High Tech Crime Investigators Conference 2011 Report, Anonymous Promises Retaliation, DigiNotar Dies

The 25th High Technology Investigators Conference was held last week near Palm Springs California last week. Your SANS Forensic blogger attended the event, along with over 500 fellow lethal, and aspiring lethal, forensicators. Information security events like BlackHat, DefCon and RSA drawing thousands. It's more difficult to really get to know one's colleagues at those large events, since many times you never see the same person in two different sessions. But, at an event like HTCIA's, you really get a chance to talk and interact with other forensicators, compare notes on a previous talk, and you can probably sit next to a speakers during a lunch break.

One of the speakers attendees did interact with with The SANS Institute's very own Rob Lee. Rob Lee taught a number of sessions on digital forensic timelines at the conference. During one of the evening breaks, Rob "held court" where this blogger observed fans of the SANS Forensics program talking with Rob and sharing their success stories. The reach and influence of the SANS community is reaching deep into may organizations. Another day of the conference, this blogger even observed a forensicator asking a bald attendee wearing a SANS shirt, "Are you Rob Lee?" He wasn't, but it was great to see the word getting out.

Another SANS Forensic instructor lectured at the event: Scott Moulton. Scott Moulton is one of the leading experts in hard drive forensics. He didn't disappoint at the HTCIA Conference. His seminar on Solid State Drivers (SSD) was standing room only. In the Good Reads/ Good Listens section below, you may hear an interview on SSD forensics, and their unique challenges.

Duncan Monkhouse, President of HTCIA told The SANS Forensic Blog that the conference's goal was "To provide a broad range of training and labs, and still try to keep the event vendor neutral. The conference has 14 forensic lab streams, and seven lecture streams." HTCIA Executive Director Carol Hutchings said there was a 30% increase in attendance versus last year, and the HTCIA expects another sizable increase in next year's conference.

As the information security industry matures, we are really starting to see a bifurcation of events: Huge, well known shows with "Rock Star" speakers and large vendor participation; Smaller events with more of a "small town feel." This year's HTCIA Conference did have a "Rock Star" Keynoter, though, and he really started the show off with a bang. Back in the 80s, Dr. Cifford Stoll worked at a US Government research lab came under a cyber attack. There was not a rule book for the response. Dr. Clifford Stoll was assigned the task, and had to create a response largely on his own. His content and presentation was electrifying. Unlike the dull, but well known keynoters that kicked off most of the other information security conferences this year, Dr. Stoll gave a keynote that made this forensicator WANT to go to the labs and sessions to learn more.

Tools:

• From HTCIACon: For iOS forensicators, The iDevice Physical Imaging Utility. A free tool scheduled for release this month for Government, LE and other forensicators. This tool will conduct physical acquisition of iPhone4, 3GS, iPod Touch 4G, iPad, and "more to follow" (one could assume iOS5). Brute forcing of the iOS password, using the device's own chip, is required to image these devices. According to the company's president, Sean Morrissey, this tool uses this brute forcing technique to crack the password. Sean Morrissey told CyberJungle Radio, "I think imaging tools should be free, it's the analysis software that should cost money, not the imaging tools."

Good Listens / Good Reads:

• From HTCIA Conference: Dr. Clifford Stoles at down with CyberJungle Radio for a far ranging interview on security and digital forensics.

• From HTCIA Conference: Scott Moulton talk with CyberJungle Radio about the unique challenges of doing forensics on solid state drives (SSD). Beware, it's not your father's hard drive.

• CyberJungle Radio's Samantha Stone would love to have a discussion about the oddball psychology behind this promotion drummed up for Toyota by its marketing firm, Saatchi & Saatchi, but she settled for a discussion of the legal questions it raises. Both companies are in court now with Amber Duick, who was terrified by the "prank" they perpetrated, which took the shape of disturbing emails from someone who claimed he was anxious to see Amber "again" ? although she had no idea who he was ? and that he was headed for her house (he had her correct address). By the way, he also said he was running from the law. Bottom line, Amber now has Toyota on the run in the California courts. CyberJungle Radio's Samantha Stone spoke with her attorney, Nicholas Tepper from Tepper Law Firm in Los Angeles. This case has potentially far reaching digital law implications.

• Anti-Forensics: Reliably Erasing Data From Flash-Based Solid State Drives

• This might come in handy in an OS X investigation or audit: Cracking OS X Lion Passwords

News:

• Vehicle Forensics: OnStar Begins Spying On Customers' GPS Location For Profit. And, will provide data to LE

• Hacktivism Incident Response Planning Part I: Anonymous Promises Retaliation for Troy Davis Execution

• Hacktivism Incident Response Planning Part II: Anonymous Declares Sept 24 "Day Of Vengeance" In The US, Plans A "Series Of Cyber Attacks"

• Smartphone Forensics: 'Stingray' Phone Tracker Fuels Constitutional Clash . The ACLU on a related smartphone forensics issue: Cell Phone Location Tracking Public Records Request.

• Reported SSL/TLS flaw, real threat or hype?

• DigiNotar goes belly up from certificate attacks

• Urgent Adobe Flash patch released. One zero-day flaw maybe targeting popular cloud/webmail logins

• Report: Countywide employees used scissors, tape, and Wite-Out to fake bank statements

Levity:

• Windows8 Hack: Take an old HTC UMPC Shift, add free developer edition of Windows8, and you have an interesting tablet with a physical keyboard. See this how-to on the XDADevelopers Site. Amazon seller has the shown used Ultra Mobile PC hardware here.

Events:

• 21st Virus Bulletin International Conference in Barcelona-Spain - October 5 - 7th, 2011
• G Guard Con, organized by InfraGard and GMIS - Carson City Nevada Oct 21st 2011.
• SANS Gulf Region-Dubai, United Arab Emirates - October 8th - 22nd, 2011
• SANS Baltimore 2011- Baltimore, MD - October 9th - October 15th, 2011
• Mandiant's MIRcon-Alexandria, VA - October 11 - 12, 2011
• French Digital Investigation in 2011- Quebec, Canada - October 12 - 14th, 2011
• SANS Chicago- Chicago, IL - October 23rd - 28th, 2011
• 3rd International ICST Conference on Digital Forensics & Cyber Crime (ICDF2C)- Dublin, Ireland - October 26 - 28th, 2011
• TechnoForensics Conference 2011- Myrtle Beach, SC - October 31st - November 1st, 2011
• Paraben Forensic Innovator's Conference-Park City Utah - November 5th-9th 2011

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads@sans.org.

Digital Forensics Case Leads for 22, Sep 2011 was compiled by by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT, CRISC. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.