| BitLocker To Go, Google Earth Forensics at DoD Cyber Crime Conference |
[Sep. 9th, 2009|10:29 am] |
I have been selected to give two presentations at the 2010 DoD Cyber Crime Conference in January 2010 in St. Louis, MO. Unfortunately the St. Louis Blues will be out of town during the conference. Does anybody have some ideas on what to see and do during the off hours? The Stella Artois Anheuser-Busch tour? The gourmet burger bar? What else?
My first talk will be on BitLocker To Go, how Microsoft has extended BitLocker Disk Encryption to removable devices like USB sticks. You can learn how the technology works, how it uses passwords and smart cards, its applications for force protection, and how the protected data can be accessed during forensic examination. The second talk will cover Google Earth cache file forensics. You'll see what data is in the file, how it's stored, and how it can be viewed.
Speaking of BitLocker, we discussed the tool in the most recent CyberSpeak podcast, published on Monday. The show was recorded live at the SANS What Works in Computer Forensics conference a few months ago. You can listen as Ovie and Bret interview me, Harlan Carvey, Ken Bradley, and Rob Lee on a host of topics. |
|
|
| See you in St. Louis |
[Jan. 13th, 2008|09:15 pm] |
I will be presenting this week at the DoD Cyber Crime Conference in St. Louis, MO. See you there! |
|
|
| DoD Cybercrime Wrapup |
[Jan. 28th, 2007|08:26 pm] |
I had a fantastic time at the DoD Cybercrime conference but was completely wiped out by the time I got home. It was great to catch up with old friends and to make some new ones. Unfortunately I missed a few people as they were deployed to the 'stan*. Being out of the Air Force for a few years, I think I was thinking about that less.
The conference was two days of training, one day of plenary sessions, and then three days of hardcore law enforcement style geekery; perfect! So perfect, in fact, that I spent all of my waking hours (and there were a lot of them) deeply involved in tech. That was fun, but when I got to the airport on Friday afternoon I realized that it had been six days since I had felt sunlight on my skin and three days since I had been outside.
The slides from my presentation, Recovering Executables from Windows Memory Images, are now available. It's a 5MB PDF file, so please be patient with my slow little web server.
In other news, the DC3 is going to make the Digital Forensics Challenge an annual event. Registration for the 2007 challenge will begin in just a few weeks!
* "The 'stan" is a generic way to refer to the various countries of Southwest Asia where US military members get deployed. It's not intended as an insult to any of them, but whether my friends get killed in Turkmenistan or Tajikistan, it doesn't so much matter to me. |
|
|
| HTCIA Report, Day 3 |
[Nov. 4th, 2006|02:17 pm] |
My apologies for never posting a third report from the HTCIA conference. The third day ended with my returning home and I didn't think to post until now.
I spent the morning bouncing from one talk to another. Unfortunately the conference book program didn't provide very detailed descriptions of the talks or the speakers. I understand that running one of these events is not easy, but having a small paragraph in lieu of a single sentence would have greatly helped decide which talks I wanted to attend.
Because of the last minute changes I made, the slides I presented with at the conference are not on the official CD. I have sent them to the organizers who promised to post them on the conference web site in the near future. Please note that you will need the password you received with the conference CD to access this area!
|
|
| HTCIA Report, Day 2 |
[Oct. 31st, 2006|08:39 pm] |
Sadly my second day at the HTCIA Conference was not as productive as my first. If my posts last night at 0200 and 0400 didn't give it away, I had some trouble sleeping last night. I finished up my slides but couldn't relax afterward.
This morning I attended an excellent talk on acquiring physical memory. It led perfectly into mine about what can be recovered from a memory image. I wish we could have followed each other directly! My four talks (fuzzy hashing and memory analysis, each repeated twice) went quite well. I think my use of the Raven was appropriate for Halloween. My slides should be posted on the HTCIA web site in a few days; my apologies for not getting them on the conference CD.
I'm going to bed now; hopefully Wednesday will be kinder to me. |
|
|
| HTCIA Report, Day 1 |
[Oct. 31st, 2006|02:03 am] |
The first day of the HTCIA conference was not quite what I expected.
Somehow my conference registration got lost and the organizers had no record of my existence. Thankfully the staff working the desk recognized my name as a speaker and got me a badge. It took a few minutes, but gave me a chance to have a cup of coffee and schmooze. At this point, however, things threatened to go downhill.
The first speaker I hoped to see did not check in to the conference; I hope he's ok. The second called in on Sunday to say he'd broken his leg. The lunch speaker overlapped with the first session of the afternoon so I didn't get to hear much of what he said. Finally though, I caught some good talks in the afternoon and early evening.
I'm now back in my room furiously rewriting my presentations on fuzzy hashing and Windows memory analysis. Although the talks were good, they were far too impractical for the crowd here. Right now I'm surrounded by cops from the Lower Elkswhich County Police. They have no use for which functions are O(n) versus O(n²), but care greatly about what can be taken to court and what can't. |
|
|
| Hello from Cleveland |
[Oct. 29th, 2006|11:00 pm] |
I'm in Cleveland, OH for the HTCIA Conference. It looks to be a productive week, although I may need to extend my presentations. I was expecting to fill half hour blocks, but for my two talks I've been allocated 90 and 120 minutes each! eep! Extra fuzzy hashing for everybody! |
|
|
| Speaking at DoD Cybercrime |
[Sep. 20th, 2006|12:58 pm] |
My presentation for the DoD Cybercrime conference, "Recovering Executables from Windows Memory Images," has been accepted. I will be speaking at 1330 on Thursday, so mark your calendars now. You don't want to miss how you can recover, from a Windows memory image, an executable essentially as it existed on the disk. See you in St. Louis!
The full agenda and the track listings have been published too. |
|
|
| Hacker Court is on! |
[May. 29th, 2006|02:59 pm] |
This summer is rapidly shaping up to be extremely busy. I just got word that we will be presenting another Hacker Court mock trial at this year's BlackHat Briefings Las Vegas. Being out of AFOSI for so many years, I will probably switch from "agent" to "expert witness," but it should still be a great time.
Here's how my public speaking schedule is shaping up:
August 2-3: BlackHat, Las Vegas NV, doing Hacker Court
August 4-6: DEFCON, Las Vegas NV
August 8: RCFG/GMU 2006 International Training Symposium, Fairfax VA, presenting Fuzzy Hashing
August 14-16: DFRWS 2006, West Lafayette, IN, presenting Fuzzy Hashing
October 30-November 1: HTCIA International Training Conference and Expo, Cleveland OH, presenting both Fuzzy Hashing and Windows Memory Analysis. |
|
|
| Saved Passwords in Internet Cafe |
[Dec. 14th, 2005|07:38 pm] |
Sitting in an Internet cafe tonight, I noticed that my browser was offering to remember saved passwords for me. I obviously declined, but wondered, would anybody store their passwords on a widely shared computer? Yes. Two, in fact. Scary scary scary. |
|
|
| Hacker Court ROCKS! |
[Jul. 29th, 2004|12:08 am] |
We had such a great time tonight in our Hacker Court presentation. Our testimony went well, but was punctuated with enough jokes to keep it lively and entertaining. For example:
Q: Did Mr. Martin tell you where to find the boat?
A: Yes, he said it was docked in Pier 51.
Q: Did you find it at Pier 51?
A: No, it was at Pier 53.
Q: What did you conclude from this?
A: They appeared to be using some kind of pier-to-pier technology.
[rim shot]
One of the witnesses high-fived the judge when he tried to swear the witness in, and when a Roman warrior and a scantily-clad Cleopatra entered, our judge jumped off the stand to have his picture taken with them. (I loaned my camera to .... ...... ..... who got some great shots of this. I won't be able to post them for a few days, but will blog again here when I do.)
All in all it was a smashing success. I'm so tired right now I can hardly type. A few of us went out for dinner and could barely keep from falling asleep in our crab rangoons. But now we can sit back, relax, and enjoy the rest of BlackHat and DEFCON. (Although I'm going to SLEEP for now!) |
|
|