EnCase® Webinar Features SANS Lead Instructor Rob Lee

A Triage and Collection Strategy for Time-Sensitive Investigations
November 19 at 11:00 a.m. Pacific

With the average hard drive now one terabyte in size, the explosion of user-created data has produced an overwhelming volume of potential evidence that law-enforcement and corporate investigators spend countless hours examining. Lee will demonstrate a triage and collection strategy that can significantly reduce the amount of digital information you collect, revealing critical evidence faster, including how to:

• Identify the folders and files that often contain key insights
• Triage effectively to reduce the time spent sifting through collected information
• Eliminate backlogs by over 80 percent by efficiently culling case data

Presenters:
• Rob Lee, SANS Digital Forensic Curriculum Lead, the SANS Institute
• Robert Bond, Product Marketing Manager, Forensics, Guidance Software


Click here to register: www.encase.com/conducting-triage



Computer crimes expert to share collection strategy to reveal critical evidence faster

PASADENA, Calif. (November 12, 2014) – Guidance Software, (NASDAQ:GUID), the World Leader in Digital Investigations™, announced a webinar featuring Rob Lee, the curriculum lead and author for digital forensic and incident response training at the SANS Institute and foremost expert in digital computer crimes investigations.


Lee has more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. A graduate of the U.S. Air Force Academy, Lee served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information warfare. Later, he was a member of the Air Force Office of Special Investigations (AFOSI) where he led a team conducting computer crime investigations, incident response, and computer forensics. He also co-authored the book Know Your Enemy, 2nd Edition. Lee earned his MBA from Georgetown University in Washington DC.

Please visit www.encase.com/conducting-triage for more information.

About Guidance Software, Inc.
Guidance Software is recognized worldwide as the industry leader in endpoint investigation solutions for security incident response and forensic analysis. Its EnCase® Enterprise platform, deployed on an estimated 22 million endpoints, is used by more than 70 percent of the Fortune 100, more than 45 percent of the Fortune 500, and numerous government agencies to conduct digital investigations of servers, laptops, desktops and mobile devices. Built on the EnCase Enterprise platform are market-leading cybersecurity, IT help desk, and electronic discovery solutions, EnCase® Cybersecurity, EnCase® Analytics, EnCase® Remote Recovery + and EnCase® eDiscovery. They empower organizations to conduct speedy and thorough security incident response, reveal previously hidden advanced persistent threats or malicious insider activity, recover lost files, perform sensitive data discovery for compliance purposes, and respond to litigation discovery requests. For more information about Guidance Software, visit www.encase.com.

EnCase®, EnScript®, FastBloc®, EnCE®, EnCEP®, Guidance Software™, LinkedReview™, EnPoint™ and Tableau™ are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks and copyrights referenced in this press release are the property of their respective owners.

Guidance Software
Brigitte Engel, 626-229-9191

or

Ross Levanto/Davida Dinerman
MSLGROUP
781-684-0770

GUID-F
# # #


Latest Videos

Quantifying Data Volatility for IoT Forensics With Examples From Contiki OS

Forensic Focus 22nd June 2022 5:00 am

File timestamps are used by forensics practitioners as a fundamental artifact. For example, the creation of user files can show traces of user activity, while system files, like configuration and log files, typically reveal when a program was run. 

Despite timestamps being ubiquitous, the understanding of their exact meaning is mostly overlooked in favor of fully-automated, correlation-based approaches. Existing work for practitioners aims at understanding Windows and is not directly applicable to Unix-like systems. 

In this paper, we review how each layer of the software stack (kernel, file system, libraries, application) influences MACB timestamps on Unix systems such as Linux, OpenBSD, FreeBSD and macOS.

We examine how POSIX specifies the timestamp behavior and propose a framework for automatically profiling OS kernels, user mode libraries and applications, including compliance checks against POSIX.

Our implementation covers four different operating systems, the GIO and Qt library, as well as several user mode applications and is released as open-source.

Based on 187 compliance tests and automated profiling covering common file operations, we found multiple unexpected and non-compliant behaviors, both on common operations and in edge cases.

Furthermore, we provide tables summarizing timestamp behavior aimed to be used by practitioners as a quick-reference.

Learn more: https://dfrws.org/presentation/a-systematic-approach-to-understanding-macb-timestamps-on-unixlike-systems/
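The compliance checks the abstract describes can be illustrated with a small probe: perform one file operation on a fresh file, record which of the A/M/C timestamps moved, and compare that with what POSIX says the operation must mark for update. This is an added example written for this page, not the paper's open-source implementation; it assumes a Linux-style filesystem with nanosecond stat fields and a relatime-style mount (under noatime the "read" row will legitimately show no change).

```python
"""Added example: profile which MACB timestamps a file operation changes and
compare with POSIX (A = access, M = modification, C = status change; B is not
specified by POSIX and is omitted)."""
import os
import tempfile
import time

# Timestamps POSIX requires each operation to mark for update on the file.
POSIX_EXPECTED = {
    "read": {"A"},
    "write": {"M", "C"},
    "chmod": {"C"},
}

def _snapshot(path):
    st = os.stat(path)
    return {"A": st.st_atime_ns, "M": st.st_mtime_ns, "C": st.st_ctime_ns}

def _apply(op, path):
    if op == "read":
        with open(path, "rb") as f:
            f.read()
    elif op == "write":
        with open(path, "ab") as f:
            f.write(b"x")
    elif op == "chmod":
        os.chmod(path, 0o600)
    else:
        raise ValueError(f"unknown operation {op!r}")

def profile_operation(op):
    """Return the set of timestamp fields that `op` actually changed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "probe.txt")
        with open(path, "wb") as f:
            f.write(b"constructed sample content\n")
        # Push A and M two days back so relatime mounts still update atime on
        # read; C is set to "now" by utime itself.
        old = int(time.time()) - 2 * 86400
        os.utime(path, (old, old))
        before = _snapshot(path)
        time.sleep(0.02)  # let a coarse-grained filesystem clock tick
        _apply(op, path)
        after = _snapshot(path)
        return {k for k in before if before[k] != after[k]}

def compliance_report():
    """Map each operation to (observed, expected, compliant?)."""
    obs = {op: profile_operation(op) for op in POSIX_EXPECTED}
    return {op: (obs[op], exp, obs[op] == exp) for op, exp in POSIX_EXPECTED.items()}
```

Run `compliance_report()` and any row whose third element is False is a deviation from POSIX worth recording for the filesystem and mount options under test.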


A Systematic Approach to Understanding MACB Timestamps on Unixlike Systems

Forensic Focus 21st June 2022 5:00 am
