Like so many conferences this year, including some of its smaller chapter events, the High Technology Crime Investigators Association (HTCIA) annual event had to pivot its offerings to a virtual environment. During its week-long event from September 28 to October 2, HTCIA connected attendees, speakers and sponsors through a combination of Crowdcast, Zoom, and a bespoke conference “hub.”
In an effort to cover as many time zones as possible, the single-track conference ran from afternoon well into the evening Eastern time. While we assume the succession of one-hour sessions was designed to allow people to come and go as they pleased, the format — and lack of planned breaks — made it challenging for some attendees to participate.
The conference kicked off on Monday, September 28th with a brief opening statement by Todd Shipley, HTCIA International President. Shipley spoke about the organization’s 35-year mission and function as a worldwide training organization.
For its 2000 corporate, law enforcement, or military investigator members worldwide, this includes the library of online trainings launched just this year, along with local in-person and virtual meetings and webinars — as well as the annual conference planned next year for Phoenix, Arizona.
The state of the industry, and its future
Although her talk came Wednesday, Julie Clegg, founder and CEO of Human-i Intelligence Services Inc., offered a keynote-level overview of “Why we are losing the war against cybercrime” — and what organizations like HTCIA can do to turn the tide.
“We’re more powerful working together than alone,” Clegg said, adding that curiosity has to be directed constructively to be useful and that “radical change” is needed to take control “on the edge of a cybercrime war that we won’t be able to win unless we fundamentally change the way we think.”
For instance, she said, cryptocurrency features in half her firm’s investigations, but most law enforcement officers don’t understand it. Rather than spiral into secrecy and competition, she said, information sharing is about cross-generational mentorship, increasing everyone’s capacity in terms of both investigative and computer skills.
To combat these and other kinds of skills gaps, a number of initiatives have sprung up. We covered several of them in our recent article about training up the next generation, which covered Professor Tobi West’s HTCIA presentation about two initiatives that aim to help girls to get into the industry; and another article about knowledge sharing.
The skills and knowledge needed to share were the subject of “Hacking Your Way Into Security.” Jason Azzarella, a Bechtel incident responder, described some of the key concepts relevant to the field and how to start or switch careers. Interest and curiosity, he said, are key to any role in malware reversing, social engineering, pen testing, or digital forensics.
To get around challenges associated with recruitment, education, and “traps” like impostor syndrome, Azzarella spoke about the importance of finding a mentor — whether you’re a new entrant, or shifting into an entirely new role. Apprenticeship can figure in here too, as can social networking as a way to record your progression through research and CTF participation.
Cloud forensics and investigation
Seven talks covering various aspects of cloud forensic investigations were featured at HTCIA this year, with an emphasis on how the cloud is changing the ways businesses operate — and thus how fraud, employee misconduct, incident response, and intellectual property theft investigations are conducted.
Alex Dow, a SANS Community Instructor of cloud security architecture and operations, echoed many of the points David Cowen raised in his DFRWS-US keynote this year. Dow’s presentation described different types of cloud services and their challenges for investigators, including true chain of custody and forensic tools applied to a software-defined network.
Andy Joyce, a manager with the British Columbia Securities Commission, focused on Amazon Web Services (AWS) as a possible digital crime scene location. He covered the structure and procedure that allows for data preservation and acquisition. Saying that legal advice is needed regarding data location, access and extraction, Joyce added that the actual acquisition process is the same as it is for physical data.
Microsoft 365 and OneDrive were the subjects of talks by Magnet Forensics’ forensic consultant Tarah Melton and Spyder Forensics’ founder Rob Attoe.
Attoe focused on recent updates to Microsoft (formerly Office) 365 and OneDrive forensics, including how the two are linked. Noting that OneDrive is “the personal version of Sharepoint,” Attoe said lots of synchronized data is available through here — though the encrypted OneDrive Personal Vault may require live collection, if the vault is open on a system. He also went through key folders of interest, log file analysis, artifacts of usage that can show culpability and intent, and demo’d Eric Zimmerman’s Registry Explorer.
For her part, Melton spoke more generally about forensics in corporate cloud environments, including Office 365 and a special Microsoft Teams acquisition implementation, GSuite, Box.com, and Slack using Magnet AXIOM Cyber. She went through the particulars of accessing data and a brief product demonstration using a hypothetical case study.
In spite of other forms of messaging and collaboration, email continues to be crucial to many organizations. Arman Gungor talked about forensic investigation of emails whose body and/or metadata have been altered on the server using any email client. Both email and server metadata, user IDs, packet capture, and IMAP commands are all necessary to determine this type of activity. Gungor also highlighted timelines as part of a preservation strategy to acquire and examine emails in context (rather than just a single message of interest).
Echoing Melton’s presentation was John Wilson, chief information security officer (CISO) at Haystack ID, who spoke about emerging data types in ediscovery; the rapid, exponential growth of data volumes in the world; and what it all means for custody and search authority, privacy, compliance, and data integrity. One of his key insights: to keep track of data sources in use by companies, talk to employees of different age groups to find out what they’re using.
Digital Mountain’s president and CEO, Julie Lewis, co-presented with David Dang, senior manager of data discovery solutions, about the kinds of digital evidence retrievable from social networking sites and their smartphone app counterparts. They echoed Wilson in terms of the need to balance the collection and visualization of massive amounts of online data — including location information — with legal and regulatory concerns.
Open source investigative skills
Keith Elliot, a partner and CEO of Reed Research Investigations Limited, recommended “cyber sleuthing” or open source intelligence (OSINT) resources to identify fraud suspects based on clues from a video. His takeaways: it’s important to obtain the information early, properly document a case file, and provide frequent status updates to clients so they know where the data fits under the Rules of Evidence or Civil Procedure (metadata preservation etc.).
OSINT expert Kirby Plessas got even more specific, showing how to identify a fraud network from a single website or email address. She described different kinds of fraudulent sites, which can be examined based on phishing links that redirect to “account verification” or similar sites.
Going through many of the tools she uses to examine / investigate these sites, Plessas also described so-called “bulletproof” sites: ones that can’t be taken down through legal means, either because they’re located in a country without legal reciprocity, or because they’re buried in a legitimate site.
These skills are also valuable when it comes to assessing risk and protecting domestic violence victims from their abusers. Will Baggett, an independent cybersecurity consultant and fraud examiner, spoke about mitigating risks to personal and data security from our own devices.
Referring to the organization Operation Safe Escape, Baggett talked about how survivors of domestic violence can minimize what he called “social leaks,” limiting others’ access to information and devices, including third-party tracking capabilities. A version of this talk is available on YouTube.
Mobile forensics and investigation
Belkasoft founder and CEO Yuri Gubanov took to the virtual stage to present “The Cat and Mouse Game with iOS Forensics.” Various acquisition methods for iOS-based devices in this talk covered iTunes acquisition, picture / media transfer (PTP/MTP) protocols, jailbreaks, agents, and the checkm8 exploit.
In a separate presentation focused on beginners, Belkasoft sales engineer Brad Robin added details about Android OS acquisitions: ADB backup, ODIN mode, MTP/PTP, and agent-based backups among others. He also mentioned the value of understanding different iOS and Android versions, and what features each introduced.
Both Robin and Gubanov talked about the importance of acquiring data using multiple methods. Gubanov said this is important because each method has own limitations; Robin added that a given method — specifically, jailbreaking — could be deemed inadmissible in court.
Going deeper on full iOS file system extractions and the checkm8 and checkra1n methods was Cellebrite’s senior manager of technology and innovation, Ronen Engler. Differentiating between checkra1n’s reliance on jailbreaking and checkm8’s file system extraction, Engler also covered app usage artifacts and their locations, along with comparisons of number of artifacts from each.
Even though default device encryption has rendered advanced methods like JTAG and chipoff extractions less useful nowadays, that doesn’t mean the skill isn’t still needed. RuSoLut’s development team lead Sasha Sheremetov discussed how NAND Flash memory — found “everywhere” from smartphones to IoT and flash storage devices — stores and updates data, as well as what can and cannot be realistically carved from “garbage” blocks and pages (hint: not audio/video) and damaged eMMC chips.
Chip-off forensics was also the subject of a talk by Dusan Kozusnik, CEO of Compelson Labs, makers of MOBILedit. Referring to the 2017 paper “Improving the reliability of chip-off forensic analysis of NAND flash memory,” Kozusnik spoke about how both evidence storage times (owing to backlog) and heating the chip can degrade the data and increase the risk of errors. He additionally spoke about MOBILedit’s performance in tests against leading extraction tools.
In a pre-recorded session, Oxygen Forensics’ director of training, Keith Lockhart, presented “What if an app is not supported?” With only 500-600 apps out of millions supported by tool vendors, a SQLite viewer can be an indispensable tool. Investigators can use it to write queries for data that isn’t “beautified,” Lockhart said, additionally reminding attendees that some app data could remain remote via cloud platforms.
In a different twist on mobile forensics, Kenrick Bagnall, a Detective Constable with the Toronto Police Service (TPS) spoke about SIM swap fraud investigations, their scope and impact. He went through the investigative roadmap for when a person loses phone or account access and/or experiences financial losses.
Wireless and Bluetooth network investigations
Chet Hosmer, a Professor of Practice at the University of Arizona in the Cyber Operations program and founder of Python Forensics, Inc., discussed Bluetooth Low Energy Mesh threats to law enforcement.
Three specific mesh-related threats include passive eavesdropping, man in the middle (MitM) attacks, and criminal communication that rely on the mesh. Hosmer described the need for investigators to understand mesh networks’ legitimate behavior in order to differentiate illegitimate behavior — especially as the internet of things (IoT) goes mainstream.
Belkasoft’s Gubanov presented about wifi connection analysis. Investigative challenges with the most popular wifi standard, 802.11, include different artifact locations and files — both variable in different devices, operating systems, and OS versions.
Moreover, not all sources are trustworthy. Gubanov spoke about the need to collect data from the wireless access point as well as various locations on the Windows OS or mobile device file system, and to corroborate the data, if possible, with the wireless router.
Artificial intelligence and facial recognition
Sgt. Daniel Heltemes, of the Arizona Department of Safety, spoke about how and why facial recognition is being used by law enforcement agencies — chiefly, to assist agencies in identifying unknown subjects, as well as missing and exploited children, for investigations. Both video and still images are used in this effort.
Pointing to what he called misconceptions about facial recognition, Heltemes described how his agency relies on a combination of state statutes, regulation, standards, and written policy when it comes to using facial recognition responsibly. Additionally, he said, it’s used only to generate leads, not come to conclusions, and still requires a trained human examiner to adjudicate images based on what they do or don’t see.
Another pre-recorded talk by Oxygen Forensics’ Lockhart described how artificial intelligence is currently used in digital forensic investigations to cut through backlog by getting through and making sense of large, complex datasets.
In other words, Lockhart said, AI allows an investigator to free their mind of repetitive tasks and instead focus on more subjective investigative tasks, “putting clues together.” Demonstrating Oxygen Forensic Detective, Lockhart talked about image and facial categorization, as well as optical character recognition (OCR).
Geolocation investigation and analysis
As the importance of GPS location data in digital forensic investigations grows, and cybercriminals begin to target mobile GPS data, an “IoT primer” offered by Ross Worden, director at The Crypsis Group, and Anna Chung, a principal researcher at Palo Alto Networks’ Unit 42, might prove instructive.
Worden demonstrated the Kepler open source tool, which helps visualize data and contextualize speed, the full path of a journey, and other data points, making it possible to compare two individual paths, create timelines — and prove or disprove alibis.
On the other hand, Chung said, GPS signals are limited by reflective surfaces and high rise buildings or interiors that can impact GPS satellite signals. Mobile GPS spoofing apps can create false coordinates, she said, while GPS jammers, though illegal, can block signals within a certain radius.
To her observations, in a separate talk, Pier Luigi Putton of SecurCube added the need to correlate call detail records (CDRs) and in depth cell site analysis to geolocate suspects. By mapping base transceiver station (BTS) infrastructure and using tools like SecurCube’s BTS Tracker, it’s possible to understand cellular networks; validate CDR evidence; and even map what Putton called the “broader evidentiary landscape”: CCTV cameras, traffic logs, etc.
Overcoming cybersecurity’s complex challenges
Jeff Hamm, a technical director at Mandiant, spoke about breach detection based on past investigations. In speaking about the forensic analysis of credential harvesting and attacks that targeted crucial systems, Hamm’s lessons included the need for properly timed investigations, secure managed services providers, and inventory control — and overall security culture within every organization, which he said is the industry’s “biggest weakness.”
Domingo Montanaro, co-founder of Ventura Enterprise Risk Management and Ventura Academy, presented a case study of a large-scale cyber attack against a chain of stores in Brazil. This presentation described the threat actors’ entire scheme as well as the postmortem forensics performed on recovered rogue devices, which provided critical counterintelligence.
CybernetIQ’s Joe Cummins led a security-focused discussion about the complex problems of cybersecurity and how teams can find it difficult to mitigate against the evolving threat landscape. A significant noise-to-signal ratio and high false positive rate from an abundance of tools, siloed organizational layers, and other challenges all contribute, Cummins said, to a need for a lightweight risk analysis framework and a simple unified solution for mapping resilience.
Rob Roj, Senior Solutions Architect at Shape Security, zeroed in on app fraud insights. He went in depth on how “click farm” fraudsters deploy credential stuffing, account takeover and fake accounts, and other methods against financial, telco service, retail, and insurance businesses. Because fraudsters exploit communication gaps between a company’s segments, Roj stressed the need for security teams to communicate regularly with fraud teams — before fraud happens.
Computer forensics still factors in the industry
Ilia Lvovski, a Senior Computer Forensic Analyst with the Government of Canada, discussed the “media cache”: a buffer zone used to rewrite data on a Seagate solid state hybrid hard drive. An 80-90 GB separate area on the outer rim of a drive’s platter(s), the media cache stores file system records, temp data, and most recent files. Lvovski demoed ACELabs’ PC3000 Portable for an example of drive recovery that targets the media cache.
Magnet Forensics’ Trey Amick went through some of the forensic artifacts and techniques that are essential for Mac investigations. He compared the new APFS with the previous HFS+ and offered APFS fundamentals, as well as imaging considerations — including T2 encryption — and some crucial artifacts including the KnowledgeC database, Finder MRU, FSevents — what he called a “goldmine of data” like $UsnJrnl — and many others.
Belkasoft’s Gubanov spoke also about how to analyse USB connections on desktops and laptops. Still used to steal data and infect devices with malware, USBs leave artifacts behind in the Windows Registry, event logs, and memory as well as (potentially) prefetch and jumplist files. However, not all of those artifacts are reliable, so Gubanov stressed the importance of corroborating them with other system files and creating timelines.
Video forensic evidence
Brandon Wahl’s session on common errors in interpreting video evidence focused on prosecutors’ need to be able to play videos in court: as “the silent witness,” video purports to capture exactly what happened. However, it’s a mistake to assume video is accurate 100% of the time. Wahl described a variety of challenges including decoding, compression, frame rate variances, and much more — all of which can affect a viewer’s perceptions.
Chet Hosmer returned to speak about “deep fake” forensics. An update from his talk at the Techno Security & Digital Investigations conference in June 2019, this presentation covered the ways in which machine learning can be used to identify the alteration of images. Although they can also result in false positives and negatives, he said, they can also improve over time through additional training.
Legal and courtroom issues
Haystack’s John Wilson returned with a high-level presentation on walking the line between privacy and security. Calling the enactment of various privacy laws a “big shift” in recent years, Wilson said privacy as a concept continues to evolve as organizations collect more data — and are more interconnected than ever. Wilson argued for an approach that integrates privacy and security for true resilience.
Brian M. Chase, an attorney at ArcherHall, discussed the Fourth and Fifth Amendments to the U.S. Constitution, as well as relevant case law applied to digital data. As search warrants are required for more and more searches, he said, various exceptions will come under greater scrutiny. While both attorneys and judges continue to struggle to apply these issues, their guidance is still necessary and should be sought on every case.
Mary Mara and Henry McGowan spoke about legal concepts when it comes to seizing, searching, and analyzing unmanned aerial vehicle (UAV, or drone) data. With miniaturized cameras that can be linked to facial recognition and other AI technologies, UAVs’ surveillance range is much greater than traditional aircraft used to surveil private property. Thus Fourth Amendment protections may change, Mara and McGowan argued, and require more guidance.
Actually communicating digital evidence so that attorneys can understand it, of course, is part of this. Steve Whalen, Product Officer and co-founder of SUMURI, discussed the need to “think about who it is we’re serving,” he said, when it comes to forensic reporting. Rather than rely on bookmarks in tools that take events out of order, Whalen said, examiners should use artifacts’ timestamps to create understandable timelines.
An example came from Jeff Shackelford, Product Manager and Digital Forensics Specialist for PassMark Software, who spoke about creating virtual machines from forensic images for courtroom presentation. By booting an image on a VM, he said, it becomes possible to recreate and examine the live environment through the suspect’s eyes. Not only does this allow deeper analysis and the potential discovery of additional artifacts; it also supplements a standard forensic report, bringing testimony to life with visual aids such as jumplist artifacts, URL page settings, and in-app search history.
The 2021 HTCIA International Conference & Expo is planned for late September in Phoenix, Arizona. Learn more at the conference website.