[Full disclosure - I was a speaker at PFIC.]
I recently attended PFIC 2008 (www.pfic2008.com), hosted by Paraben. I found it to be on par with other conferences (CEIC, TechnoForensics) except it was free. Kudos to Paraben.
Their lab machines consisted of mostly Macs. They were donated, I believe, by BlackBag. They were dual boot allowing one to run either in the Mac environment or Windows environment. If you could get past the change in keyboard (which made shortcuts using CTRL or ALT difficult) and the yoga maneuver required for right clicking, they worked very well. But with that being said, I think it is good for forensic examiners to get out of their comfort zone and work with hardware and software with which they do not have a lot of experience.
Paraben provided speakers with a bag of goodies containing a jacket and knit cap. Always nice to feel appreciated!
They had a very nice reception one evening. Lots of good food and of course vendors touting their tools. Not as many vendors as CEIC or other conferences I've been at, but this was their first year.
I sat in on a lab for Paraben's P2 Commander. While I haven't tested it completely, I liked some of the features I saw. The application is Paraben's answer to GSI's Encase Enterprise (EE) and Technology Pathway's ProDiscover IR. Unlike ProDiscover IR, P2 does incorporate a "safe" like function similar to EE. This feature allows for setting privileges to let examiners perform only certain functions on certain suspect machines.
With administrative rights to a suspect machine, you can push an applet onto the suspect machine. Paraben claims that it is undetectable (although someone with their support staff claimed he could find it). You can view the following on the live computer:
1. Mounted registry
2. Current screen (setting the auto refresh creates a "movie" at a rate of 1 frame per 5 seconds)
3. Current applications and processes running
4. Memory
5. All files, unallocated space, etc.
You can capture memory, files, etc. You can also clone the disk. Paraben claims that once you start cloning, it intercepts writes to the disk and stores those in a RAM disk until such time that the areas that are being written to have been cloned. Then the portions in the RAM disk are emptied. P2 is also flexible in its cloning and will clone specific areas of the hard drive if it sees there are numerous attempts to that portion of the drive.
My point for providing all of the detail to the above tool is to give you, the reader, an idea on how in-depth the labs would get. Plenty of time to play around with the tools being discussed and a good deal of sample data to run the tools over.
I also sat in on a great talk by Troy Larson of Microsoft who spoke on Vista Forensics. This presentation was the second one of Troy's I attended and found him to be very engaging, knowledgeable and down to earth.
Jim Jaeger of General Dynamics gave some great war stories regarding intrusion detection cases he has been involved in. Finally, Greg Kipper gave a unique presentation on future trends and technologies. If you think the iPhone with its Loopt application is totally innocent, think again. In the hands of a predator, the more social and personal information they have on you, the more dangerous they become.
Lunch was provided for and the food was very good. The hotel where the conference was held was very accommodating. However, there was a downside to the conference. The location, Park City, UT, was over a 30 minute drive from Salt Lake City Airport. Being a speaker my shuttle ride was paid for but it wasn't too cheap for everyone else.
All in all, I was pleased with the conference. Very well put together being in its first year. I believe they are charging for the conference this year, but it is less expensive than similar conferences.
Greg Kelley, Vestige, Ltd
This review can be discussed here.
Membership:
Latest: 
New Today: 0
New Yesterday: 13
Overall: 20808
Members: 3
Visitors: 30
Staff: 0
Forensic Technology Preview Day 2011 - Germany