fortran, COBOL, Pascal, Visual Basic, Java, C, C++ and C#. On the web side he has designed sites using CGI, ASP, .NET, VBScript and JavaScript. Mr. Dellorso has over seven years of service as a counterintelligence special agent for the U.S. Army and is currently working as a digital forensic examiner for the Army's Cyber Counterintelligence Activity at Fort Meade, Maryland.

58

| Conference and Exposition Produced by Technology Forums || www.GovernmentMeetings.com

SPEAKER BIOGRAPHIES | BREAKOUT SESSIONS

Special Agent William Dent
Chief, Forensic Data Extraction Section, Defense Computer Forensics Laboratory (DCFL)
Special Agent William Dent is a civilian agent and computer crime investigator with the Air Force Office of Special Investigations (AFOSI). He is currently the Chief, Forensic Data Extraction (FDE) Section, Defense Cyber Crime Center (DC3), Defense Computer Forensics Laboratory (DCFL). SA Dent has over 31 years of service to the U.S. Air Force (20 years of active duty and 11+ years as a civilian). More than 22 years of that service has been as an AFOSI agent.

Bruce Diamond
DCITA Staff, DC3
Bruce is a new instructor at DCITA. After owning his own computer consulting business and teaching for The SANS Institute of Bethesda, MD, for many years, Bruce went into full-time IS education in 2010. A graduate of Drexel University, Bruce is highly regarded for his expertise in all aspects of computer technology. He has been a regular speaker at local and regional security seminars for more than 10 years. With almost 30 years' experience in the computer industry (he's been working with computers since the age of 11), Bruce has worked on almost every kind of PC as a technician and as a user, which gives him a perspective most computer people lack. Bruce is a certified (and some would say certifiable) computer and network security specialist. Bruce received his SANS GSEC certification in 2001, CISSP and SANS GPEN certifications in 2009, and SANS GCIH in 2010. Active in numerous professional and community organizations, Bruce is a member of InfraGard, an association of businesses, academic institutions, state and local law enforcement agencies and other participants dedicated to information and intelligence sharing to prevent hostile acts against the United States.

Tom Dukes
Senior Counsel, U.S. Department of Justice
Tom Dukes is senior counsel for the U.S. Department of Justice in the Computer Crime and Intellectual Property Section.

Josiah Dykstra
Network Analyst, U.S. Department of Defense
Josiah Dykstra is an employee of the U.S. Department of Defense and a Ph.D. student at the University of Maryland, Baltimore County. He has been involved in intrusion detection, malware analysis and network security evaluation for eight years and is currently researching the effects of cloud computing on digital forensics. Mr. Dykstra received a B.S. in Computer Science and a B.A. in Music from Hope College (Holland, MI), and an M.S. in Computer Science from Iowa State University.

Martin Easton
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Martin Easton is an employee of CSC assigned to the Defense Cyber Investigations Training Academy (DCITA). A member of DCITA's Technology track, Mr. Easton is an Instructor/Curriculum Developer for the Introduction to Networks and Computer Hardware (INCH) and Wireless Technology (WT) classes. He also assists the Forensics track in teaching the Deployable Forensics (DEF) and Advanced Deployable Forensics (ADEF) classes. Prior to teaching at DCITA, Mr. Easton acquired an A.A.S. degree in Computer Forensics. He has over 10 years of experience in the IT field in various functions, including systems administration, regional network and computer administration, database and file management, and Level 1 and 2 Help Desk support.

Drew Fahey
Director of Forensics, BlackBag Technologies, Inc.
Drew Fahey is the Director of Forensics at BlackBag Technologies, Inc., a Mac forensics, training, software and e-discovery solutions provider. He has spent over 14 years conducting incident response and forensic investigations. His extensive law enforcement and international experience stems from working with a broad cross-section of Fortune 500 corporations and government agencies around the world. Mr. Fahey started as a Special Agent with the Air Force Office of Special Investigations, investigating a variety of computer crimes, including hacking, crimes against children, espionage, identity theft and fraud cases. After leaving the Air Force he created the Helix Incident Response and Forensics bootable CD-ROM, which became a standard triage tool used around the world. He is a graduate of Texas State University and holds a B.S. in Computer Science.

Victor Fay-Wolfe, Ph.D.
Professor, University of Rhode Island
Dr. Victor Fay-Wolfe is a professor at the University of Rhode Island Department of Computer Science and Statistics. He is the founder and director of the URI Digital Forensics program, which is comprised of educational, research and service components. The research program is the highest funded digital forensics R and D program in the United States. Dr. Fay-Wolfe has authored over 100 research articles and books.

Ben Feinstein
Director, CTU, SecureWorks
Ben Feinstein is a Director with the SecureWorks Counter Threat Unit. He first became involved in information security in 2000, working on a DARPA/U.S. Air Force contract. He is the author of RFC 4765 and RFC 4767. He has over a decade of experience designing and implementing security-related information systems. Mr. Feinstein's major areas of expertise include IDS/IPS, digital forensics and incident response, and secure messaging. He has presented at Black Hat USA, DEFCON, ToorCon, DeepSec, ACSAC and many other events. He earned a CISSP certification in 2005 and a GCFA certification in 2007. He joined InfraGard in 2007 and graduated from the FBI Citizens Academy in 2009.

Mark Fenkner
Principal Engineer, L-3 Communications
Mark Fenkner is a senior analyst for the L-3 Communications incident response team.

David Ferguson
Senior Computer Engineer, Department of Defense Cyber Crime Center (DC3)
David Ferguson has 25 years of experience in the IT field. He is the former Director of the DCFL and was formerly the Deputy Director of the Information Assurance Branch on the Air Staff. He is currently working at DC3 as a Senior Computer Engineer. Mr. Ferguson has B.S. and M.S. degrees in Computer Engineering from Wright State University, Dayton, OH.

Jayson "Jay" Ferron
Security Practice Lead, Global Knowledge
Jay Ferron brings more than 20 years of experience in security, networking, virtualization and high-performance computing. A multi-faceted author, trainer, speaker and designer, he has led the development of Windows and UNIX security designs, network infrastructures, enterprise designs and installations for numerous Fortune 500 companies, as well as government and health agencies. As president of the Association of Personal Computer User Groups (APCUG), global board director of the Global IT Community Association (GITCA), board member of the CT Information Systems Audit and Control Association, Microsoft Springboard Technical Expert Panel (STEP) member and Microsoft Most Valuable Professional (MVP), Mr. Ferron is a regular presenter at such prestigious events as COMDEX, Microsoft Tech-Ed, Microsoft Worldwide Partner Conference, Web 2.0 Summit and many user groups. He is the author of more than 15 courseware books and papers on security, networking and virtualization technologies for Microsoft and other vendors. In his current work at Global Knowledge, he is building a unique cyber security program that provides a global perspective on the challenges of designing a secure system. Blog: http://blog.mir.net/. He holds the following certifications: CEHI, CISM, CISSP, CWSP, MCITP, MCSE, MCT, MVP, NSA IAM.

Joseph Fichera
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Joe Fichera is an employee of CSC assigned to the Defense Cyber Investigations Training Academy (DCITA) as an instructor and curriculum developer for DCITA's Network Investigations track. He is a Certified Computer Examiner (CCE) and member of the ISFCE. He also holds certifications as a Security Certified Network Specialist (SCNS), A+, Network+ and Microsoft Certified Professional (MCP). Prior to coming to DCITA, Mr. Fichera owned and operated Phoenix Digital Forensic Services in Manchester, NH, providing forensic services and network support. He was also the Chief Technical Instructor and Network Administrator at Blended Solutions Technical Institute. He has 20 years of instructor experience and spent 15 years as a law enforcement officer in the State of New Hampshire.

U.S. DEPARTMENT OF DEFENSE CYBER CRIME CONFERENCE 2011 Cyber Hunters: Predators and Prey... |

59



Donald "Don" Flynn Jr.
Attorney Advisor, Department of Defense Cyber Crime Center (DC3)
Don Flynn, a retired Air Force military lawyer, is the Attorney Advisor for the DoD Cyber Crime Center. He provides legal advice on trial preparation as well as computer search and seizure, teaches at the DoD Cyber Investigations Training Academy, and otherwise provides legal support to the Center and its subordinate organizations. He is also a member of the adjunct faculty at Johns Hopkins Carey School of Business, where he teaches classes on ethical issues in digital forensics and the use of cyber evidence at trial. He speaks frequently at DoD Cyber Crime Conferences and is the chair for the Legal Block.

Marita Fowler
Section Chief, SAG, US-CERT
Marita Fowler is the Section Chief for the Surface Analysis Group (SAG). Her team is responsible for the analysis and dissemination of information related to financially/ideologically motivated cyber activity and emerging threats. She has a diverse background in intelligence, security engineering, space program security and cyber threat analysis.

Bruce Gabrielson, Ph.D.
Associate, Booz Allen Hamilton
Dr. Bruce Gabrielson is currently a Booz Allen Hamilton contractor at NSA serving as the Senior Technology Advisor in the Computer Network Defense (CND) Research and Technology Program Management Office. His responsibilities include performing CND technology gap analysis, identifying and evaluating evolving technology areas that can potentially be transitioned into useable CND products, and advising DoD on emerging CND technology issues. A hardware and software engineer, Dr. Gabrielson has over 38 years' experience in the communications security and information assurance fields. Among his contributions are three patents in the telecommunications industry and four books; more recently, he invented Trickler, a tool widely used by DoD to passively collect information about network platforms. He is also the current Chairman of DoD's Insider Threat Detect Technology Advisory Group.

Terrence Gareau
Hacker, CNI IT
Terrence Gareau is a Senior Network Security Architect, Red Team member and product tester. He came from the private sector, defending banks and other large corporate networks. Currently, Mr. Gareau spends a lot of time working with product vendors to validate that their solutions are indeed functioning to specifications, ensuring that the product has security implemented from the inception.

William Geimer
President, Iron Vine Security
Bill Geimer leads a team developing the IS program for the Millennium Challenge Corporation (MCC), a U.S. government agency providing targeted aid to developing countries worldwide. His work supports the MCC Chief Information Security Officer and includes intrusion detection and incident response, computer forensics, risk modeling, vulnerability scanning, FISMA compliance and security awareness training. Prior to joining MCC, he worked for six years as Program Manager for the USAID Chief Information Security Office, where he helped develop their information security program, information security technologies and their FISMA compliance program. He holds a CISSP certification and has presented at a multitude of industry events.

Randolph Georgieff
Forensics Examiner, DC3/FX
Mr. Randolph Georgieff's professional career includes the following: Department of Defense Futures Exploration (DC3/FX) / Digital Forensics Challenge Team Lead; Department of Defense Computer Forensics Lab (DC3/DCFL) / General Dynamics Advanced Information Systems (GD-AIS) / Digital Forensic Examiner (DFE); Department of Defense Computer Investigation Training Program (DC3/D.C.I.T.P) / Computer Sciences Corporation (C.S.C.) / Instructor - Course Developer; PD / Forensic Services Section - Computer Crime Unit / Digital Forensic Examiner (DFE). The organizational training he has received includes the following: International Association of Computer Investigative Specialists [I.A.C.I.S.], National White Collar Crime Center Training and Research Institute, Defense Computer Investigations Training Program [D.C.I.T.P.], Defense Computer Investigations Training Academy [D.C.I.T.A.], George Mason University (GMU) / Regional Computer Forensics Group (RCFG), Microsoft, Perlustro ILook, Access Data (FTK), Guidance Software (EnCase) Training Center, Public Schools / Community Colleges Part Time / Adult Evening Education Instructor.

Michael Geraghty
Executive Director of the Technology Services Division, National Center for Missing & Exploited Children
Mike is the Executive Director of the Technology Services Division for the National Center for Missing & Exploited Children. In this capacity he is responsible for overseeing the Center's enterprise information technology systems and services. Mike has previous corporate and law enforcement experience, which includes a position as the vice president of High Technology Investigations at Prudential Financial. At Prudential, he was responsible for carrying out and supervising all computer-related investigations for Prudential. He is a former New Jersey State Trooper and is responsible for the formation and development of the NJSP's High Technology Crimes Investigations Unit, which has garnered international accolades for its expertise in computer crime investigations. He has provided expert testimony before Congress, and throughout federal, state and international courts in the areas of computer crime investigations and computer forensics. In a partnership with Interpol's General Secretariat and the International Center for Missing & Exploited Children, Mike has provided training to over 1000 law enforcement officers from 125 countries in the technical aspects of Internet investigations. Mike has provided technical and investigative assistance to numerous law enforcement agencies throughout the world, including the FBI, United States Secret Service, U.S. Customs Service, Naval Intelligence, New Scotland Yard, Royal Newfoundland Constabulary Service and local police departments across the country, in a wide array of criminal investigations where computers were involved. He has lectured extensively throughout the country on the topic of computer crime investigations. Mike is a past president of the Northeast Chapter of the High Technology Crimes Investigations Association. In addition, he has been involved in leadership roles in organizations such as the National Strategic Policy Council on Cyber and Electronic Crime and the International Computer Security Association, among others.

Jonathan Gillman
Founder, CEO, Omniangle Technologies
Jonathan Gillman was the lead investigator of the Cyber Fraud Division at the Florida Attorney General's Office. He managed numerous successful investigations into the telecommunications, finance and online marketing industries. During his tenure with the Florida AG, the Cyber Fraud Division entered into multi-million dollar settlements with AT&T, Verizon Wireless, mQube, World Avenue, Media Breakaway and others in the online marketing space. In 2008, he left the Florida AG to manage Compliance and Regulatory Affairs for Epic Advertising. During his time at Epic he led numerous initiatives designed to increase visibility into the marketing activities of affiliates operating within the CPA and broader online marketing ecosystem. In 2009 Jonathan founded Omniangle Technologies, a business intelligence and information security firm. Omniangle currently partners with Fortune 500 companies and government agencies to provide intelligence within the internet marketing space. As CEO of Omniangle, Mr. Gillman directly manages the research and development of automated tools designed to capture evidence of online marketing fraud and identify other information security threats. Jonathan is a graduate of Florida State University with a Bachelor's degree in Criminology.

Richard Gloo
Software Engineer, AIS, Incorporated
Richard Gloo is a computer scientist and senior developer. He holds an M.S. in Telecommunications from SUNY Institute of Technology and a B.S. in Computer Science from SUNY Institute of Technology. He has a background in forensics research and development efforts, steganographic techniques and covert communication development. His experience includes reverse-engineering data and protocol formats with the intent of hiding information, as well as data field extraction. His reverse engineering experience consists of exploring and implementing techniques such as statistical analysis and file format fuzzing (a form of black box testing) to discover the structure of a data format.

Christopher Glyer
Incident Response Manager, Mandiant
Christopher Glyer is a Manager at MANDIANT, with over eight years' experience in computer and information security. His particular areas of expertise include enterprise-wide incident response investigations, secure network design and architecture, penetration testing and strategic corporate security development. Mr. Glyer has significant experience working with the federal government, defense industrial base, financial industry, manufacturing industry, healthcare industry and Fortune 500 companies. He has performed incident response and forensic analysis for global companies possessing tens of thousands of computer systems throughout the world. Mr. Glyer has led incident response teams in multiple Advanced Persistent Threat and card data theft compromises.

Senior Special Agent Michael Godfrey
National Program Manager for Internet Intellectual Property Rights Enforcement Operations, Immigration and Customs Enforcement
Senior Special Agent Michael Godfrey has 30 years of law enforcement experience. This includes 23 years as a Special Agent with U.S. Immigration and Customs Enforcement (ICE, formerly known as the U.S. Customs Service). Since July 2008 SSA Godfrey has been assigned to the ICE National Intellectual Property Rights Coordination Center, where he is a National Program Manager for internet intellectual property rights enforcement operations. SSA Godfrey is responsible for initiating, developing, managing and coordinating complex nationwide multi-agency internet-based Intellectual Property criminal investigations. From July 1999 to July 2008 SSA Godfrey was assigned to the ICE Cyber Crimes Center, where he was the National Program Manager for internet intellectual property rights enforcement operations and internet fraudulent identification document enforcement. SSA Godfrey obtained the first trap and trace court order issued by a federal court involving the intercept of WiFi internet signal transmissions. SSA Godfrey is an instructor on internet investigations subject matter, criminal copyright and trademark investigations, as well as fraudulent identity document investigations for ICE, the Defense Threat Reduction Agency and the U.S. State Department. SSA Godfrey was the ICE representative to the World Customs Organization (WCO) Electronic Crimes Expert Working Group from 2008-2010. SSA Godfrey is also a lecturer at the U.S. Patent and Trademark Office, Global Intellectual Property Academy for Border Enforcement of IP Rights.
Kieth Gould
Cyber Intelligence Analyst, LM-CIRT, Lockheed Martin
Kieth Gould is a member of Lockheed Martin's enterprise Computer Incident Response Team, LM-CIRT. He has worked in both the banking and defense industries in a computer security role for about seven years. Kieth also holds a Master's Degree in Criminal Justice, as well as both EnCE and GCFA certifications in good standing. He has worked on DOJ grants where he taught law enforcement how to read email headers, as well as how to track instant messages back to the person on the other end. He has also presented at academic conferences on how technology works against law enforcement and helps criminals.

Mike Guthrie
Red Team, CNI
Mike Guthrie has 10 years' experience in cyber security. He was the Network Security Architect at Bonneville Power Administration in the Northwest. At Mentor Graphics he spent time as a network engineer providing enterprise networking, firewall and VPN support for a global network comprising 72 connected sites worldwide. Most recently Mr. Guthrie has spent his time doing penetration tests on Industrial Control Systems. His background is specifically related to control systems in the bulk power generation and transmission areas. During this time he developed unique perspectives on the areas of compliance and regulation in the power industry. Mr. Guthrie has spoken and taught at security conferences such as the Techno Forensics and Digital Investigations Conference, Black Hat and DEF CON.

Jeffrey "Jeff" Hamed
Visiting Scientist, Software Engineering Institute/CERT
Jeff Hamed has a background in video and film production and takes a unique approach to solving the problems and expanding the possibilities that exist in the world of forensic video analysis. His past experience includes extensive work as a freelance videographer and editor in the commercial sector. Currently he is a Visiting Scientist at CERT, where he is developing an advanced video exploitation system that integrates industry standard tools with customized forensic tools that are being developed at Carnegie Mellon University. Mr. Hamed is Final Cut Pro certified and holds an M.F.A. in Motion Pictures and Television from the Academy of Art University in San Francisco.

Nick Harbour
Malware Analysis Team Lead, Mandiant
Nick Harbour is a Principal Consultant with Mandiant, where he leads the Malware Analysis Team. He also teaches malware analysis and reverse engineering and specializes in offensive and defensive R&D. His 12-year history in the security industry began as a researcher and forensic examiner at the DoD Computer Forensics Lab (DCFL), where he helped pioneer the field of computer forensics. Nick is a developer of free software including, most notably, dcfldd, the popular forensic disk imaging tool; tcpxtract, a tool for carving files out of network traffic; and Mandiant Red Curtain and FindEvil, tools for identifying malicious binaries. He is also an expert in anti-reverse engineering technologies and has developed binary hardening tools such as PE-Scrambler. He is also a trained chef.

Brian Havens
Lead Examiner, DC3/FX, Department of Defense Cyber Crime Center (DC3)
Brian Havens is a retired Special Agent who has worked in various capacities in the digital forensic field since his assignment to the Department of Defense Cyber Crime Center (DC3) in 2000. He has performed duties at DC3 as a Digital Forensics Instructor as well as a Lead Examiner at the Defense Computer Forensic Laboratory (DCFL) and the National Media Exploitation Center (NMEC). Mr. Havens has also worked in a consulting capacity in the commercial sector and is currently assigned as a Lead Examiner in DC3 Futures Exploration.

Jason Healey
Senior Consultant, Delta Risk
Jason Healey is a Senior Consultant at Delta Risk and sits on the Board of Directors of the Cyber Conflict Studies Association. He previously was executive director for Goldman Sachs Asia and served as Director for Cyber Infrastructure Protection at the White House. He also worked at HQ Air Force at the Pentagon, where he coordinated all Air Force efforts to stand up the Joint Task Force-Computer Network Defense.

Marshall Heilman
Director, Consulting, Mandiant
Marshall Heilman is a Director at Mandiant with over 11 years of experience in computer and information security. His particular areas of expertise include enterprise-wide incident response investigations, secure network design and architecture, offensive security and strategic corporate security development. Mr. Heilman has extensive experience working with the federal government, defense industrial base, foreign governments, financial industry, telecommunications industry and Fortune 500 companies. He has spoken at multiple security conferences, including OWASP, ISSA, Cybercrime, USSS MTU and FIRST. Prior to joining Mandiant, Mr. Heilman was a member of the United States Marine Corps. He possesses a current Top Secret government security clearance.

Tim Henderson
Founder, Spectrum System Services, Inc.
Tim Henderson has over 25 years of experience with systems development and integration projects, with a focus on project management, software architectures, application system design and software development, and system security. He is the founder of Spectrum System Services, Inc. and has served as the Chief Technology Officer for Net Commerce. Mr. Henderson has a proven record in a wide range of systems integration activities, including project management, workflow analysis and business process reengineering, policy analysis, system requirements definition, application design, development, testing, training and implementation. He has authored white papers, books and other copyrighted materials describing successful implementation strategies for moving existing enterprise IT infrastructures into new/modern environments. Mr. Henderson is a Certified Information Systems Security Professional (CISSP).

James Hewitt
Security Project Manager, Director of Security Governance, CGI
James Hewitt is a security project manager and governance lead for the CGI Federal Enterprise Security Practice. His recent work includes projects for CMS, FCC and the American Reinvestment and Recovery Act. He is actively researching the application of work in other disciplines to the security field, such as process analysis, Earned Value Management (EVM), ITIL and structured capital planning.

Yuri Gubanov
Chief Executive Officer, Belkasoft
Yuri Gubanov is the CEO and owner of Belkasoft, an independent software vendor from Russia. Mr. Gubanov has worked his way up from a junior software developer to a senior developer, then to a project manager and later to a top manager in the IT industry. He graduated with honors from St. Petersburg State University, one of the best universities in Russia, and he started Belkasoft two years later while he was in graduate school. Very soon the company became well known in the forensic market for its Instant Messenger analysis product, so Gubanov has concentrated on forensic products instead of general-purpose ones. Since 2003 he has been a senior lecturer at St. Petersburg State University, teaching various courses such as programming essentials, Microsoft .NET basics, usability and human-computer interaction. Besides developing computer forensics software and teaching, Mr. Gubanov is a fan of carve snowboarding, slalom roller skating and guitar playing. Yuri's LinkedIn account can be found at http://ru.linkedin.com/in/yurigubanov.



Steve Hickey
Instructor/Course Developer, Defense Cyber Investigations Training Institute (DCITA)
Steve Hickey is a CSC employee supporting DCITA as an instructor/course developer. He has been working with computers and the people that use them for over 30 years, first as a programmer in the U.S. Air Force, then as a network service provider in private practice. For 7 years, Steve has operated his own computer forensics firm, performing hundreds of examinations on various digital devices. Prior to his current assignment, Steve taught at the American Academy of Applied Forensics in Charlotte, NC, where he trained law enforcement officers in digital forensics and various aspects of cyber crime. Mr. Hickey holds several certifications, including EnCase and FTK engineer.

Ernest "E.J." Hilbert II
President, Online Intelligence
E.J. Hilbert is President of Online Intelligence LLC (OI), which provides brand protection and traffic integrity services to Epic's advertising clients. He also heads a small consultancy group helping law firms, corporations and film productions understand and navigate the intricacies of cyber space, social networking and online criminal activities. Mr. Hilbert is currently on the advisory board for Clickfacts.com, an online threat analysis company. Before launching OI, he held the position of Director of Security Enforcement for MySpace.com/Fox Interactive Media. In this role he was responsible for stopping and investigating all attacks against MySpace.com, the Fox Interactive Media properties and their users. Prior to joining MySpace, Mr. Hilbert was a Senior Crisis Management, Security and Investigation Consultant for Control Risks Group, working with Fortune 50 corporations around the world. Mr. Hilbert spent eight years as a Special Agent for the FBI and was the lead case agent responsible for numerous cyber crime and counterterrorism investigations. He is considered an expert on all aspects of cyber crime, with a focus on identity thieves, fraudsters, international hacking groups and threats to U.S. critical infrastructure. Mr. Hilbert led one of the FBI's largest cyber crime investigations, addressing the computer intrusion, theft of data and extortion of over 600 financial institutions. He also served as an online undercover agent utilizing social media sites, chat rooms and forums to identify hackers and gain intelligence regarding attacks against U.S. corporations, the government and individual persons. Notable cases in which Mr. Hilbert served as a lead agent include the Samantha Runnion kidnapping case, the investigation of Carderplanet.com and the intrusion into the FBI.gov e-mail servers. Mr. Hilbert's final case with the FBI involved bringing treason charges against the American Al Qaeda member Adam Gadahn. Mr. Hilbert has provided cyber crime and security training to law enforcement representatives at the local, state, federal and international levels in Canada, Belarus, the Ukraine, Greece, Russia and the UK, as well as to several private corporations.

Jayne Hitchcock
President, Working to Halt Online Abuse (WHOA) and WHOA-KTD (Kids/Teens Division)
Jayne Hitchcock is an author and internationally recognized cyber crime expert. She volunteers with the U.S. Department of Justice Office for Victims of Crime, the National Center for Victims of Crime, and numerous law enforcement agencies worldwide. Ms. Hitchcock is a valued resource to these agencies in solving internet-related crimes. Additionally, she has worked tirelessly with our legislators in the drafting and passing of many of this country's internet laws. As president of two all-volunteer organizations, WHOA (Working to Halt Online Abuse) at haltabuse.org and WHOA-KTD (Kids/Teens Division) at haltabusektd.org, Ms. Hitchcock continues a mission to educate adults and children in safety online, conducting law enforcement training seminars for local, county, state, military and federal law enforcement agencies. Her speaking schedule on cyber crime and cyber safety includes many middle/high schools, universities and colleges. She also lectures at libraries, conferences, corporations and events. She has traveled throughout the United States, Canada and Europe, and as far as Sookmyong University in Seoul, Korea, for speaking engagements and workshops. She has been featured on America's Most Wanted, 48 Hours, Primetime, Good Morning America, Cosmopolitan and TIME magazines, and numerous local, national and international newscasts, and was selected by Lifetime TV as their Champion for Change. Her eighth book is Net Crimes & Misdemeanors, 2nd edition, which covers just about anything that can happen to you online and how to stay safer, with an accompanying website at netcrimes.net. Her ninth book, True Crime Online: Most Shocking Stories from the Dark Side of the Web, is due out in fall 2011. She is also on the editorial board of the International Journal of Cyber Crimes and Criminal Justice (IJCCCJ) at cybercrimejournal.co.nr and writes articles for several magazines. She is a member of the Operations Security Professionals Society, Sisters in Crime (national and New England), the National Rifle Association (Life Member), The American Legion, and the 3rd Marine Division Association (Life Member).

Andrew Hoog
Certified Forensic Analyst, viaForensics
Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, former adjunct professor (assembly language) and owner of viaForensics, an innovative computer and mobile forensic firm. He divides his energies between investigations, research and training in the computer and mobile forensic discipline. He writes computer/mobile forensic how-to guides, is interviewed on radio programs, and lectures and trains both corporations and law enforcement agencies. As a recognized expert in Android forensics, he leads expert-level training courses, speaks frequently at conferences and is writing books on Android and iPhone forensics.

charged with developing strategic and tactical plans for the department. He is an experienced computer security professional with proven success in the use of network intelligence for network defense. Prior to joining iDefense, he led the intelligence gathering activities at Counterpane Internet Security and ran Counterpane's global network of Security Operations Centers. He served in the U.S. Army for 23 years in various command and staff positions involving information technology and computer security. He retired as a lieutenant colonel in 2004. He spent the last two years of his career as the U.S. Army's Computer Emergency Response Team Chief (ACERT), coordinating network defense, network intelligence and network attack operations for the Army's global network. Mr. Howard holds a Master of Computer Science degree from the Naval Postgraduate School and an engineering degree from the U.S. Military Academy, where he also taught computer science later in his military career. He has published many academic papers on technology and security and most recently contributed as an executive editor to Cyber Fraud: Tactics, Techniques and Procedures, the first book published by Verisign/iDefense.

Bruce Hoy
Project Lead, Internet Isolation Project, L-3 Communications
Bruce Hoy is the project lead for the L-3 Communications internet isolation project.

Ken Huang
Director of Security Engineering, CGI Federal
Ken Huang is the Director of Security Engineering at CGI Federal. Over the last 21 years, he has worked extensively to architect, design, develop and secure mission-critical business applications. Mr. Huang's experience covers various IT security areas, including Security Architecture Planning, Security Architecture Gap Analysis, Managed Service Security Controls Implementations, Security Testing and Evaluation (ST&E), Identity and Access Management (IDM), Secure Code Review for both J2EE and Microsoft based architectures, Digital Signature, PKI, Encryption, XML, SAML, hardening for Operating System, Database and Application, and Certification and Accreditation processes.

Michel Huffaker
Cyber Threat Analyst, U.S. Department of State
Michel Huffaker is a cyber intelligence analyst with the Bureau of Diplomatic Security's Office of Computer Security in the Cyber Threat Analysis Division, where she specializes in providing in-depth regional computer threat assessments and conducts research in order to produce cyber threat forecasts, warnings and trends. She routinely handles incident response and analysis requests from Department of State entities and individuals worldwide. In addition to subject matter expertise in threats arising in both the Western Hemisphere and Africa, Ms. Huffaker also provides analysis and reporting on East Asia Pacific cyber developments. She is a graduate of the Defense Language Institute Foreign Language Center and is a Mandarin Chinese linguist.

Chris Hurley
Senior Security Engineer, CNI
Chris Hurley has over 10 years of experience performing penetration testing for a variety of commercial and U.S. government clients. He was the Principal Information

bruce hoy

ken huang, Cissp

andrew hoog

Michel huffaker

Chet hosmer

Jayne a. hitchcock

Chief scientist, vp, Wetstone Technologies Chet Hosmer is the Sr. Vice President and Chief Scientist and founder of WetStone Technologies, Inc., WetStone subsidiary of Allen Corporation of America. He has over 25 years of experience in developing high technology software and hardware products, and during the last 15 years, has focused on research and development of information security technologies, with specialty areas including: steganalysis, digital forensics and malicious code examination. intelligence director verisign/idefense Rick Howard is responsible for the day-to-day intelligence gathering and distribution efforts at iDefense and is

Chris hurley

rick howard

62

| Conference and Exposition Produced by Technology Forums || www.GovernmentMeetings.com

speakeR BIogRapHIes | BReakout sessIons


Security Engineer at the Titan Corporation, performing vulnerability assessments and penetration tests for the NASA Earth Observing System satellite program. At the National Security Agency, he performed black box penetration tests against a variety of products as the lead penetration tester for the Commercial Test and Evaluation Facility (CTEF). Mr. Hurley was the Penetration Test Lead for the Department of Energys Independent Oversight program, performing and leading both announced and unannounced penetration tests against both DOE and National Nuclear Security Agency (NNSA) elements, including the three National Laboratories (Los Alamos, Sandia and Lawrence Livermore). Currently, Mr. Hurley performs penetration tests for the Centers for Disease Control (CDC) and the Food and Drug Administration (FDA) and other federal agencies. He has assisted various OPDIVs within the Department of Health and Human Services in multiple investigations into intrusions on their network. He has provided technical assistance in determining the entry vector utilized by the attackers as well as developing programs and scripts to identify compromised systems. Mr. Hurley is the author or co-author of 12 books focusing on penetration testing and information security and is a regular speaker at professional conferences dealing with information security such as Black Hat and DEFCON.
director, CTu secureWorks Don Jackson is an information security community leader with twenty years of professional information security experience in insurance, health care, financial services, military defense, higher education and technology industries. His background includes work in network and application security, audit and compliance, information risk management, security research, law enforcement investigation and digital forensics. Mr. Jackson is the director of the SecureWorks Threat Intelligence service. He is a senior security researcher and charter member of the SecureWorks Counter Threat unit (CTu). principal Consultant Mandiant Ryan kazanciyan, a Principal Consultant with Mandiant, has specialized in incident response, forensic analysis, application security and penetration testing for seven years. He has conducted intrusion investigations and remediation efforts for dozens of organizations in the defense industrial base, technology and financial service sectors. Mr. Kazanciyan has experience with analysis of host and network-based indicators of compromise, disk and memory forensics, and malware triage. He also has an extensive background in executing penetration tests against Windows and Unix environments and black-box application security assessments. In addition, Mr. Kazanciyan has led training sessions on incident response, forensics, and penetration testing for audiences in law enforcement, the federal government and corporate security groups. Cyber intelligence analyst, Cyber Threat analysis division u.s. department of state Neal Keating is a cyber intelligence analyst with the Bureau of Diplomatic Securitys Office of Computer Security in the Cyber Threat Analysis Division, where he specializes in several areas, including reverse engineering malicious software and providing in-depth computer

threat assessment and incident response capabilities. He routinely handles incident response and analysis requests from Department of State entities and individuals worldwide. As a doctoral candidate in computer science (the basis of his undergraduate and post graduate degrees), Mr. Keating holds numerous certifications and lectures frequently in classified and unclassified environments on a wide range of topics including network topography, media forensics, dynamic and static reverse engineering and malware-related security incident mitigation.
vice president, security awareness and strategic partnerships Core security Technologies Tom kellermann is Vice President of Security Awareness and Strategic Partnerships at Core Security Technologies. Mr. Kellermann Chaired the Threats Working Group and was Commissioner of the CSIS Commission on Cyber Security for the 44th Presidency. He also was a Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and policy management within the World Bank Treasury. Cyber Threat analyst CerT/sei Christopher King is a member of the Insider Threat Team of the CERT Threat and Incident Management group. He currently is researching technical indicators of insider threat, developing new assessment methodologies, and conducting analysis of insider threat cases. Before coming to CERT, Mr. king worked at the Defense Information Systems Agency as an Information Assurance Manager and held roles in other DoD and DHS organizations. He has a B.S. in Information Sciences and Technology from Penn State university, and a M.S. in Information Security Policy and Management from Carnegie Mellon university. He is interested in Information Warfare, Insider Threats, Forensic Acquisition and Counterintelligence. instructor/Course developer defense Cyber investigations Training academy (dCiTa) Michael Kobett is an employee of The Newberry Group and a member of Team CSC assigned to the Defense Cyber Investigations Training Academy (DCITA). He is currently assigned to the Defense Industrial Base track and is a primary instructor/course developer for the Power of Community and Incident Responder Fundamentals courses. Prior to joining the DCITA, he was a manager in the u.S. State Department Computer Investigations and Forensics Laboratory. He has conducted several semester-long A+ certification classes for Anne Arundel Community College in Maryland. 
He has also taught numerous classes relating to Home PC Repair and Upgrade and Internet-related classes. In addition, Mr. kobett has over 15 years of PC troubleshooting and network support experience. He obtained his M.S. in Telecommunications Management from the University of Maryland, university College. He is a Certified Ethical Hacker, a Certified Computer Forensics Examiner and has obtained several other industry-related certifications, including Security+, MCSA, Network+ and A+.

Tom kellermann

director of product Management bivio networks, inc. Greg kopchinski is a Director of Product Management at Bivio Networks, where he has full responsibility for the companys suite of networking systems. Mr. Kopchinski has a strong background in product management and marketing for embedded computer technologies with several leading companies, including Motorola, Force Computers, Captus Networks and Ziatech (acquired by Intel). he is a graduate of Cal Poly, San Luis Obispo, with a B.S. in Electronic Engineering. Computer forensics research expert kyrus Technology Corporation Jesse kornblum is a Computer Forensics Research Guru for the Kyrus Technology Corporation. Based in the Washington, D.C. area, his research focuses on computer forensics and computer security. He has helped pioneer the field of memory analysis and authored a number of computer forensics tools including the md5deep suite of hashing programs and a system for fuzzy hashing similar files. A graduate of the Massachusetts Institute of Technology, Mr. Kornblum previously served as a computer crime investigator for the Air Force and with the Department of Justice. He has run a three-mile race at 10,000 feet above sea level with a llama. analysis Team lead software engineering institute/CerT Dr. Paul krystosek is the Analysis Team Lead at the Software Engineering Institutes CERT Network Situational Awareness Group. Dr. krystosek joined the SEI in 2008. Prior to that he was at Lawrence Livermore National Laboratory as a member of CIAC, the Computer Incident Advisory Capability, which was Department of Energys incident response team. He also worked at Argonne National Lab and Fermi National Accelerator Laboratory. He taught Computer Science at Bradley University, Illinois Institute of Technology and North Central College. He received his B.A. from Albion College, an M.S. from Bradley university, and his Ph.D. from Illinois Institute of Technology. He is a member of ACM. 
appellate Counsel afloa/JaJG Captain Joseph kubler is an Appellate Government Counsel for the Air Force Government Trial and Appellate Counsel Division, Bolling AFB, D.C. He represents the Air Force in appellate review of courts-martial before the Air Force Court of Criminal Appeals and the united States Court of Appeals for the Armed Forces. Captain kubler previously served as a Senior Trial Counsel trying Air Force courts-martial worldwide. In his current position he continues to assist the prosecution, providing advice to counsel in the field, trying cases for the government, and defending the convictions on appeal. senior forensic Technician defense Computer forensics laboratory (dCfl) Scott Lalliss is a Senior Forensic Technician at the Defense Computer Forensic Laboratory, where he specializes in Damaged Media Recovery and imaging and extraction of special devices. He has testified as an expert witness in federal court on the subject of damaged media recovery and has had several advanced training courses. His military experience and intelligence background-

Greg kopchinski

Jesse kornblum

Christopher king

don Jackson

paul krystosek, ph.d.

ryan kazanciyan

Michael kobett

Captain Joe kubler

neal keating

scott lalliss

U.S. DEPARTMEnT OF DEFEnSE CyBER CRIME COnFEREnCE 2011Cyber Hunters: Predators and Prey... |

63

speakeR BIogRapHIes | BReakout sessIons


-both in the war zone and in garrison environments-has contributed to his knowledge and awareness of techniques and procedures in the fields of damaged media recovery and computer forensics.
Chief, a6 operations af Global strike Command Lieutenant Colonel David Landry is the Chief, Operations Division for the A6 Directorate of AF Global Strike Command at Barksdale AFB, Louisiana. He earned computer science degrees from the united States Air Force Academy and the Air Force Institute of Technology. His masters thesis developed intrusion detection techniques for Unix networks. While assigned to the Joint Task ForceGlobal Network Operations, he wrote plans and orders to defend the largest IP address space in the world. Colonel Landry has presented original research at both the 2005 and 2008 DoD Cyber Crime Conferences. He is a Certified Information Systems Security Professional and an avid programmer. More than 82,000 copies of his software have been distributed to date by Microsoft, America Online, CNET and Ziff-Davis Interactive. director and sans digital forensics Curriculum lead sans institute and Mandiant Rob Lee is a Director for Mandiant, a leading provider of information security consulting services and software to Fortune 500 organizations and the u.S. government. He is also the curriculum lead for digital forensic training at the SANS Institute and has trained over 9,000 professionals in computer forensics over 10 years. Mr. Lee has more than 14 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response. He graduated from the u.S. Air Force Academy and served in the u.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first u.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations where he conducted computer crime investigations, incident response and computer forensics. Prior to joining Mandiant, he worked directly with a variety of government agencies in the law enforcement, u.S. 
Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and lead for a computer forensic and security software development team. He co-authored the bestselling book know your Enemy, 2nd Edition. Mr. Lee earned his M.B.A. from Georgetown university in Washington, D.C. He was awarded the Digital Forensic Examiner of the year from the Forensic 4Cast Awards. He blogs about computer forensic and incident response topics at the SANS Computer Forensic Blog. He also co-authored the Mandiant threat intelligence report M-Trends: The Advanced Persistent Threat. director of federal engineering fortinet forensic engineer defense Cyber Crime institute Timothy Leschke is a ManTech International employee currently assigned to the Department of Defense Cyber Crime Institute. Mr. Leschkes current research interests include portable device forensics (including cell phones and GPS receivers) with an emphasis on chip-level/

lieutenant Colonel david landry

rob lee

flash-memory data extraction and analysis. He is also interested in developing data visualization techniques to support both digital forensic examinations and faster reverse-engineering of digital artifacts. Mr. Leschkes previous experience includes working as an Intelligence Analyst in support of National Security and also as a Forensic Examiner on an FBI Computer Analysis Response Team. Mr. Leschke is an FBI Certified Forensic Examiner and a DoD Certified Basic Digital Forensic Examiner. He holds a Master of Science (M.S.) degree in Computer Science from Loyola university Chicago and is currently pursuing a Doctorate in Computer Science through the university of Maryland - Baltimore County. Mr. Leschkes forensic tool development includes Shadow Miner and Shadow Volume Link Manager. Both tools support the forensic examination of shadow volumes as found in Windows Vista and Windows 7. Mr. Leschkes previous conference papers include An Introduction to the Global Positioning System: A Foundation for GPS Receiver Forensic Examinations, Cyber DumpsterDiving: $Recycle.Bin Forensics for Windows 7 and Windows Vista, and Shadow Volume Trash: $Recycle. Bin Forensics for Windows 7 and Windows Vista Shadow Volumes. Mr. Leschkes most recent publication is a chapter titled The Exokernel Operating System and Active Networks. This chapter was published by IGI Global (2009) in Handbook of Research on Advanced Operating Systems and kernel Applications: Techniques and Technologies.
president lieberman software Philip Lieberman is an outspoken and highly regarded industry influencer who is quoted by national, business and trade press on u.S. cybersecurity as well as specific technology issues including cloud computing and security in the cloud. Mr. Lieberman has recently been featured in stories in The Wall Street Journal, The Los Angeles Times, The Washington Post, uSA Today and Newsday, as well as prestigious industry publications including Dark Reading, Government Computer News, Government Security News, Sarbannes-Oxley Compliance Journal, Redmond Magazine, Computerworld, Network World, CIO Today and Information Week. Over the past year he has further established himself as one of the countrys leading security experts. Keenly attuned to emerging cyber security issues, Mr. Lieberman became a trusted advisor to the u.S. Senates Homeland Security and Government Affairs Committee and is routinely called upon by committee staff to review and comment on proposed legislation that is critical to maintaining the safety and security of the country. In addition, he addressed government and industry audiences at major events including Cyber Security Conference, GovIT Expo, Microsoft Management Summit and the Microsoft Worldwide Partner Conference. Over the years he has personally spearheaded the development of businesscritical identity management policies and procedures for clients at federal, state and local government agencies including the SEC and uSDA, as well as Northrup Grumman, Lockheed Martin, Visa, GMAC, Wells Fargo, Wachovia, Ernst & young, Deloitte, Mutual of Omaha, AIG, The Hartford, Prudential, Pacificare, Humana, Shands Healthcare, Mattel, Johnson & Johnson, Jockey, Sears, Dole, kroger, Petco, Arizona State university, Carnegie Mellon, uCLA, HP, IBM, AT&T, Time Warner, Disney, u-Haul, uPS, Amtrak and Ryder. Mr. Lieberman has published numerous books in the field of computer science, has taught at uCLA, and is the author of many

computer science courses. He has a B.A. from San Francisco State university (1981) in Physics with minors in Computer Science and Business.
associate booz | allen | hamilton Scot Lippenholz works for Booz Allen Hamiltons Digital Forensics Team, which supports the Department of Defense, Intelligence Community, Federal government, Defense Industrial Base and major financial institutions. Mr. Lippenholzs focus is on developing techniques that enhance teams technical skills, responding to and managing large-scale intrusion investigations, and conducting forensic examinations for counterintelligence and counter-terrorism investigations. He has worked in information technology for over 15 years, primarily as a Windows System and Security Engineer. He obtained his B.S. from university of Maryland, Baltimore County, and is working on his M.S. from in Forensic Studies of Information Technology from Stephenson university. vice president of Training accessdata keith Lockhart is responsible for the development of forensic and encryption training solutions for local, state, federal and international law enforcement agencies, as well as worldwide corporate entities involved in the prevention, investigation and prosecution of high-technology crime. Prior to joining AccessData, he served as a computer crime specialist at the National White Collar Crime Center (NW3C) in Fairmont, WV. Mr. Lockhart served as program manager of the INET (Internet Trace Evidence Recovery and Analysis) course, providing the framework of complex research and design for its development and maintenance. Prior to NW3C, he was a police officer with the kent State university Police Department. Earlier in his career, Mr. Lockhart worked in the narcotics division of the Western Portage Drug Task Force in northeast Ohio. In that assignment, he worked cooperatively with the FBI, DEA, ATF, HuD and u.S. Postal Inspection Service to successfully investigate and prosecute over 100 felony cases. 
He is a member of the International Association of Computer Investigative Specialists (IACIS), the High Technology Crime Investigators Association (HTCIA), and the Narcotics Association of Regional Coordinating Officers (NARCO). Mr. Lockhart has instructed at the FBI National Academy, the ATF annual Computer Information Systems conference, the kennesaw Southeast Crybercrime Institute, and many IACIS conferences. He holds a Bachelors degree in Criminology from kent State university and an A.A. degree in Computer Forensics from Redlands Community College. Chief operating officer d3 services, ltd. Jason Lord is a leading industry Cyber Security Subject Matter Expert with 15 years of expertise in Computer Forensics, Digital Media Investigation, Malicious Code Analysis and Incident Response/Handling. He currently serves as the Chief Operating Officer at d3 Services, Ltd., a veteran-owned small business located in Dumfries, VA. Prior to joining d3 Services, Mr. Lord was the Technical Director of Federal Consulting at Symantec Corporation, and was previously a Forensics Expert at Guidance Software, Northrop Grumman and BAE Systems. He served for eight years in the united States Marine Corps prior to moving into the commercial sector.

scot lippenholz

keith lockhart

philip lieberman

Jason lord

randy lee

Timothy leschke

64

| Conference and Exposition Produced by Technology Forums || www.GovernmentMeetings.com

speakeR BIogRapHIes | BReakout sessIons


Mr. Lord is an active member of the High Technology Crimes Investigation Association (HTCIA), International Information Systems Forensics Association (IISFA) and the FBIs InfraGard.
senior instructor and Manager, Contract Trainer program accessdata As an instructor for AccessData, Rob teaches the AccessData BootCamp and Internet Forensics courses. Prior to becoming a member of the AccessData team, Rob served as a Computer Crime Specialist at the National White Collar Crime Center (NW3C) in Fairmont, WV. Rob served as the Program Manager for the Cybercop 302 (Internet Trace Evidence Recovery & Analysis) and Cyber Investigations 201 (Proactive and Reactive Online Investigations) courses. Rob also represented NW3C as a member of the West Virginia Computer Crime Consortium (WV3C), a partnership between West Virginia University, the WV State Police, and NW3C. Prior to joining NW3C, Rob served for 10 years within the Central Oregon law enforcement community, for both the Deschutes County Sheriffs Office and City of Bend Police Department. Robs law enforcement experience includes service as a Corrections Deputy, Community Policing Program Coordinator, Field Training Officer, Firearms and Use of Force Instructor, Patrolman and Detective. As a Detective, Rob served as a Deputy Medical Examiner, and specialized in the investigation of white collar crime, and offenses involving digital evidence. Rob served on the FBIs Joint Anti-Terrorism Task Force for the Central Oregon region, and regularly provided training to Central Oregon law enforcement agencies in the investigation of computerrelated offenses, and the recovery of digital evidence. Rob also volunteered as an instructor for the Central Oregon Community College (COCC) adult education program, where he taught classes in online safety and identity theft prevention.

rob Maddox

computational work and teaching. He obtained his doctorate in the field of Theoretical Solid State Physics in 1997 from the University of Texas at Dallas. His experience extends to the fields of physics, mathematics, software engineering, computer network defense, artificial intelligence and reverse engineering. He designed and developed several host-based and network-based anomaly detectors on several research programs, and has earned numerous awards. His latest achievement, a Bayesian-based static malware detector has been submitted for a patent.
forensic ops senior program Manager, advanced securities Group nek James McCarter is a Mobile Technologies Engineer and Intelligence Operations Instructor at NEk. His job requires him to develop and teach cell phone forensics and site exploitation courses to the military, law enforcement professionals and other intelligence organizations. His focus of instruction is using forensic software and hardware to conduct exploitation operations in tactical, counterterrorism environments to gather actionable intelligence. Mr. McCarter conducted Signals Intelligence support in Operation Enduring Freedom-Philippines as a Marine. He instructs exploitation procedures on captured enemy cell phones seized by personnel conducting counterterrorism operations and force protection activities, including DoD Agencies, the united States Military, DHS, FBI, and other law enforcement organizations. Mr. McCarter also has instructed over 100 hours of biometric, explosive residue detection and latent print exploitation tactics, techniques and procedures to dozens of students. project developr uri department of Computer science and statistics kristen McCooey is the Lead Information Technologist at the uRI Department of Computer Science and Statistics. Ms. McCooey has completed extensive training from Access Data, X-Ways Software, Guidance Software, and the university of Rhode Island. She holds her ACE Certification from Access Data, her CCE Certification from ISFCE and is a member of the HTCIA.

James McCarter

software architect redWolf Computer forensics Mark Mckinnon is currently the owner of RedWolf Computer Forensics, a software company that creates free and purchased software. Mr. McKinnon has over 20 years experience in IT, ranging from mainframe/ PC programming, database administration and digital forensics. Some of his more notable free programs are Skype Log Parser, Google Chrome Parser, CSC Parser and the Vista Thumbcache Parser. Mr. Mckinnon is the creator of Drive Prophet, a triage program for Windows Systems. He is an adjunct professor at Davenport University teaching Computer Forensics and an associate of Ak+ Computer Consulting LLC, where he does digital forensic examinations and E-Discovery. Computer scientist department of defense Cyber Crime Center (dC3) Andrew Medico is a software developer for Cipher Tech Solutions, Inc. He has been at the Defense Cyber Crime Institute since 2008, where he performs research and develops new tools to support the Defense Computer Forensic Laboratory. He produced several releases of the dc3dd disk imaging utility and recently developed an iPhone/iPod touch forensics application. Mr. Medico holds a B.S. in Computer Science from Northeastern University. director of professional services accessdata Chris Mellen is Director of Professional Services at AccessData Corporation, where he is responsible for the development and management of AccessDatas Professional Services. His staff have varied and extensive backgrounds in digital investigations, coming from law enforcement, counterintelligence and corporate security. Prior to joining AccessData, Mr. Mellen served as a Manager with Guidance Software Professional Services, as a Special Agent with the Department of Defense with the Cyber Counterintelligence Activity and as a Computer Crime Specialist at the National White Collar Crime Center in Fairmont, WV. He also spent 11 years on active duty in the united States Marine Corps with an honorable discharge. 
While in the Marines, Mr. Mellen served with the Military Police, Customs, the Criminal Investigation Division and the Naval Criminal Investigative Service. He holds a Bachelors degree in Criminal Justice from Colorado Technical University and Masters degree in Computer Information Systems from Boston university. professor polytechnic institute of new York university Dr. Nasir Memon is a professor in the Computer Science department at the Polytechnic Institute of New york university. He is the director of the Information Systems and Internet Security (ISIS) lab at Polytechnic (http://isis. poly.edu). He earned his B.E. in Chemical Engineering and M.S. in Math from BITS, Pilani, India, in 1981. He got his M.S. in Computer Science (1989) and Ph.D. in Computer Science (1992) from the university of Nebraska, Lincoln. Dr. Memons research interests include digital forensics, data compression, computer and network security and multimedia computing and security. He has published more than 200 articles in journals and conference proceedings and holds four patents in image compression and security with six more pending application. He has won several awards,

Mark Mckinnon

andrew Medico

Christopher J. Chris Mellen

kristen McCooey

dan Mares

director, forensic development norcross Group Dan Mares is a retired federal agent now working as a computer forensic examiner. He began writing software programs to facilitate the analysis of seized electronic data in 1986, and developed the Maresware suite of investigative software programs. Mr. Mares provides ongoing technical and programming assistance to state and federal agencies in computer related cases. He assisted in the development of Seized Computer Evidence Recovery Specialist and Computer Investigation in an Automated Environment courses at the Federal Law Enforcement Training Center in Glynco, Georgia, and the Basic and Advanced Data Recovery Classes at the National White Collar Crime Center. In addition to providing instructional classes on forensic processing, and how to use his own suite of software, he has also instructed computer forensics for the following: FLETC (Federal Law Enforcement Training Center), NWCCC (National White Collar Crime Center), FEMA, university of Texas (McCombs Business School), the FBI Academy in Quantico, VA, and the Norwegian National Police Academy. ia Technologist 90th information operations squadron Dr. Mark Mason is a scientist with over 20 years of experience in research/development, analysis, mathematical modeling, reverse engineering,

Christopher Mcdaniels
director, dko, 22 nWs

Mark l. Mason, ph.d.

instructor/Course developer defense Cyber investigations Training academy (dCiTa) Matthew McFadden is an employee of CSC, assigned to the Defense Cyber Investigation Training Academy (DCITA). As a member of the Network Intrusion Track, Mr. McFadden researches, develops and instructs network intrusion and investigation. He has spent several years in the field of Information Technology specializing in Information Assurance and Security, Network Intrusion/ Penetration and Forensics. Mr. McFadden has performed research projects, consulted, presented and has worked in Network Administration. He also holds industry IT certifications, a Bachelor of Science in Network Security, a Master of Science in Information Security and is a candidate for a Doctoral degree in Computer Science.

Matthew Mcfadden

nasir Memon, ph.d.

U.S. DEPARTMEnT OF DEFEnSE CyBER CRIME COnFEREnCE 2011Cyber Hunters: Predators and Prey... |

65

speakeR BIogRapHIes | BReakout sessIons


including the NSF CAREER award and the Jacobs Excellence in Education award. He has been a PI or Co-PI on research and education grants exceeding $12 million. He has appeared on NBC Nightly News as an expert on steganography and his research has been featured in the New york Times, MIT Review, Wired.Com, New Science Magazine, etc. He is currently the editor-in-chief of IEEE Transactions on Information Security and Forensics. He was an associate editor for IEEE Transactions on Image Processing, the Journal of Electronic Imaging, the ACM Multimedia Systems Journal, the LNCS Transaction on Data Hiding, IEEE Security and Privacy Magazine, IEEE Signal Processing Magazine and the International Journal on Network Security. Dr. Memon is the co-founder of Digital Assembly (http://www.digital-assembly.com) and Vivic Networks, two early-stage start-ups in Polytechnics BEST incubator.
instructor/Course developer defense Cyber investigations Training academy (dCiTa) Jim Meyer, a Senior Computer Professional for CSC, is assigned to the Defense Cyber Investigations Training Academys Forensic track. Prior to joining DCITA, Mr. Meyer was a 20-year law enforcement officer with the Anne Arundel County Police Department in Maryland, performing general law enforcement duties and investigations. In his final years with the police department, he obtained a Master of Forensic Science degree in High Tech Crime Investigations from George Washington University. senior Cyber engineer sra international Adam Meyers is a Senior Principal with the National Products and Offerings Division of SRA International. Mr. Meyers serves as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. Mr. Meyers provides both technical expertise at the tactical level and strategic guidance on overall security program objectives. Mr. Meyers has extensive experience in Penetration Testing, Security Engineering and Architecture, Wireless Communication, and Reverse Code Engineering. Mr. Meyers is a recognized speaker who has presented on topics ranging from high level business solutions to deep technical training including industry conferences such as RSA and CSI. He currently supports the Department of State Bureau of Diplomatic Security leading a reverse engineering and cyber threat analysis team charged with investigation and mitigation. director of network forensics accessdata Corporation Jason Mical is a network forensic specialist for AccessData. In this role, he is responsible for the global management of AccessDatas Network Forensic solutions and assists ADs customers with the assessment of IT risk reduction in such areas as electronic intercepts, intrusion analysis, virus detection, incident response, privacy, asset management, policies, standards and guidelines. 
He also offers his expertise and consulting services to customers and other audiences on issues of electronic, computer and physical security investigations. Mr. Mical has more than 17 years of experience in telecommunications fraud prevention, physical security management and network security investigations. During his career, he has developed and implemented overall network security, physical security and fraud control programs

for several global organizations. He has also developed security and fraud awareness training seminars used to educate employees, as well as federal, state and local law enforcement officials, and has established and operated security incident response teams and forensic investigation units for several large enterprise organizations. Mr. Mical has been an active member with the FBI Infraguard, united States Secret Service Electronic Crimes Task Force, ISSA, HTCIA, ASIS, ANSIR and CTIA Fraud Task Forces.
senior Technical staff sei Soumyo Moitra is a senior member of Technical Staff with CERT Network Situational Awareness Group. He has been involved with modeling and analyzing network traffic for security and monitoring. He is currently working on metrics for the cost-effectiveness of network sensors and modeling network security operations. Prior to his joining the SEI, Mr. Moitra taught Operations Management; worked on telecommunications services and planning at Bellcore, New Jersey; and also taught Policy Analysis at Baruch College, New york. He has an M.A. from Cornell university, an M.S. from Syracuse university and a Ph.D. from SuPA (now Heinz College), CMu. He has been an Alexander von Humboldt Fellow at the Max-Planck-Institute, Freiburg, Germany, and a visiting professor at NTT in Tokyo. He has published journal articles in a number of subject areas and presents regularly at conferences. He is a member of INFORMS (Institute for Operations Research and Management Science), the American Statistical Association and SIGMA XI: The Research Society. president forensic strategy services Scott Moulton is a Certified Computer Forensic Specialist and is president of Forensic Strategy Services and My Hard Drive Died. He has given speeches at some of the biggest conferences, produced videos watched by hundreds of thousands of people, and does podcasts and radio shows to spread the knowledge of how to repair hard drives and recover data for legal cases. Mr. Moulton is a master at Data Recovery working for some of the biggest names. He wrote and is the lead instructor on Data Recovery and Hard Drive Forensics courses. His class been very popular and taught his forensic processes on damaged drives all over the country. As a litigation support expert, Mr. Moulton focuses on collecting and preparing evidence where a computer contains data that may be legal proof in a case. He is skilled in recovering deleted data, researching cases and has testified as an expert witness. 
In the five years since his companys inception, Mr. Moulton has handled many complex cases that include but are not limited to homicide, embezzlement, theft, divorce and corporate fraud. detective Madison police department Detective Cindy Murphy is employed by the City of Madison Wisconsin Police Department and has been a Law Enforcement Officer since 1985. She is a certified forensic examiner (EnCE/CCFT, DFCP), and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of hundreds of hard drives, cell phones and other items of digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual

assaults, child pornography, financial crimes and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She is also a part time digital forensics instructor at Madison Area Technical College and is currently working on her M.Sc. in Forensic Computing and Cyber Crime Investigation through University College, Dublin.
senior lead engineer defense Computer forensics laboratory (dCfl) Sig Murphy has worked for General Dynamics at the DoD Computer Forensic Laboratory since 2000. He is currently serving as a Senior Lead Examiner and the acting CI Section Chief. instructor/Course developer defense Cyber investigations Training academy (dCiTa) Starting his career as a Special Agent with the united States Army Criminal Investigative Division, Jeff became a leading expert in criminal profiling. He continued his innovative techniques as he helped establish one of the first computer crime units in the military. After his tenure in the military, he continued studying criminal behavior with Richland County Sheriffs Department. Next, he established Naylor Investigative and Consulting Firm, focusing on computer forensic. In 2008, Jeff was requested by the South Carolina Attorney Generals Office to train the Internet Crimes Against Childrens (ICAC) Task in computer forensics and write their policy and procedures. Currently, Jeff is employed by CSC and supports the Defense Cyber Investigative Training Academy as a Senior Forensic Instructor. He has been qualified as an expert in federal, State and Military Court in computer forensic, sexual crimes, profiling, crime scene analysis, and collection of digital evidence. Jeff has also published a book developing a new classification system based on the behavior of criminals utilizing the computer for criminal activity. instructor/Course developer defense Cyber investigations Training academy (dCiTa) Lucus Nelson is a CSC employee assigned to the DCITA contract as a Subject Matter Expert/Instructor on the Forensics Track. Prior to joining the DCITA team, Mr. Nelson served as a police officer in Michigan and a member of the Internet Crimes Against Children (ICAC) task force. Mr. Lucus is certified through IACIS and Access Data (ACE) in digital forensics. 
He currently teaches the following DCITA courses: Windows Forensic Exams with Encase and/or FTk, Macintosh Forensics and the Deployable Forensics course. instructor/Course developer defense Cyber investigations Training academy (dCiTa) Mark Neno is employed by CSC as an Instructor and Course Developer assigned to the Defense Cyber Investigations Training Academy - Forensic Track. He teaches Windows Forensic Examinations-EnCase, Data Recovery, Basic Cyber Investigators Course, Deployable Forensics, Continuing Education-EnCase and Continuing Education-Forensic Toolkit. He has received training in

soumyo Moitra

sig Murphy

James Jim Meyer

Jeff naylor

adam Meyers

scott Moulton

lucus nelson

Jason Mical

Cynthia Murphy

Mark neno

66

| Conference and Exposition Produced by Technology Forums || www.GovernmentMeetings.com

speakeR BIogRapHIes | BReakout sessIons


computer forensics and computer crime investigation from the National White Collar Crime Center, DCITA, Digital Intelligence and Guidance Software. Prior to joining DCITA, Mr. Neno was a Police Officer for the Mobile Police Department, working in almost all areas of the Department: Patrol, Arrest and Detention, Internal Affairs, Criminal Investigation, Planning, and Support Services. He served as the Departments Computer Forensic Examiner for the last eight years of his law enforcement career. Mr. Neno retired from the Mobile Police Department in 2007, with the rank of Captain.
vice president of product Management damballa Stephen Newman brings over 14 years of product management experience to Damballa-designing products and product strategies for leading, innovative technology companies. Prior to joining Damballa, Mr. Newman was Director of Product Management for Secure Computing and McAfee. under his management, his products garnered Leader product recognitions from Forester, Gartner, Secure Computing Magazine, and Radicati. Prior to Secure Computing, Stephen developed and marketed industry leading consumer and business technology products for Boston Acoustics, MegaPath and EarthLink. Mr. Newman holds a Masters degree in Electrical Engineering from Georgia Tech and a Bachelors Degree in Electrical Engineering from Johns Hopkins university.

the Digital Forensics Program for the u.S Customs Service and the Department of Homeland Security, Immigration and Customs Enforcement. Mr. Nick has been an active contributor to the advancement and the recognition of digital forensics as an accredited forensic science. He is a former member of the Executive Board of the Scientific Working Group on Digital Evidence. He is currently an American Society of Crime Lab Directors Certified Digital Evidence Inspector and has trained as an ISO Provisional International Assessor.
software engineer defense Cyber Crime institute (dCCi) Matthew Nolan is a software engineer at DCCI. Hes been with General Dynamics at the Institute for about a year and a half and specializes in trying to bring more advanced statistical analysis to digital forensics. physical scientist, office of science and Technology national institute of Justices (niJ) Martin Novak is a Physical Scientist with the National Institute of Justices (NIJ) Office of Science and Technology, Information and Sensor Technology Division. He manages NIJs Electronic Crime Research and Development Portfolio. Within his portfolio, Mr. Novak is responsible for developing effective program plans, developing and managing solicitations, implementing grants and agreements to execute program plans, ensuring that research and development applications are peer reviewed via fair objective processes, ensuring that project goals and objectives are directly linked to validated criminal justice technology needs, making certain that projects do not unnecessarily duplicate other public and private sector efforts and are focused on those goals and that will provide the highest returns within available funds. Mr. Novak has been with NIJ for 12 years and previously managed several technology centers in NIJs National Law Enforcement and Corrections Technology Center (NLECTC) System. forensic operations senior program Manager nek advanced securities Group, inc. Catherine Okeefe is the Forensic Operations Senior Program Manager and an Intelligence Operations Instructor at NEk. Her job requires her to develop and teach computer forensics and media exploitation courses to the military, law enforcement professionals and other intelligence organizations. Her focus of instruction is using forensic software and hardware to conduct exploitation operations in tactical, counterterrorism environments to gather actionable intelligence. Ms. OKeefe was recently deployed to Iraq in support of Operation Iraqi Freedom. 
She was a Media Exploitation Analyst and conducted media exploitation on captured enemy digital/analog media seized by personnel conducting counterterrorism operations and force protection activities, including DoD Agencies, the united States Military, DHS, FBI and other law enforcement organizations. The mission required OKeefe to conduct examinations and recovery of data stored on various forms of media in order to gather information meeting Primary Intelligence Requirements and/or evidence of crimes against u.S. and Coalition Forces. Ms. Okeefe also worked as a Computer Forensic Analyst for a private company and has performed work on over 100 civil, criminal, internal and administrative cases including those involving theft of intellectual property, employee misconduct, contract disputes, divorce, child exploitation,

probation violation, harassment, fraud and challenges to estates and wills.


director niJ electronic Crime Technology Center of excellence Robert OLeary, CFCE, DFCP, is the Director of the NIJ Electronic Crime Technology Center of Excellence, established to build the criminal justice communitys capacity to investigate electronic crime, collect digital evidence and conduct forensic examinations on digital evidence. Retired from the New Jersey State Police, High Technology Crimes Unit, he received the Cellular Telephone and Internet Association (CTIA) Law Enforcement Excellence Award. He has conducted, coordinated and supervised criminal investigations involving telecommunications fraud, computer and internet crime and was the lead detective in the Melissa Macro Virus investigation. He developed and conducted training for law enforcement and prosecutors on Computer Crime and Digital Evidence. Robert supervised the first New Jersey Statewide Computer Crimes Task Force and consults with law enforcement on computer crime and digital evidence issues. researcher bloomsburg university of pennsylvania As a current student at Bloomsburg university of Pennsylvania, Tyler Oliver has been studying digital forensics and computer science for the past five years. Mr. Oliver was most recently presented with the opportunity to work as an intern for the DCCI on the topic of Limewire RAM analysis. His goal in the internship was to uncover the layout of information left behind by the popular file sharing application. Along with his internship with the DCCI, Mr. Oliver is employed by the Pennsylvania Center for Digital Forensics at Bloomsburg University. There he does a variety of research including RAM analysis of in-private browsing as well as cell phone analysis. He plans to complete his studies in the spring of 2011 and hopes to obtain a position in the challenging field of digital forensics. vice president of research damballa Gunter Ollmann has over 20 years of experience within the information technology industry and is a veteran in the security space. 
Prior to joining Damballa, he held strategic positions at IBM Internet Security Systems (IBM ISS), most recently as the Chief Security Strategist. In this role he was responsible for predicting the evolution of future threats and helping guide IBMs security research and protection strategy, as well as being IBMs spokesperson on evolving threats and mitigation techniques. He also held the role of Director of X-Force as well as the former head of X-Force security assessment services for EMEA while at ISS (which was acquired by IBM in 2006). Prior to ISS, Mr. Ollmann was the professional services director of Next Generation Security Software, a vulnerability research and attack-based consulting firm. Mr. Ollmann has been a contributor to leading international IT and security-focused magazines and journals, and has authored, developed and delivered a number of highly technical courses on Web application security. He is a well-known industry speaker worldwide and is often invited to present at international security conferences.

robert oleary

stephen newman

Matthew nolan

Martin novak

Tyler oliver

nicholas r. newman

nW3C Nicholas Newman began his career as a Computer Crimes Specialist with the National White Collar Crime Center in January of 2006, bringing with him nearly a decade of information technology and software engineering experience. Mr. Newman has also represented NW3C in the mass media through such organizations as uSA Today and the MSNBC Today Show and has spoken at the Internet Crimes Against Children and High Tech Crime International Association conferences, among others. Mr. Newman contributes to and regularly instructs NW3Cs ISEE, STOP, STOP-T3, BDRA, ISLEN and LINuX computer forensic courses, and is also the lead developer of NW3Cs TuX4N6 forensic digital triage tool.

Catherine okeefe

Gunter ollmann

Jason nichols
Managing director science applications international Corporation Glenn J. Nick serves as the Managing Director of SAIC Digital Forensics practice, based in McLean, Virginia. Mr. Nick provides more than 27 years of local and federal law enforcement experience with an emphasis in conducting and managing complex multinational hightech investigations. Over the last ten years of his federal service Mr. Nick worked to establish the u.S Department of the Treasurys Computer Investigative Specialist program. He worked jointly with representatives of the Alcohol Tobacco and Firearms, the Internal Revenue Service, the u.S Customs Service, and the u.S Secret Service to develop training curricula, establish best practices, and deploy more than 500 highly trained special agents to their originating agencies. In addition, he was responsible for the design and implementation of the u.S Customs CyberSmuggling Center (C3), the first federal effort to address and combat illegal activity facilitated by the Internet. He also directed the work of approximately 175 digital forensics Agents and managed

Glenn nick

U.S. DEPARTMEnT OF DEFEnSE CyBER CRIME COnFEREnCE 2011Cyber Hunters: Predators and Prey... |

67

speakeR BIogRapHIes | BReakout sessIons


national program Manager department of homeland security, homeland security investigations, national security unit Senior Special Agent Tony Onstad has 29 years of law enforcement experience. This includes 22 years as a Special Agent with u.S. Immigration and Customs Enforcement (ICE, formerly known as the u.S. Customs Service). Since May 2006 he has been assigned to the ICE National Security unit as a National Program Manager where he conducts digital media exploitation on persons of national security interest. SSA Onstad is responsible for initiating, developing and coordinating complex multi-agency investigations involving Jihadist use of the internet. Onstad is an instructor on internet investigations subject matters, Jihadist use of the internet, cyber Counter Proliferation and WiFi investigations for ICE, the Defense Threat Reduction Agency and the u.S. State Department. From January 2001 to May 2006 SSA Onstad was assigned to the ICE Cyber Crimes Center where he was a National Program Manager for Internet undercover Counter Proliferation investigations, undercover website use in National Security investigations and Jihadist internet investigations. During this assignment he was responsible for developing and refining investigative techniques used to track suspects who use WiFi to facilitate their criminal activities. These techniques were used in the first two investigations involving court authorized WiFi intercepts resulting in the identification and apprehension of suspects engaged in the distribution of counterfeit software, identity theft and the manufacture of counterfeit identity documents. supervisory special agent department of homeland security Supervisory Special Agent Phillip Osborn has over 30 years of federal law enforcement experience, a significant portion of this experience dating from the early 1990s involving computer and internet related criminal investigations. 
SSA Osborn is a past chairman of the World Customs Organization Electronic Crimes Experts Group, and during his seven years as a National Program Manager for cyber crimes he established a program which focuses on internet financial sectors and services and their vulnerabilities relating to money laundering and national security threats. SSA Osborn holds a Masters degree in Security Studies from the Naval Postgraduate School completing his thesis on prepaid stored value cards, digital currencies and the threats they pose for money laundering and terrorist financing. senior Cost analyst, naval Center for Cost analysis u.s. navy Steven Oxman has been in the Information Technology field since 1967. He has three B.S. degrees: in Mathematics, Computer Sciences and Business Administration, an MS in Computer Sciences from Worcester Polytechnic Institute, and an M.S. in Management from Troy State university. Mr. Oxman was in the uSAF including a tour with uSAF Intelligence. He also was a civil servant following the uSAF for 11 years. Mr. Oxman then founded and ran the OXkO Corporation for over 24 years, doing IT programs that included forensic analytics work, artificial intelligence and very large data base analytics. He is presently working for the u.S. Navy in the area of Automated Information System Cost Analysis.

senior special agent Tony onstad

Cyber intelligence analyst rCerT-Conus Sean Paul assumed the position of assistant Team Lead for the Threat Analysis Cell (TAC) and lead developer of the QTip Tool Suite in the u.S. Armys Regional Computer Emergency Response Team - CONuS (RCERT-CONuS) since June 2009. The mission of the RCERT-CONuS is to provide for the Computer Network Defense of Active Army, National Guard and Army Reserve networks within CONuS. Prior to this assignment, he held positions in the RCERT-CONuS as an Information Assurance Technician, Computer System Security Analyst and Cyber Intelligence Analyst. senior solutions architect for intelligence, investigation and law enforcement Technologies adobe John Penn is Senior Solutions Architect for Intelligence, Investigation and Law Enforcement Technologies at Adobe Systems, in San Jose, CA. He spent 11 years at Adobe as a Senior Computer Scientist working on Photoshop and is now focused on the development of tools, techniques and training for the intelligence and law enforcement community, as well as for the National Center for Missing and Exploited Children. Mr. Penn has a history in the technology sector extending 30 years. He has been working to foster communication between law enforcement and industry. He hopes his efforts will build a better understanding of law enforcement challenges in industry and bring a better understanding of technology to the law enforcement and judicial system. Malware analyst secure innovations Vincenzo Pierorazio has over five years of experience in the information systems field, two of which are in the Department of Defense. His expertise is in network penetration testing and digital forensics. 
He holds a Masters degree in Forensic Studies of Information Systems from Stevenson university and has the following certifications: Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP) and GIAC Certified Penetration Tester (GPEN). principal deer run associates Hal Pomeranz is an experienced technology authority, delivering pragmatic Information Technology/Security solutions and Digital Forensic investigation services through Deer Run Associates, the company he founded in 1997. Mr. Pomeranz also is a SANS Institute Faculty Fellow and continues to develop the SANS/GIAC unix Security Certification (GCuX) curriculum. He teaches courses in the SANS/GIAC Certified Forensic Analyst (GCFA) curriculum and is a regular author for the SANS Computer Forensics blog. senior analyst verizon Christopher Porter is a Senior Analyst on the Risk Intelligence team for Verizon Business. In this role, he engages in collecting, analyzing and distributing internal and external data relevant to understanding and managing information risk. The output from these

sean paul

John penn ii

activities is used to improve Verizons services, inform personnel and clients, and provide credible influence to the constant evolution of security planning. Mr. Porter has nearly 15 years of experience in IT and security industries. His background includes work as an economist, in network and system administration, and as an information security consultant. Mr. Porter first joined Verizon Business (Trusecure and Cybertrust) in 2004 and worked as a Senior Consultant for the Security Management Program, where he led a team to deliver security services to several Fortune 500 financial, insurance and health care institutions at over 80 global sites. Since joining the Risk Intelligence team in 2009, Mr. Porter co-authored the 2009/2010 Data Breach Investigations Report and contributed to the 2009 Supplemental Data Breach Investigations Report.
Chief Cybersecurity strategist and Co-director, international Cyber Center CsC and George Mason university Andy Purdy is Co-Director of the International Cyber Center at George Mason University and Is Chief Cybersecurity Strategist for CSC. He was formerly the Acting Director for the National Cyber Security Division/ uS-CERT. He also served as Howard Schmidts deputy as a member of the White House Staff, helping to draft the National Strategy to Secure Cyberspace. Managing director Mandiant Wendi Rafferty is a Managing Director in Mandiants Los Angeles office and is responsible for the west coast region of Mandiants consulting services as well as continued management of Mandiants federal services operations. Ms. Rafferty has more than three years of experience conducting and managing Commercial Incident Response investigations and Federal Cyber Security Operations while at Mandiant, and over eight years of experience in the Computer Security community. Ms. Rafferty has supported network intrusion response with the Department of Defense, federal law enforcement agencies, and the national intelligence community. She has advanced training in computer forensic analysis, computer intrusion investigations, electronic evidence preservation and conducting counterintelligence collections and investigations. Rafferty has been a featured speaker on incident response at SANS, CSI SX, GFirst, DoD Cybercrime, and the FBI National Infragard Conference. She holds a Bachelors degree in Computer Science and a Masters degree in Management Information Systems. product Manager, lead security researcher Motorola airdefense Michael Raggo (CISSP, NSA-IAM, CCSI, SCSA, CSI) applies over 20 years of security technology experience and evangelism to the technical delivery of Wireless Security Solutions, and was a contributor to a new and patented AirDefense product, Wireless Vulnerability Assessment. Mr. 
Raggos technology experience includes penetration testing, wireless assessments, compliance assessments, firewall and IDS/IPS deployments, incident response and forensics, risk management and security research. He is a former security trainer. Mr. Raggo has presented on various security topics at numerous conferences around the world (BlackHat, DefCon, SANS, InfoSec, etc.) and has briefed the Pentagon.

andy purdy

Wendi rafferty

supervisory special agent phillip osborn

vincenzo pierorazio

hal pomeranz

steven W. oxman

Michael T. raggo

Christopher porter

68

| Conference and Exposition Produced by Technology Forums || www.GovernmentMeetings.com

speakeR BIogRapHIes | BReakout sessIons


Chris Rankine III
Research Scientist, Georgia Tech Research Institute
Chris Rankine is a researcher with the Information Technology and Telecommunications Laboratory at the Georgia Tech Research Institute, and is a faculty member associated with the Georgia Tech Information Security Center. Involved predominantly with applied engineering projects, his recent work has involved wireless network interoperability, embedded device exploitation and mesh networking vulnerability analysis. Prior to joining GTRI, Mr. Rankine worked as an Information Technology Consultant, providing mostly intrusion prevention, network security and BCP services to clients in various industries throughout Atlanta. Mr. Rankine holds a B.S. in Computer Engineering from Georgia Tech, an M.B.A. in Computer Information Systems from Georgia State University, an M.S. in Information Security from Georgia Tech, and a CISSP certification.

Albert "Al" Rees Jr.
Trial Attorney, U.S. Department of Justice
Al Rees is a Trial Attorney in the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice, in Washington, D.C. CCIPS is responsible for implementing the Justice Department's national strategies in combating computer and intellectual property crimes worldwide. Section attorneys investigate and prosecute cybercrime and help to develop law and infrastructure to fight it. To pursue network criminals effectively, CCIPS works closely with other government agencies, the private sector, and foreign counterparts. Mr. Rees is an Adjunct Professor of Law at Georgetown University in Washington, D.C., where he teaches Law and Measures Against International Terrorism. He served on active duty as a United States Air Force Judge Advocate and remains in the Air Force Reserve. He has presented law programs to government officials, military officers, investigators, prosecutors, judges, journalists and law students in the U.S. and 25 countries abroad.

Lee Reiber
CEO, Mobile Forensics, Inc.
Lee Reiber is CEO of Mobile Forensics, Inc. He has been featured in several newspapers, most notably The New York Times and The Washington Post, discussing cellular evidence retrieval, and contributes to Law Officer Magazine as a writer, specifically dealing with electronic data discovery and recovery. Mr. Reiber also works as a Computer and Cell Phone Forensic Examiner for a large police department in the northwest United States.

Randy Robbins
Cyber Security Expert, Booz | Allen | Hamilton
Randy Robbins has over 15 years' experience in operating and securing various IT communication systems. He currently provides technical and operational IT security support for the Defense Critical Infrastructure Program (DCIP) of various DoD organizations, and also supports Booz Allen Hamilton's Digital Forensics Team. In a previous life, Mr. Robbins led a security operations team for a global energy company, performed security testing for a wide variety of federal agencies and managed regional network operations for a Fortune 500 company. He has a Master of Science degree in Digital Forensics from Sam Houston State University.

Michael Robinson
Chief Information Officer, DoD Business Transformation Agency
Michael Robinson is the Chief Information Officer for the Department of Defense's Business Transformation Agency (BTA). As the CIO, he is responsible for all IT operations, information assurance and computer forensic activities within BTA. In addition to his work with BTA, Mr. Robinson is an adjunct faculty member at Stevenson University in the graduate school's Forensic Studies program. He holds a number of certifications, including CCE, MCSE and Security+. He has two Master's degrees, one in forensic studies and one in information assurance. Additionally, he has a graduate certificate in Intelligence Studies. He has published over a dozen articles in IT, with the most recent article entitled "Issues with Cell Phone Forensics."

Andrie Rose
Program Manager, Defense Personnel Security Research Center
Andrie Rose graduated from California State University, Fullerton, with a Bachelor's degree in Sociology and a Master's in Public Administration. She received a Master's in Criminal Justice from the State University of New York, Albany. While in graduate school, she worked at the New York State Division of Criminal Justice Services and the Orange County Probation Department. In 2003 Ms. Rose joined Northrop Grumman (PERSEREC contractor) as a research analyst. She has collaborated on projects such as an evaluation of military enlistment screening methods, an assessment of best practices for preventing and detecting identity fraud, and an evaluation of the extent to which people self-report criminal offenses when applying for security clearances. Ms. Rose is currently working to identify cyber vetting guidelines for law enforcement personnel and national security positions. She is a member of the International Association of Chiefs of Police, the Association of Certified Fraud Specialists and the American Society of Criminology. She was also certified by the American Association of Motor Vehicle Administrators as a fraudulent document recognition instructor.

Paul Royal
Research Scientist, Georgia Tech
Paul Royal is a Research Scientist at the Georgia Institute of Technology, where he engages in collaborative research on various facets of the online criminal ecosystem. Prior to joining Georgia Tech, he served as Principal Researcher at Purewire, Inc., where he worked with other researchers to identify threats and design methods that enhanced the company's web security service. Mr. Royal is a frequent press resource on security issues and has been quoted in USA Today, The Washington Post, Forbes and others.

Christi Ruiz
Incident Response Section Chief, 33 NWS
Christi Ruiz is the Incident Response section chief. Her team is responsible for handling all AF computer intrusions, from discovery to secure and recover. Her team works 24/7 to ensure AF networks are secured and that compromised systems are cleaned and placed back online as quickly as possible.

Amber Schroader
CEO, Paraben Corporation
Throughout the past two decades as CEO of Paraben Corporation, Amber Schroader has been the driving force behind some of the most innovative Digital Forensic technology to be introduced into the industry. She has developed over two dozen software programs designed for recovering digital data from handheld devices such as cellular phones and PDAs, computer hard drives, and large-scale computer networks capable of storing data from several thousand computers. With an aggressive development schedule, Ms. Schroader continues to bring forth new and exciting technology to the computer forensic community worldwide. Ms. Schroader coined the concept of the 360-degree approach to digital forensics, pushing for a big-picture consideration of the digital evidence acquisition process. An accomplished curriculum developer and instructor, Ms. Schroader has written and taught numerous classes for this specialized field. She continues to support the industry through speaking engagements at DoD Cybercrime, HTCIA, CSI and a variety of other events.

Elizabeth Schweinsberg
Forensic Analyst, Department of Defense
Elizabeth Schweinsberg is a Digital Forensics Analyst who specializes in Intrusion Analysis for the Department of Defense. She hunts for malware that tries to stay hidden and determines how it got there. Ms. Schweinsberg has been in the computer industry for over a decade and in digital forensics since she received her M.S. in Information Security, Technology and Management from Carnegie Mellon University. When not behind the computer, she works on her avian millinery.

Christian Scott
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Christian Scott is an employee of CSC assigned to the Defense Cyber Investigations Training Academy's (DCITA) Technology Track. Prior to joining DCITA, Mr. Scott worked in the private sector as a project engineer and security consultant, working primarily on intelligence community and Fortune 500 company contracts. Mr. Scott established his experience as a security professional while serving in the United States Army as a Counterintelligence Agent, specializing in Technical Intelligence.

Chris Shanahan
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Christopher Shanahan is an employee of CSC assigned to the Defense Cyber Investigations Training Academy (DCITA) in Linthicum, Maryland, as an instructor and course developer in the Forensics Track. With more than eighteen years of experience in law enforcement (nine as a detective responsible for digital forensics and electronic crimes), Mr. Shanahan has extensive experience in cyber crime investigations and digital forensics. In addition, Mr. Shanahan was responsible for building a state-of-the-art digital forensics lab for a county police department in Northern Delaware, a busy lab that still operates successfully today. Mr. Shanahan holds a BS in Computer and Network Security and maintains a number of industry-recognized technical certifications. In 2009 Mr. Shanahan coached the winning team in the undergraduate category for the DC3 Computer Forensics Challenge.

U.S. Department of Defense Cyber Crime Conference 2011 | Cyber Hunters: Predators and Prey...
Special Agent David Shaver
Special Agent in Charge, Computer Crime Investigative Unit, U.S. Army CID
Special Agent David Shaver is the Special Agent in Charge of the Digital Forensics and Research Branch for the U.S. Army CID, Computer Crime Investigative Unit (CCIU), Fort Belvoir, VA. The mission of CCIU is to investigate any intrusion into any U.S. Army computer worldwide.

Aaron Shelmire
Analyst, SEI/CERT
Aaron Shelmire is an analyst working in the Network Situational Awareness group of CERT. His work has been focused on detecting malicious behavior through network indicators.

Erik Sherman
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Erik Sherman is an employee of CSC, assigned to the Defense Cyber Investigations Training Academy. He has over 20 years of experience in IT. Mr. Sherman is an instructor for DCITA's Technology track with a B.S. in Computer Information Technology and holds A+ and CTT+ certifications. Prior to teaching at DCITA, Mr. Sherman was an Intrusion Detection analyst for CSC. He has also worked for the world's largest web host as a Customer Compliance Operative, monitoring for fraudulent and malicious activity.

Mary Singh
Senior Consultant, Mandiant
Mary Singh is a Senior Consultant at Mandiant with nine years of experience in computer and information security. She has significant experience in military information operations, intrusion detection and network assessments. Her specialties include vulnerability assessment, incident response, IDS signature development, system optimization and forensic analysis. Ms. Singh is now focused on finding evil for Mandiant's commercial and government clients via forensic examination and analysis. She discovered several new malicious backdoors and malware used by sophisticated attackers commonly referred to as the advanced persistent threat. She also identified specific military data that was targeted at several major defense contractors. In addition, she discovered malicious software that was unknowingly being hosted and distributed from a legitimate website. Prior to joining Mandiant, Ms. Singh spent eight years developing and implementing security strategies and solutions for the U.S. Air Force as both a military officer and government contractor. She was actively involved in defending the operational network at the Air Force Computer Emergency Response Team and then transitioned into an information warfare support role. There she helped develop some of the tools and strategies currently in use by Air Force network defenders.

Christopher Smoak
Research Scientist, Georgia Tech Research Institute
Christopher Smoak is a Research Scientist at the Georgia Tech Research Institute (GTRI). Prior to joining GTRI, he worked for Science Applications International Corporation (SAIC) as a network and security engineer within the Intelligence Community. His research focuses primarily on malware analysis and subversive software development techniques, working to identify common attack methodologies utilized to compromise computer systems and operate undetected. He received his B.S. in Computer Science from the Georgia Institute of Technology and is currently pursuing his M.S. in Information Security. Additionally, he holds the Certified Information Systems Security Professional (CISSP) certification.

Bryan Spano
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Bryan Spano is a course developer and instructor in the Forensics Track at the Defense Cyber Investigations Training Academy (DCITA), part of the Defense Cyber Crime Center (DC3). Prior to joining DC3, Mr. Spano gained extensive experience as a federal law enforcement agent, specializing in cyber crime investigations and evidence response. He holds a Bachelor's degree in Physics from the U.S. Naval Academy.

David Speringo
Senior Consultant/Engineer, AccessData
With ten years of experience in the e-discovery sector as a practicing attorney, electronic discovery consultant, and computer forensic specialist, David Speringo serves as a senior consultant on staff with AccessData. Prior to joining AccessData, Mr. Speringo held senior-level management and consulting positions at both ends of the e-discovery spectrum: within a law firm and at a national e-discovery litigation support company. Within these roles he has taught classes providing continuing legal education for attorneys and has been a guest speaker at several legal conferences on the topics of litigation support technologies, best practices, and litigation technology cost management. Within the forensics world, Mr. Speringo is a certified computer examiner (CCE) and has led forensic teams on the investigative acquisition and analysis of data for clients composed of several AMLAW 100 firms and Fortune 500 companies over the past seven years. He received his B.A. in Political Science/History from the University of Connecticut in 1997, and his law degree (J.D.) from Roger Williams Law School in 2000.

Robert Spitler
Forensic Lead Specialist, Defense Cyber Crime Center (DC3)
Robert Spitler is a Forensic Lead Specialist with the Defense Cyber Crime Center. He is an Air Force veteran with over 20 years of law enforcement and over nine years of digital forensics experience. Mr. Spitler has experience investigating major criminal offenses at the state and federal level, as well as experience in intelligence exploitation and corporate investigations. He has testified as an expert witness in digital forensics on several occasions. Mr. Spitler has certifications in digital forensic examination through IACIS (CFCE), Guidance Software (EnCE), and DoD (CBDFE). He is a certified Law Enforcement Instructor (VA) and Instructor in Computer Forensics (IACIS). He has been directly involved with the continued advancement of digital forensics during his career through training and association involvement, including numerous hours of computer crime and forensic instruction for local, state, federal and foreign law enforcement as well as corporate investigators. Mr. Spitler served on the Board of Directors for the International Association of Computer Investigative Specialists for five years. He has conducted forensic training with IACIS and HTCIA and co-developed and taught cyber classes for the U.S. Department of State Anti-Terrorism Assistance Program for law enforcement in foreign countries.

Lieutenant Colonel Cindy Stanley
Deputy Staff Judge Advocate, Air Force Office of Special Investigations (AFOSI)
Lieutenant Colonel Cindy Stanley is the Deputy Staff Judge Advocate for the Air Force Office of Special Investigations. She has served in various positions including staff judge advocate, deputy staff judge advocate, area defense counsel and executive officer. Colonel Stanley was recognized as Air Combat Command's 2004 Outstanding Deputy Staff Judge Advocate of the Year and was the 2005 12th Air Force Outstanding Judge Advocate. She is admitted to practice law before the Supreme Court of Nebraska and the United States Court of Appeals for the Armed Forces.

Don Stewart
Project Manager, NIJ Electronic Crime Technology Center of Excellence
Donald Stewart, CFCE, is a Project Manager with the NIJ Electronic Crime Technology Center of Excellence. The ECTCoE staff works with the NIJ Office of Science & Technology Electronic Crime Portfolio and colleagues in law enforcement, academia and the private sector to provide state and local law enforcement with the electronic crime and digital evidence tools, technology and training they will need to serve the public with the highest degree of expertise, increase the number of successful investigations involving electronic crime and digital evidence, and achieve the highest possible prosecution-to-conviction rate. In 2000 he established the Computer Forensic Section for the Forensic Services Unit at the Prosecutor's Office in Berks County, Pennsylvania, while he was employed there as a Detective. He worked for 32 years in Law Enforcement prior to his retirement. He is a member of HTCIA and IACIS. He currently serves on the Law Enforcement Advisory Board for Berks Technical Institute, Wyomissing, PA (five years), where he advises on the Criminal Justice course content. He holds a Bachelor's Degree in Criminal Justice Administration from Alvernia University, Reading, PA.

Ed Stoner
Analyst, Network Situational Awareness Group, CERT
Ed Stoner is an analyst working in the Network Situational Awareness group of CERT. His work has been focused on detecting malicious behavior through network indicators.

Christopher Taylor
Senior Investigator, Crucial Security Programs, Harris - Crucial Security Programs
Christopher Taylor is a forensics practitioner and researcher whose work has supported various arms of the federal government for the last 12 years. He has worked both traditional, dead-drive forensics and incident response on live networks, with special focus on dealing with long-running intrusion cases.

Michael Terminelli
Project Manager, NIJ Electronic Crime Technology Center of Excellence
Michael Terminelli is a Project Manager of the NIJ Electronic Crime Technology Center of Excellence (ECTCoE), a project established to build the capacity of the State and Local Criminal Justice Community to prevent, investigate and prosecute Electronic Crime. He served as the Project Coordinator of the Electronic Crime Partnership Initiative, an NIJ-funded project to assist and define the NIJ's electronic crime research agenda. In 1989, Michael graduated from the Morris County Police Academy and served as a patrolman for the Mount Olive Police Department. He then went on to become a Detective at the Warren County Prosecutor's Office, working as an undercover officer in the county Narcotics Task Force and later working in the Major Crimes Unit. He is a member of the HTCIA (High Technology Crime Investigation Association) and holds an Associate in Science Degree in Environmental Science and a Bachelor of Science in Ecology and Natural Resource Management from Rutgers University.

Conference and Exposition Produced by Technology Forums | www.GovernmentMeetings.com
Buddy K. Tidwell
Senior Computer Forensic Instructor; Manager, Contract Trainer Program, AccessData Corporation
Buddy Tidwell is a Senior Computer Forensic Instructor and Manager of the Contract Trainer Program at AccessData Corporation. Previously, he was the Senior Computer Forensic Examiner for the Dickson County, Tennessee, Sheriff, assigned to the Office of District Attorney General. Mr. Tidwell served as Lab Manager at the Joint Computer Forensics Lab for Law Enforcement, with forensic computer examination and computer crime assistance as his primary function. He established the Joint Computer Forensics Lab for Law Enforcement in Middle Tennessee, which was funded federally by the United States Department of Justice for the first three years of operations. The lab serves approximately 14 law enforcement agencies and a population of 135,000. He is also the founder of TechForce Consulting, a computer forensic consultancy. Mr. Tidwell has extensive specialized training and certifications in the field of computer forensics and holds current certifications by the International Association of Computer Investigative Specialists (IACIS) as an Electronic Evidence Collection Specialist and a Certified Forensic Computer Examiner. He has received extensive training and is an AccessData Certified Examiner (ACE) and AccessData Certified Instructor (ACI). He is currently engaged as a trainer in the Certified Forensic Examiner Training Program for IACIS and has developed training materials and taught at the Basic Examiners training class for the years 2005 to 2009. Additionally, he has developed specific computer forensic curriculum for the University of Tennessee at Knoxville used in the Law Enforcement Innovations Center and instructed Microsoft Office Applications, Digital Evidence Issues and Computer Crime Issues to government employees, including law enforcement officers and District Attorney General staff.

Alissa Torres
Forensic Investigator, Northrop Grumman
Alissa Torres is a forensic investigator for Northrop Grumman Information Systems. Prior to working as an investigator, she was an instructor and course developer at the Defense Cyber Investigations Training Academy, where she authored and delivered instruction in incident response and introduction to networking and computer hardware. Ms. Torres has over seven years of experience in the information technology field, including time served as a desktop and network support analyst. She holds certifications as an EnCE, MCSE, MCT, and CompTIA's A+, Network+, Security+ and CTT+. Her professional background includes four years of active duty service in the Marine Corps as a communications officer.

Tim Treat
Manager, Mandiant
Tim Treat is a Manager at Mandiant. He runs the San Francisco office and serves as the lead consultant supporting the Security Operations Center for a large government client in California. As lead consultant, he ensures operational cohesion exists between incident response teams, network traffic analysts, network operations teams and other network experts to secure the client's enterprise. His emphasis on operational security is paramount to ensuring the client's security personnel have adequate situational awareness and network security capabilities that are synchronized to engage threats and attacks effectively. Prior to joining Mandiant, Mr. Treat served 13 years in the United States Air Force as a tactical communications engineer assigned to the 607th Air Support Operations Group, the 5th Combat Communications Group and the 820th Security Forces Group. He also served as the Director of Operations for the Air Force Space Command Network Operations and Security Center, where he was responsible for providing secure network services to over 30 locations around the globe. Tim continues to serve today as a USAF Reservist assigned to the Air Force Frequency Management Agency in Alexandria, VA.

Christopher Triplett
Technology Consultant, viaForensics
Christopher Triplett is a Technology Consultant for viaForensics and manages the Android R&D and training program. He has been instrumental in the implementation of new methods for extracting data from Android devices and has trained investigators from all over the world on mobile device forensics. In addition, Mr. Triplett maintains a military top secret clearance as an Air Force pilot and has worked closely with intelligence agencies during overseas combat operations.

Jason Upchurch
Senior Technical Lead, Intrusions, General Dynamics
Jason Upchurch is the Senior Technical Lead, Intrusion Forensics, for General Dynamics Advanced Information Systems Cyber Systems commercial forensic practice. Prior to joining the Commercial practice, he was the technical lead for the Intrusions and Information Assurance Section and Intrusions group at the DoD Cyber Crime Center. Mr. Upchurch is responsible for leading incident response and forensics relating to computer intrusions. In addition, he provides mentoring/coaching to other cyber systems personnel, develops automation techniques for digital forensics and provides training both internally and externally on Malware Analysis and Large Dataset Forensics. He has presented at conferences at the national and international level.

Ryan Valencik
Computer Forensic Specialist, SAIC
Ryan Valencik is an ACE-certified Computer Forensic Specialist in the Cyber and Digital Media division of SAIC. He holds a B.S. in Computer Forensics from Bloomsburg University of Pennsylvania and is currently enrolled at NYU Polytechnic pursuing his M.S. in Cyber Security. Mr. Valencik has spent more than two years studying the forensic implications of Windows Media Player and the databases and file structures employed by the program.

Dan VanBelleghem Jr.
Vice President, Information Assurance, NCI Information Systems
Dan VanBelleghem is a recognized leader in network security research and engineering. He currently leads the information assurance and cybersecurity practice at NCI Information Systems. His prior experience includes Systems and Security Engineering for clients in the DoD, Department of State, Department of Justice and Fortune 100 clients. His past client engagements include security-related research and consulting activities in penetration testing, incident response, security strategic planning, and enterprise security architecture design. Mr. VanBelleghem is a certified information systems security professional (CISSP) and a certified computer examiner (CCE). He also holds the IAM and IEM certifications from the National Security Agency (NSA).

Jesse Varsalone
Instructor/Course Developer, Defense Cyber Investigations Training Academy (DCITA)
Jesse Varsalone is a Computer Forensic Senior Professional at Computer Sciences Corporation and is assigned to the Defense Cyber Investigations Training Academy's Network Investigations Track. His certifications include the following: A+, Linux+, Net+, iNet+, Security+, Server+, CTT+, CIW Professional, CWNA, CWSP, MCT, MCSA, MCSE 2000/2003, MCSA/MCSE Security, MCSD, MCDBA, CNA, CCNA, MCDST, Oracle 8i/9i DBA, and Certified Ethical Hacker. Prior to joining DCITA, he served as the Director of the MCSE and Network Security Program at the Computer Career Institute at Johns Hopkins University. For the 2006 academic year, he served as an Assistant Professor of Computer Information Systems at Villa Julie College in Baltimore, Maryland, where he taught courses in Networking, Active Directory, Exchange, Cisco and Forensics. He holds a Bachelor's degree from George Mason University and a Master's degree from the University of South Florida.

Ryan Vela
Lead Cyber Security Forensic Examiner, General Dynamics
Ryan Vela is a Lead Cyber Security Forensic Examiner for GDAIS and is based in San Antonio, TX. He has been in the cyber security field for over 10 years. He spent four years working at the Defense Cyber Crime Institute (DCCI) and three years working at the Defense Computer Forensics Laboratory (DCFL), where he assisted with both ASCLD/LAB Legacy and ISO Accreditation. During his tenure, Mr. Vela rewrote and restructured all procedures and policies and created a document management system. He then implemented a Professional Development Program including proficiency and competency testing as well as a QA Section. Mr. Vela now consults with private industry in planning, building, managing and accrediting forensic laboratory capabilities.

Daniel Velez
Director of Defense Programs, Raytheon
Daniel Velez is the Director of Defense Programs at Raytheon Oakley Systems, and is responsible for the delivery and support of insider threat monitoring and investigation solutions and services to Raytheon's customers. Prior to joining Raytheon, Mr. Velez served as a Senior Cyber Counterintelligence Investigator specializing in insider threat detection and investigations. He is retired from the U.S. Navy Submarine Force, where he served in duties from nuclear reactor operations to strike group operations and antisubmarine warfare.
Todd Waits
Software Engineering Institute, CERT Forensics
Todd Waits is a Visiting Scientist at CERT. With a background in the broadcast, film and video game industries, he applies solutions and workflows from the entertainment sector to solve the problems faced in the government and law enforcement media exploitation environments. Mr. Waits has a Master's degree in Entertainment Technology from Carnegie Mellon's Entertainment Technology Center.

J.J. Wallia
CEO/Co-Founder, ADF Solutions, Inc.
J.J. Wallia is the CEO and co-founder of ADF Solutions and has been working with law enforcement and defense/intel agencies since 2000. Mr. Wallia co-founded ADF Solutions in 2005 to solve the critical issues facing digital forensics today. He is primarily responsible for sales and overall business strategy. ADF Solutions has established clients in 10 countries and has a network of resellers and training partners worldwide. Under his leadership, ADF Solutions' software and training products have become widely regarded as having revolutionized digital forensics by providing automated tools that reduce forensic backlogs and convict criminals faster. Prior to founding ADF Solutions, Mr. Wallia sold enterprise software solutions for several software companies, including Sungard Data Systems.

Analyst, Department of Defense

Ken Warren
Training Director, AccessData
Ken Warren is an instructor for AccessData, specializing in the investigation and examination of computer-related crime. He also assists with the development of innovative training solutions for law enforcement agencies as well as worldwide corporate entities. Prior to joining AccessData, Mr. Warren served as a police officer and detective for the Greeley, Colorado, Police Department. His experience with the police department includes service in SWAT, homicide, financial and complex crime and major crime scene investigation. Working both as an investigator and examiner on hundreds of cases, Mr. Warren was responsible for the creation of department policy and training regarding the collection of computer-related evidence and the investigation of computer- and internet-related crime. Ken designed and implemented the Computer Crimes Section at the Greeley Police Department and the Digital Evidence Section at the Greeley/Weld County Forensic Laboratory. Ken is a member of the International Association of Computer Investigative Specialists (IACIS), the American Society of Crime Laboratory Directors Laboratory Accreditation Board (ASCLD/LAB), the High Tech Crime Consortium (HTCC), and the Colorado Association of Computer Crime Investigators (CACCI), where he served as Secretary and President.

Matt Watchinski
Senior Director, Vulnerability Research Team, Sourcefire
Matt Watchinski serves as the Senior Director of the Vulnerability Research Team (VRT) at Sourcefire, where he leads the Sourcefire VRT to ensure that the open source Snort community and Sourcefire customers are consistently and proactively protected from the latest threats as quickly as possible. Mr. Watchinski works in conjunction with hundreds of thousands of security specialists worldwide who contribute Snort rules for new and evolving threats every day, often in record time. Prior to joining Sourcefire, he held similar roles with Hiverworld (now nCircle) and Farm9 (now Ambiron Trustwave).

Top Watson
Law Enforcement Program Specialist, Federal Law Enforcement Training Center
Top Watson is a Law Enforcement Program Specialist with the Technical Operations Division (TOD), which is a division within the Office of Training Operations at the Federal Law Enforcement Training Center. TOD is mandated with designing, developing, coordinating and administering training programs related to the prevention, detection, investigation and prosecution of crime through the use of electronic surveillance equipment, digital imaging and the seizure of digital evidence through computer forensics. Mr. Watson has been active in the field of law enforcement for over 30 years, working at the local, state, military and federal levels. His assignments have ranged from patrol, investigations, physical security, protective service operations and high-risk special operations. His current assignment includes performing Program Specialist duties in support of TOD's 10 advanced training programs at the FLETC.

Jay Weinstein
WAN PM, L-3 Communications
Jay Weinstein is the L-3 Communications Wide Area Network Program Manager.

Dr. Mark Weiser
Director, Center for Telecommunications and Network Security (CTANS), Oklahoma State University
Dr. Mark Weiser is the Fleming Professor in Technology Management and Director of Oklahoma State University's Center for Telecommunications and Network Security (CTANS). Dr. Weiser teaches Telecommunications Systems, Information Assurance, Digital Forensics and hands-on Telecommunications and Networking laboratory classes. He has published in the Journal of Management Information, Communications of the ACM and other leading journals, focusing on the areas of upper-layer network protocols, security, forensics and technology-supported teaching. CTANS was created to serve as the focal point for research, teaching and outreach at OSU. In the past year, CTANS faculty have garnered research and development funding from DoD, NSA, AFOSR and NSF, as well as multiple private contracts. The work spans from secure wireless communications to trust mechanisms, to detecting deception in written documents. Under Dr. Weiser's leadership, the graduate and undergraduate Information Assurance and Forensics curricula were developed and have grown into popular offerings, such as a Graduate Certificate, multiple Options and an undergraduate minor. OSU is home to the National Repository of Digital Forensic Information, which is a collaborative effort with the DoD Cyber Crime Center. OSU was in the first group of institutions in the country to obtain the designation of Center of Academic Excellence in Information Assurance Education and Research.

Jeff Wells
Engineering Manager, Cisco Systems
Jeff Wells is a Consulting Systems Engineer for Cisco Systems. He has over 30 years in IT, 20 years in application development and security and 25 years in network design, implementation and security. He has been with Cisco for 10 years and is currently working for their DoD Information Assurance advanced technology team.

Samuel Wenck
Software Engineer, Lockheed Martin
Samuel Wenck works for Lockheed Martin as a software engineer supporting custom tool development for Lockheed's Computer Incident Response Team (LM-CIRT) within the Security Intelligence Center. He co-presented "Agile Development for Incident Response" at last year's DC3 Conference. He has more than 20 years' experience in IT, working in many areas including web application development, network security, INFOSEC and vulnerability/risk assessment.

Michael Whitaker
Director, CACI, Inc., Federal
Michael Whitaker has over 30 years of software application development and project management experience. After serving in the U.S. Air Force developing war game simulations, Mr. Whitaker joined CACI in May of 1986. He has worked various projects for the DoD and commercial companies while working for CACI. His expertise in application development is well known within CACI. He co-authored CACI's software reengineering methodology, RENovate(SM), which consists of seven volumes describing the technical and management approach to software reengineering.

Chuck Willis
Technical Director, Mandiant
Chuck Willis is the leader of the Open Web Application Security Project (OWASP) Broken Web Applications Project and a Technical Director with Mandiant, where he concentrates in application security, research and development. Prior to joining Mandiant, he performed security software engineering, penetration testing and vulnerability assessments at a large government contractor and also conducted computer forensics and network intrusion investigations as a U.S. Army Counterintelligence Special Agent. Mr.
Willis holds a Master of Science in Computer Science from the University of Illinois at Urbana-Champaign and has previously spoken at the Black Hat Briefings, the OWASP AppSec Conference, the IT underground security conference in Europe, DefCon and ShmooCon. He has contributed to several open source security software projects and is a Certified Information Systems Security Professional and a Certified Forensic Computer Examiner.

Jeffrey M. Jeff Wells

victor Top Watson

samuel Wenck iii

J.J. Wallia

Michael Whitaker

Jay Weinstein

Matt Warnock

ken Warren

Mark Weiser, ph.d.

Chuck Willis

72 | Conference and Exposition Produced by Technology Forums || www.GovernmentMeetings.com

Speaker Biographies | Breakout Sessions


Ricky Windsor
Digital Forensic Examiner, Department of Defense Cyber Crime Center/Futures Exploration (DC3/FX)
Ricky Windsor served six years in the U.S. Army as an enlisted member in the Signal Corps providing tactical network communications. During that time he was part of the fielding team for the 24th Infantry Division. He had several short-term overseas exercise deployments supporting national partners. He completed three tours in South Korea, after which he supported the USFK J65 as a contractor. Mr. Windsor delivered coalition solutions for the DoD focusing on classified and coalition networks; providing protocol analytics, certification and accreditation; modeling and simulation; and contributing to the Joint information assurance posture for delivering high-throughput systems in austere environments. He returned to the United States to work in the digital forensics field and within the Intelligence Community on cyber threat/advanced persistent threat reporting. Mr. Windsor managed a technical evolution program for the Information Assurance Directorate to advance DoD collaboration and streamline IA resourcing. He now leads multiple programs within DC3 Futures Exploration, focusing on digital forensics education, resource sharing and consolidation across the Law Enforcement, Counterintelligence, Intelligence Community, Academia and the Department of Defense. He holds a B.S. in Computer Management, a Master's degree in Information Assurance from Norwich University, and multiple certifications (CISSP, CISA, NSA IAM/IEM, Security+, A+, IT Project+, PMP).

Stephen Windsor
Senior Associate, Booz | Allen | Hamilton
Stephen Windsor leads Booz Allen Hamilton's Advanced Persistent Threat Team, which supports the federal government, intelligence community, military, defense industry and major financial organizations. His primary focus is on responding to and managing Advanced Persistent Threat intrusion investigations, providing digital forensic support for criminal, counterintelligence and counter-terrorism cases, and conducting proactive threat identification investigations. Mr. Windsor holds a Bachelor of Science degree from Towson University and is an adjunct faculty member at Stevenson University.

James E. Wingate
Vice President and Director, SARC, Backbone Security
James Wingate, CISSP-ISSEP, CISM, CHP, CHSS, is Vice President of Backbone Security and Director of Backbone's Steganography Analysis and Research Center (SARC). He is leading efforts in the SARC to expand the world's largest commercially available database exclusive to digital steganography applications and to develop state-of-the-art forensic and network security steganalysis tools. He is a member of HTCC and HTCIA and regularly gives presentations at major conferences across the United States on the threat from insider use of digital steganography to exfiltrate classified or sensitive information or otherwise conceal evidence of criminal activity. He retired from the U.S. Air Force after more than 24 years of service as a Communications and Information officer. He holds a B.S. in Computer Science from Louisiana Tech University, Ruston, and an M.S. in Computer Engineering from the University of South Florida, Tampa.

Kristi Witsman
Senior Technical Forensics Manager, SAIC
Kristi Witsman is the Senior Technical Forensics Manager of the Digital Forensics Practice at SAIC. She has been performing advanced cyber forensics for 10 years, and worked in the U.S. Department of Justice Criminal Division's High Technology Investigative Unit as a computer forensics specialist. She has worked extensively at the Department of State Computer Investigative and Forensics Branch as a senior forensic analyst. Ms. Witsman has published numerous articles regarding advanced forensics detection and analysis. She also has provided training to the International Association of Computer Investigative Specialists (IACIS) Certified Computer Forensic Examiner courses, trial preparation training/courtroom testimony and forensics media training. She has testified in federal court in more than 50 courtroom cases. Ms. Witsman holds master's and undergraduate degrees in Information Systems from Virginia Polytechnic Institute and State University and has numerous certifications.

Jonathan Woytek
Internet Security Analyst, CERT Malicious Code Team/SEI
Jonathan Woytek has been a member of the CERT Malicious Code team since August of 2006. His duties have included handling malware analysis requests from government, law enforcement and civilian agencies, monitoring public sources for new malware tradecraft and trends, and collecting and analyzing new samples of interest. Examining in-the-wild attacks has led to an interest in script and plug-in content-based attack methodologies and ways for analysts to defeat them. Prior to coming to CERT, Woytek worked as a Systems Administrator in academic and commercial organizations since 1996. In addition to security, he maintains interests in digital media and disaster recovery.

Charles Yarbrough Jr.
InfoSec Analyst, CERT
Charles Yarbrough has been a systems administrator and Information Security Incident Handler for the University of North Carolina at Chapel Hill and is currently a Computer Security Information Specialist with CERT. He is currently based at the Defense Cyber Crime Center (DC3). Mr. Yarbrough holds the CISSP, SANS, GSEC and GCIH certifications and has worked in the IT industry for over 15 years. He is also actively involved in ISSA and InfraGard.

Russell Yawn
Chief Investigator, Office of Prosecution Services, State of Alabama
Russell Yawn, CFCE, is the Chief Investigator in the Office of Prosecution Services for the State of Alabama and is responsible for managing the three digital forensic labs for the State of Alabama, as well as assisting the District Attorneys in developing high-impact graphics and exhibits for use in the courtroom in high-profile cases.

Special Agent William A. Yurek
Senior Counsel, U.S. Department of Justice
William Yurek is a Special Agent and Cyber Program Manager at the Defense Criminal Investigative Service. He also serves as the DCIS representative to the National Cyber Investigations Joint Task Force. Before working for DCIS, Mr. Yurek was a Senior Counsel in the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice in Washington, D.C. He recently completed military service in the Air Force Office of Special Investigations as the senior military representative to the U.S. National Cyber Investigations Joint Task Force. Mr. Yurek has also been a Senior Counsel in the Enforcement Division of the U.S. Securities and Exchange Commission, where he conducted the first investigation and prosecution of an internet stock manipulation scheme in SEC history. He was a Team Leader and Investigator for the U.S. House of Representatives Select Committee on National Security and the People's Republic of China. He was a Special Assistant U.S. Attorney in the Eastern District of Virginia, the Central District of California, the Southern District of Florida and the District of Columbia. Mr. Yurek also served as Counsel and Deputy Director of the Washington, D.C., area Joint Cyber Task Force. Mr. Yurek began his law enforcement career as a Special Agent in the U.S. Air Force Office of Special Investigations. In that position, he investigated felony criminal offenses including terrorism, fraud, narcotics, espionage and computer crime. He is a DoD-certified computer crime investigator and remains a reserve special agent with AFOSI today, assigned to the Office of the Director, Defense Cyber Crime Center.

Lenny Zeltser
Senior Faculty Member and Director of Security Consulting, SANS Institute and Savvis
Lenny Zeltser leads the security consulting practice at Savvis. He is also a board of directors member at SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Mr. Zeltser frequently speaks on information security and related business topics at conferences and private events. He also writes articles and has co-authored several books. Mr. Zeltser is one of the few individuals in the world who have earned the highly regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. He has an M.B.A. from MIT Sloan and a Computer Science degree from the University of Pennsylvania. For more information about his projects, see http://zeltser.com and http://twitter.com/lennyzeltser.

U.S. Department of Defense Cyber Crime Conference 2011: Cyber Hunters: Predators and Prey... | 73

Special Event Listing


Friday-Sunday
Morning Reception: 0730-0830 | Conference Level Foyer
Morning Coffee Break: 0930-1015 | Conference Level Foyer
Afternoon Break: 1400-1445 | Conference Level Foyer
Saturday Night Training Reception, "It's Five O'Clock Somewhere": Saturday | 1630-1800 | Grand Hall West. You may purchase a Hawaiian shirt at Conference Registration (while supplies last).

Monday
Morning Reception: 0730-0830 | Conference Level Foyer
Morning Coffee Break: 0930-1015 | Conference Level Foyer
Afternoon Break: 1400-1445 | Conference Level Foyer
Cyber Café Hours: 0700-1700 | Grand Hall Foyer

Tuesday
Exhibit Hall Hours: 1130-1900 (exhibit hall is not open during General Session)
Cyber Café Hours: 0700-1900 | Grand Hall Foyer
Morning Reception: 0700-0745 | Centennial Foyer
Morning Coffee Break: 0930-1015 | Centennial Foyer
Southern BBQ Luncheon: 1130-1300 | Exhibit Hall. Network with attendees and visit exhibits; Silent Auction begins.
Afternoon Dessert Social: 1445-1530 | Exhibit Hall
Opening Night Reception: 1700-1900 | Exhibit Hall. All attendees are invited to a special reception inside the Exhibit Hall. Don't miss this opportunity to connect with colleagues and learn about the IT products and service solutions that our exhibitors have to offer. Hors d'oeuvres and drinks will be served. Sponsored By:
Beverage Station Sponsored By:

Monday-Friday Sponsors
Morning Reception Sponsor | Morning/Afternoon Break Sponsor | Cyber Café Sponsor
Wednesday | Tuesday & Thursday

74




Wednesday
Exhibit Hall Hours: 0730-1900
Cyber Café Hours: 0730-2100 | Grand Hall Foyer
Morning Reception: 0730-0830 | Exhibit Hall
Morning Coffee Break: 1030-1100 | Exhibit Hall
Italian Luncheon: 1200-1330 | Exhibit Hall
Afternoon Break: 1430-1500 | Exhibit Hall
Wednesday Night Reception, Cyber Crime Stadium: 1700-1900 | Exhibit Hall. Show your team spirit! Get your uniforms pressed, your face painted and be ready for the Cyber Crime Stadium Reception. The most fanatical fan will win the new Nano Touch! Play sports-related games at the following booths: Damballa Inc. (522), Lockheed Martin (118) and SAIC (404), and earn raffle tickets towards the grand prizes: Wii, Xbox 360 4GB with Kinect Console, and Nook WiFi E-Reader. Reception Sponsor: Game Sponsors:
Cyber Crime Olympics 2011: 1900-2100 | Centennial Ballroom 2-3. Proceeds go to the National Center for Missing and Exploited Children (NCMEC). For details about the two events, see page 78. Sponsored By:

Thursday
Exhibit Hall Hours: 0730-1320
Cyber Café Hours: 0700-1730 | Grand Hall Foyer
Morning Reception: 0730-0830 | Exhibit Hall
Morning Coffee Break and Raffle Drawing: 1030-1100 | Exhibit Hall. Raffle winners will be announced at 1045. See page 76 for more event information.
Lunch, Silent Auction and Exhibit Hall Closing: 1200-1330 | Exhibit Hall. Silent Auction closes at 1250. $5 pizza luncheon; purchase your tickets at Registration. Silent Auction winners will be posted at 1430 at Conference Registration. See page 77 for more event information.
Afternoon Break: 1430-1500 | Conference Level Foyer

Friday
Cyber Café Hours: 0700-1200 | Grand Hall Foyer
Morning Reception: 0700-0800 | Centennial Foyer


75

Exhibit Hall Raffle


Don't Miss the Raffle: Win Fabulous Prizes!
Drawing during Morning Coffee Break: Thursday | 1045 | Exhibit Hall
Participate in the Exhibit Hall Raffle for a chance to win great prizes. Inserted in this program guide is the raffle form. If you need a replacement form, please go to the Conference Registration Desk. Complete the form and visit exhibitors to have them put an X on their logo. Once you get 30 X marks, return your completed entry form to the Registration Desk or to the raffle bin in the Grand Hall Foyer. You must have marks from 30 different exhibitors; all drawings are random and players must be present to win. The following companies have generously donated the raffle items (as of 1/11/11):

A chance to win great prizes, including Amazon Kindle, iPod Touch, BestBuy Gift Card, one night stay at Baltimore Marriott, T-shirts, and more!!!!

AccessData (Booth 105): Amazon Kindle
At Ease Computing (Booth 514): Edge to edge, 700MB, 52X, bulk 100/pack, 600/carton, MAM-A Silver CDR
BlackBag Technologies, Inc (Booth 510): BlackBag Forensic Kit: BBT OGIO Laptop bag, BBT notebook, BBT Pens, BBT Mug, voucher for BBT Forensic Software Bundle (BlackLight, Mobilyze, SoftBlock and MacQuisition)
CRU Dataport (Booth 609): USB WriteBlocker
FireEye, Inc (Booth 512): iPod Touch 8GB
General Dynamics (Booth 604): GD Goody Bag
Guidance Software (Booth 303): EnCase Portable
HBGary (Booth 310): 1 copy of HBGary Responder Field Edition; 3 copies of Call of Duty: Black Ops
Marriott (Sponsor): Free night stay @ Baltimore Marriott
Norman Data Defense (Booth 509): TBD
Oxygen Software (Booth 109): Oxygen Forensic Suite 2010, Analyst license
Paraben Corporation (Booth 204): iRecovery Stick
Solera Networks (Booth 617): $50 Best Buy Gift Card
Sunbelt Software (Booth 309): $50 Best Buy Gift Card
Syngress (Booth 218): 3 books from our catalog
Teel Technologies (Booth 215): TeelTech Power Tip Kit
Vound Software (Booth 322): Shirt

76


Silent Auction
Please see the Silent Auction insert for details and a list of auction items.
Silent Auction starts: Tuesday, 1130 | Silent Auction bidding ends: Thursday, 1250 | Bids posted by: Thursday, 1500
Winners claim bid and donate money: Thursday, 1500, through Friday, 1000, Conference Registration Desk
The Silent Auction begins Monday night during the Opening Reception and ends Tuesday night in the Exhibit Hall during the reception. Visit exhibitors and areas around the exhibits to view the items being auctioned and enter your bid on the Silent Auction form. The highest bid at the cutoff will be the winner. All monies raised go to the National Center for Missing and Exploited Children (NCMEC). NCMEC's mission is to assist in the prevention of child abduction and sexual exploitation; help find missing children; and assist victims of child abduction and sexual exploitation, their families, and the professionals who serve them. NCMEC was established in 1984 as a private, nonprofit 501(c)(3) organization to provide services nationwide for families and professionals in the prevention of abducted, endangered, and sexually exploited children.

The following companies have generously donated prizes (as of 1/11/11):


ADF Solutions, Inc. (Booth 211): Triage-Examiner
AccessData (Booth 105): FTK Software, 1 year with SMS
At Ease Computing, Inc (Booth 514): 3 pairs of Kevlar Gloves
BestBuy (General Auction Table): 1 Guidance Software EnCase Portable Device, one Barnes and Noble Nook eReader, and a Barnes and Noble Gift Card
Bit9 (Booth 111): Flip Mini HD Video Camera
BlackBag Technologies, Inc. (Booth 510): 16GB Apple iPod nano
CED Solutions (Booth 618): 5-day Ethical Hacking Class and 5-day Forensic Investigator Class
Cenzic Inc (Booth 112): Kindle
CRU DataPort (Booth 609): ToughTech Secure mini-Q
CSC (Booth 610): 32" Sony Internet/Google TV
Deloitte (Booth 212): 16GB iPad with WiFi
Digital Intelligence Inc. (Booth 205): Super Chief
FireEye, Inc (Booth 512): 8GB iPod Touch
Forensic Computers (Booth 318): Black and Gray Samsonite Sports Backpack Computer Bag
General Dynamics Advanced Information Systems (Booth 604): 16GB iPad with Wi-Fi + 3G
i2 (General Auction Table): $100 American Express Gift Card
Imperva (Booth 216): $75 Amazon Gift Card
Image Technical Services (General Auction Table): TBD
Intelligent Computer Solutions (Booth 613): DisCypher Hard Drive Encryption Lab Kit
Katana (Booth 215): Lantern v2.0
Mandiant (Booth 209): Flip Ultra HD
MH Service GMBH (Booth 314): Tableau TK9
Oxygen Software (Booth 109): Oxygen Forensic Suite 2010, Analyst license
Paraben Corporation (Booth 204): Level 2 Mobile Training voucher
Solera Networks (Booth 617): Xbox 360 Kinect Bundle
Spirent Federal Systems (Booth 623): Apple iPod Touch 32GB (newest model)
Sunbelt Software (Booth 309): Kinect for Xbox
Syngress (Booth 218): 5 books from Syngress Catalog
Teel Technologies (Booth 215): TeelTech Power Tip Kit
The Newberry Group (General Auction Table): Kinect for Xbox 360
Vound Software (Booth 322): Intella software
William Yurik (General Auction Table): Instant Cyber Library

77

Cyber Crime Olympics 2011


Sponsored by the National Center for Missing and Exploited Children (NCMEC)
The Cyber Crime Olympics is a series of activities that take place each evening throughout the conference. It consists of unique games in which conference attendees have an opportunity to compete for points. Held on Wednesday night in the Centennial Ballroom, the Cyber Crime Olympics includes the CD Toss/Inverted Ring Toss and the Floppy Disk Throw and offers a cash bar. Let the games begin! It is time to determine the 2011 DoD Cyber Crime Olympic Champion. All proceeds go to the National Center for Missing and Exploited Children (NCMEC).

CD Toss/Inverted Ring Toss
Wednesday, 1900-2100, Centennial Ballrooms 2-3
The object of this game is to toss a CD into the top of the container.
Rules: A series of 10 plastic containers are arranged in a reverse bowling pin setup. Each container has a point value assigned. A chair is placed approximately 8 feet from the containers. While sitting, each individual tosses three CDs. Individuals may buy Mulligans for $5 for 3 tosses.
Scoring: The winner is the individual with the highest combined total score (see bottom of Olympics description for scoring points).
Prizes: 1st: Medal and Popup Speakers; 2nd: Medal and Waterproof Flashlight; 3rd: Medal and Digital Keychain
Sponsored By:

Floppy Disk Throw
Wednesday, 1900-2100, Centennial Ballrooms 2-3
The object of the game is to throw the diskette as far and as accurately as possible.
Rules: A line will be drawn the length of the room. Each individual gets 3 complimentary tosses. Mulligans may be purchased for $5 each.
Scoring: The distance from where the diskette first hits, off the center line, is subtracted from the length of the throw. The winner is the individual with the highest score in feet.
Prizes: 1st: Medal and Popup Speakers; 2nd: Medal and Waterproof Flashlight; 3rd: Medal and Digital Keychain

Prizes for the Overall Olympians
Cyber Crime Survivor determines the Cyber Crime Olympic Champion. The event takes place in General Session on Friday from 0730 to 0855 (prizes will be awarded at 0830).
Prizes: 1st: Trophy and Nintendo Wii; 2nd: Trophy and iPod Touch; 3rd: Trophy and Flip Camcorder

General Rules
The Conference Chair may adjust the rules as necessary and at any time, and there are no appeals.
Individuals compete against all other registered individuals.
Events occur Wednesday evening following the reception.

Schedule of Events (held in exhibit areas)
Wednesday Evening (1900): Floppy Disk Throw and CD Toss following the Reception
Friday (0830): Cyber Crime Survivor in the General Session

Scoring for All Events (points will be awarded based on rank against other individuals)
1st: 50 pts
2nd: 45 pts
3rd: 40 pts
4th: 35 pts
5th: 30 pts
6th: 25 pts
7th: 20 pts
8th: 15 pts
9th: 10 pts
10th+: 5 pts

78


DC3 Digital Forensics Challenge


DC3 Digital Forensics Challenge Award Presentation: Tuesday, Plenary Session, 1055-1130, Centennial Ballroom
DC3 introduces the 2011 Challenge and discusses several 2010 submissions: Thursday, Forensic Track Session, 0830-0900, Centennial Ballroom 1
U.S. Team Williams Twins Forensics presents their solutions and methodologies: Thursday, Forensic Track Session, 0850-0915, Centennial Ballroom 1
Wilmington University's Team Name presents their solutions and methodologies: Thursday, Forensic Track Session, 0915-0940, Centennial Ballroom 1
University of Texas at San Antonio's Writeblockers presents their solutions and methodologies: Thursday, Forensic Track Session, 0940-1005, Centennial Ballroom 1
Idaho Falls High School's Pwnage presents their solutions and methodologies: Thursday, Forensic Track Session, 1000-1030, Centennial Ballroom 1
Grafton High School's Crash Override presents their solutions and methodologies: Thursday, Forensic Track Session, 1005-1030, Centennial Ballroom 1

The objectives of the annual DC3 Digital Forensics Challenge are to establish relationships, resolve technological issues, and develop new tools, techniques and methodologies for the digital forensic community. This year 71 teams submitted solutions, a significant increase from the 44 teams that submitted the previous year. The Challenge presented problem-solving scenarios in the following areas of forensic studies:
Missing File Header Reconstruction
Detect Suspicious Software
Registry Analysis
Metadata
Audio Steg
Keylog Cracking
Password Cracking
Steg S-Tools
NTFS File Record
PCAP Data Recovery
Compromised Host Disk Image
PAX Cracking
Accessing the Shadow Volume on Password Protected Vista Platform
Windows 7 USB Thumb Drive Encryption
Extracting Hidden Evidence in a VMware WinXP Virtual Machine
Steganography
MFT File Reader Development
Text String Searching Tool Development
Language Identifier Tool Development
Data Recovery from HPA as a Universal Tool or per Manufacturer Tool Development
Data Recovery from Unmarried TPM Hard Disk Tool Development
VSC Parser Tool Development

2010 aWard reCipienTs


Department of Defense Cyber Crime Center (DC3) Overall U.S. Champion Team & International Council of Electronic Commerce Consultants (EC-Council) International Civilian Winner: Williams Twins Forensics. Successful in providing, for the DC3 Grand Champion prize, the most correct solutions to the scenarios, and won an all-expense-paid trip to Atlanta in January to attend the DoD Cyber Crime Conference.

SysAdmin, Audit, Network, Security (SANS) Institute Undergraduate Champion Team: Wilmington University's Team Name. Successful in providing, for the SANS Undergraduate prize, the largest sum of correct solutions to the scenarios, and won an all-expense-paid trip to Atlanta in January to attend the DoD Cyber Crime Conference.

SysAdmin, Audit, Network, Security (SANS) Institute Graduate Champion Team: University of Texas, San Antonio, Writeblockers. Successful in providing, for the SANS Graduate prize, the largest sum of correct solutions to the scenarios, and won an all-expense-paid trip to Atlanta in January to attend the DoD Cyber Crime Conference.

SysAdmin, Audit, Network, Security (SANS) Institute High School Champion Team: Grafton High School Crash Override. Successful in providing, for the SANS High School prize, the largest sum of correct solutions to the scenarios, and won an all-expense-paid trip to Atlanta in January to attend the DoD Cyber Crime Conference.

International Multilateral Partnership Against Cyber-Threats (IMPACT) Champion Team: CIST, Korea University DFRC. Successful in providing, for the IMPACT Non-U.S. Team prize, the largest sum of correct solutions to the scenarios, in addition to being the DC3 Grand Champion Winners with the top point score for the entire DC3 Challenge submissions.

International Council of Electronic Commerce Consultants (EC-Council) U.S. Government Winner: Long Beach Police Department LBPDCCID. Successful in providing, for the EC-Council US Government Team prize, the largest sum of correct solutions to the scenarios.

International Council of Electronic Commerce Consultants (EC-Council) US Military Winner: U.S. Navy Batcheej. Successful in providing, for the EC-Council US Military Winner Team prize, the largest sum of correct solutions to the scenarios.

International Council of Electronic Commerce Consultants (EC-Council) International Civilian Winner: Williams Twins Forensics. Successful in providing, for the EC-Council International Civilian Winner Team prize, the largest sum of correct solutions to the scenarios.

International Council of Electronic Commerce Consultants (EC-Council) International Commercial Winner: Little Tree. Successful in providing, for the EC-Council International Commercial Winner Team prize, the largest sum of correct solutions to the scenarios.

For more information about the Challenge, visit the website at www.dc3.mil/challenge


79

Exhibit Hall Floorplan and Exhibitor Listing


[Exhibit hall floorplan: West Hall (booths 104-623 and 802-813, aisles 100-600, exits, storage and office)]

AccessData (Booth 105)
ADF Solutions, Inc. (Booth 211)
At Ease Computing, Inc (Booth 514)
Belkasoft (Booth 622)
Bit9 (Booth 111)
BlackBag Technologies, Inc (Booth 510)
Blue Coat Systems, Inc. (Booth 516)
CED Solutions (Booth 618)
Cellebrite USA Corp (Booth 612, partnering with NEK Advanced Securities Group)
Cenzic Inc (Booth 112)
Champlain College (Booth 518)
Chickasaw Nation Industries (Booth 312)
Clearwell Systems (Booth 805)
Core Security Technologies (Booth 313)
CRU DataPort (Booth 609)
CSC (Booth 610)
Damballa Inc. (Booth 522)
Data Security Inc. (Booth 116)
DC3 (Booth 819)
DC3 Recruiting (Booth 817)
Dell (Booth 511)
Deloitte Services LP (Booth 212)
DFI News (Booth 809)
DFLABS (Booth 414)
Digital Intelligence Inc. (Booth 205)
Fernico (Booth 410)
FireEye, Inc (Booth 512)
Forensic Computers, Inc. (Booth 318)
Fortinet, Inc. (Booth 113)
General Dynamics Advanced Information Systems (Booth 604)
GFI Software (Booth 309)
Global Knowledge (Booth 210)
Guidance Software (Booth 303)
Harris (Booth 315)
HBGary, Inc. (Booth 310)
High Tech Crime Institute (Booth 409)
IATAC (Booth 110)
ImmixGroup (Booth 616)
Imperva (Booth 216)
Intelligent Computer Solutions (Booth 613)
Katana Forensics (Booth 215, partnering with Teel Technologies)

80




Hours of Operation
Exhibit Hall
Tuesday, January 25: 1100-1900 (not open during General Session)
  Lunch: 1130-1300
  Afternoon Break: 1445-1530
  Reception: 1700-1900
Wednesday, January 26: 0730-1900
  Morning Reception: 0730-0830
  Morning Break: 1030-1100
  Lunch: 1200-1330
  Afternoon Break: 1430-1500
  Reception: 1700-1900
Thursday, January 27: 0730-1330
  Morning Reception: 0730-0830
  Morning Break and Raffle Closing: 1030-1100
  Lunch and Silent Auction: 1200-1330
  Exhibit Hall Closing: 1330

[Exhibit hall floorplan: East Hall (booths 802-1018, entrance, storage, Exhibitor Service Desk and Exhibitor Sales Office)]

Cyber Café
The Cyber Café is located in the Grand Hall Foyer on the Exhibit Level.
Monday, January 24: 1000-1700
Tuesday, January 25: 0700-1900
Wednesday, January 26: 0730-2100
Thursday, January 27: 0700-1700
Friday, January 28: 0700-1200

Lieberman Software Corporation (Booth 203)
Lockheed Martin (Booth 118)
Logicube, Inc. (Booth 418)
MacAulay-Brown, Inc. (MacB) (Booth 416)
MAM-A (Booth 514, partnering with At Ease Computing, Inc)
Mandiant (Booth 209)
ManTech International Corporation (Booth 104)
Merlin International, Inc. (Booth 412)
MH Service GMBH (Booth 314)
NCMEC (Booth 815)
NEK Advanced Securities Group (Booth 612)
NitroSecurity (Booth 517)
Norman Data Defense (Booth 509)
North Central Sight Services (Booth 807)
NW3C (Booth 904)
Oklahoma State University (Booth 811)
Oxygen Software (Booth 109)
Palo Alto Networks (Booth 415)
Paraben Corporation (Booth 204)
Passware, Inc. (Booth 316)
Raytheon Company (Booth 603)
SAIC (Booth 404)
SANS Institute (Booth 311)
Software Engineering Institute, Carnegie Mellon University (Booth 615)
Solera Networks (Booth 617)
Spirent Federal (Booth 623)
Stevenson University (Booth 317)
Syngress (Booth 218)
Technology Pathways (Booth 621)
Teel Technologies (Booth 215)
The Newberry Group (Booth 611)
University of Maryland University College (Booth 421)
US Army Threat Systems Management Office (Booth 515)
Valid Edge (Booth 213)
Vound Software (Booth 322)
WetStone Technologies, Inc. (Booth 115)
Wounded Warriors (Booth 813)

U.S. DEPARTMENT OF DEFENSE CYBER CRIME CONFERENCE 2011 | Cyber Hunters: Predators and Prey...


Company Profiles
AccessData .................................................................Booth 105
www.accessdata.com
AccessData has pioneered digital investigations for 20+ years, serving law enforcement, government agencies and corporations worldwide. AccessData delivers state-of-the-art computer forensics, network forensics, password cracking and decryption solutions. Its Forensic Toolkit and enterprise solutions allow organizations to search, preserve, process, analyze and produce evidence for investigations, incident response, eDiscovery and information assurance. www.accessdata.com

ADF Solutions, Inc. .....................................................Booth 211
www.adfsolutions.com
ADF Solutions, Inc. is the global leader in forensic triage tools for rapid evidence recovery and intelligence extraction from computers and peripheral devices. The tools have a proven track record of reducing forensic backlogs, securing fast convictions, and identifying suspects who are a threat to national security.

Adobe ............................................................................ Sponsor
www.adobe.com/government
With Adobe solutions, DoD and intelligence agencies can collect, collaborate on, share and protect information more easily, enabling them to address security threats faster. The solutions support various communication aids such as satellite mapping, teleconferencing, and document-based collaboration, creating a more engaging experience for participants.

At Ease Computing, Inc ..............................................Booth 514
www.at-ease-inc.com
With our government customers in mind, At Ease maintains copyright to pre-printed classifications on a line of silk-screened CD-Rs/DVD-Rs. At Ease also offers pre-printed classifications on a line of USB flash drives.

BAE Systems .................................................................. Sponsor
www.baesystems.com
BAE Systems delivers operational cyber solutions to the war fighter and the U.S. intelligence community, from computer network operations mission planning to execution of defense attack tools to analysis. We work closely with customers to understand their initial requirements and help them identify how long-term cybersecurity trends and challenges will impact their missions.

Belkasoft ....................................................................Booth 622
http://belkasoft.com
Belkasoft is a computer forensics software vendor. With our slogan "Forensics made easier", we are trying to help IT security experts and forensic investigators by creating tools with out-of-the-box solutions which do not require deep specific knowledge to operate.

Bit9 .............................................................................Booth 111
www.bit9.com
Bit9 is the leader in Advanced Endpoint Protection, named Best Anti-Malware Solution in GSN's 2010 Homeland Security Awards and InfoWorld 2010 Technology of the Year. Bit9 Parity provides continuous monitoring with real-time visibility and situational awareness across all endpoints and prevents advanced threats by ensuring only trusted, approved software can run.

BlackBag Technologies, Inc. .......................................Booth 510
www.blackbagtech.com
BlackBag Technologies, Inc. provides Mac-based data forensic and eDiscovery solutions to law enforcement and private sector clients. BlackBag offers clients a comprehensive and secure suite of services, software and training solutions.

Blue Coat Systems, Inc. ..............................................Booth 516
www.bluecoat.com
Blue Coat Systems offers an Application Delivery Network infrastructure that optimizes and secures the flow of information to any user, on any network, anywhere.

CED Solutions .............................................................Booth 618
www.cedsolutions.com
CED Solutions is a Microsoft Gold Learning Solutions Partner, as well as a partner with Cisco, CompTIA, EC-Council, Novell, Oracle, SCP, Adobe, Linux/Unix, ISC and more. Our mission is to be the best provider of technical and application training in the United States and Canada. CED Solutions, LLC provides training on over 100 programs throughout the world.

Cellebrite USA Corp ...................................................Booth 612
www.cellebrite.com
Partnering with NEK Advanced Securities Group
Cellebrite's mobile forensics products enable extraction and analysis of invaluable evidentiary data, including deleted and hidden data, for military, law enforcement, governments, and intelligence agencies across the world. Cellebrite's UFED provides fast and secure mobile data extraction and analysis from mobile phones and GPS devices, in the lab or in the field. For more information visit www.cellebrite.com.

Cenzic Inc ...................................................................Booth 112
www.cenzic.com
Cenzic provides software, managed service, and cloud security products that help organizations secure their websites against hacker attacks. Cenzic focuses on Web application security, automating the process of identifying security defects at the Web application level, where more than 75% of attacks occur; helping customers remediate those defects, manage risk and attain compliance with regulations such as PCI.

Champlain College .....................................................Booth 518
cps.champlain.edu
Champlain College has helped students succeed in business and technology careers for over 130 years. In 1993, Champlain introduced its first online courses and in 1996 offered its first degree program entirely online. The Computer Forensics Online degree program was introduced in 2001. Visit cps.champlain.edu to learn more.

Chickasaw Nation Industries ....................................Booth 312
http://www.chickasaw.com
Chickasaw Nation Industries specializes in solving Federal Government requirements in IT and INFOSEC. CNI employs over 100 Information Security professionals who protect the U.S. Government's data and networks. Come by Booth #312 and test your hacking skills with a chance to win a MacBook Air.

Clearwell Systems ......................................................Booth 805
www.clearwellsystems.com
Clearwell Systems is transforming the way enterprises, government agencies, and law firms perform e-discovery in response to litigation, regulatory inquiries, and internal investigations. The Clearwell E-Discovery Platform streamlines end-to-end e-discovery, enabling leading government organizations such as the FBI, USDA, IRS, and FDIC to solve investigations rapidly, discover case-winning evidence, and defend investigative results with full process transparency.

CompTIA/Pearson VUE ................................................... Sponsor
www.PearsonVUE.com/CompTIA/Cyber
CompTIA certifications ensure professionals have the knowledge and skills to perform in IT job roles. Pearson VUE provides the opportunity to earn respected IT industry credentials that are recognized in both government and civilian careers. For more information on delivering exams at your government agency, visit PearsonVUE.com/CompTIA/Cyber.

Core Security Technologies ........................................Booth 313
www.coresecurity.com
Core Security Technologies provides automated security testing and measurement solutions that organizations use to validate the efficacy of their security controls and proactively determine their overall exposure to real-world threats. Using Core's products and services, our customers perform comprehensive security assessments that connect IT-based risks directly to critical business risks.

CRU-DataPort .............................................................Booth 609
www.cru-dataport.com
CRU-DataPort develops and markets computer data security and storage devices. The DataPort brand of removable hard drive enclosures has become the preferred design-in for physical data security and drive removal in Military/Government, Education and corporate Information Technology departments. Products are available through major distributors, OEMs, VARs and a host of resellers.

CSC .............................................................................Booth 610
www.csc.com/publicsector
CSC is a global leader in providing technology-enabled solutions and services through three primary lines of business. These include Business Solutions and Services, the Managed Services Sector and the North American Public Sector. CSC's advanced capabilities include system design and integration, information technology and business process outsourcing, applications software development, Web and application hosting, mission support and management consulting.

Damballa Inc. .............................................................Booth 522
www.damballa.com
Pioneering the fight against cyber threats, Damballa provides the only network security solution that detects the remote control communication criminals use to breach networks and steal personal and intellectual property, or conduct espionage. Damballa solutions protect any network with any device: PCs, Macs, mobile or embedded.

Data Security Inc. .......................................................Booth 116
www.datasecurityinc.com
Work with our security professionals to identify the best technology for safeguarding information. Learn information assurance guidelines and procedures per the latest DoD/Federal standards. Understand liabilities associated with improper sanitization. Save time and money while eliminating information exposure! With over 25 years of experience, we are the leader in NSA/DoD-approved degaussers and destruction devices. Our products ensure data is irretrievable!

DC3 .............................................................................Booth 819
www.dc3.mil
The Defense Cyber Crime Center (DC3) is the DoD's center of excellence for digital forensics and the investigation of computer-related crimes. DC3 is comprised of the Defense Computer Forensics Laboratory (DCFL), Defense Computer Investigations Training Program (DCITP) and Defense Cyber Crime Institute (DCCI).

DC3 Recruiting ...........................................................Booth 817
www.dc3.mil
The Defense Cyber Crime Center (DC3) is the DoD's center of excellence for digital forensics and the investigation of computer-related crimes. DC3 is comprised of the Defense Computer Forensics Laboratory (DCFL), Defense Computer Investigations Training Program (DCITP) and Defense Cyber Crime Institute (DCCI).

Dell .............................................................................Booth 511
www.dell.com/fed
For more than 26 years, Dell has empowered government agencies, communities, and people everywhere to use technology to realize their missions. Our integrated solutions are used to protect the information assets of governments and citizens. Customers trust us to deliver technology solutions that help them do and achieve more, whether they're at home, work, school or anywhere in the world.

Deloitte Services LP ...................................................Booth 212
www.deloitte.com/federal
Deloitte is proud to work with the Department of Defense to deliver extraordinary advantages to the 21st Century Warfighter. Drawing upon extensive experience serving government and industry, and a deep understanding of the Department of Defense, Deloitte provides clients with unique and integrated solutions in areas including IT integration, financial management, human capital, strategy and operations, and enterprise resource planning.

DFI News ....................................................................Booth 809
www.dfinews.com
DFI News is a weekly e-newsletter for digital forensic professionals working in academic, government, law enforcement, and corporate settings. DFI News subscribers will get the content they need to stay attuned to the latest in digital forensics and incident response. Subscription is free to qualified professionals at www.dfinews.com.

DFLabs .......................................................................Booth 414
www.dflabs.com
DFLabs IncMan Software manages information security incidents, digital forensics and case management. Incident Management manages artifact analysis, cost, evidence, notes, messaging, tasks, and security infrastructure. Digital Investigation Manager manages chain of custody (COC), acquisition, evidence tracking (barcode), clones, deliverables, lab management and notes.

Digital Intelligence Inc. ..............................................Booth 205
www.digitalintelligence.com
Digital Intelligence provides state-of-the-art digital forensic hardware to investigators and analysts all over the world. Additionally, we provide in-depth training and forensic services to our customers, both in house and on site, in the areas of digital forensics and eDiscovery.

Fernico ........................................................................Booth 410
www.fernico.com
Fernico's new ZRT 2 is the leading system to manually examine any cell phone and record evidential data with high definition video capture. FAR Pro Blu-Ray is the premier system for archiving digital evidence to DVD or Blu-Ray discs automatically. FAR Pro Imager is the most cost-effective automated solution to acquire bulk quantities of discs.

FireEye, Inc .................................................................Booth 512
http://www.FireEye.com
The FireEye Malware Protection System is the industry's first solution that breaks the full Modern Malware infection lifecycle, stopping zero-day, targeted attacks and spear phishing, and blocks outbound malware data transmissions while inoculating networks from future attacks. FireEye blocks the 90% of Modern Malware that conventional defenses miss and features near-zero false positive rates for a rapid security ROI.

Forensic Computers, Inc. ............................................Booth 318
www.forensic-computers.com
Forensic Computers develops and builds workstations specifically for conducting investigations on hard drives, thumb drives, iPods, and cell phones. We conduct computer forensics training and dead hard drive recovery, and will integrate the customer's choice of forensic software for a true turn-key system. Forensic Computers, Inc. is a small veteran-owned business and is operated by retired Computer Crime Investigators.

Fortinet, Inc. ...............................................................Booth 113
www.fortinet.com
Fortinet's security solutions provide integrated, multi-layer protection that enables government institutions to safeguard their networks, content, and applications against increasingly sophisticated threats. FortiGate systems provide full, multilayered security that scales from remote-office appliances to multi-gigabit core network or data center platforms.

General Dynamics Advanced Information Systems ..Booth 604
www.gd-ais.com
General Dynamics is a leading provider of cyber security solutions, from digital forensics to network protection and indications and warning systems. We offer both unmatched human expertise and gold-standard technical solutions necessary for real-time, round-the-clock protection of critical networks and systems.

GFI Software ..............................................................Booth 309
www.gfi.com/ATG
GFI Software is a leading IT security provider with advanced technology solutions for endpoint security and malware analysis. GFI's Advanced Technology Group (ATG) delivers specialized tools for malware threat analysis and defense. Products include GFI Sandbox malware analysis, ThreatTrack data feeds and VIPRE anti-malware SDKs, giving government defense agencies, security vendors, ISPs and enterprises the ability to rapidly analyze malware.

Global Knowledge .....................................................Booth 210
www.globalknowledge.com
Global Knowledge is the worldwide leader in IT and business skills training. Our broad-based security curriculum includes the latest in skills-building and vendor-specific training from Cisco, Microsoft, Red Hat Linux, Foundstone, and EC-Council. Combine expert instruction with hands-on labs for results-oriented training.

Guidance Software ....................................................Booth 303
www.guidancesoftware.com
Guidance Software, Inc. (NASDAQ: GUID) is the worldwide leader in digital forensics, e-discovery and cybersecurity software and hardware. Its EnCase software and Tableau hardware, as well as its professional services, training and support, help government agencies, businesses and law enforcement agencies conduct thorough, network-enabled and court-validated digital computer investigations.

Harris ..........................................................................Booth 315
www.harris.com
Since its inception in 2000, Crucial Security has delivered innovative technology and technical services solutions to federal government customers. Today, Crucial Security is a wholly owned subsidiary of Harris Corporation. Our motto, "Crack it. Code it. Change the Game.", touts our cutting-edge yet practical network security practices supported by seasoned experts with a variety of intelligence and law enforcement backgrounds.

HBGary, Inc. ................................................................Booth 310
http://www.hbgary.com
HBGary, Inc. was founded in 2003 by renowned security expert and successful entrepreneur Greg Hoglund. HBGary offers a complete, continuous protection product suite that counters advanced cyber-threats such as APT while reducing costs for security operations. Customers include Fortune 500 financial, pharmaceutical, and U.S. government agencies including the Department of Defense. Headquartered in Sacramento with offices in Washington D.C. Please visit http://www.hbgary.com.

High Tech Crime Institute ...........................................Booth 409
www.gohtci.com
A global leader in the field of Computer Crime Investigation and Computer Forensics, HTCI is uniquely qualified to provide expert instruction, proactive security management and computer forensic platforms to both the private and public sectors.

i2 .................................................................................. Sponsor
www.i2group.com
i2 is the leading provider of intelligence and investigation management software for law enforcement, defense, national security and private sector organizations. For over 20 years, 4,500 organizations in 150 countries have relied on i2's proven technology to investigate, predict, prevent and defeat crime and terrorism.

IATAC ..........................................................................Booth 110
http://iac.dtic.mil/iatac/
The Information Assurance Technology Analysis Center (IATAC) provides DoD with emerging scientific and technical information in support of Defensive IO. IATAC provides DoD a central point of access for information on IA emerging technologies and focuses on defensive activities related to information use processes and systems.

immixGroup ...............................................................Booth 616
www.immixgroup.com
immixGroup brings commercial technology products and services to the public sector. Since 1997, we have helped hundreds of large and emerging companies grow and manage their government business while providing federal, state, and local agencies with reliable access to leading commercial technologies through the contract vehicles and partners they prefer.

Imperva ......................................................................Booth 216
www.imperva.com
More companies trust Imperva to secure their data than any other vendor. Imperva's proven solutions deliver activity monitoring, real-time protection and risk management of critical business data and applications. The global leader in Application Data Security, Imperva's unmatched governance and protection solutions provide full visibility and control of enterprise data from the database, through the application, to the accountable end user.

Intelligent Computer Solutions .................................Booth 613
www.icsforensic.com
Intelligent Computer Solutions is the technology leader in the design and manufacture of high-speed hard drive duplication and computer forensic tools. ICS products help the efforts of private corporations and both federal and local law enforcement agencies to fight computer crime around the world.

Katana Forensics ........................................................Booth 215
www.katanaforensics.com
Partnering with Teel Technologies
Katana Forensics' goal is to design affordable, intuitive tools for extracting data and artifacts from smartphone devices without altering the evidence. Katana Forensics is a US-based company with an extensive background in law enforcement and computer forensics. Unlike similar products, our software does not require extensive training or costly service agreements and ever-changing hardware devices.

Lieberman Software ..................................................Booth 203
www.liebsoft.com
Lieberman Software is a technology leader in the fast-growing privileged identity management and security management markets, with more than 20 years of product innovation and more than 1000 enterprise customers worldwide. Our products help organizations secure their multiplatform enterprises from internal and external security threats and comply with regulatory mandates.

Lockheed Martin ........................................................Booth 118
www.lockheedmartin.com/careers
Powered by innovation, guided by integrity, everything is possible. Certain qualities are in a company's DNA. At Lockheed Martin, we are driven by innovation and integrity. We believe that by applying the highest standards of business ethics and visionary thinking, everything is within our reach, and yours. Get started today on your Lockheed Martin future. www.discoverlockheedmartin.com/cybersec/index.asp

Logicube, Inc. ..............................................................Booth 418
http://www.logicubeforensics.com
A worldwide manufacturer of digital forensic data capture solutions, Logicube delivers feature-rich products designed specifically for digital forensic investigations. Logicube works closely with government and military organizations to ensure that our solutions keep pace with advanced digital technology used in criminal activities. Our eForensic product family includes data capture solutions for computers, cell phones, GPS & PDA devices.

MacAulay-Brown, Inc. (MacB) ....................................Booth 416
www.macb.com
MacB is an advisory & assistance and technical services company with over 30 years of professional service to the US government and prime contractors, in EW, Intel, Cyber, NetDef and IA capabilities. MacB was part of the original AFCERT in San Antonio and is a major contributor to the standup of 24 AF's CITS Blk 30 Mission Assurance upgrade.

MAM-A .......................................................................Booth 514
www.mam-a.com
Partnering with At Ease Computing, Inc
The only manufacturer of Made in USA Recordable CDs & DVDs. Based in Colorado Springs, MAM-A's professional grade product line includes Silver and 24k Archival Gold CD-Rs, DVD+/-Rs, Dual Layer DVD+R, and Recordable Blu-ray discs. All are available with printable surfaces or custom logos.

Mandiant ....................................................................Booth 209
www.mandiant.com
MANDIANT is a recognized leader in enterprise threat detection and incident response. We provide services, managed services, education and incident response management software to financial institutions, Fortune 500 corporations, energy companies, government agencies, domestic and foreign law enforcement and several of the United States' leading law firms.

ManTech International Corporation ..........................Booth 104
www.mantech.com
Headquartered in Fairfax, Va., with approximately 9,800 professionals in 40 countries around the world, ManTech is a leading provider of innovative technologies and solutions for mission-critical national security programs for the intelligence community; the departments of Defense, State, Homeland Security and Justice; the space community; and U.S. federal government customers.

Marriott ....................................................................... Sponsor
www.marriott.com
MARRIOTT INTERNATIONAL, INC. is a leading lodging company with over 3,500 properties in 70 countries. The company is headquartered in Bethesda, Maryland and had approximately 137,000 employees in 2009. It is ranked as the lodging industry's most admired company and one of the best companies to work for by FORTUNE, and by Newsweek as one of the greenest companies in America.

Merlin International, Inc ............................................Booth 412
www.merlin-intl.com
Merlin is the leading provider of innovative technology solutions serving the U.S. federal government. Merlin delivers high-value IT solutions based upon our proven best practices, experienced and trusted staff and extensive knowledge of the federal government and its unique IT challenges.

MH Service GMBH ......................................................Booth 314
www.mh-service.de
Founded in 1993 in Karlsruhe, Germany, today mh SERVICE GmbH is one of the leading providers of computer forensics. Our customers include Federal and Country authorities as well as European and international facilities, mid-size companies, large concerns and also universities. All our products are Made in Germany and come with a minimum 36 months' warranty.

NCMEC .......................................................................Booth 815
www.missingkids.com
The National Center for Missing & Exploited Children's (NCMEC) mission is to help prevent child abduction and sexual exploitation; help find missing children; and assist victims of child abduction and sexual exploitation, their families, and the professionals who serve them.

NEK Advanced Securities Group ................................Booth 612
www.nekasg.com
NEK Advanced Securities Group specializes in National-Level Special Operations Force and Law Enforcement Agency support initiatives. NEK provides highly qualified personnel to train and instruct in areas of computer and wireless forensics, intelligence collection/analysis, biometrics/DNA collection, cyber tradecraft & security, site exploitation, tactical operations and numerous other areas where SOF expertise is applicable in support of operational units worldwide.

NitroSecurity ..............................................................Booth 517
www.nitrosecurity.com
NitroSecurity is the leader in high-performance, content-aware security information and compliance management solutions. NitroSecurity's integrated SIEM solutions provide single-pane-of-glass visibility into events and logs and monitor networks, databases and application payload information.

Norman Data Defense ...............................................Booth 509
www.malwareanalyzer.com
Norman delivers products protecting government and enterprise networks and consumer desktops, and is the global leader in proactive content security solutions and forensic malware tools. Norman's solutions are powered by Norman SandBox technology and used by security solutions providers around the world. For more information, visit www.norman.com.

North Central Sight Services ....................................Booth 807
www.ncsight.org
Imation Corporation and North Central Sight Services, through the AbilityOne program, will showcase its Defender Collection of secure storage devices. Engineered to meet rigorous encryption standards, the entire line is FIPS 140-2 validated up to Level 3 and TAA compliant. AbilityOne helps thousands of people who are blind or have other severe disabilities find employment.

nW3C ............................................................................ sponsor
www.nW3C.org
The National White Collar Crime Center (NW3C) provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of economic and high-tech crime.

raytheon Company ....................................................booth 603


www.raytheon.com
Raytheon is a technology and innovation leader specializing in defense, homeland security and other government markets worldwide. Raytheon leverages decades of experience in cybersecurity, information operations and information assurance (IO/IA) to successfully protect our global customers critical information and infrastructures from the most complex threats.

oklahoma state university ........................................booth 811


okstate.edu
The National Repository of Digital Forensic Information is an information sharing resource for sworn law enforcement agencies in the united States, Canada, Australia, New Zealand, and the United Kingdom. Whitepapers, techniques, tools, and documents that are not widely available can be found on this site after being individually vetted for access. A new version will be released at this conference.

saiC ............................................................................booth 404


www.saic.com
SAIC is a FORTuNE 500 scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. For more information, visit www.saic.com.

oxygen software .......................................................booth 109


www.oxygen-forensic.com
Oxygen Software was founded in year 2000. Oxygen Forensic Suite is a result of our 10-years experience in PC-to-Mobile communication software development. Oxygen Forensic Suite is really smart forensic tool for smart phones, cell phones and other mobile devices.

SANS Institute ............................................................booth 311
www.sans.org
SANS is the best and most trusted source for information and computer security training. Our computer security courses are developed by industry leaders in numerous fields including network security, forensics, audit, security leadership, and application security.

Palo Alto Networks ....................................................booth 415
www.paloaltonetworks.com
Palo Alto Networks offers a family of innovative, next generation firewalls that provide enterprise IT organizations with visibility and policy control of all applications, users, and content on the network, while delivering throughput of up to 10Gbps. These firewalls also deliver significant, measurable savings in capital and operational costs.

Software Engineering Institute, Carnegie Mellon University .......................................booth 615
www.sei.cmu.edu
The CERT Program at Carnegie Mellon University's Software Engineering Institute (SEI) engages in cutting-edge research and development and also provides robust training and education programs focused on ensuring that software developers, internet security experts, network and system administrators, and others are able to resist, recognize, and recover from attacks on networked systems.

Paraben Corporation..................................................booth 204
www.paraben.com
Paraben specializes in comprehensive digital forensic solutions for handhelds, hard drives, and enterprise networks. Premier products for the 360 degrees of the examination process showcase Paraben's skills in digital forensics. From technology to services, Paraben provides effective results and forensic-grade data.

Solera Networks ........................................................booth 617
www.soleranetworks.com
Like a surveillance camera for your network, Solera Networks enables real-time network forensics and threat prevention by recording all network traffic on both physical and virtual networks. Every network packet is stored, indexed, and can be searched and replayed at any time to determine the full source and scope of any event. For more information, visit www.soleranetworks.com.

Passware, Inc. .............................................................booth 316
www.passware.com
Passware, Inc. has been the worldwide leader in password recovery and e-Discovery software for Federal and State agencies, Fortune 500 corporations, law enforcement, military organizations, and consumers since 1998. Passware's flagship product, Passware Kit Forensic, is included with the Key Computer Service CCE Bootcamp Training. Passware Kit Forensic is a complete evidence discovery solution, providing immediate password recovery for any protected file detected on a PC or over the network while scanning, as well as instant decryption of hard disk images from seized computers.

Spirent Federal ...........................................................booth 623
www.spirentfederal.com
Spirent Federal is the leader in lab and live network TEST & MEASUREMENT of 40/100 gigabit, cyber security, virtual servers, routers, switches, and network impairment ... with full layer 2-7 network test capability.

U.S. DEPARTMENT OF DEFENSE CYBER CRIME CONFERENCE 2011 | Cyber Hunters: Predators and Prey... | 87

Company Profiles
Stevenson University .................................................booth 317
accelerate.stevenson.edu
Stevenson University offers undergraduate and graduate degrees to adult students seeking to establish careers, enhance existing careers or change careers. Stevenson offers degrees in Forensic Science, Forensic Studies, Criminal Justice, Information Systems, Business, and Nursing.

US Army Threat Systems Management Office...........booth 515
www.gdc4s.com
The mission of the U.S. Army Threat Systems Management Office includes the Acquisition, Development, Fielding, Operations & Sustainment of Threat Equipment for Army Testing. Current products include the Network Exploitation Test Tool (NETT), which is in its tenth year of development and is available to test organizations in the DoD.

Syngress .....................................................................booth 218
www.elsevier.com
Syngress: Security for a Digital World. We are for professionals who want theoretical as well as tactical information on security in the digital world. We publish high-quality content in the areas of Digital Forensics, Hacking & Penetration Testing, Information Security/System Administration and more.

ValidEdge ...................................................................booth 213
www.validedge.com
ValidEdge offers the world's first appliance with separation-kernel technology for very fast and in-depth malware analysis. ValidEdge solutions protect networks from zero-hour and single-target malware attacks by detecting, analyzing and healing infected systems. ValidEdge is ushering in the next generation of malware awareness.

Technology Pathways .................................................booth 621
www.techpathways.com
Technology Pathways makes ProDiscover, a comprehensive, affordable computer forensic software solution for corporate and government users. ProDiscover is currently being utilized extensively in many military and DoD agencies as well as civilian government departments to conduct incident response and internal investigations.

Vound Software .........................................................booth 322
www.vound-software.com
Vound develops, markets and sells Intella Desktop, a software product for digital forensic investigation and electronic discovery. Vound is fast becoming a world leader in the development of applications for file and email investigation, computer forensics and ediscovery. Vound's software products are recognized for their easy-to-use interface aimed at tactical detectives who want to review their own data.

Teel Technologies .......................................................booth 215
www.teeltechnologies.com
Focused exclusively on mobile device forensics, Teel Technologies provides the tools and training that Federal, State and Local law enforcement require to acquire data from mobile devices. Offering the widest selection of tools in one place, we are dedicated to ensuring our customers get the right kit for the job, and are well supported after the sale.

WetStone Technologies, Inc........................................booth 115
www.wetstonetech.com
WetStone Technologies has been a global provider of innovative cyber security solutions since 1997. We continue to equip our customers with the cutting edge research, robust technology, and challenging training courses that are needed to defend against today's cyber criminals.

The Newberry Group .................................................booth 611
www.thenewberrygroup.com
The Newberry Group is a 100% employee-owned, nationally recognized IT Services and Cyber Security firm, serving both government and commercial clients. Newberry provides comprehensive Enterprise IT, Cyber Security, Network/Systems Design and Development, Service Desk/Call Center Management, Applications Engineering, and Mission Support Staffing services.

Wounded Warriors .....................................................booth 813
www.woundedwarriorsproject.com
Wounded Warriors Project (WWP) is a nonprofit, nonpartisan organization headquartered in Jacksonville, FL with additional program offices located in New York City and Washington D.C. WWP was founded in Roanoke, Virginia by a group of veterans and friends who took action to help the injured service men and women of this generation.

University of Maryland University College................booth 421
www.umuc.edu
University of Maryland University College (UMUC), a global leader in online adult education, offers career-advancing undergraduate and graduate programs in cybersecurity. The National Security Agency and the Department of Homeland Security have designated UMUC as a National Center of Academic Excellence in Information Assurance Education.

88 | Conference and Exposition Produced by Technology Forums | www.GovernmentMeetings.com
