2011 Computer Labs

Advanced Gigatribe (Part 1 & 2)
Jeff Rich, Eric Zimmerman
This lab will cover advanced tools to make investigating Gigatribe easier. This class assumes familiarity with Gigatribe. Due to the information that will be presented, this class is limited to law enforcement personnel only.
CPS v.2 - Enhanced Features
Mitchell Nixon, William Wiltse
Designed for currently licensed and experienced peer-to-peer investigators, this course will showcase the newest functionality built into the Child Protection System (CPS). Beyond its updated interface, the new CPS features include target identification by IP range, task-force commander tools, and cutting-edge analytics. This lab is for demonstration only. A current CPS license is not required.
Decryption Techniques
Nick Drehel
This lab will examine cryptographic algorithms and systems commonly encountered during examinations of digital media, and techniques for their successful decryption. Employing the interoperability of the Forensic ToolKit, FTK Imager, Registry Viewer and the Password Recovery ToolKit (PRTK), students will learn the non-linear process of collecting and incorporating user-specific intelligence into their attack methodology.
E-Phex: Automated P2P Investigative Tool, Part 1 & 2
Terry Paddon, Joseph Versace
In this lab investigators will learn how to configure and use E-Phex, an automated tool for Gnutella peer-to-peer investigations. Attendees are required to have already attended a basic peer-to-peer investigative class and have a Roundup and/or TLO license.
Evidence in the CLOUD 
Michael Sullivan
This computer lab will examine how storage in the CLOUD will affect the possession, distribution, and forensic recovery of digital evidence. Using a hands-on model, sites in the CLOUD will be created, populated with data, and the data accessed by multiple viewers. A secondary program will be used to transfer large volumes of data via the CLOUD. 
Facebook and Me
Michael Duffey
This lab is geared towards those individuals who have never used Facebook, or are new to using it. Among the topics that will be covered in this class are setting up the account, and understanding the basic functionality.  Also included will be a discussion of the information that might be available to a law enforcement officer along with how various applications work with your profile and account settings.
Field Triage (Part 1 & 2)
Christopher Armstrong, Timothy Lott
This lecture and lab will address the collection of “volatile data”, data that law enforcement has historically overlooked or ignored. Students will be provided with free software resources they can use to collect and view the volatile data or RAM from a running computer.
ForensicScan (Part 1 & 2)
Michael Harmony, Chauncey Wilder, Terry Wright
This computer lab will train attendees on ForensicScan, an on-scene forensic tool for rapid evidence discovery, triage and reporting. This hands-on training will provide the investigator with free software to quickly examine the hard drives of suspects. The tools will find previously identified child sexual abuse material by hash value for quick reporting and will then allow the investigator to review other material based on the likelihood of finding locally produced movies and images of child sexual abuse. The software uses new innovations, including flesh detection, pattern recognition and proximity reference, to quickly reveal images likely to allow the rescue of a local child victim. Attendees will be licensed to use the software at the end of the course.
Gigawatch: The Future of Gigatribe Investigations
Mitch Nixon, William Wiltse
Designed for currently licensed and experienced peer-to-peer investigators, this course will showcase the newest software tools in the field of Gigatribe investigations. Students will use the Child Protection System (CPS) to identify Gigatribe leads in their jurisdiction and discover the method by which those leads were gathered using GigaWatch. Students will see the newest features such as complete file list capture, real-time chat logging and thumbnail download, target deconfliction, and online email notification. This lab is restricted to law enforcement only and is being held for software demonstration only, not licensing.
Google and Firefox as Investigative Tools
Lauren Wagner, Elizabeth Tow
This computer lab will teach students how to effectively use Google and Mozilla Firefox as investigative tools. Students will complete hands-on exercises using Google Advanced Operators as well as Firefox add-ons.
Google Voice for Undercover Operations
Wayne Nichols
Google Voice is a relatively new and free resource that law enforcement is taking advantage of. It allows users to create a phone number and have the same abilities you would with a regular cell phone.  For undercover operations, Google Voice is essential because you can communicate with a suspect from your computer (or combination of computer and cell phone) and the suspect will never know the difference. Google Voice also makes it simpler to archive all communication versus having to have an undercover cell phone forensically dumped. Attendees of this lab will learn to set up their account(s), manage settings, and receive tips and tricks on how to make the service work best for your undercover operations.
ICAC Roundup for Investigators (Part 1-4, All Day)
Robert Erdely, David Peifer
In this lab students will learn about the Gnutella network and how to find and investigate people sharing child pornography in this network. Attendees are encouraged to have already attended the ICACCOPS for Investigators and Gnutella Basics lecture. You must be a member of an ICAC task force or affiliate to attend this lab.  This lab will require a special registration to verify your eligibility.
ImageScan, Part 1 & 2
Jim Hogg, Chris Pyryt
ImageScan is a joint project of the FBI Computer Analysis Response Team (CART) and the Regional Computer Forensics Laboratory (RCFL) Program. CART developed the ImageScan system to help investigators locate the presence of picture and movie files that may contain contraband on a computer in a forensically sound manner that does not alter possible evidence. All materials necessary for using this tool will be provided to attendees of the ImageScan class.
Internet Artifacts
Nick Drehel
This presentation will introduce students to some common client and user artifacts found in several Internet browsers, instant messaging, and social networking applications.  An examination of Windows system files, and user profiles, will assist in providing students with an understanding of the forensic relevance of the artifacts, and the behavior patterns that generate them.
Introduction to AD Triage
Nick Drehel
This lab introduces participants to the new AD Triage, an on-scene preview and acquisition tool for forensic and non-forensic personnel. Built on FTK technology, AD Triage is ideal for users who are not trained in the use of computer forensics software, but need to preserve evidence in the field.  This lab will demonstrate some of the features of the application, and how it can be beneficial in acquiring volatile and all, or targeted, data from a live or "dead box" system.
Introduction to Cell Phone Investigations and Field Tools
Tim Lott, Lauren Wagner
This workshop, designed for beginners, will introduce students to cellular devices and discuss the many aspects that cellular devices have in investigations.  Seizure and examination of devices will also be discussed, as well as an overview of field tools used for data extraction. Students will complete a hands-on exercise using CelleBrite as a field tool to extract data from cellular devices.
Introduction to Mac Computers
Michael Duffey
This lab instruction is aimed at those individuals who have little or no experience using an Apple computer.  Covered in this block of instruction will be the comparison between the PC world and the Mac world along with using virtual machines on a Mac. Different applications such as iLife, iPhone, iMovie, Photo Booth as well as various Mac hot keys and short cuts will be demonstrated.
Introduction to Mac Forensics
Nick Drehel
This module introduces students to the Macintosh OS X operating system artifacts and file system mechanics, including a brief comparative analysis of Windows-based systems. Students will discuss the Macintosh architecture, HFS(+) based file systems, alternate methods of data acquisition, plist and SQLite artifact processing, email, chat, Internet artifacts related to Safari and Firefox, as well as iPod® and iPhone™ analysis.  Attendees should be conducting computer-related investigations, and be familiar with the AccessData suite of tools.
Introduction to Social Networking
Tim Lott, Lauren Wagner
This workshop will provide students with an overview of social networking websites and how these websites can be useful to investigations. Students will also learn how to set up an investigative social networking account to search for information. This workshop is designed for beginners.
Introduction to Windows 7 Forensics
Nick Drehel
This lab introduces students to the Microsoft® Windows 7® operating system artifacts and file system mechanics. A comparison of consistencies and changes from earlier versions of the OS will be explored. Participants will explore the GUID partition table (GPT) scheme, Jump Lists, User Account Control, Libraries, Home Groups, Solid State Drive, event logs, Virtual Hard Drive support, and Registry artifacts.
Investigative USB Apps
Lauren Wagner, Elizabeth Tow
This computer lab will teach students how to download, install and use portable apps as an investigative tool. Firefox and related add-ons, LightScreen, and other programs will be covered.
iOS Device Seizure and Analysis (Part 1 & 2)
Don Brister, Mark McLaughlin
This computer lab will provide the investigator with detailed information about the seizure, preservation, and data extraction from an iOS device (iPhone, iPod Touch, iPad). The use of BlackBag's iOS investigative tool will be included. As of June 2010, Apple has sold over 100 million units of the iPhone, iPad, and iPod Touch. Additionally, there are over 300,000 applications available for download, proving it imperative that forensic professionals have knowledge to effectively work with these devices as evidence. At the conclusion of this course, the student will be able to identify which model iOS device they are presented with, successfully identify the best way to obtain a forensic image of the device, demonstrate a working knowledge of the important evidentiary files, and demonstrate a proficiency in conducting an investigation using data from an iOS device.
Microsoft Office 2007 Forensics
Chris Ard
Microsoft Office is the most widely used desktop productivity suite of applications. This session will introduce investigators to the digital evidence they hold, and tools and techniques to extract the evidence. Topics include a deep dive into the metadata in Word documents, PowerPoint presentations, and Excel spreadsheets.
mIRC Investigations
Christopher Armstrong, Timothy Lott
This computer lab will teach the new investigator the basics of Internet Relay Chat, focusing on the software set up to install and capture potential evidence.  Students will be taught how to set up and implement the chat program mIRC.
NamUs: Using the National Missing and Unidentified Persons System
Carrie Sutherland, Billy Young  
This computer lab will include a hands-on walkthrough and demonstration of the NamUs system with the ability to enter or edit your own cases.  A NamUs Regional System Administrator (RSS) will guide you through the registration process, as well as the case entry process, and the cross-matching comparison process.  If you have a missing person or unidentified person case that you would like entered into the system, please bring it with you and the RSS will guide you through the process.
osTriage: A Next Generation, On-Scene Preview Tool (Part 1 & 2)
Jeff Rich, Eric Zimmerman
This lab will provide instruction on osTriage, why it was written, how to use it, and what it can do for you. In short, osTriage will quickly find, extract, and display key information from a computer, which will enable you to get a better first interview, conduct a better search, and more. Some of the information extracted includes operating system details, registry details, USB device history, browser history for all major browsers, search engine search terms, cloud storage applications, encryption, P2P and other applications, and passwords. osTriage displays thumbnails of images and videos and categorizes images/videos against a list of over 500,000 SHAs of interest and 300+ keywords. Any contraband can be copied off the target computer with a few clicks.
Recovering the Unrecoverable – Inside NTFS
Chris Ard
This lab will discuss NTFS, one of the longest existing single components of Windows-based computers and yet still one of the least understood features. This session will be a brief introduction to NTFS internals including how data is stored on hard drives, how it is indexed, and how knowledge of NTFS can enhance your recoverability of data from target systems, including times when traditional forensic tools come up short.
Social Networking: Investigative Tools, Tips and Techniques (Part 1 & 2)
Lauren Wagner, Elizabeth Tow
This workshop will teach participants how to effectively search social networking websites (predominately MySpace, Facebook, and Twitter) using Google Advanced Operators. This workshop will also cover techniques on capturing profiles for evidentiary purposes, as well as mapping tools for friend networks in both MySpace and Facebook.
Turbocharge Your Forensic Tools
Andrew Rosen
This lab will include lecture, case study and hands-on training. It will teach attendees how to work faster and more efficiently conducting their work with their existing forensic tools.
Using Google in Your Investigations (Part 1 & 2)    
Miles Rutkowski, Peipei Yu Pollmann
This computer lab will teach law enforcement how to better use Web and Image Search and other Google products to help them in their investigations of reported online child abuse cases.
Using Virtual Machines in an Investigative Capacity
Christopher Armstrong, Timothy Lott
The lab will introduce the concept of the virtual computer environment for testing, research and undercover investigations. Students will set up and install VirtualBox, an open source virtualization software package developed by Sun Microsystems and distributed under the GNU General Public License. The students will then be walked through the process of setting up a virtual environment, before opening an existing instance of Windows XP for testing.
Windows Registry Artifacts
Nick Drehel
This lab will introduce participants to the Windows Registry files, and their forensically significant artifacts. Attendees will gain an understanding of the structure and function of the SAM, System, Software, Security, and NTUSER.DAT files.  Emphasis will be placed on interpreting the values within the files, and what system and user behavior generate the values.
Windows 7 USB Storage Analysis
Chris Ard
Having trouble associating a specific USB device (or SD card, Firewire, PCMCIA or Bluetooth) with a specific Windows based machine? What about an exam that seems to come up empty? Are you sure you are looking at all possible removable media devices? This lab session will answer those questions and more, such as how you can show when a device was first plugged into a machine.
Windows 7 Volume Shadow Copy
Chris Ard
This lab will discuss forensic tools available with Windows 7. Windows Vista introduced the ability to recover previous versions of existing (or deleted) files. Windows 7 has enhanced this capability. For any forensic investigator, knowledge of how to leverage Volume Shadow Copies will be the most useful tool in the Windows tool chest since it allows you to recover files that would otherwise be unrecoverable, including index.dat files, browser history files, old copies of the registry, thumbnail cache files, etc.
Wireless Network Investigations (Part 1 & 2)
Christopher Armstrong, Elizabeth Tow
This lecture and lab will introduce wireless technology and teach the attendee how to gather pre-search warrant evidence and evidence from the network at the scene. A portion of this topic will be a hands-on lab, setting up wireless routers, along with collecting evidence in the form of data from the router.




