CTIN Digital Forensic Conference March 24-26, 2014

CTIN14 – The Computer Technology Investigators Network is holding another Digital Forensics and CyberSecurity conference on March 24-26, 2014.

www.ctinconference.org: $350 for 3 days of training and education in digital forensics. Speakers include experts and published authors in the field of digital forensics and cybersecurity.

Topics include: Internet Forensics, Cell Towers, Observation Skills, Mac Forensics, Ethics, E-Discovery, Volume Shadow Services, Data Recovery and more. Door prizes include forensic software suites from various commercial vendors.

Keynote

Don’t Let Your Tools Make You Stupid (Troy Larson)


Other topics

Mac Forensics 101 and 201 (Allison Goodman and Ryan Kubasiak); E-Discovery and International Law and Comparing E-Discovery Software (Amelia Phillips); Anatomy of Banking Trojans (Anna Truss and Paul Padilla); Mobile Device Forensics: Application Analysis Tools and Techniques (Brandon Leatha and Arnold Garcia); Ethics (Brian Muchinsky); Electronic Evidence/ Case Law, Exercising Your Incident Response Plan, and Legal Considerations around Mobile Computing in the Workplace (David Matthews); Mobile Device Forensics (David Stenhouse); Volume Shadow Services (VSS) in Microsoft Operating Systems (Fred Wiechmann); Encryption, Timelines and Jumpbag, and Photography and Dumb Things I Have Done in Court (Gordon Mitchell); Defragging the Defrag (John Cotton); Data Recovery (Beyond the Software), Why The Bad Guys Win, Web Page Reconstruction, Fly Away Kits, and Computer Forensics in the Court Room (Kevin Ripa); An Analysis of Microsoft Event Logs (Michelle Mullinex); C3CM – Defeating the Command, Control, and Communications of Digital Assailants and Understanding Web Application Security Attacks for Investigators (Russ McRee); I Spy With My Little Eye and GPS Technology (Terry Lahman); Digital Forensics and Incident Response/Compromise Investigations (Troy Larson); Potential for Volatile Memory Persistence (Walter Hart)

Please see www.ctinconference.org for more information regarding registration.

For vendor/sponsor possibilities, see Randall Karstetter at [email protected]

For speaking opportunities, please see Vickie Brazil at [email protected]

About CTIN

CTIN has been providing high tech crime fighting training since 1996 in the areas of high-tech security, investigation, and prosecution of high-tech crimes for both private and public sector security and investigative personnel and prosecutors. CTIN is a 501(c) non-profit association.
