by Scar de Courcier
This article is a recap of some of the main highlights from the Techno Security & Forensic Investigation Conference 2018, which took place in Myrtle Beach, SC from the 3rd-6th June 2018.
Under the sunny skies of South Carolina, the digital forensic community got together at the beginning of June this year to discuss topics ranging from international espionage to the admissibility of evidence obtained from the cloud. The conference was split into several streams: audit / risk management; forensics; information security; and investigations. There were also labs run by Cellebrite and Magnet Forensics, and various sponsor demos throughout the conference. The exhibition hall was open at various points throughout the day, allowing attendees to meet representatives from universities, forensics companies and law enforcement agencies and discuss current industry trends.
The first session Forensic Focus attended was conducted by Richard Spradley from Whooster, who discussed how to decode investigative data in real time. Spradley talked about how VoIP and burner phones are the hardest devices to investigate, but there are ways of identifying people using such phone numbers. Often a person will use a burner phone for more than one thing; while they might not use it to call their friends, they may place a personal ad, for example. Geographical identifiers are also important and may be able to give you a back door into a phone, especially if you have a partial name or frequently used alias.
Mark Spencer from Arsenal Consulting then spoke about what happens when things go wrong in a digital forensic investigation, particularly in a high stakes case. Attendees discovered the full story behind the forged digital forensics report which was discussed in our forums last year: a fascinating and definitely high-stakes investigation! The main takeaway? Timelines can lie to you. It is possible, in certain cases, that every timestamp has been forged and there is no ‘hidden’ timestamp that will help you in these situations.
Yulia Samoteykina and Mokosiy from Atola discussed the need for speed in digital investigations, and demonstrated how their new Atola TaskForce tool can help to ease the pain of large-scale investigations. They quoted the results of Forensic Focus’ 2015 survey, specifically the response to the question ‘What is the biggest challenge facing digital forensic investigators today?’
The proliferation of devices and the number of damaged drives investigators are having to look at are both important challenges in digital forensics. It was interesting to see Atola’s latest offering and its ability to address these issues, particularly for cases that require very quick turnaround times.
The keynote address on the second day of the conference was by Roman Yampolskiy, who looked at AI and its implications for the future of cybersecurity. Sticking with the subject of new advances in technology, Jerry Diamond from MSAB discussed drone forensics and some of the unique challenges of extracting data from drones.
Admissibility of evidence from the cloud is something that affects law enforcement agencies around the world, and in the afternoon on Monday a panel session convened to discuss this topic. One of the main areas of concern is that case law is being developed as we go along, so it can be hard to understand what is and what is not allowed to be admitted as evidence. Consent is another issue: if a suspect won’t give you access to their device but their spouse gives you access to the cloud account to which they know the password, will that stand up in court? The consensus seemed to be that it generally would, especially if the cloud account was shared by both parties, but there were questions around exactly what could be gathered from the cloud without compromising investigative integrity.
John Wilson from Discovery Squared presented an interesting talk about investigations involving Bitcoin and other cryptocurrencies. While these are in theory anonymous, it can sometimes be possible to trace a trail and end up with more information than you might have expected.
Abdul Hassan from the International Counter Terrorism Forensics Foundation opened the day on Tuesday with an Early Riser Session about counter terror forensics. International law was a big point for consideration in this session: terrorists know where INTERPOL faces restrictions and they deliberately locate their servers in these territories in an attempt to foil investigations.
Magnet Forensics’ Jessica Hyde then ran an invigorating session about using operating systems, memory and other artifacts to piece together elements of an investigation. There will be a webinar on the subject later this month – watch this space!
After lunch, retired FBI SSA Bob Osgood talked attendees through the investigation into Robert Hanssen, an FBI agent who was also working as a Russian spy. Digital forensics were instrumental in his arrest and eventual conviction: the final nail in the coffin was his PDA, which contained notes in which he’d written the locations of the drop-offs for the Russians.
The final day of the conference began with Amber Schroader from Paraben demonstrating some of the key challenges in smartphone investigation, and how they can be eased with comprehensive investigative procedures and intelligent outsourcing. Wednesday ended with a fascinating session about how deep learning techniques can be used to detect indecent images and videos of children, and some attendees dispersed while others stayed on for the training sessions which were taking place on Thursday.
The next Techno Security & Forensic Investigation conference will take place in Texas in September.