Adobe Photoshop, Digital Imaging and Law Enforcement
John Penn
Adobe Systems scientist & solutions architect, John Penn II, will be showing to Law Enforcement many brand new Photoshop and other new Adobe technologies and techniques. All new technologies that are a part of Photoshop Extended CS5 and their effects on law enforcement will be covered. Techniques valuable in ICAC and other law enforcement investigations will be demonstrated. It will provide law enforcement with a balanced understanding of the benefits and costs of digital evidence in their cases. Techniques that can be used by criminals to protect themselves from law enforcement will be addressed. Attendees of previous years sessions will find all new information. Law enforcement attendees will be provided access to law enforcement only training resources.
Cellular Phone Investigations and Field Tools
James Williams & Lauren Wagner/SEARCH
This workshop will introduce students to cellular devices and discuss the many aspects that cellular devices have on investigations. Seizure and examination of devices will also be discussed as well as an overview of field tools used for data extraction. Students will complete hands-on exercises and the use of field tools to extract data from cellular devices.
Collaborative Forensics using FTK (Part 1 & 2)
Nick Drehel/Access Data
This computer lab session will show participates how to utilize the power of FTK Lab in a collaborative environment. Participates will work together as a team to analysis, bookmark, and report on a single case. Students will be exposed to the Lab GUI interface as well as the web-based review functionality.
CPS - Child Protection System
Mitchell Nixon & Bill Wiltse
This lab training will provide investigators with the latest innovations in undercover Peer-to-Peer operations. This free system represents a major change in how law enforcement can easily locate offenders in their jurisdiction, monitor the offender locally and conduct a digital undercover investigation. Leads are no longer relegated only to suspects operating on the Gnutella network. CPS pools criminal data from a variety of other sources such as IRC, Ares, Open FastTrack, eDonkey and Gigatribe. If you are working P2P investigations make sure you don’t miss this major advance in online investigations!
Decryption Strategies (Part 1 & 2)
Nick Drehel/Access Data
This computer lab session will provide the knowledge to participates to prepare a strategy to attack encryption on computer systems such as BitLocker, Microsoft® Office encryption, Microsoft® EFS encryption, and Intelliforms in the NTUSER.dat file.
Facebook: From the Ground Up
Mike Duffey
This class is designed for those individuals who are not familiar with Facebook or only use Facebook for personal use and don’t know what’s available with legal process. This hands-on lab class will begin with creating a Facebook page and progress towards configuring privacy setting. Information in this lab will benefit students who are using Facebook proactively (to back stop and undercover identity), reactively or for personal use. Students will be provided with various tools, which will help them gather additional information on their suspects, not to mention themselves.
FBI eP2P (Part 1 & 2)
Joe Ahmed
Jeff Rich
Students will be provided a basic overview of peer-to-peer networks and how they work, and will discuss how the eP2P system works, including an explanation of the components within the tools, and evidence created by the components of the tool. Students should have a basic knowledge of peer-to-peer networks prior to attending class. Students will engage in hands on exercises to learn how to use eP2P, best case practices and use of the tool.
Forensic Scan (Part 1 & 2)
Steve Anders
Mike Harmony
Tom Heflin
Randy Smith
This computer lab will train attendees on Forensic Scan an on-scene forensic tool for rapid evidence discovery triage and reporting. This hands-on training will provide the investigator with free software to quickly examine the hard drives of suspects. The tools will find previously identified child sexual abuse material by hash value for quick reporting and will then allow the investigator to review other material based on the likelihood of finding locally produced movies and images of child sexual abuse. The software uses new innovations including flesh detection; pattern recognition and proximity reference to quickly reveal images likely to allow the rescue of a local child victim. Attendees will be licensed to use the software at the end of the course.
Google and Firefox as Investigative Tools
Tim Lott
Lauren Wagner
This computer lab will teach students how to effectively use Google and Mozilla Firefox as investigative tools. Students will complete hands-on exercises using Google Advanced Operators as well as Firefox add-ons.
ICAC Roundup for Investigators (Part 1-6 over 1.5 days)
Dennis Carry
Robert Erdely
Michael Hill
David Peifer
This computer lab training is open to state, local and federal law enforcement investigators who are members of a Regional ICAC Task Force or Affiliate Agency. This course is designed for experienced P2P investigators and is open to those who have attended previous P2P classes. It will build on past training and experience. The course will provide advanced information about P2P networks and will introduce students to the latest tools and investigative techniques designed to improve P2P investigations. At the conclusion of the class, the students will have a strong working knowledge of these tools and be able to efficiently identify offenders, gather evidence to make strong cases. Students will also be instructed about the importance of and methods available to contribute investigative leads to other investigators. **Pre-requisite: Students must have already attended a P2P class.
To register for ICAC Roundup for Investigators, go to this link.
Image Scan (Part 1 & 2)
John Pettus
Chris Pyryt
ImageScan is a joint project of the FBI Computer Analysis Response Team (CART) and the Regional Computer Forensics Laboratory (RCFL) Program. CART developed the ImageScan system to help investigators locate the presence of picture and movie files that may contain contraband on a computer in a forensically sound manner that doesn’t alter possible evidence. All materials necessary for using this tool will be provided to attendees of the ImageScan class.
Internet Artifacts (Part 1 & 2)
Nick Drehel/Access Data
This computer lab session will provide the knowledge to recover forensic information from Internet Artifacts, such as Internet Explorer 7, Yahoo! Instant Messenger, Windows Live Messenger, Skype, Safari, and Firefox.
iPhone Seizure and Analysis (Part 1 & 2)
Don Brister
Drew Fahey
The purpose of this lab training is to truly support the forensic examiner who runs across iPhones, iPads and iPod Touch devices in the field and in a lab setting. Starting from the history of the current processes, showing the pros and cons, building to the developmental process that BlackBag follows for its exams today. There will be hands on for the students to learn the tools and processes. Going through each step as they pertain to the capturing and analysis of the device data. The session will feature a hands-on scenario based instructor lead training to support the learning process. Here the student will run a case through its paces.
IRC Investigations (Parts 1 - 3)
Joe Rampolla
Mike Sullivan
This lab will be conducted in three parts. Part One will be an introduction into IRC; its history; nature of criminal investigations. Part Two and Three will include advanced topics, hands on exercises, creating undercover identities, etc, Some of the most dangerous child abusers use one of the oldest methods of chat that has origins since the beginning of the Internet - Internet Relay Chat (IRC). Based on research and investigations, advocates of child abuse and torture find sanctuary in IRC since law enforcement personnel do not focus heavily in this chat medium. This presentation will focus on several key points:
• Basic understanding of IRC chat
• Tracing criminals through IRC
• Effective methods of Criminal Investigations
• Undercover IRC methods - which include obfuscation of an undercover's IP address
• Advanced IRC commands that can localize an investigation (since IRC is a global network)
• Tips and tricks on documenting your investigation
• How to create logging capability with IRC
• Discussions on infiltrating an offender network and illegal Fserve filesharing
Internet Relay Chat/Undercover Persona
Kevin Laws
This lab will provide a basic overview of IRC to include navagation and the logging function of the IRC client (mIRC). Alos addressed will be building you IRC undercover persona, introduction to the various chat rooms dedicated to the sexual exploitation of children. The presenter will provide tips about chatting and building your investigation based on experience as well as suggestions for court presentation to include presenting your evidence and jury considerations.
Investigative USB Apps
James Williams
Lauren Wagner
This computer lab will teach students how to download, install and use portable apps as an investigative tool. Firefox and related add-ons, Open Office, and other programs will be covered.
MAC Artifacts
Nick Drehel/Access Data
This computer lab session will provide the knowledge to recover and analyze forensic artifacts from the Macintosh operating system. Participants will learn how to obtain date and time information from Macintosh systems. In addition participants will learn how to recover user artifacts such as Property Lists (plists) and the SQLite databases, and defeat the File Vault, and much more.
Macintosh Analysis for the Windows Forensic Examiner (Part 1 & 2)
Don Briste
Drew Fahey
Are you looking to take care of the Macs you receive into your lab? Do you want to feel more confident that you found everything? Sit in on this computer lab session and learn from seasoned analysts that can set you on the right path! We will teach you Macintosh processes and tools, then go hands-on with a full scenario.
Mapquest – Mapping Your Way to Missing Children
Don Colcolough
This computer lab presentation focuses on the use of web-based mapping services like Mapquest.com and others. More and more often, both child predators and their victims are using these mapping websites in order to locate each other and/or meeting locations. Investigators and prosecutors should explore, comprehend, and integrate this valuable forensic evidence, which may be located on computers and/or networks. This data will benefit both the location of victims and/or the perpetrators who search for these victims online.
mIRC Investigations
Christopher Armstrong
James Williams
This computer lab teaches the new investigator the basics of Internet Relay Chat, focusing on the software set up to install and capture potential evidence. Students will be taught how to set up and implement the chat program MRIC. Additionally, students will be provided with a demonstration of a new investigative IRC tool developed by TLO.
(The) Online Investigator's Toolbox (Part 1 & 2)
Eliott Cohen
This lab will provide a hands-on environment for students to apply basic investigative techniques and strategies when investigating online child. Students will be exposed to web evidence gathering techniques and programs, proper use of your web browsers to enhance the discovery of readily available evidence, website dismantling techniques, wireless networks and sniffers and other third party applications that might help in online investigations. Areas of investigation to be discussed will include augmented reality environments and how they have become a popular social networking medium. Case examples for pit-falls and success when investigating these crimes will be discussed. Participates are encouraged to bring a Flash Drive to obtain an immediate copy of handouts.
Overview of Apple Forensics (Part 1 & 2)
Nathan Mousselli
This computer lab will provide and of Macintosh Computer Forensics. The following issues are among those that will be discussed: basic imaging and examination techniques; Operating system structure including the 'Library' folders; Internet history and plist examination.
(The) Perils and Pitfalls of Social Networking Child Exploitation Investigations
Jim Kilpatrick
James Podboy
This computer lab will present various forensic tools and techniques related to the live and post hoc investigation of crimes committed using different social networking websites. Primary emphasis will be on crimes associated with child exploitation. A basic knowledge of computers and forensic investigations is required.
Recovering Volatile Data (Part 1 & 2)
Christopher Armstrong
David Bishop
This lecture and lab will address the collection of “Volatile Data”, data that Law Enforcement has historically overlooked or ignored. Students will be provided with free software resources they can use to collect and view the Volatile Data or RAM from a running computer.
Registry Artifacts (Part 1 & 2)
Nick Drehel/Access Data
This session will provide the knowledge to conduct forensic investigations on the
Microsoft® Windows® registry. Participants will gain an insight on key areas of the registry that contains information that can be useful during an investigation, such as the SAM file to identify system user accounts, the SYSTEM file to identify computer name, time zone information, USB devices, and wireless network connections, the SECURITY file to identify current and archived system passwords, the SOFTWARE file to identify OS registration information and wireless network connections, the NTUSER.DAT file to identify user activities.
Social Networking - Introduction and Proactive Investigations
Lauren Wagner
James Williams
This workshop will provide students with an overview of social networking websites and how these websites can be useful to investigations. Students will also learn how to set up an investigative social networking account. This workshop will also cover proactive techniques for social networking websites, specifically the “My #1 Friend is a Cop” program, which can be started in the students’ respective jurisdictions. This workshop is designed for beginners.
Social Networking - Investigative Tools, Tips and Techniques (Part 1 & 2)
Lauren Wagner
James Williams
This workshop will teach participants how to effectively search social networking websites (predominately MySpace, Facebook, and Twitter) using Google Advanced Operators. This workshop will also cover techniques on capturing profiles for evidentiary purposes and well as mapping tools for friend networks in both MySpace and Facebook.
SPADA/Knoppix as a Preview Tool
Chris Armstrong
Tim Lott
SPADA/Knoppix is a Linux bases preview tool, which can be used in a forensically sound manner to collect evidence from a computer at a crime scene. This lab will teach the student how to boot a computer into Linux, preview the suspect computer for items of potential evidence, then save the evidence to external storage media, creating a report for prosecution.
Squeezing the Lime – Forensic Analysis of LimeWire 5.x (Part 1 & 2)
Jason Belanger
Soren Christensen
The forensic examination of LimeWire 5.x is explained and tested in this 180 min computer lab. All files containing crucial evidence are described and the sharing statuses of the single files are revealed. The examination will be conducted both “by hand” and by using free parser software provided. The sharing of files in LimeWire 5.x is done on a file level, where previous versions shared on folder level. This gives the forensic examiner a challenge, as to prove what files are shared. This computer lab teaches the examiners to prove these facts, and build a solid case for the prosecution. The lab will also explain the differences in LimeWire 5.1.x – 5.5.x
Technology Easter Eggs
Don Colcolough
This presentation focuses on the hidden aspects of specific software applications commonly used by those who use computers to facilitate crimes against children. Most law enforcement investigators are, however, unaware of this valuable forensic evidence. This presentation is an overview designed to introduce specific concepts, techniques and tools that will lead criminal investigators to valuable digital evidence within seized computers beyond what modern day computer forensic software can uncover.
TLO-LE
Mitchell Nixon
Bill Wiltse
The creator of investigative tools such as AutoTrack, ChoicePoint and Accurint has developed TLO-LE, the next generation of data aggregation tools for law enforcement. Leveraging the world’s largest and most powerful database, TLO-LE allows investigators to quickly find people when critical incidents occur and seconds count. Leads will come to life through the use of mapping software that lets you decide which records are relevant for display. Track a pursuit, reconstruct a crime scene or find a missing child. TLO-LE will change the way law enforcement is done forever. This lab is for sworn law enforcement only."
Tracking Wi-Fi (Wireless) Devices Down to the User (Part 1 & 2)
Steve Branigan
Laptops and smart phones routinely have Wi-Fi capability that allows users to access the Internet via coffee shops; restaurants, hotels and even residences provide Internet access via Wi-Fi. Attendees of this session will learn how to track individuals using Wi-Fi networks to discover individuals accessing illicit content and with tracking stolen Wi-Fi capable devices without monitoring Wi-Fi content.
Usenet Newsgroups (Part 1 & 2)
Beena Annam
Mike Geraghty
This lab will provide students with a combination of lecture and practical hands-on experience on the Usenet Newsgroups. Topics covered will include the technological make-up of the Usenet, the propagation of child sexual abuse images and movies via news servers, as well as, investigative techniques that can be used to combat these crimes. During hands-on exercises, students will install and configure newsgroup client software, access various newsgroup servers, subscribe to newsgroups, read and post articles, and analyze newsgroup message headers.
Wireless Network Investigation (Part 1 & 2)
Christopher Armstrong
David Bishop
This lecture and lab will introduce wireless technology and teach the attendee how to gather pre- search warrant evidence and evidence from the network at the scene. A portion of this topic will be a hands-on lab, setting up wireless routers, along with collecting evidence in the form of data from the router.