Crimes Against Children Conference
Computer Lab Descriptions
Advanced Website Investigations
Michael Geraghty

As the distribution of child pornography continues to increase via commercial for-profit web services, this lab will provide students with a strong foundation in some of the investigative techniques and methodologies that may be employed when investigating such sites. Students will be tasked with investigating a live website with the goal of identifying the owner and location of the site. Topics that will be covered include web site creation and hosting; Hypertext Markup Language (HTML); the Domain Name System; JavaScript and ActiveX controls; and redirection.

Cell Phone Forensics
Laura Wagner
Keith Daniels

In most current cases, at least one cell phone is obtained from which data needs to be recovered. This block will cover the issues and tools that need to be considered when building a mobile device data recovery toolkit. The topics that will be covered include proper handling and seizure of cell phones, the positive and negative aspects of current mobile device data recovery tools, and a hands-on exercise using one of the field triage tools. The investigator can leave this class with a clear-cut understanding of the issues involved in handling mobile device data recovery and a broad knowledge of which tools to start with in building their toolkit.

Conducting Undercover Chat Room Investigations
Mike Sullivan
Michael W. Bruns

This lab session will look at the use of the chat clients mIRC and AOL, and the logging software necessary to document the undercover chats for court presentation.

Creating Your Own MySpace Page
Shing Khor

With more than 110 million active users, MySpace can serve as an integral tool for online investigations. This workshop is an overview of the MySpace page creation process and an introduction to the site's features.

eP2P: The FBI's Peer to Peer Investigative Tool
Jacqueline Dougher
Brooke Donahue
Michael Gordon
This block will discuss how the eP2P software works, including an explanation of the software components and tools, and a review of the evidence folder and its contents.

Field Search
Greg Brown
Tim West
About 70 percent of all sex offenders are placed on probation nationwide, and most have access to the Internet. The management and monitoring of sex offenders' computer use is important for many reasons. First, it can alert authorities to a new crime such as possession of child pornography. Second, it can provide proper supervision and containment of the offenders by reinforcing treatment prohibitions against access to sexual material and by reducing community risk by increasing the offender's perception of containment. Lastly, monitoring computer use is essential to help the treatment agency understand the offender. Conducting an examination of the offender's computer early in supervision provides the officer and the treatment agency with valuable information regarding the offender's sexual interest and intensity. Therefore, effective management of the offender's computer use requires a thorough understanding of what to look for and how to find it. To assist community corrections agencies in this effort, the National Law Enforcement and Corrections Technology Center-Rocky Mountain (NLECTC-Rocky Mountain) created Field Search software. The Center developed Field Search for use by agencies as part of an overall strategy to gather computer use information to diagnose, treat, monitor, and manage the sex offender in the community. Field Search is designed specifically to help nontechnical law enforcement officers and probation and parole officers quickly and efficiently search an offender's computer and create a detailed report of their findings.

It should be noted that Field Search is NOT a forensic software application. It is designed as a fast and user-friendly investigation and management tool for field agents not trained in computer forensics. This software is provided free of charge to law enforcement agencies and community corrections agencies. However, Field Search should be approved for use and supported by your agency's policies and procedures before it is used in the field. For more information on Field Search 3.0, released 5/12/08, go to www.KBsolutions.com.

The Field Search Computer Labs are available only to Criminal Justice.

Image Scan v. 3.0
Rod Gregg
John Pettus
Image Scan 3 is a system developed by the FBI CART Unix Program for child exploitation field investigators to accurately view a variety of graphics and movie files on a subject’s computer. Image Scan 3 allows access to all Windows and Unix platforms and Intel-based Macintosh (Apple) platforms. This version has a new and improved graphic user interface that previous users will appreciate. Image Scan uses a customized Linux boot CD system in conjunction with a USB device that allows investigators to access files on a subject’s computer while making absolutely no changes. As used for consent searches, this system maintains the forensic integrity of the computer viewed for subsequent forensic examination in a lab environment. Since 2003, the Image Scan system has been offered to all US law enforcement agencies. The NTRCFL, in conjunction with the FBI CART Unix Program, designed and developed the training curriculum for Image Scan versions 1 - 3. A number of FBI Special Agents have already been trained and are using Image Scan on consent searches across the United States. All components needed to run Image Scan are provided, including the USB device, Boot CD and training manual. A practical examination completes the training.

Email Investigations
Keith Lockhart
Rob Maddox

Email is one of the most significant sources of evidence in the vast majority of today's forensic and eDiscovery investigations, and yet most forensic tools do a fairly poor job of dealing with it. Many corporate and forensic investigators have had to go outside the industry entirely to find email analysis tools that can sufficiently handle the most common corporate email servers and formats, including Exchange and Lotus Notes. This lab will introduce AccessData's new technological approach to tackle these issues and deliver true enterprise-class email investigative capabilities. The lab will pay particular attention to the analysis of email using FTK 2, focusing on filtering, sorting, bookmarking and reporting of data found in a variety of popular corporate and personal email clients in use today.

Internet Registry Artifacts
Keith Lockhart
Rob Maddox

The session provides students with the knowledge and skills necessary to conduct an effective Internet-based investigation of the Microsoft Windows registry. This advanced, hands-on intensive course is intended for Forensic Investigators and Law Enforcement Personnel who desire a greater understanding of the collection and analysis of Internet trace evidence. Attendees will also learn the steps necessary for processing Internet-related trace evidence from computers running Internet Explorer (Version 7). Through the interoperability of FTK and PRTK, students will identify the files and techniques needed to successfully decrypt the Windows DPAPI encryption behind which Internet Explorer (V7) trace evidence is protected.

IRC Investigations
Joseph Rampolla
1st half of lab: introduction to IRC / history / criminal investigation techniques
2nd half: advanced topics - hands on - creating undercover identities - getting hands dirty.

Some of the most dangerous child abusers use one of the oldest methods of chat, which has its origins in the beginning of the Internet - Internet Relay Chat (IRC). Through my research and investigations, advocates of child abuse and torture find sanctuary in IRC since law enforcement personnel do not focus heavily on this chat medium. My presentations will focus on several key points:

* Basic understanding of IRC chat
* Tracing criminals through IRC
* Effective methods of Criminal Investigations
* Undercover IRC methods - which include obfuscation of an undercover's IP address
* Advanced IRC commands that can localize an investigation (since IRC is a global network)
* Tips and tricks on documenting your investigation
* How to create logging capability with IRC
* Discussions on infiltrating a perv network
* Hands on Lab experience to create an undercover identity.
* Students will learn all the necessary commands to preserve evidence.
* Learn how the pedo subculture operates and what rules they follow in this secret world

Introduction to Second Life
Joseph Rampolla
Second Life, the virtual world created by Linden Labs, is growing every day. It is not a video game but a virtual world that parallels our real lives (1st Life). Facebook and YouTube rule young kids’ lives, but Second Life is possibly the newest, biggest threat that teens will be facing. When the video game Grand Theft Auto - San Andreas Fault first came out, parents were outraged at the adult content, which caused quite a controversy. Second Life is much worse, and the most frightening thing about it for kids is that it is live (in real time). The characters are real people from all walks of life. Real people who have created avatars are controlling them. The presentation will take the audience deep into the world of Second Life and show you things that Linden Labs does not want you to see. Rape, torture, bondage, and toilet sex are just a few of the sickening things that young kids can be exposed to. We will take a perverted adventure into this world. Some users are creating child avatars which can virtually interact with adult ones. This in itself creates a slippery slope, especially for people that are attracted to child molestation and abuse. Since Second Life is based on an open-source concept, users can create their own buildings and devices, limited only by one’s imagination. Even Linden Labs cannot predict where or how this world will change in the future. Law enforcement and child advocates should be concerned and alarmed at how this virtual life will affect kids and the predators who prey upon them. This lab will get the user into SL and teach tips & tricks on how to take the fast track around this growing world.

Mac Analysis
Keith Lockhart
Rob Maddox

The Macintosh platform continues to gain in popularity and market share. This has increased the likelihood of forensic investigators accustomed to Windows-based computers encountering a Mac. This presentation will provide the experienced Windows forensic investigator with a broad approach to the acquisition and analysis of Macintosh computers. Attendees will leave with information on some acquisition options and with information enabling them to identify the most common areas in which evidence may be located in the OS X environment.

Microsoft XBox Forensics
Chris Ard
Jim Moeller

The Xbox and Xbox 360 enjoy a place in the hierarchy of gaming consoles that are becoming almost commonplace in our homes.  These technologies have the potential to house information that may be pivotal to an investigation and must be handled in the same way.  This session will introduce investigators to the Xbox, Xbox 360 and the Live! Service and then explore some of the investigative techniques that must be employed to conduct a successful investigation of this technology.

MySpace Investigations
Mike Duffey
Participants will be given a brief history of Social Networking. Hands-on exercises will entail setting up a “MySpace account” along with how to utilize Social Networking Sites as an investigative tool. Emphasis will be placed on traversing “MySpace” for potential information relating to a citizen complaint or a current investigation. Other areas covered will include the type of information MySpace retains, i.e. logs, profiles, photos, instant messaging, adding friends and search restrictions based on the account holder's age. Similar issues with Facebook, Xanga and Bebo will also be addressed.

(The) Online Investigator's Toolbelt
Mike Geraghty
This lab will provide students with hands-on instruction into the use of various tools that are essential in the investigation of online crimes against children.  These tools include operating system utilities, third-party software programs and online sites that assist the investigator in collecting evidence and identifying the offender.

Operation Fairplay
Flint Waters
Randall Huff
Robert Leazenby
You will apply techniques to find high volume offenders with a high likelihood of rescuing children. This block will provide hands-on application involving P2P undercover operations. Attendees will apply techniques discussed in the classroom block (required prerequisite). Attendees will use Grid Sleuth to quickly identify recent offenders by volume and then conduct focused browse / download operations. Training will cover the auto-log functions of Grid Sleuth to improve efficiency and ensure data accuracy.

Using Google, MySpace and the Firefox Browser as Research Tools
Keith Daniels
Laura Wagner
Research is a critical part of all case work. Providing an understanding of tools that can be utilized to effectively conduct research is the goal of this presentation. Google is a very powerful search tool with which information can be whittled down very effectively if Boolean and advanced operators are used. This block will begin by delving into what information can be found using Google and how to most effectively obtain this information. MySpace has become an overarching information source, from which information about suspects, victims and witnesses can be obtained, images and videos can be viewed and connections between people can be made. A basic understanding of social networking websites, what information can be found on MySpace, how to search MySpace and various investigative tools will be covered. Firefox is a powerful web browser that can make the investigative process more powerful and effective. This section will cover the basics of Firefox, how to download Firefox and what extensions can be used to aid in investigations.

Using Screen Capture Software
Tim West

Using the Firefox Browser as an Investigative Tool
Elliot Cohen
This lab will introduce learners to the Firefox web browser and how it can be a valuable tool during online investigations. Technology-facilitated crimes are often linked to Internet activity. Persons engaging in these crimes often leave information on the Internet about who and where they are. Social networking sites have allowed criminals to hide in the open, while limiting access to their information. We often unwittingly expose information about ourselves while online. The use of Firefox can help identify investigative leads that you might have overlooked or not had access to while using Internet Explorer. This lab will discuss some differences between IE and Firefox and briefly show how to smoothly transition from IE to Firefox without losing years' worth of bookmarks, passwords, etc. Finally, this lab will provide learners with ways to enhance the discovery and validation of information developed throughout their investigation through a hands-on experience.

Using the GNU Watch Toolkit
William Wiltse
This course will give investigators a hands-on look at automated P2P tools developed for Operation Fairplay. The first block will demonstrate how high numbers of leads are currently being generated in P2P undercover operations using 'Peer Spectre'. Investigators will then learn how to use the automated tool 'GnuWatch' to download leads in their own jurisdiction and establish probable cause with minimal effort. Other topics include educating prosecutors on automated P2P tools and tips for testifying. This is an advanced session. Attendees must have already attended the Operation Fairplay Lab or been previously trained in 'Peer Precision' through Wyoming DCI.

Vista Artifact Decryption
Keith Lockhart
Rob Maddox

In this hands-on computer lab, attendees will get up to speed on the analysis and decryption of Vista artifacts, including BitLocker recovery and Internet Explorer 7 artifact decryption.

Who Did It? Pinning Down the Offender when Possession of the Computer is Unclear
Jim Fottrell
This presentation will provide an overview of the computer forensic evidence used to establish who is using the computer to commit child exploitation offenses. In many prosecutions, the defense will raise the "Some Other Dude Did It" (SODDI) defense. In other cases, it may be necessary to identify a particular user when computer access is shared by different people. This presentation will highlight forensic evidence contained in the seized computer to demonstrate that the defendant is the person using the computer at relevant times charged in the indictment. The presentation will cover topics including web browsing activity, the Windows registry, system restore points, email, thumbs.db files, recent and link files, timeline charts, and other digital evidence used to identify the user of the computer. Hands-on lab sessions will be provided to further illustrate these topics.

Windows Forensics Gems: Windows XP
Chris Ard
Jim Moeller

This session will provide students with an understanding of the forensic approaches to the Windows XP operating system. Topics focus on potential evidentiary data such as log files, the Windows registry, system restore points, EFS, USB storage device analysis, Prefetch, and file system analysis.

Windows Forensic Gems: Windows Vista
Chris Ard
Jim Moeller
This session will provide students with an understanding of the forensic implications of the Windows Vista operating system. Topics focus on items such as BitLocker Full Volume Encryption, Volume Shadow Copy, Thumbcache, Recycle Bin, Event Logging, Transactional NTFS, Transactional Registry, File System and Registry Virtualization, and Windows Search artifacts.

Web Hosting Companies