Conference Agenda and Descriptions
8:00 AM – 5:00 - Free Cellebrite UFED Reader Training Class for registered attendees! The Cellebrite training department is hosting a full day (7hrs) Pre-Conference training class featuring UFED READER! Space is limited to first registered! A limited number of computers will be available to attendees, but you can bring your own computer as the provided executable is all you will need to run and participate!
(No installation is required, but you must be using an Intel-based Microsoft Windows computer or virtual machine.) * Pre-registration is required for credits towards CPEs and access to the certificate.
8:00 AM - Registration/Breakfast
9:00 AM to 9:15 AM - General Session Welcome - Warren Kruse
9:15 AM to 10:15 AM - Keynote Speaker Heather Mahalik – Under Pressure – How to Make Sure You Don’t Burn Yourself in DFIR
- Pressure may mean different things to all of us. Does pressure stress you out? Does pressure help you do your best work? What if you agreed to “find the smoking gun” and you can’t? Whoever said we must be perfect is greatly mistaken. We are human and we all make mistakes, and we must learn how to handle the pressure we put on ourselves and what others push upon us. This keynote is going to discuss several things, including mistakes Heather has made during her 20+ years in DFIR and how she overcame them. Why were these mistakes made and how can you potentially avoid them from happening to you? In addition, how can we learn to deal with the pressure of not being able to solve a case or “find a smoking gun” that is being asked of us? Sometimes we grow when the evidence doesn’t speak to us. This talk will help you learn to manage expectations, accept that mistakes will be made, and see the growth in what happens when the evidence isn’t what someone told us it should be.
10:15 AM - 10:45 AM - Networking Break / Visit Vendors
10:45 AM - 11:45 AM - Breakout Sessions
- Vehicle System Forensics: Damaged and Unsupported Devices - Shanon Burgess
Over the past two decades, digital data stored within vehicle systems has been highly useful in determining the events leading to a crash, especially when combined with traditional accident reconstruction techniques. With the proliferation of the Internet of Things (IoT), the sources of that data have grown exponentially and techniques for applying that data have been refined and expanded. These sources of data include engine control modules (ECM), airbag control modules (ACM), infotainment modules, telematics modules, etc. For these reasons, the demand for successful retrieval of vehicle systems data is increasing. Berla is the only mainstream commercial tool targeted directly at the vehicle system forensics community. While Berla does a great job and continues to add support for new vehicles every day, what about all the unsupported vehicles? Severe crashes are no exception either and often present a unique challenge to reconstruction experts because these vehicle system modules, which contain the crash data, are often damaged in serious crashes. When the modules themselves are unsupported and/or damaged, whether by physical, fire, or water damage, standard techniques for data retrieval may be impossible without performing chip-level forensics: specifically, chip-off, in-system programming (ISP), and chip-swap forensics, wherein the data-bearing components from a damaged module/device are transplanted onto a surrogate module/device. This presentation addresses the challenges of data retrieval from unsupported and damaged vehicle system modules based on prior research and current work on the subject.
- Platinum Sponsor OpenText Lab - The Power of EnCase & Keys to Collecting Forensic Images - Victor De La Pena
As the number of devices and the amount of information on those devices increases, digital forensic investigators are overwhelmed with the places they need to search for evidence. This is resulting in increased case backlogs and strain on both corporate and law enforcement investigation resources. Learn how EnCase digital forensic investigation solutions help examiners get to the truth faster and more reliably. The increasing diversity, size and sophistication of digital media complicates evidence collection. Investigators need to be able to quickly image suspect devices, improve their efficiency and ensure forensic integrity. Learn about the new capabilities Tableau Forensic delivers in providing cost-effective, reliable, portable standalone forensic imaging of physical media for digital forensic investigations.
- Disk Images are Gamblers and Virtualization is Vegas - Mark Spencer
While there are many obvious benefits to interacting with disk images running in virtual machines, there are less obvious (but no less important) benefits if you truly appreciate the incredible control you have over a disk image running in a virtual machine. Attendees of this presentation will be exposed to these less obvious benefits via a combination of lecture and demonstrations. While Arsenal Image Mounter will be used to demonstrate launching Windows domain controllers and workstations into virtual machines to unlock secrets on workstations without any credentials, bypassing the Windows Data Protection API, and more, some of the concepts discussed during this presentation will apply regardless of the particular tools being used.
- Investigating Linux Systems - Ali Hadi & Mariam Khader
Linux forensics is an important skill for anyone looking to work in the field of digital forensics. It provides a powerful set of tools and techniques to investigate and analyze digital evidence, allowing experts to uncover data that may be hidden or deleted from a computer system. It is also useful in law enforcement, intelligence, and other areas of investigation.
This workshop aims to help digital forensic investigators to effectively identify and analyze digital evidence on a Linux system and gain a better understanding of incidents that occurred on the system. The goal of this workshop is to learn more about:
1. The Linux operating system and its file system hierarchy
2. How to locate and acquire evidential data from a Linux system
3. How to analyze Linux file systems and system log files
4. The forensic tools that can be used to investigate a Linux system
11:45 AM - 12:45 PM - Lunch
12:45 PM - 1:45 PM - Breakout Sessions
- Memory Forensics with Volatility 3 - George Bell
In 2020, the Volatility Foundation publicly released a complete rewrite of its framework, Volatility. Three years on and in my experience, people still struggle with the implications of this rewrite. Most notably, Volatility 3 uses symbols, not profiles. This poses severe challenges when one's analysis must be done in a disconnected environment with no access to the symbol servers. The intent of this briefing is to discuss methodologies for overcoming these challenges.
- Platinum Sponsor OpenText - Elevating Investigations with Targeted Collection - Seine Ly
Organizations are now tasked with more types of investigations than ever: HR issues, compliance violations, regulatory inquiries, IP theft and more. To solve these issues, organizations may need to look deeper into an employee’s activity discreetly and even remotely without sacrificing employee productivity. But often these investigations can lead to collecting an overwhelming amount of data that puts a strain on already overburdened investigation teams. Join this session to learn how to combine digital forensic investigation capabilities with targeted collections in order to improve the efficiency and effectiveness of your investigations.
- Hunting Threat Actors using OSINT Forensics - Abi Waddell
Little attention is given to tracking the perpetrators of cyber-attacks in the world of forensics. Using real world examples, I will present some OSINT methods to trace the location and identity of threat actors, including revealing deleted parts of screenshots/PDFs, discerning fake accounts, finding suspicious VPN addresses, uncovering identities from pseudonyms; using account leaks, search engine analytics, maps, social media, images and more. I will also present the results of my original research of thousands of leaked accounts, into identifying gender, age and predicted passwords in use, which can assist in threat actor identification.
- Unraveling Cybercrime: Harnessing the Power of ChatGPT in Criminal Investigations - Cynthia Navarro and Laura Chappell
The rapid development of artificial intelligence and natural language processing technologies has introduced novel methods for solving complex problems in various domains, including cybercrime investigations. This presentation delves into the capabilities, versions, and applications of ChatGPT, a state-of-the-art language model developed by OpenAI, to assist law enforcement agencies in combating cybercrime.
We begin by providing an overview of ChatGPT's evolution, highlighting the major enhancements introduced in each version, and discussing how these advancements have improved the model's performance in generating accurate and coherent responses. Subsequently, we explore the various ways in which ChatGPT can be employed in cybercrime investigations, including but not limited to: analyzing digital evidence, generating investigative leads, deciphering encrypted communications, and identifying potential criminal patterns.
To further illustrate the practical application of ChatGPT in an investigative context, we present a case study detailing the creation of a murder mystery lab. This interactive simulation harnesses the power of ChatGPT to generate complex, multi-layered narratives that challenge investigators to practice their prompt-writing skills, critical thinking, and deductive reasoning. Participants in the lab are required to utilize ChatGPT to solve the murder mystery, as well as to identify additional leads and connections to other potential criminal activities.
By showcasing the remarkable potential of ChatGPT in tackling real-world problems, our presentation aims to demonstrate the importance of integrating AI technologies into modern investigative strategies and to inspire further research into the development of more advanced and specialized tools for the cybercrime investigation domain.
1:45 PM - 2:15 PM - Networking Break / Visit Vendors
2:15 PM - 3:15 PM - Plenary - Cryptocurrency Crimes and Investigations - Robert Whitaker
Romance Scams, Investment Scams, and ATM related Scams
3:15 PM - 3:30 PM - Networking Break / Visit Vendors
3:30 PM - 4:30 PM - Breakout Sessions
- Input and Output + Syslog (iO+S) Accessing Locked iOS Devices - Jessica Hyde and Nick Dubois
- A Case Study in the Daisy-Chain Compromise of a Lawyer - Mark Spencer
Arsenal has found the only known case of an attacker leveraging the compromised email account of a high-value target (a lawyer) to then compromise that same target's computer and deliver incriminating documents. The particular technique used by the attacker involved the abuse of IMAP functionality over a significant period of time. The attacker in this case was successful, and the consequences for the victim were (and continue to be) devastating. Due to the sensitive nature of this presentation, it is only available in-person and recording will not be allowed.
- Forensic Analyses of Audio and Video Evidence - Herbert Joe
Audio, acoustics, voice and video evidence are common in civil and criminal litigation. Such evidence is often extracted from computer or mobile devices. All parties must at least be generally familiar with what can (and cannot) be done forensically and legally with such evidence, e.g., forensic authenticity analyses, digital signal processing (enhancement), etc. Learn generally what can and cannot be done, whether you're the proponent or opponent of the evidence, and whether a case needs a consulting, rebuttal or testifying expert witness.
- How Security Ninjas Hunt Threats in Response - Roberto Martinez
When a cyber-attack impacts an organization, Incident Responders need to use threat intelligence and an arsenal of tools to hunt and contain the threats.
In this workshop, the participants will learn how to use different tools like Yara and Sigma Rules, and apply the basic concepts of Detection Engineering, Threat Intelligence, and Threat Hunting.
5:30 PM - 7:30 PM - Networking Reception
Wednesday, September 20
8:00 AM - Registration/Breakfast
9:00 AM - 10:00 AM - Keynote Speaker - Enterprise Cloud Forensics - David Cowen
10:00 AM - 10:30 AM - Networking Break/Visit Vendors
10:30 AM - 11:30 AM - Breakout Sessions
- Leveraging Chat GPT During Forensic Investigations - Chester Hosmer
ChatGPT and other AI technologies have emerged over the past few years. I have been researching and teaching the application of GPT 3,4 and now ChatGPT at the University of Arizona. During this lecture I will share the results of our research, development, and application of these emerging technologies to digital investigation challenges. You will learn the truth about what these technologies can and cannot do, and most importantly how we can leverage them during the investigative process.
- Peering Behind the Curtain of Mobile Forensics - Jessica Hyde and Ricky Johnson
How do you determine if a mobile forensic analysis is complete? How do you know what you don’t know? What if the nefarious actor is using an unsupported app? In this session Jessica Hyde and Ricky Johnson will discuss how to improve your team’s analysis of mobile forensics through peer review. We will share not only why this type of review is critical but provide practical tips, methods, and a checklist to ensure your lab is getting the most out of your mobile data extractions.
- Forensic Investigation of Email Client Tool Marks - Arman Gungor
Email forensics has become a vital part of digital forensic investigations. In this presentation, we will explore subtle marks that email clients leave on email messages as they interact with them and how such marks can be used to obtain crucial timing information, determine how and when an email was modified, and whether or not it is authentic.
- Expert Witness Lab - Craig Ball
Q&A discussion about testifying and report writing with a veteran trial lawyer, Special Master and expert witness in electronic evidence and digital forensics.
11:30 AM - 12:30 PM - Awards Lunch and Whose Slide Is It Anyway
12:30 PM - 1:30 PM - Breakout Sessions
- Nation State, Supply Chain and Linux Backdoor Risks - John Palmisano and Austin Larsen
Discussion of Chinese nation state TTPs, supply chain compromises, Linux malware and hardening Linux environments to enhance prevention, detection and response capabilities.
- Investigating Digital Footprints on Websites and Social Media Platforms - Aaron Reyes
This presentation will provide an overview of Website and Social Media forensics, which are crucial aspects of digital investigations. The presentation will provide an explanation of the concepts of website and social media forensics and their significance in modern digital investigations. It will then delve into the various techniques and tools used in website and social media forensics, along with real-world examples of their application. The presentation will also address the challenges that investigators face in website and social media forensics, including privacy concerns, changing technology, and jurisdictional issues. The presentation will conclude with a summary of best practices for conducting website and social media forensics investigations, including preservation of evidence, documentation, analysis and interpretation of evidence, and reporting. Attendees will gain a comprehensive understanding of website and social media forensics and their role in modern digital investigations.
- Mock Trial - Part 1 - Craig Ball
1:30 PM - 2:00 PM - Networking Break/Visit Vendors
2:00 PM - 3:00 PM - Breakout Sessions
- Digital Forensics at Scale: Lessons Learned from the Bhima Koregaon Case - Robert Jan Mora
In 2018 a brawl broke out near Pune, India, between various groups during the 200th anniversary of the Battle of Bhima Koregaon. This brawl resulted in one death and multiple injuries. The Indian authorities eventually arrested 16 people (including activists and lawyers) for allegedly stoking the violence and planning to overthrow the Indian government. One of the defendants, an 84-year-old Jesuit Priest named Stan Swamy, died while in custody. During the investigation, initially managed by the Pune Police, the Regional Forensic Science Laboratory in Pune performed digital forensics on a large volume of electronic evidence. Later the investigation was transferred to the National Investigation Agency (NIA). Arsenal Consulting, a Boston-based digital forensics company, was retained by the defense team for some of the defendants to analyze the same electronic evidence. After Arsenal was provided with forensic images of the seized computers, they found evidence planted by a threat actor now known as “ModifiedElephant.” In addition, Arsenal produced five public reports detailing high-quality digital forensic techniques like memory forensics, where it became clear that all of the crucial “digital evidence” was fabricated.
How could the Regional Forensic Science Laboratory in Pune miss such blatant evidence tampering? This presentation will outline our involvement in this case as we reviewed Arsenal’s fifth report and additional documents related to the case at the request of the Washington Post. For example, in an additional document from the Regional Forensic Science Laboratory, we found a file listing that included a piece of malware that was not identified as such - in other words, it was just mentioned as if it was a typical file. The Bhima Koregaon case provides a horrifying example of poor digital forensics performed by a government and should be a red flag for our forensic community. Could this happen in our countries as well?
- Windows Search Index: The Forensic Artifact You've Been Searching For - Phalgun Kulkarni & Julia Paluch
For examiners investigating cyber-crimes on Windows endpoints, the Windows Search Index artifact can reveal information about a user’s Internet history, emails, file interactions, and even deleted user files. Originally created as a tool to enable searching for user files across the Windows operating system, the Windows Search Index as a forensic artifact provides insight into file existence and user activity. In this presentation, we will discuss how the Windows Search Index can be used as a source of evidence in DFIR investigations.
This presentation will provide an overview of the data recorded in the Windows Search Index by default and user actions that trigger modifications of the index. Next, we will introduce the structure of the index in Windows 10 and prior, and how it has changed with the release of Windows 11. We will also discuss use cases for the information found in the index, such as finding evidence of website access, deleted files, and activity from users of interest. Finally, we will introduce Stroz Friedberg's open-source tool, which will help investigators parse the Windows Search Index at scale.
Attendees of this presentation will gain a better understanding of how the Windows Search Index can be used as a forensic artifact and the insights it can provide to bolster your next investigation.
- Mock Trial - Part 2 - Craig Ball
3:00 PM - 3:30 PM - Networking Break/Visit Vendors
3:30 PM - 4:30 PM - Closing Keynote Speaker Devon Ackerman – 2023 Cyber Threats, Trends & Tactics
- Regardless of the tools they deploy, the methods they leverage, or the speeds at which they move, cyber threat actors today still make their way through a networked environment like trespassers entering your home office through an open window in the living room. In this presentation, I’ll share the most recent trends Kroll has seen in attacker behavior from investigating over 3,000 incidents annually, e.g., the initial access vectors that actors are using, the most targeted industry sector(s), and top two or three attacks to be on guard for. I’ll also share the clear and distinct stages that Kroll has mapped for common attacker behavior, processes, and intrusion steps — what we call the Kroll Intrusion Lifecycle; knowing these stages can help organizations and their leaders understand and anticipate different types of cyber threats. We’ll also cover the three main categories of threat actors — nation-state actors or APTs, organized crime groups, and insider threats and rogue employees — as well as their motivations and typical attack patterns.
4:30 PM - 4:45 PM - Conference Closing President Warren Kruse
5:00 PM - 8:00 PM - Capture the Flag Sponsored by Cellebrite
Cellebrite Worldwide CTF Party
Cellebrite’s world famous CTF is back! It’s time to GET YOUR GEEK ON!
An HTCIA and Cellebrite hosted CTF Party designed for everyone! With a brand new case, brand new data, and our toughest new challenges yet! Thousands of people around the world will take the challenge to see if they have what it takes to find the digital forensic artifacts and compare themselves to other participants. Cellebrite provides “Trial versions” of the Physical Analyzer; however, you may choose your own tools as well as open-source ones! A great way to test your geek skills!
Location(s) & ways to participate:
1) Live In-Person: Registered attendees of the HTCIA 2023 International Conference and Expo in Phoenix AZ
2) Virtual Online (Worldwide)
The event will be held live and in person at the HTCIA 2023 International Conference and Expo in Phoenix AZ.
Note this event is a Bring your own Computer (BYOC) event. Cellebrite will provide the setup guidance and links to download the large extractions ahead of time so people can process them before the event day. The event will run into the evening and might even be streamed live from the conference!
Highlights:
Pre Con Hands-on Monday, September 18
8:00 AM – 5:00 - Free Cellebrite UFED Reader Training Class for registered attendees!
Tuesday, September 19
8:00 AM - Registration/Breakfast Included
11:45 AM - 12:45 PM - Lunch Included
5:30 PM - 7:30 PM - Networking Reception
Wednesday, September 20
8:00 AM - Registration/Breakfast Included
11:30 AM - 12:30 PM - Awards Lunch Included and Whose Slide Is It Anyway
Mock Trial - TWO Parts - Craig Ball and Herbert Joe
5:00 PM - 8:00 PM - Capture the Flag Sponsored by Cellebrite - Worldwide CTF Party
Post Conference Training:
Thursday, September 21
9:00 AM – 12:00 PM Forensic Email Investigation – Arman Gungor
"The High Technology Crime Investigation Association has grown into the largest association of its kind in the world and it has been my honor and privilege to be a member of this organization since it was a single chapter located in Los Angeles, CA."
Fred Cotton (1999 lifetime award winner)
The HTCIA was created in 1986 and we are the oldest and most prestigious association solely focused on investigating high tech crime.

HTCIA Conference Milestones:
If you have any conference milestones to add please email us.
1984:
HTCIA held its first state-wide high-tech investigation training seminar.
1993:
- First HTCIA National training seminar held at the Double Tree Hotel, near San Jose Airport, San Jose, Ca.
1994 and 1997:
North Lake Tahoe, CA
2000
Chicago
9-11-01:
Long Beach California
Never Forget!
2002:
1st Annual conference in Atlantic City NJ
2003:
Silicon Valley chapter hosted the conference with keynote from Clifford Stoll, author of The Cuckoo's Egg. New York: Doubleday. ISBN 0-370-31433-6.
2004:
Washington, D.C.
2006:
Cleveland, Ohio
2007:
San Diego Ca
Attorney General Janet Reno provided the keynote
2016:
30th Annual Conference
2018:
1st Annual Canadian Cyber Summit
2021:
Phoenix: First Hybrid Conference Held due to global pandemic
2022:
2nd conference in Atlantic City, 20 year anniversary
2023:
Annual Conference in Phoenix (second time in Phoenix)
Contact Us:
The HTCIA International Office team is operated by Barcami Lane, Inc.:
- David Ehrlich – Executive Director
- Jeanette Foster – Meeting Planner
- Juliette Avery – Program Coordinator