by Mattia Epifani
The Enfuse Conference, organized by OpenText, took place from the 11th to the 14th of November 2019 at the Venetian Conference Center in Las Vegas. More than 1,000 attendees from 40 countries were present, coming from different fields like digital forensics, e-discovery, incident response and cybersecurity. Most of the attendees were from the US and Canada, but many people from Central and South America, Asia, Africa and Europe were also present.
Forensic Focus was present for the entire conference and documented it in real time on Twitter. This article is a wrap-up of the conference highlighting some of the interesting talks from the more than 100 available.
11th November 2019 – Day One
The first day was dedicated to OpenText’s partners, and officially started with a “First Timers” session where OpenText presented the history of the conference and gave a guide on how to get around the event.
Then the Welcome Reception took place at Lagasse’s Stadium in the Venetian resort.
During the reception OpenText announced a donation to Michael’s Angel Paws, a charity organization based in Nevada that provides service dog and therapy dog programs to people with different needs.
12th November 2019 – Day Two
Starting from day two, most of the talks were run in parallel, so we were able to attend only some of them. Below is an overview of the talks we attended: more information on all the sessions is available on the conference website.
The day started with an early session: the “APFS – Review & Updates” talk by Simon Key (Course/Curriculum Developer at OpenText). The presentation gave a high-level technical review of APFS and its examination, including how to process APFS snapshots. Simon also gave a webinar on this topic, which is available at GuidanceSoftware.com.
Then the opening keynote by Mark J. Barrenechea, CEO and CTO of OpenText, took place. The keynote was entitled “It’s your Edge: Own It” and focused on the continuous integration between different devices and how everything must now be managed, with IT security as the first port of call. The 10 most important value cases were illustrated, including endpoint security, threat intelligence, forensics, e-discovery, secure cloud collaboration, and eSignature.
After the keynote we attended an interesting talk by Pierson Clair, Associate Managing Director at Kroll. He discussed “What’s New in macOS Security & Forensics” and covered several interesting aspects of macOS investigation, such as extracting and parsing system logging and Unified Logging; processing .FSEventsD; and querying the KnowledgeC.db. More information on this session can be found on Kroll’s website.
At the end of the first day we attended an interesting session by Manfred Hatzesberger, Director of Professional Development and Training at OpenText, dedicated to creating examination and investigative reports and how to write them in an effective way for different audiences and users.
13th November 2019 – Day Three
Day three started with a presentation by James Eichbaum from MSAB, discussing mobile app anatomy. SQLite databases were discussed, with particular attention to understanding the different types of data found within them; how the WAL and SHM files work; and how they may be the key to a successful investigation. A lab was also conducted demonstrating how to manually recover deleted entries from an SMS database.
Then the keynote by Muhi Majzoub, Executive Vice President & Chief Product Officer at OpenText, took place. Various interesting topics were discussed here, and some of the latest solutions from OpenText were introduced, like the latest Tableau TX1 Imager; the integration between the Axcelerate platform and Magellan; and the CoreSignature system for eSignature of documents.
Brad Robin from Belkasoft then took to the stage, for a talk entitled “Modern Encrypted Instant Messenger Investigations: Telegram on Mobile Platforms.” He presented an interesting overview of the Telegram application, including a description of the internal structure of the relevant SQLite databases that an analyst can find on Android and iOS devices.
At the end of the day we attended a round table entitled “Collection and Analysis of Ephemeral Data,” where best practices and tools to interface with ephemeral messaging systems and ’email killers’ were discussed. These messaging and file storage systems have made their way into corporate environments, and consultancies, law firms and solo examiners need to be prepared to collect, verify and analyze these data sources for use in investigations and litigation.
14th November 2019 – Day Four
Day four started with an early session by Lisa Stewart, OpenText’s Manager of EnCase Training, entitled “The Value of Link Files in Forensic Investigations”. The presentation looked at LNK files in Windows and how they may assist in identifying the media used, and the files and folders currently or once residing within the computer system.
The closing keynote was presented by James Clapper, the former US Director of National Intelligence, discussing cyber threat intelligence and digital investigations.
Aside from the talks, we also visited the Expo Hall where OpenText and all the sponsors presented their new products.
Some of these included:
- OpenText™ EnCase Forensic features time-saving workflows and updates to indexing and search for improved performance and reliability. Collection of Microsoft OST artifacts is included, and users can now also parse and browse the Apple File System (APFS) snapshot to allow discovery of modified and deleted data.
- OpenText™ Tableau Forensic Imager (TX1) provides the ability to pause and resume any forensic imaging job, even after a power cycle.
- Reveille Software, a go-to solution for watching, visualizing, managing, and protecting enterprise content management platforms.
- Webroot, providing multi-vector protection for endpoints and networks and threat intelligence services to protect businesses and individuals.
The next Enfuse conference will be held in Las Vegas from the 29th of September to the 1st of October 2020, in conjunction with OpenText Enterprise World. Anyone interested in attending should consult the official website for details.