jessekornblum: HTCIA Report, Day 1

jessekornblum (

jessekornblum) wrote,
@ 2006-10-31 02:03:00

Entry tags:

geek, hashing, running, travel

HTCIA Report, Day 1
The first day of the HTCIA conference was not quite what I expected. ........ ....... ...... .... .................... .... .... .... ... .... ........... ....... ...... .... .................... .... .... .... ... .... ........ .......... ....... ...... .... .................... .... .... .... ... .... ........ .......... ....... ...... .... .................... .... .... .... ... .... ........ .......... ....... ...... .... .................... .... .... .... ... .... ........ .......... ....... ...... .... .................... .... .... .... ... .... ........ ....... ...... ....... ...........

Somehow my conference registration got lost and the organizers had no record of my existence. Thankfully the staff working the desk recognized my name as a speaker and got me a badge. It took a few minutes, but gave me a chance to have a cup of coffee and schmooze. At this point, however, things threatened to go downhill.

The first speaker I hoped to see did not check in to the conference; I hope he's ok. The second called in on Sunday to say he'd broken his leg. The lunch speaker overlapped with the first session of the afternoon so I didn't get to hear much of what he said. Finally though, I caught some good talks in the afternoon and early evening.

I'm now back in my room furiously rewriting my presentations on fuzzy hashing and Windows memory analysis. Although the talks were good, they were far too impractical for the crowd here. Right now I'm surrounded by cops from the Lower Elkswhich County Police. They have no use for which functions are O(n) versus O(n²), but care greatly about what can be taken to court and what can't.

(11 comments) - (Post a new comment)

	caereala 2006-10-31 03:44 am UTC (link)
	What were you expecting? (Reply to this) (Thread)

	jessekornblum 2006-10-31 06:14 am UTC (link)
	Sadly it's been a long time since I've been to a conference with real forensic practitioners. Either I've been presenting at academic conferences or haven't had the opportunity to really meet the audience. I think that "Ivory Tower" is a little too strong, but perhaps "being unfamiliar with my user base" is appropriate. (Reply to this) (Parent)

	thewronghands 2006-10-31 07:42 am UTC (link)
	It's great that you care enough to rewrite it and want to make it good and helpful to your audience. One of the biggest flaws I've seen in technical presentations is a lack of awareness of the audience, their interests, and their level of expertise. Break a leg with your talk! (Reply to this) (Thread)

	jessekornblum 2006-10-31 09:04 am UTC (link)
	Break a leg with your talk! Thanks! In deference to my natural proclivity to damage myself, I am refraining from running this morning. I suspect that a bout of insomia would not help in that regard. (Reply to this) (Parent)(Thread)

	Is this what the HTCIA is? (Anonymous) 2006-10-31 11:29 am UTC (link)
	I thought it was for technical people? Was it always this way? (Reply to this) (Parent)(Thread)

Re: Is this what the HTCIA is?

jessekornblum
2006-10-31 12:24 pm UTC (link)

I think it's a little unfair to differentiate between technical and practical. For example, one talk I saw yesterday talked about checking for evidence of whole disk encryption when doing incident response. The instructor talked about the normal NTFS signature on the volume in sector 0, offset 3, and what other signatures say about encryption software. Practitioners don't necessarily care about algorithm key length or the number of S-boxes. For them it's sufficient to know that it will be quite hard to break the volume's encryption later on, so you need to gather as many files as possible before turning the machine off. It's still very technical, but just has a different focus.

(Reply to this) (Parent)

Re: Is this what the HTCIA is?

caereala
2006-10-31 02:22 pm UTC (link)

As someone a little more technically focused, but not as technical as Jesse, I have always felt that HTCIA was always more "cop" focused. However, you do have your geeks in there which were always the presentations I gravitated towards. I don't have any figures to back me up, but I think a bulk of the membership is still investigators-turned-forensic-practitioners as opposed to technical people with a forensic specialty.

(Reply to this) (Parent)(Thread)

	Re: Is this what the HTCIA is? (Anonymous) 2006-11-01 05:01 pm UTC (link)
	So is it an organization you are (or would choose to become) involved with? I wasn't trying to "knock" it - just trying to figure out if it is an "old boys" club. Not sure if that came out right, but you get the idea. (Reply to this) (Parent)(Thread)

Re: Is this what the HTCIA is?

caereala
2006-11-01 05:09 pm UTC (link)

I have been a member for a few years now. I don't get an "old boys" vibe from it. I feel that it still primarily has a law enforcement focus but it did start as predominantly law enforcement organization. I think that has started to change lately though as the membership has expanded to include more people from the private sector. I find the mailing list to be a great resource and the chapter meetings (I am in the mid-atlantic chapter) usually appeal to me more often than not. And at the last international meeting I went to I found enough sessions to keep me occupied.

(Reply to this) (Parent)(Thread)

	Re: (Anonymous) 2006-11-01 06:49 pm UTC (link)
	Thank you for your reply. I appreciate your taking the time to explain this to me and you are very kind to do so. (Reply to this) (Parent)(Thread)

	caereala 2006-11-01 06:53 pm UTC (link)
	Not a problem! (Reply to this) (Parent)

(11 comments) - (Post a new comment)

Username:		Create an Account Forgot your login or password? Login w/ OpenID
Password:
	Remember Me
	English • Español • Deutsch • Русский…

About

Help

Get Involved

Legal

LJ Labs

Store