Washington, DC - July 6 - 14, 2009
Agenda: The WhatWorks in Forensics and Incident Response Summit 2009
Agenda Overview: Top industry leaders, forensics and incident response professionals, and vendors will discuss the latest strategies and techniques in a series of highly interactive sessions focused on effective incident response and mitigation strategies, core forensic investigative analysis, and criminal prosecution myths, and civil e-Discovery litigation methodologies.
Sunday, July 5
- 3:00pm - 6:00pm
- Pre-Registration for SANS Summit and Courses
- Ballroom Foyer - Ballroom Level
Monday, July 6
- 8:00am - 5:00pm
- Pre-Registration
- 9:00am - 5:00pm
- Pre-Summit Course - SEC 526: Advanced Filesystem Recovery and Memory Forensics
- Rob Lee — SANS Institute and Forensic/IR Summit Chair; Lead Author and Editor of sansforensics.wordpress.com
Tuesday, July 7
- 6:30am - 8:00am
- Breakfast Sponsored by AccessData
- Early Registration
- 8:00am - 8:30am
- Welcome and Introduction to the Forensic and Incident Response Summit 2009
- Rob Lee — SANS Institute and Forensic/IR Summit Chair; Lead Author and Editor of sansforensics.wordpress.com
- 8:30am - 9:30am
- Keynote Address: Incident Response and Forensics: Still Speaking Truth to Power - At the 2008 Summit I asked "Are incident responders part of the problem, part of the solution, or somewhere in between? Are we doing what we can, or what we must? Do we make a difference?" At the 2009 Summit I will examine what has happened since October 2008, and try to determine if anyone is listening. If no one is, how can we improve our justification for incident response?
- Richard Bejtlich — Director of Incident Response for General Electric; Author "Real Digital Forensics", "Extrusion Detection: Security Monitoring for Internal Intrusions", and the blog taosecurity.blogspot.com
- 9:30am - 10:30am
- Expert Briefing: Evil or Not? Rapid Confirmation of Compromised Hosts Via Live Incident Response -During this presentation, attendees will learn practical, tried, and true methods to review live incident response information. You will obtain the skillful eye required to quickly confirm or dispel if a system is compromised. Recent case data from PCI credit card breaches as well as the Chinese Advanced Persistent Threat (APT) will be used as samples. Armed with this knowledge, you will excel as an initial responder to any incident.
- Kris Harms — Senior Consultant, Mandiant Inc.
- 10:30am - 10:50am
- Break
- 10:50am - 12:00pm
- User Panel: Essential Incident Response Techniques: Panelists will tell which incident response tools and techniques they regularly use, what worked and what didn't work, and they will share the lessons they learned.
- Ken Bradley — Incident Handler, General Electric GE-CIRT.
- Harlan Carvey — Senior Incident Responder, IBM ISS; Author of "Windows Forensic Analysis" and the blog windowsir.blogspot.com
- Kris Harms — Senior Consultant, Mandiant Inc.
- Dave Hull — Owner, Trusted Signal LLC; Editor and Author of the blog sansforensics.wordpress.com
- Chris Pogue — Senior Security Consultant, Trustwave; Author of "Unix and Linux Forensic Analysis."
- 12:00pm - 1:00pm
- Lunch
- 1:00pm - 1:50pm
- Expert Briefing: Registry Secrets Every Investigator Should Know - While Microsoft posts warnings about the dangers of modifying the Windows Registry in its KnowledgeBase articles, malware authors are making prolific use of this resource to ensure the persistence of their software on compromised systems. The Windows Registry is one of the great untapped resources for analysis; a knowledgeable analyst can locate malware persistence mechanisms and other artifacts, as well as artifacts of user activity and of the use of software and attached devices on the system. This presentation will address the basic structure of the Registry, pertinent keys and values, and extracting data from Windows XP System Restore Points and from unallocated space within Registry hive files.
- Harlan Carvey — Senior Incident Responder, IBM ISS; Author of "Windows Forensic Analysis" and the blog windowsir.blogspot.com
- 1:50pm - 2:50pm
- User Panel: Essential Forensic Tools: Panelists will tell which forensic tools they regularly use, what worked and what didn't work, and they will share the lessons they learned.
- Jesse Kornblum — Senior Forensic Scientist, ManTech International Corporation
- Troy Larson — Senior Forensic Investigator, Microsoft's IT Security Group
- Mark McKinnon — Owner of RedWolf Computer Forensics; Author of the blog cfed-ttf.blogspot.com
- Jess Garcia — CEO, One eSecurity
- 2:50pm - 3:10pm
- Break
- 3:10pm - 4:30pm
- Expert Briefing: Memory Forensics and Analysis - The memory in today's business desktops is now larger than the hard drives that were in systems just a few years ago. Traditionally, forensic analysis has meant taking an image of the hard drive and sifting through files. This is only half of the story and can no longer be considered sufficient. Attackers are writing less to disk and hiding more in the ample memory users now enjoy. Memory analysis, once a niche function performed by only the most advanced forensic investigators, is now mainstream and common in professional investigations. Tools have been written to make memory analysis as easy for the investigator as hard drive analysis, if not easier, and in a fraction of the time. In this talk, we will show you how to quickly identify suspicious things in memory without having to be a reverse engineer. This talk will feature research, use cases, and real world examples.
- Jamie Butler — Director of Product Development, Mandiant Inc.; Author of "Rootkits: Subverting the Windows Kernel"
- Peter Silberman — Development Engineer, Mandiant Inc.; Author of M-unition - blog.mandiant.com
- Expert Briefing: Registry Analysis and Memory Forensics, Together at Last - The Windows registry can be a gold mine of information for a forensic analyst. Similarly, memory analysis can be a source of critical data, allowing an investigator to reap the benefits of live analysis with a higher degree of repeatability and integrity. New tools have recently become available that allow us to combine these two crucial data sources and extract registry information directly from memory dumps. In this talk, I'll show how you can use these tools to find passwords, uncover evidence of malware, get information about physical media like USB keys, and make your incident response more effective.
- Brendan Dolan-Gavitt — Researcher and PhD student at the Georgia Institute of Technology's Information Security Center; Author of the blog moyix.blogspot.com
- 4:30pm - 5:30pm
- User Panel - WhatWorks in Forensics and Incident Response
- Ray Espinoza — eBay
- Sterling Bryan — Federal Bureau of Prisons
- 5:30pm - 7:30pm
- Reception Sponsored by ISFCE - Stop by the Decatur Foyer just outside Summit Ballroom for drinks and hors d’oeuvres after the Summit.
- 7:30pm - 8:30pm
- Live Cyberspeak Podcast - CyberSpeak (cyberspeak.libsyn.com) is your computer forensics, computer security, and computer crime podcast. Join Bret and Ovie for a session of Cyberspeak podcast recorded live from the Forensic Summit 2009.
- Ovie Carroll — co-host Cyberspeak podcast
- Bret Padres — co-host Cyberspeak podcast
Wednesday, July 8
- 7:00am - 8:30am
- Breakfast Sponsored by Guidance Software
- Registration
- 8:30am - 9:30am
- Keynote Address: Law Enforcement Trends and the Future of Computer Forensics and Incident Response - Delivered from the unique position of seeing computer forensics from the law enforcement and prosecution perspective, at the state, federal, national, and global level.
- Ovie Carroll — Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS)
- 9:30am - 10:15am
- Expert Briefing: Law Enforcement Case Studies: How is digital evidence changing the way police and prosecutors do their job? - What are the challenges they face on a daily basis relating to digital evidence? How has the definition of "cyber crime" changed over the years? How is law enforcement using digital evidence to secure convictions? All of these questions and more will be answered during this session. Attendees will see and hear how digital evidence has and will continue to change the manner that criminal investigations are conducted. This will be an interactive session, and attendees are encouraged to bring their questions.
- Chris Kelly — Assistant Attorney General, Cybercrime Division, Commonwealth of Massachusetts
- 10:15am - 10:30am
- Break
- 10:30am - 12:00pm
- Panel: Working with Law Enforcement - Panelists will tell you the challenges faced by law enforcement, the tools and techniques that law enforcement use, what works and what doesn't work, and share their lessons learned.
- Andrew Bonillo — Special Agent, United States Secret Service
- Richard Brittson — Detective, New York City Police Department, Retired
- Ovie Carroll — Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS)
- Chris Kelly — Assistant Attorney General, Cybercrime Division, Commonwealth of Massachusetts
- Jennifer Kolde — Computer Scientist with the FBI San Diego Division's National Security Cyber Squad
- Cindy Murphy — Detective, City of Madison, WI Police Department
- Ken Privette — Special Agent in Charge of Digital Evidence Services, United States Postal Service Office of Inspector General
- Paul J. Vitchock — Special Agent, Federal Bureau of Investigation, Washington Field Office
- Elizabeth Whitney — Forensic Computer Examiner, City-County Bureau of Identification, Raleigh, NC
- Joshua Black — Deputy Director, Defense Cyber Investigations Training Academy, Linthicum, MD
- 12:00pm - 1:00pm
- Lunch
- 1:00pm - 1:45pm
- Expert Briefing: Forensics in the Courtroom - This presentation describes some current issues facing forensics examiners in the courtroom. Specifically, the focus of the presentation is on key evidentiary approaches which may result in evidence being denied admission to the courtroom in both civil and criminal cases. The presentation talks about being admitted as an expert, chain of custody, privacy, and current cases in 2008 which involved digital forensics evidence based on research with Tom Lonardo, J.D. of Roger Williams University. Additionally, the presentation introduces licensure vs. expert witnesses in the context of the recent movement by certain states towards requiring private investigator licenses for digital forensics examiners.
- Dr. Doug White — Director, FANS laboratory at Roger Williams University; President of Secure Technology, LLC.; ISFCE Representative
- 1:45pm - 3:15pm
- Panel: Forensic Challenges from the Court Room - Panelists will tell you the challenges faced when preparing for and during courtroom litigation involving computer forensics, incident response, and e-discovery. They will discuss common myths found in the courtroom and the critical steps every investigator must know. They will tell you what works and what doesn't work in and out of the courtroom by sharing the lessons each of them has learned.
- Craig Ball — Attorney and Computer Forensic Expert
- Larry Daniel — Consultant, Guardian Digital Forensics; Talk Forensics Host; Author of Ex Forensis Blog - exforensis.blogspot.com
- Gary Kessler — Associate Professor of Computer & Digital Forensics and Director of the M.S. in Digital Investigation Management, Champlain College
- Dave Kleiman — Computer Forensic, E-Discovery, and Litigation Expert
- Bret Padres — Director, Digital Forensic Laboratory, Stroz Friedberg
- Dr. Doug White — Director, FANS laboratory at Roger Williams University; President of Secure Technology, LLC.; ISFCE Representative
- 3:15pm - 3:30pm
- Break
- 3:30pm - 4:30pm
- Expert Briefing: Mobile Device Forensics Essentials - Forensic examiners are encountering a wide variety of mobile devices in criminal and civil cases. These devices can contain details about who was doing what, where and when, making them a powerful source of digital evidence. At the same time, new methods and tools for acquiring and analyzing mobile devices are emerging, including remote acquisition and physical memory analysis. Forensic practitioners need an understanding of these new tools and techniques, and the types of evidence that can be recovered from mobile devices. This presentation demonstrates the strengths and limitations of powerful new tools and techniques used to acquire and analyze data from mobile devices, including Flasher boxes and specialized data carving utilities. Case examples are used to highlight how data from mobile devices can be useful in digital investigations. Lessons learned from the field are also covered to help practitioners navigate common challenges.
- Eoghan Casey — Author "Handbook of Computer Crime Investigation"; Professor at Johns Hopkins University Information Security Institute
- 4:30pm - 5:30pm
- Solution Provider and Vendor Panel: Hear about strengths and weaknesses of the leading tools, services, and solutions in a format that enables vendors to interact in interesting ways and users to ask the kinds of questions they have always wanted to ask (but never dared).
- Dave Merkel — Mandiant Corp.
- Jim Butterworth — Guidance Software
- Brian Karney — AccessData
- Rich Cummings — HBGary
- Ron Gula — Tenable Security
- Joe Levy — Solera Networks
- 5:30pm - 5:40pm
- Closing - Forensic and Incident Response Summit 2009
Thursday, July 9 - Tuesday, July 14
- 9:00am - 5:00pm Thursday, July 9, 2009 - Monday, July 13, 2009
- Post-Summit Course: SEC408 - Computer Forensic and E-discovery Essentials
- Chad Tilbury — SANS Institute, former Special Agent, Air Force Office of Special Investigations
- 9:00am - 5:00pm Thursday, July 9, 2009 - Tuesday, July 14, 2009
- Post-Summit Course: SEC508 - Computer Forensic and E-discovery Essentials
- 9:00am - 5:00pm Thursday, July 9, 2009 - Monday, July 13, 2009
- Post-Summit Course: SEC606 - Drive and Data Recovery Forensics
- Scott Moulton — Forensic Strategy Services, LLC