My Thoughts on CEIC 2015

CEIC 2015 is Over

This year’s CEIC is over. After a long and relaxing holiday weekend, it feels almost like it was months ago. I really enjoy being involved with CEIC every year because it gives me a chance to catch up with old friends and meet new ones. The real reason (at least the one we tell our bosses) we all go to CEIC is for the great sessions. There were so many of them this year that I wish I could have cloned myself to see them all. To make it a bit more difficult, CEIC is not just a training conference for me since I am part of the team putting it on. I wanted to put down some of my experiences from this year.

The most rewarding thing to me during the entire conference is to hear from past students about their success in completing the EnCE certification. The only way to achieve that cert is through dedication and perseverance. I get thanks from them for teaching the classes they attended, but I didn’t take the test for them. Their excitement and enthusiasm are infectious, and I love it! Congratulations to everyone who passed the first phase during CEIC, and good luck on the second.

If you didn’t get to attend CEIC this year, you missed a good one. Try again for next year, and I think you will be well rewarded.

Some Sessions

Because I am part of the setup and operations of CEIC, I am not usually able to attend full sessions, but there are a few that I really enjoyed and wanted to mention.

Monday started off great hearing about new features in IEF from Jamie McQuaid and Rob Maddox of Magnet Forensics in Investigating a User’s Internet Activity across Computers, Smartphones and Tablets. This team knows how to stay on top of industry trends and to enhance their tools with a quick response. It is great to know that Guidance has a partner dedicated to examiners like we are.

A must-see for me is Tracking the Use of USB Storage on Windows 8 by Colin Cree. He has been researching USB artifacts on Windows for many years, and somehow seems to find new intricacies every year. No disappointment this year!

The SANS crew is always a safe bet. I enjoyed APT Attacks Exposed: Network, Host, Memory and Malware Analysis, since you can never learn too much about how others operate and think. It helps us all grow, and I am glad that Rob Lee, Anuj Soni, Chad Tilbury, and Jake Williams are sharing their experiences.

I am a firm believer in everyone learning to code as a skill. Mari DeGrazia and Ron Dormido laid out a great foundation in Practical Python Forensics for those wanting to learn Python as their language. Extra points since they showed how to integrate EnCase and Python!

Memory forensics has become a huge source of information in all types of investigations, and Jamie Levy knows this better than most. As a part of the Volatility team, she is an immense resource, and she shared it in Rootkits, Exfil and APT: RAM Conquers All to help us all. I learned a lot about using Volatility from this session. I also learned about her Twitter handle outside of the session, but I’ll leave it to her to spread that.

My Sessions

I had a lot of fun this year talking in my sessions. I talked about how you can expand EnScript with .NET and Python code. It was exciting to me since everyone seemed to be just as excited about the possibilities. I also got a chance to speak with Matt McFadden about EnCase Portable and the huge potential it has for examiners. I got to share how I used Portable on a case to handle a location with 4 examiners and 60+ computers, and we were done before dinner! I talked to many people after the session who were excited about using it at home.

Deserved Recognition

Lastly, I wanted to give some recognition to a couple of people from the Guidance Software team who really make CEIC the conference that it is. The entire Guidance team works really hard for this event, but these two really make it shine.

There is a technical team that I am part of every year, and it is managed by Jamey Tubbs from the training division. He puts in a ton of hours, before many of you even register for CEIC, working with the event team, hotel technical staff, and our computer rental vendor. Our conference is unique among many others because of the large-scale labs with supplied computers, and it would not be the same without him.

On the event team, we are lucky to have Jennifer Iwata take on CEIC this year. She has been involved for a couple of years, but she was the boss this year and knocked it out of the park. I think this was the smoothest CEIC yet for the operational staff, and I heard the same from many others as well. I am sure that she is already on top of planning an even better CEIC for next year!

Until you read from me again!
James Habben

Digital Forensic Notables and Top-flight Instructors On Tap at CEIC 2015

(This is Part 3 of a 3-part series on the all-new and enhanced digital forensics labs and lectures at CEIC 2015.)

The first post in this series talked about how we're expanding on the core competency of the EnCase community that converges on CEIC each year. The second post drilled down into the plethora and diversity of digital artifacts and showcased sessions designed to address these exploding challenges. In this final post, we present the marquee of acclaimed industry experts who will be on hand to teach new technologies and tools and share hard-earned insight from decades of experience in digital investigations.

Learn to Expand on the Value of EnCase at CEIC 2015 with EnScripts and Third-Party Apps

Robert Batzloff

This year at CEIC®, we’re committing more training and trainer resources than ever before to help you boost the benefits of EnCase® in your company’s deployment.

Our goal is to show you the brawn behind power EnCase users and apps, and by learning more about the EnScript® language, help you get to that same level.

With an expanded conference track called EnCase Apps and Integrations, we’ve added 12 sessions that will showcase some of the most dynamic apps developed by EnCase forensic investigators that are easy for you to integrate. We’re also boosting the App World booth hosted by EnScript gurus from Guidance Software and developers from the EnCase community, so you’ve got more experts close at hand during all hours of the conference day.

Learn to Unleash the Power of EnScript, and Write Your Own

The new EnCase Apps and Integrations track this year will help you build and then flex your own EnScript muscles so you can easily use the unique language for automating, customizing, and expanding the value of EnCase.

For the advanced developer: We’ve designated James Habben, a popular Guidance Software instructor and experienced EnScript programmer, to share techniques for using EnScript to perform advanced customizations, such as modifying the EnCase UI to automate common tasks and integrating EnScript with existing .NET applications.

For the beginning developer: Lance Mueller, a widely recognized senior forensic analyst with IBM’s Emergency Response Services, will join us to teach the basic skills of writing and using EnScripts. And we're offering other labs that will walk you through basic tasks like using EnCase App Central, running an EnScript, installing an EnScript plug-in, and more.

Learn New Efficiencies from Specialty App Developers

We’re excited to feature Jessica Bair, who worked with Guidance Software for 13 years and is now with Advanced Threat Solutions at Cisco Security, in a lab on “AMP ThreatGRID for Law Enforcement.” You'll learn about and then get your hands on Cisco’s new program for dynamic malware analysis and threat intelligence.

You can also sit down with the technical team from Magnet Forensics in a hands-on lab using Internet Evidence Finder (IEF) to recover and analyze a wide variety of Internet-related artifacts.

Don’t miss the opportunity in the EnCase Apps and Integration track to hear from Belkasoft's Yuri Gubanov, a renowned computer forensics expert and frequent speaker at industry events around the world. He’ll help you extend EnCase functionality with third-party tools and show you how to jump-start an investigation and receive a result in a matter of minutes, not hours, with the help of Belkasoft Evidence Center.

Because of the rapidly growing interest in the high-level programming language Python, we are offering two sessions to address what you need to know: Chet Hosmer with WetStone Technologies will demonstrate how to apply natural language understanding and heuristic reasoning using Python. Mari DeGrazia with Verizon RISK Team will help you step up your game with practical applications for Python to automate repetitive DFIR tasks and quickly parse digital forensics artifacts.

And finally, to save you time in learning to use the most popular apps, we’ve got three sessions titled “EnCase App Central Showcase” that will highlight a variety of apps related specifically to malware investigations, forensics, and general utilities. Click here to see the full agenda with speaker bios for the EnCase Apps and Integrations track.

App World Provides Interaction with EnScript Developers and EnCase Trainers

So much of the CEIC booth traffic hovers around the EnCase App Central booth every year, so this year we’re making it more accessible. It will be located in the expo hall next to the Guidance Software main booth and will feature three stations, each hosted by a rotating group of training staff, product managers, third-party developers, and EnScript professionals. It will also include several demonstrations and tutorials, including how to use the EnScript language, download EnScripts from EnCase App Central, and expand the power of your own EnCase deployment.

Isn’t it Time You Became an EnScript Developer, Too?

And finally, we want you to know that the App World team has the time to meet with you at CEIC, as well as the resources and reasons to help you take that step to become an EnScript developer yourself. We’d like to encourage you to join the EnCase forensic investigators from around the world who are part of a thriving community that creates case-cracking EnScripts and specialty apps.

You can meet with us at CEIC to discuss our program for developers, email me, or click here to apply for the program today.

Here’s a sampling of the benefits you’ll receive when you become part of our EnCase Developer Network:

  • EnCase developer license (dongle)
  • Exclusive access to the v7 SDK
  • Up-to-date information on programming EnCase EnScripts
  • Pre-release builds of EnCase
  • Code samples
  • Sample evidence files for testing
  • Access to Guidance technical support
  • QC of your work by Guidance professionals
  • Exclusive rights to publish your EnScripts on EnCase App Central
  • Worldwide visibility for your EnScript
  • Management of the purchase of your work by Guidance
  • Valuable customer feedback on your EnScript
  • Choice to offer your EnScripts for free or for a fee

Be sure to visit the CEIC website for information on the current event agenda, registration information, sponsor and exhibitor opportunities, and to register now.

Robert Batzloff is the Associate Product Manager for EnCase App Central at Guidance Software.

The Good, the Bad, and the Diverse: Gain More Visibility into the Growing Diversity of Devices, OSes and Artifacts

(This is Part 2 of a 3-part series on the all-new and enhanced digital forensics labs and lectures at CEIC® 2015. Read Part 1 here.)

One of the biggest challenges for investigators today is not only the number of devices or the amount of data (the average hard drive has just crossed the 1TB threshold), but also the number and diversity of applications and artifacts on a system.

Frankly, we feel your pain. We know there’s no single tool that investigators can rely on to support all applications, browsers, and file systems. We get it when practitioners tell us they require a larger toolbox and deeper skill set to support the overwhelming challenges in digital investigations.

Guidance Software uses CEIC to bring together all of the speakers with their tools and apps that integrate with EnCase and provide you with better visibility into systems, applications and artifacts.

There are four tracks that focus on digital investigations:

  • Digital Forensics Labs
  • Advanced Digital Forensics Labs
  • Topics in Digital Forensics
  • Mobile Devices and Cloud Investigations

We want to remind you that the hands-on labs fill up fast, as 70 percent of attendees say that labs are the number one reason they attend CEIC. So, click here to register now.

You can view the agenda here to read session descriptions and speaker bios on the 44 lab, lecture, and panel sessions that focus on digital forensics. You can also get a sneak preview of a few of the hands-on lab topics that are sure to warrant a packed room, such as the ones we've highlighted below.

Digital Forensics Session Highlight: File System Journaling Forensics

David Cowen and Matthew Seyer of G-C Partners, LLC, will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. You will learn:

  • What data your file systems store.
  • How to gather the data using EnCase.
  • How to use a free parser to understand the data.

Digital Forensics Session Highlight: Vehicle Systems Forensics

Ben LeMere, CEO of Berla Corporation, is back by popular demand this year. We know students of vehicle forensics will be glad to hear that you'll be able to get your hands on the data stored in several different infotainment and telematics systems in his practical, hands-on lab session. Vehicle infotainment and telematics systems store a vast amount of data such as recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been. This information is not easily retrievable and is typically stored in several different systems within a vehicle that are not traditionally associated with event data. This is cutting-edge technology that is quickly becoming more pervasive in the field of investigations.

Digital Forensics Session Highlight: Windows ShellBag Forensics in Depth

Vincent Lo, Digital Forensics and Incident Response Investigator, knows that interpreting ShellBag behavior is a challenging task for “forensicators.” The problem of identifying when and which folders a user accessed arises often, and investigators turn to the ShellBag information because it may contain registry keys indicating which folders the user accessed previously. Their timestamps may demonstrate when those folders were accessed. Nevertheless, many different activities can create or update those timestamps, so a timestamp alone does not tell you which action produced it. That’s why you won’t want to miss this hands-on lab, where you’ll understand the details of ShellBag information, review various activities across Windows operating systems, and learn how to interpret it correctly.

If it wasn’t obvious before this blog post, now it should be loud and clear: this year’s sessions on digital forensics pull no punches when it comes to providing more visibility into the good, the bad, and the sometimes very ugly and diverse applications and artifacts you face every day.

Stay tuned for Part 3 of this blog series on digital forensics, where we’ll shed light on the caliber of speakers we’re bringing in to teach the sessions mentioned here. We're confident that these are experts whom you know and trust.

In the meantime, be sure to visit the CEIC website for information on the current event agenda, registration information, sponsor and exhibitor opportunities, and to register now. Also, be sure to follow us on Facebook, Twitter, and LinkedIn for the latest CEIC buzz and conversation.

Ask the Expert: Yuri Gubanov, CEO of Belkasoft

In our recent webinar with Yuri and Oleg from Belkasoft, we had quite a few interesting questions and even more interesting answers. They presented three case studies that leveraged EnCase Forensic and Belkasoft digital forensics tools to uncover critical evidence. You can watch the on-demand webinar here.

Q: Guys, you mentioned analysis of a Live RAM dump created by the Belkasoft tool. We use the winen.exe tool by Guidance Software. Will you work with dumps created by this tool?