This article is a recap of some of the main highlights from the Techno Security and Forensics Investigations Conference (TSFIC) held in Myrtle Beach, South Carolina, from the 31st of May until the 3rd of June 2015.
The conference began at midday on Sunday 31st of May, with six main strands running throughout the duration of the event. Attendees received a colour-coded programme which allowed them to easily see which of the talks were part of the Audit, Forensics, Information Security, Investigations, Cellebrite Lab or Nuix Lab parts respectively.
The Information Security session by Chris Pogue was one of the talks that introduced the conference. Pogue discussed the recent spike in reported data breaches around the world, and questioned whether more data breaches had actually been happening in recent years, or whether the media were just reporting on them more frequently. One point that was strongly emphasised was the importance of penetration testing in all businesses; paying someone to perform a penetration test will be cheaper than paying out after a breach, Pogue elaborated, adding that it is important for the computer security industry to move towards a more holistic, strategic approach to security planning.
The following talk by David Vargas gave a high-level overview of Tor and how it is used to facilitate cybercrime. Particularly interesting were the case studies of the investigations into Eric Marques, who distributed indecent images of children online, and Dread Pirate Roberts, the former owner and manager of Silk Road.
Oleg Davydov from Oxygen Forensics then went on to demonstrate methods of investigating messaging services on Android devices, with a focus on discovering social connections that are shared between the users of various mobile devices, and how this can be used in an investigation.
Jad Saliba’s talk followed on nicely from this, providing an interesting look into how criminals use anti-forensic methods and how investigators can find evidence that suspects have attempted to hide. Topics covered included how to investigate a machine that is running a VM, and the importance of checking for encryption software when processing a crime scene.
On Monday morning, James Wiebe from CRU demonstrated a number of ways in which forensic investigators can capture information from remote networks, and the use of logical imaging to reduce the amount of time needed to analyse this evidence.
This was followed by a dual presentation from Derek and Roxanne Ellington, who gave an insight into the minds and actions of the “digital native” generation. The discussion also covered the differences between investigating young people and adults, whether as suspects, victims or witnesses, and touched upon some of the legal considerations investigators must take into account when seizing devices from adolescents.
Bruce Hartley from Celerity Consulting Group then talked about gaps and challenges in the digital forensic landscape at present, with a strong focus on social media. One of the main items of discussion was the way in which evidence is presented to non-technical law enforcement agents and to juries: when data has been gathered from a social media application, for example, many people expect it to look the way it would look if they were viewing it within the application itself. Confusion surrounding presentation issues like this can lead to significant delays and challenges during investigations.
The ‘cyber cold war’ was the last item on the agenda for Monday, with David Vargas once again taking to the stage to talk about patriotic hacking. The session provided a good overview of some of the major patriotic hacker groups and individuals from around the world, including case studies from Russia, China, Syria and the United States. Vargas concluded the session with the comment that patriotic hacking will only grow over time, as it affords plausible deniability to a nation state, which proved to be a hot topic of conversation among conference attendees.
The terrorism session on Tuesday morning was one of the best-attended at the conference. Majid Hassan took attendees through a graphic and detailed presentation of the nature of modern terrorism, including the current situation in the Middle East. Although the discussion touched on the technological aspects of counter-terror, it did not go into great depth, instead providing an insight into the actions of terrorists around the world. The topic could easily have taken up a day in its own right; had there been more time for the presentation, the technological side would no doubt have been explored more thoroughly.
Social media was back on the agenda during the latter part of the morning, with Howard Williamson from X1 Discovery asking how forensic investigators can be expected to keep up with the amount of data that is shared every hour across social networking sites. The challenges of device proliferation are only increasing, and with social media sites and applications changing their terms and updating their software on a near-constant basis, acquiring and analysing the necessary data for an investigation can be a challenge, to say the least. Williamson discussed some recent cases that used social media as evidence, and put forward some suggestions to help with data triage in investigations.
Vehicle Systems Forensics by Ben Lemere from Berla was an interesting presentation on a topic that is not often covered at forensics conferences. The session began with some demonstrations of the number of computers within an average vehicle and the amount of data that modern vehicles in particular can provide to an investigator. The discussion of how rental cars can be repositories of data in themselves was of particular interest, and Lemere gave several case studies to demonstrate the importance of not overlooking vehicle systems as part of a forensic strategy.
The following talk centred around mobile forensics, with Lee Papathanasiou presenting survey results showing that 95% of forensic specialists believed mobile devices to be their most important data source. This was followed by a discussion of how the Riley v California case in 2014 impacted forensic practitioners, increasing the risk of evidence being discounted in court. Once again the importance of standardisation was mentioned, including in the areas of training, policy and technology used.
An interesting presentation by Blake and Melody Haase and Chad Gough wrapped up the conference. They discussed how to pull together data from disparate sources to create a holistic view of a suspect or an event. Topics covered included methods used to capture data from mobile devices, how to use open source intelligence to supplement acquired data, and how to authenticate the various pieces of evidence in an investigation to ensure that it stands up in court.
TSFIC was a useful source of information and networking opportunities, with the exhibit hall remaining open throughout the day, allowing attendees to meet the presenters and find out more about the products and solutions that were being shown during the conference. The wide variety of items on the programme made it difficult to decide on a single talk to attend at any given time, but with so much to choose from and a smoothly organised series of events, TSFIC is certainly a recommended item for the digital forensics calendar.
The next Techno Security and Forensics Investigations Conference will be held in Myrtle Beach, South Carolina, from the 5th to the 8th of June 2016. Anyone interested in attending should consult the official website for details.