by Mattia Epifani, Forensic Focus
The Enfuse Conference, organized by Guidance Software, took place between 21st and 24th May at Caesar Palace Conference Center in Las Vegas. More than 1,500 attendees were present, coming from different fields like digital forensics, e-discovery, incident response and cybersecurity. Most of the attendees were from the US and Canada but many people from Central and South America, Asia, Africa and Europe were also present.
Forensic Focus was present for the entire conference and documented it in real time on Twitter. This article is a wrap-up of the conference highlighting some of the most interesting talks.
The first day started with a “First Timers” session where Guidance illustrated the history of the conference (previously named CEIC) and a guide on how to move within the conference itself. At the end of the session Welcome Reception cocktails were organized at the Caesars Palace pool.
Starting from day two, most of the talks were run in parallel so we were able to attend only some of them. What follows below is a short overview of the talks we were able to attend; and more information is available on the conference website.
Day two started with “Internet of Things Forensics” held by Jonathan Rajewski, Director & Digital Forensics Professor at Champlain College. The talk illustrated the results of some research done at Champlain College on various IoT devices, and in particular on techniques for acquiring and analyzing specific devices to recover interesting forensic artifacts. The featured devices were the Amazon Echo, the Nest Camera, Canary and Google Home. Professor Rajewski also did a TED talk last December on this topic, which is available on YouTube.
After the first talk there was the Opening Keynote by Patrick Dennis, CEO of Guidance. The keynote focus point was on how “cybercrime” should now just be labeled ‘crime’. There is no longer a boundary between the two and the best prevention technology in the world is insufficient: everything is about managing the continuous compromises affecting us every day. “If you believe this,” states Dennis, “there is zero room left for fear”.
After the keynote we attended the “Tips and Tricks” talk held by Mark and Mike Menz and Kip Loving. The talk illustrated software, techniques and resources that “help make your job easier and the bad guys easier to find.” The latest forensics tricks and innovations were shown along with new investigative techniques.
The third talk was “Dealing with Degraded Media in Forensic Investigations” held by Scott Gibbs (Direct Data Discovery) and Glenn Sakaguchi (We Recover Data). It illustrated the options regarding corrupted or damaged media (age of device, head contact with media, disk crash, platter shift, and so on) and exhibited case studies of recoveries performed.
The fourth talk, which was also voted by the conference attendees as the most interesting talk on digital forensics, was “Smartphones and Connection to IoT: Finding the Data” held by Amber Schroader, CEO at Paraben Corporation. The session was focused on the primary smartphone operating systems and how their connection to IoT (Internet of Things) devices poses risks to the device, and allows access to new forensic fingerprints. A review of the issues associated with smartphones and their new IoT devices was discussed, as well as techniques and tactics to deal with the new threats that are coming.
The last talk was “Digital Forensic Readiness: From Reactive to Proactive Process” held by Jason Sachowski Director, Security Forensics & Civil Investigations, Scotiabank. The presentation demonstrated how digital forensics aligns strategically within an organization’s business operations and information security program. It illustrated how the proper collection, preservation, and presentation of digital evidence is essential for reducing potential business impact as a result of digital crimes, disputes, and incidents. It also explained how every stage in the digital evidence lifecycle impacts the integrity of data, and how to properly manage digital evidence throughout an entire investigation.
At the end of the day a happy hour took place in the Expo Hall, where all the sponsors had booths.
Day 2 started with a talk on EnCase Endpoint Security, held by Ashley Hernandez. EnCase® Endpoint Security helps companies to implement both risk-assessment plans and rapid-response processes that complement current security measures in order to identify, mitigate and respond to threats. On a normal day, a corporate network can experience over a million attempted cyber-attacks. Response times are growing along with costs, frequency of events, and the number of alerting tools a team must manage.
After this first talk the Industry Keynote by Theresa Payton took place. Theresa Payton is one of America’s most respected authorities on internet security, data breaches and fraud mitigation. The first woman to serve as White House CIO, Payton now works with organizations in the public and private sectors to protect their most valuable resources.
After the keynote we attended the talk “A Primer on Current Android Device Forensics” by Ronen Engler, Sr. Manager of Technology & Innovation, Cellebrite. This session covered current extraction technology, potential additional sources of data to supplement extraction limitations, encryption issues and challenges facing mobile device examiners. A current breakdown of options for devices running the most recent version of Android was provided, including obtaining a physical extraction, bypassing locked devices, and identifying and handling device encryption to obtain the most data possible.
Then we attended the talk “Know Normal, Find Evil – Windows 10 Edition” by Jake Williams. In this session, the expected behavior on Windows 10 systems was illustrated so you can pull the signal out of the noise.
In the evening the SANS DFIR NetWars took place: three hours of a DFIR challenge CTF with a lot of people playing!
At the beginning of Day 3 we attended a really interesting talk titled “MAC Time, Mac Times, and more” held by Lee Whitfield, Director of Forensics, Digital Discovery. The objective of the talk was to educate investigators as to the need to look closely at all available dates and times on both Windows and MacOS systems., in order to correctly determine the origin and use of copied files. A real case was illustrated, with particular regard to how the expert reached his conclusion and how the correct interpretation of the available data was used to reach a more accurate conclusion. The presentation also detailed the date and time transactions that occur when copying files on a MacOS computer.
The Closing Keynote was held by Dr. Timothy Chou. “As companies are increasingly digitizing and moving and interacting with sensitive data and applications in the cloud every day, cybersecurity is more important now than ever before,” said Chou. “Precision technology powering an industrial Internet of Things has the potential to reshape the planet, but security must be a key consideration.”
The last session was “Efficient Decryption”, held by Dmirty Sumin, CEO at Passware. Decryption of electronic evidence is a common problem for many computer examiners. New challenges of getting access to encrypted evidence were covered – from now-standard full disk encryption for Windows and Mac OS X to new TrueCrypt successors. The use of memory artifacts found in live memory images and hibernation files was also covered during the talk.
Apart from the talks, we also visited the Expo Hall where all the sponsors presented their new products. Some of these included:
- EnCase Mobile Investigator by Guidance, a new tool that integrates with EnCase to acquire and analyze mobile devices. More information here.
- Evimetry Imager by SchatzForensic, a new tool to acquire faster and analyze immediately digital evidence, developed by the author of the AFF (Advanced Forensic Format), Bradley Schatz. More information here.
- Sumuri Talino, forensic workstations with various configurations available; more information here.
- Tableau TX1, a new forensic imager by Guidance; more information here.
- Talon Ultimate, a new forensic imager by Logicube; more information here.
- Ditto DX, a new forensic imager by CRU-Inc; more information here.
- UFED Touch 2, a standalone mobile forensics solution by Cellebrite; more information here.
- SecureView, a mobile forensics solution by Susteen with innovative techniques for LG and Burner phones. More information here.
The next Enfuse conference will be held in Las Vegas, NV, USA from the 21st – 24th of May 2018. Anyone interested in attending should consult the official website for details.