Mobile devices are everywhere. The evidence they hold can be the key to a successful investigation outcome, if you are able to acquire it. Water-damaged phones add even more complexity. How successful have you and your agency been in responding to water-damaged devices?
Steve Watson, a technologist focused in the areas of e-discovery, forensics, risk and compliance, posed this question to a full house at Enfuse (CEIC 2015) earlier this year. The popularity of his session, “Water-Damaged Devices – An Analysis of Evidence Locker Corrosion,” made a clear statement that EnCase® users are ready and eager to learn how best to tackle the data that resides on damaged devices.
My Thoughts on CEIC 2015
CEIC 2015 is Over
This year’s CEIC is over. After a long and relaxing holiday
weekend, it feels almost like it was months ago. I really enjoy being involved
with CEIC every year because it gives me a chance to catch up with old friends
and meet new ones. The real reason (at least the one we tell our bosses) we all
go to CEIC is for the great sessions. There were so many of them this year that
I wish I could have cloned myself to see them all. To make it a bit more
difficult, CEIC is not just a training conference for me since I am part of the
team putting it on. I wanted to put down some of my experiences from this year.
The most rewarding thing to me during the entire conference
is to hear from past students about their success in completing the EnCE
certification. The only way to achieve that cert is by dedication and
perseverance. I get thanks from them for teaching classes they attended, but I
didn’t take the test. Their excitement and enthusiasm is infectious and I love
it! Congratulations to everyone who passed the 1st phase during
CEIC, and good luck on the 2nd.
If you didn’t get to attend CEIC this year, you missed a
good one. Try again for next year, and I think you will be well rewarded.
Some Sessions
Because I am part of the setup and operations of CEIC, I am
not usually able to attend full sessions, but there are a few that I really
enjoyed that I wanted to give mention to.
Monday started off great hearing about new features in IEF
from Jamie McQuaid and Rob Maddox
of Magnet Forensics in Investigating a User’s Internet Activity across
Computers, Smartphones and Tablets. This team knows how to stay on top of
industry trends and to enhance their tools with a quick response. It is great
to know that Guidance has a partner dedicated to examiners like we are.
A must-see for me is Tracking the Use of USB Storage on
Windows 8 by Colin Cree. He has been researching
USB artifacts on Windows for many years, and somehow seems to find new
intricacies every year. No disappointment this year!
It’s a safe bet on
the SANS crew. I enjoyed APT Attacks Exposed: Network, Host, Memory and
Malware Analysis since you can never learn too much about how others
operate and think. It helps us all grow, and I am glad that Rob Lee, Anuj Soni, Chad Tilbury, and Jake Williams are sharing their
experiences.
I am a firm believer
in everyone learning to code as a skill. Mari DeGrazia and Ron Dormido laid out a great foundation
in Practical Python Forensics for those wanting to learn Python as their
language. Extra points since they showed how to integrate EnCase and Python!
Memory forensics has
become a huge source of information in all types of investigations, and Jamie Levy knows this better than most.
As a part of the Volatility team, she is an immense resource and shared it in Rootkits,
Exfil and APT: RAM Conquers All to help us all. I learned a lot about using
Volatility from this session. I also learned about her Twitter handle outside
of the session, but leave it to her to spread that.
My Sessions
I had a lot of fun
this year talking in my sessions. I talked about how you can expand EnScript
with .NET and Python code. It was exciting to me since everyone seemed to also
be excited about the possibilities. I also got a chance to speak with Matt McFadden
about EnCase Portable and the huge potential it has for examiners. Got to share
how I used Portable on a case to handle a location with 4 examiners and 60+
computers, and we were done before dinner! Talked to many after the session
that were excited about using it at home.
Deserved Recognition
Lastly, I wanted to
give some recognition for a couple people from the Guidance Software team that
really make CEIC the conference that it is. The entire Guidance team works really
hard for this event, but these two really make it shine.
There is a technical
team that I am part of every year, and it is managed by Jamey Tubbs from the training
division. He puts in a ton of hours, before many of you even register for CEIC,
in working with the event team, hotel technical staff, and our computer rental
vendor. Our conference is unique from many others because of the large scale
labs with supplied computers, and it would not be the same without him.
Until you read from me again!
James Habben
Digital Forensic Notables and Top-flight Instructors On Tap at CEIC 2015
(This is Part 3 of a 3-part series on the all-new and enhanced digital forensics labs and lectures at CEIC 2015.)
The first post in this series talked about how we're expanding on the core competency of the EnCase community who converge on CEIC each year. The second post drilled down into the plethora and diversity of digital artifacts and showcased sessions designed to address these exploding challenges. In this final post, we present the marquee of acclaimed industry experts who will be on hand to teach new technologies and tools and share hard-earned insight from decades of experience in digital investigations.
- Posted by: Siemens
- On: 5/12/2015
- Categories: Berla Corporation, CEIC, Magnet Forensics, Paraben, Passware, SANS
Learn to Expand on the Value of EnCase at CEIC 2015 with EnScripts and Third-Party Apps
This year at CEIC®, we’re committing more training and trainer resources than ever before to help you boost the benefits of EnCase® in your company’s deployment.
Our goal is to show you the brawn behind power EnCase users and apps, and by learning more about the EnScript® language, help you get to that same level.
With an expanded conference track called EnCase Apps and Integrations, we’ve added 12 sessions that will showcase some of the most dynamic apps developed by EnCase forensic investigators that are easy for you to integrate. We’re also boosting the App World booth hosted by EnScript gurus from Guidance Software and developers from the EnCase community, so you’ve got more experts close at hand during all hours of the conference day.
- Posted by: Siemens
- On: 5/07/2015
- Categories: Belkasoft Evidence Center, CEIC, EnCase App Central, IEF, Python, ThreatGRID, WetStone
The Good, the Bad, and the Diverse: Gain More Visibility into the Growing Diversity of Devices, OS’s and Artifacts
(This is Part 2 of a 3-part series on the all-new and enhanced digital forensics labs and lectures at CEIC® 2015. Read Part 1 here.)
We want to remind you that the hands-on labs fill up fast, as 70 percent of attendees say that labs are the number one reason they attend CEIC. So, click here to register now.
One of the biggest challenges for investigators today is not only the number of devices or the amount of data (the average hard drive has just crossed the 1TB threshold), but the number and diversity of applications and artifacts that are on a system.
Frankly, we feel your pain. We know there’s no single tool that investigators can rely on to support all applications, browsers, and file systems. We get it when practitioners tell us they require a larger toolbox and deeper skill set to support the overwhelming challenges in digital investigations.
Guidance Software uses CEIC to bring together all of the speakers with their tools and apps that integrate with EnCase and provide you with better visibility into systems, applications and artifacts.
There are four tracks that focus on digital investigations:
- Digital Forensics Labs
- Advanced Digital Forensics Labs
- Topics in Digital Forensics
- Mobile Devices and Cloud Investigations
You can view the agenda here to read session descriptions and speaker bios on the 44 lab, lecture, and panel sessions that focus on digital forensics. You can also get a sneak preview on a few of the hands-on lab topics that are sure to warrant a packed room, such as the ones we've highlighted here below.
Digital Forensics Session Highlight: File System Journaling Forensics
David Cowen and Matthew Seyer of G-C Partners, LLC, will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. You will learn:
- What data is stored by your file systems?
- How to gather the data using EnCase.
- How to use a free parser to understand the data.
Digital Forensics Session Highlight: Vehicle Systems Forensics
Ben LeMere, CEO of Berla Corporation, is back by popular demand this year. We know students of vehicle forensics will be glad to hear that you'll be able to get your hands on the data stored in several different infotainment and telematics systems in his practical, hands-on lab session. Vehicle Infotainment and Telematics systems store a vast amount of data such as recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been. This information is not easily retrievable and is typically stored in several different systems within a vehicle not traditionally associated with event data. This is cutting-edge technology that is quickly becoming more pervasive in the field of investigations.
Digital Forensics Session Highlight: Windows ShellBag Forensics in Depth
Vincent Lo, Digital Forensics and Incident Response Investigator, knows that interpreting ShellBag behavior is a challenging task for “forensicators.” The problem of identifying when and which folders a user accessed arises often, and investigators attempt to search for them in the ShellBag information because it may contain registry keys indicating which folders the user accessed previously. Their timestamps may demonstrate when they were accessed. Nevertheless, a lot of activities can create/update the timestamps. That’s why you won’t want to miss this hands-on lab, where you’ll understand the details of ShellBag information, review various activities across Windows operating systems and learn how to interpret it correctly.
If it wasn’t obvious before this blog, now it should be loud and clear: this year’s sessions on digital forensics pull no punches when it comes to providing more visibility to the good, the bad, and the sometimes very ugly and diverse applications and artifacts you face every day.
Stay tuned for Part 3 of this blog topic on digital forensics, where we’ll shed light on the caliber of speakers we’re bringing in to teach these sessions mentioned here. We're confident that these are experts whom you know and trust.
In the meantime, be sure to visit the CEIC website for information on the current event agenda, registration information, sponsor and exhibitor opportunities, and to register now. Also, be sure to follow us on Facebook, Twitter, and LinkedIn for the latest CEIC buzz and conversation.
CEIC Sessions on Digital Forensics Deliver on the EnCase Community's Core Competency
(This is part 1 of a three-part series on the all-new, enhanced digital forensics labs and lectures at CEIC 2015.)
Our conversations at CEIC usually dwell on how best to uncover data that will provide evidence to prove a wrongdoing. Today that data and those artifacts are found amongst hundreds of thousands of files on a target system. Only through tens of thousands of investigations by the EnCase community over 18 years and through the application of your hard-won expertise are we able to design a curriculum that serves your most vital needs.
The DNA of CEIC: 18 Years of Digital Forensics Leadership at One Event
Best-in-class digital forensics technology and best-in-class investigators come together at CEIC. Together, we've built a proud heritage, and we're pleased that thousands of you will travel from many parts of the world to attend CEIC 2015 with us.
CEIC 2015: New EnCase Basics Track Shortens Your Learning Curve
Let's talk a little bit about basic training. Nothing is more critical to the success of your EnCase® implementation than the buy-in and performance of the people who use it. After all, if your IT, security, or litigation support specialists fail to successfully learn the software, you can't truly maximize your organization's investment.
If you're one of our newer customers, our new EnCase Basics track at CEIC 2015 makes perfect sense. With four days of focused training and over 1,400 professional peers and experts, CEIC can help you or other new EnCase users in your organization gear up to address new challenges head-on.
Build New Skills while Rubbing Shoulders with the Industry’s Brightest at CEIC 2015
This year, when the best minds in security and digital forensics converge at CEIC May 18-21, 2015, you have an unprecedented opportunity to gain skills and knowledge on real solutions to your biggest data-related challenges, as well as to collaborate with like-minded professionals who bring to CEIC plenty of war stories not unlike your own.
We’re excited to feature this year’s “EnCase in Action” conference track in today’s blog. We worked hard to pack it with sessions that will put real-world context around some of the EnCase capabilities you've heard so much about.
CEIC 2014 / EnCE Myth Busted
Thank the interwebs for making what was once old new again. Earlier this week, denizens of the #DFIR hashtag on Twitter dredged up an old blog post from May 2014 about CEIC 2014.
At the risk of provoking the Streisand effect, I'd like to offer a contrasting perspective on what I can only describe as an emerging conspiracy theory. Let's walk while we talk (in case someone is listening...).
CEIC 2014: The Car of the Future May be a Forensic Gold Mine
Move over KITT, it looks like you have some competition.
Automotive leaders like Chrysler, Ford, BMW and General Motors are investing in technology that incorporates text-to-voice solutions, enabling drivers to check email and text messages as they drive. With Ford SYNC, drivers can make hands-free phone calls, control their music and more with voice commands.
In his session on vehicle forensics at CEIC 2014, Berla Corporation CEO Ben LeMere discussed new and emerging technologies that are being adopted by automobile companies. These companies are now developing vehicles that create an experience to entertain and inform drivers and passengers while also facilitating voice and data communications on the road.
Suzanne Widup: The 2014 Verizon DBIR, a New EnCase v7 Book, and a Two-Part Webinar Series
How do you define an EnCase expert? Having worked on over 400 forensic, e-discovery, and information security cases, Suzanne Widup fits our definition. President and founder of the Digital Forensic Association and a senior analyst on the Verizon RISK Team, she will be joining us at CEIC this month to present a session on “2014 Verizon Data Breach Investigations Report (DBIR) Lessons Learned”–the seventh Verizon DBIR report and the latest in a series released annually that many incident response and information security professionals look forward to reviewing each year.
The 2014 DBIR revealed, among many insights, that although cybercriminals can bypass an organization's security within days, it takes months before malware is detected. Guidance Software contributed to the DBIR and invited Verizon to present highlights of the report at CEIC.
Announcing our CEIC Caption Contest Winner
Congratulations to Paul Webel from Vestige. His caption won our caption contest by a landslide! Thank you to all who participated. Your captions generated quite a few chuckles around Guidance Software.
Again, congratulations to Paul!
CEIC Caption Contest
Submit your caption for this cartoon! The caption with the most votes will win an Apple iPad! Winner will be announced June 10, 2013. Be original and have fun! Enter on our Facebook page.
Attendance at CEIC is not required to participate so join in!
The Road to CEIC 2013: EnCase in Action!
The “Road to CEIC 2013” is a series of blog posts on all things CEIC, before, during, and after, from an insider’s point of view.
The final agenda for @CEIC_Conf #CEIC was just released. Some breaking news: Guidance Software will unveil and describe in-depth EnCase® Analytics, our new security intelligence product employing big data analytics. EnCase Analytics empowers customers to find and expose cyber-threats hiding behind complex relationships in the wealth of data that exists within the sum of all endpoints of an enterprise. Presentations and demonstrations about EnCase Analytics will be available throughout the conference. I have been looking forward to this big announcement for months, and I will be creating the EnCase OnDemand training for EnCase Analytics this summer.
The Road to CEIC 2013 – Digital Forensic Lab Focuses on Automation
The “Road to CEIC 2013” is a series of blog posts on all things CEIC, before, during, and after, from an insider’s point of view.
For each release of EnCase®, I re-write the free EnCase Essentials course manual, a resource for getting started with EnCase® products. The past few weeks, I’ve had the opportunity to alpha and beta test the upcoming EnCase® Forensic v7.07 software while working on the manual update. As part of the beta testing, I have had the chance to work with the development team and Ken Mizota, product manager, who is dedicated to making EnCase Forensic more efficient and easier to use and to incorporating new forensic features.
EnCase v6 to v7 CEIC Session Recap
It is hard to believe CEIC 2012 was almost two months ago. Since CEIC we have been hard at work on EnCase; in fact, we recently released an update to v7, v7.04.1. If you did not receive the email notification about this release, you can request the software download links by registering your dongle. Look for another great update to v7 coming in the fall, v7.05.