Find Out What We’ve Got Lined Up for #MVS2021

Our full agenda is available for you to view. Every presentation will also feature a Q&A and Discord activity — so be sure to join us live to get the most out of every session.

MVS21 AGENDA

Discover What You’ll Learn at MVS2021

May 03
TYPE: Hands-on Lab
THEME: Cloud, Criminal Investigations
TIME: 09:00 EDT

Law Enforcement and the Cloud “Now Data versus Then Data”

Larry McClain

In this Hands-on Lab:

A common response when talking to Law Enforcement officers and staff often shows that there is a distinct lack of understanding as to the amount of evidence that can be found on the Cloud. It usually starts with an unwillingness to consider what authority is needed to obtain that evidence, and, with policies and procedures differing from Country to Country, Agency to Agency, and Police Force to Police Service, it can often be confusing and difficult. It is however essential that this “Forgotten” or “Missed” data is taken into consideration.

We have seen the amalgamation of Mobile Phone devices and Computer devices become more and more prevalent within the LE Community. What about adding in Cloud Data too? From OSINT data, public tweets and Instagram, not to mention access with credentials and warrant returns, this data is essential in modern LE. It is only going to increase in importance with the onset of large data being accessible via mobile devices, 5G and beyond.

What is the future for traditional computer dead box forensics? How many computers do you have in your home today compared with 5 years ago? There needs to be a tool to bring all this evidential data together: OSINT, Cloud Services data, Mobile devices and Computers. This is where AXIOM comes in. In respect of Cloud data, AXIOM can add Open Source Data, Credential downloads and Warrant return Data into a single case file showing connections between people, places and data. Let’s be honest, how many of us would bother with our devices if there was no internet connection? The mix of data shows a far fuller picture of lifestyle and activities. With Cloud data we are dealing with “Now Data”; with seized Computers and Mobiles it is often “Then Data”. Why not have all of it …

This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.

May 03
TYPE: Hands-on Lab
THEME: Cloud, Computer, Mobile
TIME: 13:00 EDT

Magnet AXIOM Tips & Tricks

Erich Schmidt

In this Hands-on Lab:

New to Magnet Forensics, or an IEF user who recently upgraded to AXIOM? Come to this lab to learn about AXIOM’s support for artifacts from multiple evidence sources including cloud, smartphones, memory, and computers. We’ll be navigating through the different Examine views and will learn how AXIOM leverages machine learning for examinations. We’ll also discuss how Connections in AXIOM connects files and users along a path of evidence. Learn how to build strong timelines using artifacts from many data sources which could be relevant to your case. Finally, learn about AXIOM’s flexible reporting options for sharing your findings with your stakeholders.

This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.

May 03
TYPE: Hands-on Lab
THEME: Computer, Corporate Investigations
TIME: 16:00 EDT

macOS/APFS Examinations with AXIOM

Hoyt Harness

In this Hands-on Lab:

In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.

This course is perfect for those who use Windows workstations to examine Macintosh evidence and do not want to miss Mac-exclusive artifacts.

This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.

May 04
TYPE: Lecture
THEME: Computer
TIME: 09:00 EDT

Leveraging AXIOM to assist in the decrypting of BitLocker and FileVault2 encrypted volumes

Dave Shaver

In this Lecture:

Learn from Dave Shaver, Senior Digital Forensic Analyst, the methodology to assist you in decrypting a forensic image of an encrypted volume (BitLocker or FileVault2).

May 04
TYPE: Featured Lecture
THEME: Magnet Forensics Product Lecture
TIME: 10:00 EDT

MVS Welcome and Feature Presentation

Geoff MacGillivray, Jad Saliba

In this Featured Lecture:

Join Jad Saliba, Magnet Forensics Founder & CTO and Geoff MacGillivray, Vice President of Product Management, as they kick off Magnet Virtual Summit 2021 with a feature presentation.

May 04
TYPE: Lecture
THEME: Corporate Investigations
TIME: 14:00 EDT

DFIR’s Role in Global Elections

Stephen Boyce

In this Lecture:

For years, there was a disconnect between the security research community and election technology manufacturers. In recent times, the two have opened dialogue and begun working with each other, but what role does the Digital Forensic & Incident Response (DFIR) community play? This presentation will address DFIR’s role in securing global elections by examining cyber-attacks on electoral systems.

May 04
TYPE: Lecture
THEME: Cloud, Computer
TIME: 15:00 EDT

CMD42 Lock: Bypassing Embedded System Security for Forensic Data Acquisition.

Gareth Davies

In this Lecture:

Security of digital data is of paramount importance to individual security and national security. The ability to access protected or deleted data from embedded systems memory puts the security of sensitive data at risk. This talk will demonstrate the bleeding-edge of what is possible in overcoming embedded hardware security in the most common forms of NAND flash storage.

A case study will be presented on a mobile digital device that we commonly use to store sensitive data relating to our daily lives that isn’t a Smart Phone!

The presentation will include elements of:

  • Embedded Memory Types & Hardware Security
  • NAND Memory Interface and Internal Structure
  • Physical Image Extraction
  • Data Reconstruction Obstacles and Challenges
  • Reverse Operations
  • Logical Image Reconstruction Process
  • Uncommon Filesystem Analysis
  • SQL Scraping
  • Data Stored on Modern Vehicles (inc. Recovered Protected Data)

May 04
TYPE: Lecture
THEME: Computer
TIME: 16:00 EDT

Hang on! That’s not SQLite! Chrome, Electron and LevelDB

Alex Caithness

In this Lecture:

SQLite has become a ubiquitous data storage format for digital forensic practitioners to consider. First popularised by smartphone platforms, it now forms part of almost every investigation in one form or another. SQLite’s ubiquity was built upon the growing market share of the platforms that used it extensively, so it’s interesting to ask the question: what’s the next platform, and what’s the next data format?

May 05
TYPE: Featured Lecture
THEME: Corporate Investigations
TIME: 11:00 EDT

Liberators of the Just: How the Forensicator Plays a Special Role in Social Justice

Matt Mitchell

In this Featured Lecture:

Join one of our featured speakers, Matt Mitchell, as he walks through how forensics impacts social justice. Known for his impressive work with the Ford Foundation, CryptoHarlem and Tactical Tech – Matt Mitchell is not to be missed.

May 06
TYPE: Lecture
THEME: Cloud
TIME: 11:00 EDT

The Internet of Things (IoT) is now ubiquitous, but the analysis of IoT data is not...Yet.

Kenneth Oliver, Norman Rankis, Patrick Bland, Robert Fried, Warren Kruse

In this Lecture:

Join Warren Kruse, Robert Fried, and Kenneth Oliver from Consilio for a discussion on the potential relevance of IoT data to different corporate or civil case scenarios, and the potential need for obtaining discovery from, for example, internet-connected cameras; home automation systems; smart speakers, TVs, and refrigerators; and wearables.

This discussion will also touch on aspects of the industrial realm such as the challenge of IoT data generated in factories, warehouses, and pipelines, among other settings.

  • What is IoT?
  • Consumer IoT
  • Wearables
  • Digital Assistants
  • Smart Home devices (e.g. thermostats, light bulbs, doorbells, refrigerators)
  • Industrial IoT
  • Safety and maintenance monitoring
  • Supply Chain tracking and monitoring
  • Productivity tracking and monitoring
  • Unique IoT Challenges
  • Use in Civil cases
  • Preserving Data
  • Helping clients understand what IoT data they have
  • Who to send a preservation request to?
  • How to preserve?
  • Collecting Data
  • How to collect and from whom?
  • Possession, Custody, and Control
  • Consumer IoT – who owns the data? How and where is it stored?
  • Industrial IoT – cloud-based monitoring systems or manufacturer IoT or LEASED IoT equipment
  • Subpoenaing data from third parties
  • Different formats and potential need to convert the data for review

Assessing Accessibility, Relevance of IoT Data

  • Often less accessible, but also more ephemeral, more danger of spoliation
  • Is same data available from other, more easily accessible sources?
  • Is all IoT data relevant? Can it be “untwined” if it’s massive?

May 06
TYPE: Lecture
THEME: Corporate Investigations, Magnet Forensics Product Lecture
TIME: 13:00 EDT

Introducing AXIOM Cyber 5.0

Drew Roberts, Geoff MacGillivray

In this Lecture:

The next phase of AXIOM Cyber is coming: version 5.0!

Join Magnet Forensics’ Geoff MacGillivray, Vice President of Product Management and Drew Roberts, Sr. Product Manager, as they unveil the latest major release of AXIOM Cyber. Hear how Magnet Forensics has helped private sector organizations address their unique challenges with modern solutions including its artifacts-first approach. And be the first to see AXIOM Cyber 5.0 in action during a live demo of the latest features!

Since AXIOM Cyber’s official debut in January of 2019, we’ve ruthlessly and incrementally added functionality to help businesses address the unique digital forensics challenges that they have. Some of those highlights include:

  • Off-network collection – Reliable remote acquisition of endpoints not connected to the corporate network
  • Open source forensically sound container – Save remote collections to an AFF4-L container
  • Support for eDiscovery – Generate a load file—complete with OCR scans—that can be ingested into an eDisco review platform

Sign up and save your spot today to hear about what’s new with AXIOM Cyber!

May 06
TYPE: Lecture
THEME: Magnet Forensics Product Lecture
TIME: 13:00 EDT

Introducing Magnet AXIOM 5.0 

Curtis Mutter, Trey Amick

In this Lecture:

Join us as we unveil the next generation of Magnet AXIOM!

Magnet Forensics’ Sr. Product Manager Curtis Mutter and Trey Amick, Director of Forensic Consultants, will be on hand to share the latest innovations we’ve brought to Magnet AXIOM with version 5.0 to help streamline and strengthen your digital investigations.

Digital forensics examiners today face considerable challenges as data volumes and sources continue to grow in both size and complexity, and the need for solutions that can help quickly find, analyze, and report on the most relevant evidence required for an investigation is more critical than ever. Curtis and Trey will show how we’re continuing to help you stay ahead with Magnet AXIOM 5.0 and beyond by providing new ways to enhance your investigations, recover data from sources, and get to the evidence.

May 06
TYPE: Lecture
THEME: Cloud, Corporate Investigations
TIME: 14:00 EDT

Forensic Considerations for Cloud Storage Data

Jamie McQuaid

In this Lecture:

Do you have a response plan for dealing with data stored in the cloud? Do you have the necessary accounts, access, logging, and knowledge on what to do if you need to collect evidence stored in AWS, Azure, or another provider or service? Maybe your organization has fully shifted to a cloud-first approach or perhaps it’s still thinking about it (likely somewhere in the middle), but understanding and preparing for that time is best done beforehand and not during an incident. Does it make sense to preserve and download all the relevant data and conduct your investigation completely on-premise, or is there a time where you may want to do your analysis in the cloud? Your answer is likely somewhere in the middle for that as well.

In this talk, Jamie McQuaid will detail the various sources of evidence that may reside in the cloud, the prerequisites needed to access it, and discuss the best ways to collect and analyze that data to ensure integrity is maintained and you get all the relevant data you need for your investigation. The focus will be on data sources stored in AWS and Azure but we will also call out situations where cloud data may need to be collected elsewhere as well. As with anything in DFIR, there isn’t always one answer that fits every situation so we’ll discuss several options and will likely say “it depends” a lot.

May 06
TYPE: Lecture
THEME: Computer
TIME: 15:00 EDT

The AFF4 Evidence Container: Why and what’s next?

Bradley Schatz

In this Lecture:

In recent times the next-generation evidence file format, AFF4, has transitioned from niche to broad support across the forensic tool ecosystem. Targeted at intermediate examiners, this presentation will provide an introduction to new users of the format, allowing one to understand the format’s advantages, how it differs from existing approaches, independently assess its forensic soundness in comparison to existing formats, and identify where current forensic workflows might benefit. It will also examine where the format is headed next in solving emerging challenges such as logical acquisition.

May 06
TYPE: Lecture
THEME: Corporate Investigations
TIME: 16:00 EDT

Big Game Hunting from a Forensic Point of View

Oleg Skulkin

In this Lecture:

Ransomware attacks on huge enterprises, also known as Big Game Hunting, were the hottest topic in 2020. As it is impossible to image every drive you want during incident response engagements, it’s extremely important for forensic analysts to know which sources of artifacts are the most important for attack reconstruction, as well as what to look for during such investigations. This talk will shed light on the most common techniques used by adversaries during such attacks, and which forensic artifacts to look at to successfully uncover them.

May 10
TYPE: Hands-on Lab
THEME: Criminal Investigations
TIME: 09:00 EDT

Time To Evidence: Improve Your ICAC Investigations with AI, Media Categorization, Cloud, OUTRIDER and More

Larry McClain

In this Hands-on Lab:

Pictures, videos, and chats can all be key pieces of evidence in building cases for possession, distribution, and/or production of child sexual abuse material (CSAM), solicitation of a minor, and related crimes. However, these data quantities can range well into terabytes as investigators evaluate the evidence across multiple cases. In this lab, learn how key features in Magnet AXIOM, including Magnet.AI, categorization, Child Protection System integration, and Officer wellness features, work together to save time, reduce exposure to harmful content, and focus case-building to apprehend predators and rescue child victims. We will also take a look at Magnet’s OUTRIDER and what it can do for your investigations.

This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.

May 10
TYPE: Hands-on Lab
THEME: Cloud, Corporate Investigations
TIME: 13:00 EDT

AXIOM Cyber and the Corporate Cloud

Chris Vance

In this Hands-on Lab:

This session will explore the major cloud structures in many modern corporations including O365, AWS, Slack, and more. Throughout this lab, students will learn about AXIOM Cyber’s different functionality through acquisition and analysis of several cloud platforms including what new information may be available in the latest versions. This lab will also include several pre-acquired image files so that students can see what information will be available once it is all pulled down.

This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.

May 10
TYPE: Hands-on Lab
THEME: Computer, Criminal Investigations
TIME: 16:00 EDT

macOS/APFS Examinations with AXIOM

Hoyt Harness

In this Hands-on Lab:

In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.

This course is perfect for those who use Windows workstations to examine Macintosh evidence and do not want to miss Mac-exclusive artifacts.

This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.

May 11
TYPE: Lecture
THEME: Lab Management, Magnet Forensics Product Lecture
TIME: 10:00 EDT

How to Solve Today’s Evidence Review Challenges with Magnet REVIEW

Cody Bryant, Craig Guymon

In this Lecture:

Evidence review has often been plagued with hurdles regardless of the agency’s size, location, or budget. Some of these challenges include shipping evidence which can be costly and may introduce security risks, requiring investigators to travel to the lab to review evidence on workstations, training investigators on multiple tools, and now (more than ever) enabling remote work as pandemic restrictions limit access to the lab. That’s why we’ve built Magnet REVIEW, a single web-based platform purpose-built for non-technical investigators to securely review evidence from anywhere with an internet connection. Overcoming these challenges with a centralized platform like REVIEW enables teams to get to the truth quickly, without being limited by physical distance or technical tools, all while reducing evidence distribution costs and improving overall security posture.

Join Cody Bryant, Director, Product Management, and Craig Guymon, Director of Solution Consulting, to learn why and how we built Magnet REVIEW for the non-technical investigator, see a live demo of REVIEW’s intuitive interface, and learn how to enable teams of non-technical investigators to review evidence from anywhere.

May 11
TYPE: Lecture
THEME: Cloud, Criminal Investigations
TIME: 13:00 EDT

Finding Evidence of Cloud Data ‘Footprints’ in Existing Evidence

Tim Moniot

In this Lecture:

Cloud data has quickly become the new frontier in DFIR. More and more data is being stored in the Cloud by the various cloud storage, cloud communication, social networking, and mobile computing platforms. Join Tim Moniot from Magnet Forensics during this discussion and demonstration of how you can begin identifying evidence of cloud platform usage as a component related to your investigations. Once it has been identified that Cloud data is related to an investigation, Tim will discuss options for gaining access to and subsequently collecting relevant Cloud source data so that it too can be analyzed within AXIOM. This presentation will be relevant to both law enforcement and corporate DFIR professionals.

May 11
TYPE: Lecture
THEME: Cloud, Corporate Investigations
TIME: 13:00 EDT

Enhancing Digital Investigations using Cloud and Endpoint Collections

Rhys Tooby

In this Lecture:

The complexity of digital investigations and the increasing volume of data require an enhanced approach to your digital investigations, so that you can better serve your customers without increasing headcount or requiring drastic investments in new digital forensic equipment.

In this session Rhys Tooby, Solutions Consultant at Magnet Forensics, will perform covert remote collection of Windows and macOS devices with an ad hoc agent and you’ll learn how to perform advanced cloud acquisition from Office 365, G Suite, Box, AWS S3, EC2 and Azure virtual machines.

May 11
TYPE: Lecture
THEME: Corporate Investigations
TIME: 14:00 EDT

If we do not have it we should build it (Forensic Readiness in Application Security)

Veronica Schmitt

In this Lecture:

The design of life-saving software plays a vital role in the Medical Manufacturing industry. The way in which medical devices are being revolutionized is staggering and breathtaking, but it hasn’t necessarily resulted in a corresponding revolution in how these devices are built. With the advancement and evolution of research into chronic illness, newer, more advanced methods are found to treat these chronic illnesses more effectively. Medical technologies can be defined as products, services, or solutions which are used to improve and prolong life. Statistics from 2019 showed that more than 500,000 medical technologies, such as implantable devices, patient monitors, and robotic surgery aids, are available to hospitals and patients. The medical device industry is poised for a steady increase in growth, with a global forecasted annual sales growth of over 5% a year, and is estimated to reach 800 Billion US dollars by 2023. The question is how prepared we are to deal with medical device forensics and, additionally, how mature the data on these devices is. This talk focuses on the frustrations that Veronica has faced as a patient, hacker, and forensicator in realizing that forensic readiness should be built into these devices, as they currently contain little to no forensic value. When nothing goes right, go left. Influencing the way the devices are built and the developers that build them has shown an increase in the forensic readiness of devices. We need to create a team of Forensic Developers to enable future forensicators to have success in dealing with breaches on these devices.

May 11
TYPE: Lecture
THEME: Computer, Corporate Investigations, Criminal Investigations
TIME: 15:00 EDT

Countering the USBKill Switch

Ali Hadi

In this Lecture:

The USBKill switch is software that was created to respond when a computer system falls into the hands of law enforcement, bullies, or individuals who might steal it from its user while they are working in a public place. It is well known as anti-forensics kill-switch software that can be configured to power off a system, but it can also take other actions, such as deleting files from the system.

This research is an attempt to counter the USBKill switch by sharing how it works, what artifacts can be found, and how investigators and incident responders can counter systems that are configured to use it.

May 11
TYPE: Lecture
THEME: Lab Management
TIME: 16:00 EDT

How much can we automate in digital investigation?

Joshua James

In this Lecture:

Join Dr. Joshua James, Digital Forensic Consultant, to learn how automation is currently used in digital investigations and what limits there are to current automation methods. He will explain the state of the art on technical automation as well as applied, automated reasoning. He will conclude his presentation by formalizing automated reasoning in digital investigations and making explicit the challenges to completely automating a digital investigation process.

May 12
TYPE: Featured Lecture
THEME: Criminal Investigations
TIME: 11:00 EDT

A Fireside Chat With Brian Krebs

Brian Krebs

In this Featured Lecture:

Join us for a fireside chat with American journalist and investigative reporter, Brian Krebs. This will be a unique opportunity to talk to Brian live about his insights on cybercrime prevention and detection.

May 12
TYPE: Special Event
TIME: 16:00 EDT

MVS 2021 Capture the Flag Challenge

In this Special Event:

Magnet Forensics is excited to bring you their 4th annual CTF! This CTF will be a 3-hour timed event to test your skills and learn while competing with others from around the world to win prizes. This CTF promises to introduce an entirely new image set and scenario with different data sources than have been presented in other Magnet Virtual Summit CTFs. We don’t want to give away too much, but we promise that Jessica Hyde, Director of Forensics, and students from the Champlain College Digital Forensics Association have created a challenge that will be fun, frustrating, and full of learning opportunities.

May 13
TYPE: Lecture
THEME: Criminal Investigations
TIME: 09:00 EDT

Officer Wellness: Prioritising your Personal Mental Health and Wellness in IIoC investigations

Elizabeth Strong

In this Lecture:

Persistent exposure to Indecent Images of Children (IIoC) can take its toll on Examiners and Investigators leading to trauma, stress, burnout, and more. Rhys Tooby, Magnet Solutions Consultant, will share his experience of addressing mental wellness during his career as an Examiner and Head of a Digital Forensics Unit in the South Wales UK Police force. Rhys will be joined by Elizabeth Strong, Program Manager for Wellness/Mental Health Initiatives at the National White Collar Crime Center (NW3C). Join this informal discussion as Elizabeth answers questions from Rhys, as she explains the brain and body science behind stress and provides helpful coping mechanisms for dealing with IIoC exposure.

May 13
TYPE: Lecture
THEME: Cloud, Criminal Investigations
TIME: 10:00 EDT

Enhancing Digital Investigations with Cloud-based Evidence

Doug Gartner, Matt Melton

In this Lecture:

The cloud can be your best friend in conducting digital investigations. Increasing volumes of digital evidence, budget constraints and talent shortages can make it difficult for your lab to keep up with demand. The cloud provides practically unlimited storage capability, computing power, and tools to ensure that your data remains secure and protected. We will discuss how the cloud enables an enhanced approach to digital investigations so that you can better serve your agency, without increasing headcount or drastic investments in new forensic equipment. Join us as we discuss the challenges and solutions enabling digital forensics labs today.

May 13
TYPE: Lecture
THEME: Computer
TIME: 11:00 EDT

Add “Protobuf Expert” to your examiner’s resume

Mike Williamson

In this Lecture:

It’s night shift, you’re staring at your hex editor and staring back at you is your forensic arch-nemesis: a protobuf-encoded blob. You’ve heard the horror stories, and maybe even battled with one previously. Looking at it now, there’s no doubt about it though: these things are just plain unintelligible.

And yet, you won’t do digital forensics for long without encountering it. Clearly, to be so popular it must have its merits. Why else would app developers far and wide be increasingly convinced to implement the tech over something far easier to work with, like JSON? Computers are so fast that a minor increase in parsing performance doesn’t explain such widespread adoption. Serving as a source of consternation for digital forensic examiners is another humorous possibility, but that’s not it either.

In this technical session, we will attempt to answer this question and more, with topics including:

  • examining the problems protobuf can actually solve from a developer’s perspective (as compared to JSON, XML, etc.) and an end-to-end demonstration
  • an overview of various tools you can use to interpret them, common pitfalls, and key things to understand
  • reverse engineering techniques (including dynamic analysis with Frida) that can be used to achieve increased understanding of a particularly complex object.

May 13
TYPE: Lecture
THEME: Cloud, Computer, Mobile
TIME: 13:00 EDT

Integration and Validation of Third Party Tool Outputs Within AXIOM

Alexis Brignoni

In this Lecture:

A single wrench a toolset does not make. By leveraging multiple tools we can enrich our investigations in two major ways:
1) Bring new insights and unique tool capabilities to the forefront.
2) Make sure overlapping analysis between tools is consistent.

AXIOM provides multiple ways to easily achieve these goals in one place providing unified analysis and reporting capabilities. Testing and validation in one place. Come and learn how.

May 13
TYPE: Lecture
THEME: Criminal Investigations, Mobile
TIME: 14:00 EDT

The Order of Things – Timeline Analysis of a Complex Investigation

Matthew Sorell

In this Lecture:

This case study looks at the importance of validation of timelines and log processes in a complex investigation. It is concerned with piecing together the activities of a person of interest.

The case study will consider extractable logs from an iPhone 5c circa late 2016, billing records in which shortcuts have been made in billing mediation, a phone with a manually modified clock, a massive thunderstorm and state-wide blackout, suspicious gaps in the record, and anomalous records after securement of the scene.

The case study is real, presented with sanitised data. It demonstrates the importance of understanding the big picture of a complex telecommunications system – the links between data sources and the subtleties of their compilation.

May 13
TYPE: Lecture
THEME: Mobile
TIME: 15:00 EDT

Digital Evidence from Social Networking Sites & Smartphone Apps

Julie Lewis

In this Lecture:

According to Statista.com in 2019, the global social penetration rate reached 45 percent, with East Asia and North America both having the highest penetration rate at 70 percent, followed by Northern Europe at 67 percent. Mobile device usage for social media has increased to 91% of social channel accesses in 2018 according to Marketing Profs. Many technology thought leaders believe social networking will displace traditional email as the leading communication medium. This presentation will provide a practical walkthrough of preservation of top social media sites and how to effectively utilize tools for evidentiary collection across the Web, PCs/desktops and smart devices. It will look at social media apps on smartphones and what digital evidence exists compared to what can be found on the cloud. It will also explore innovations in emoji/avatar Apps such as Bitmoji.

May 13
TYPE: Lecture
THEME: Criminal Investigations
TIME: 16:00 EDT

Officer Wellness: Prioritising your Personal Mental Health and Wellness in IIoC investigations

Elizabeth Strong

In this Lecture:

Persistent exposure to Indecent Images of Children (IIoC) can take its toll on Examiners and Investigators leading to trauma, stress, burnout, and more. Rhys Tooby, Magnet Solutions Consultant, will share his experience of addressing mental wellness during his career as an Examiner and Head of a Digital Forensics Unit in the South Wales UK Police force. Rhys will be joined by Elizabeth Strong, Program Manager for Wellness/Mental Health Initiatives at the National White Collar Crime Center (NW3C). Join this informal discussion as Elizabeth answers questions from Rhys, as she explains the brain and body science behind stress and provides helpful coping mechanisms for dealing with IIoC exposure.

May 17
TYPE: Hands-on Lab
THEME: Cloud, Computer, Mobile
TIME: 09:00 EDT

Magnet AXIOM Tips & Tricks

Justin Almanza

In this Hands-on Lab:

New to Magnet Forensics, or an IEF user who recently upgraded to AXIOM? Come to this lab to learn about AXIOM’s support for artifacts from multiple evidence sources including cloud, smartphones, memory, and computers. We’ll be navigating through the different Examine views and will learn how AXIOM leverages machine learning for examinations. We’ll also discuss how Connections in AXIOM connects files and users along a path of evidence. Learn how to build strong timelines using artifacts from many data sources which could be relevant to your case. Finally, learn about AXIOM’s flexible reporting options for sharing your findings with your stakeholders.

This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

17

TYPE

Hands-on Lab

THEME

Cloud

Criminal Investigations

TIME

13:00 EDT

Law Enforcement and the Cloud “Now Data versus Then Data”

Larry McClain

In this Hands-on Lab:

A common response when talking to Law Enforcement officers and staff often shows that there is a distinct lack of understanding as to the amount of evidence that can be found on the Cloud. It usually starts with an unwillingness to consider what authority is needed to obtain that evidence, and, with policies and procedures differing from Country to Country, Agency to Agency, and Police Force to Police Service, it can often be confusing and difficult. It is however essential that this “Forgotten” or “Missed” data is taken into consideration.

We have seen the amalgamation of Mobile Phone devices and Computer devices become more and more prevalent within the LE Community. What about adding in Cloud Data too? From OSINT data, public tweets and Instagram, not to mention access with credentials and warrant returns, this data is essential in modern LE. It is only going to increase in importance with the onset of large data being accessible via mobile devices, 5G and beyond.

What is the future for traditional computer dead box forensics? How many computers do you have in your home today compared with 5 years ago? There needs to be a tool to bring all this evidential data together: OSINT, Cloud Services data, Mobile devices and Computers. This is where AXIOM comes in. In respect of Cloud data, AXIOM can add Open Source Data, Credential downloads and Warrant return Data into a single case file showing connections between people, places and data. Let’s be honest, how many of us would bother with our devices if there was no internet connection? The mix of data shows a far fuller picture of lifestyle and activities. With Cloud data we are dealing with “Now Data”; with seized Computers and Mobiles it is often “Then Data”. Why not have all of it …

This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

17

TYPE

Hands-on Lab

THEME

Computer

Corporate Investigations

TIME

16:00 EDT

macOS/APFS Examinations with AXIOM

Hoyt Harness

In this Hands-on Lab:

In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.

This course is perfect for those who use Windows workstations to examine Macintosh evidence and do not want to miss Mac-exclusive artifacts.

This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

18

TYPE

Lecture

THEME

Lab Management

Magnet Forensics Product Lecture

TIME

09:00 EDT

New Approaches to Digital Forensics Investigations

Geoff MacGillivray

In this Lecture:

The global pandemic accelerated workplace shifts towards new ways of working, many involving online work and new technologies. Law Enforcement Agencies and Digital Forensic teams were already re-imagining new workflows to cope with rising digital evidence volumes. Like other sectors, the pandemic has accelerated this re-imagining and leading agencies are using a combination of technology and process change to realize greater efficiencies.

Join Geoff MacGillivray, Vice President of Product Management at Magnet Forensics, to learn about Magnet’s vision for stronger investigations of digital data, securely and at scale. Hear how solutions such as Magnet AUTOMATE and Magnet REVIEW can help organizations to automate, manage and collaborate on investigations with speed, accuracy and transparency. Leave with an actionable path forward – for any-sized agency – to modernize your investigation of digital data and meet the needs of your agency today and tomorrow.


May

18

TYPE

Lecture

THEME

Computer

TIME

10:00 EDT

Add “Protobuf Expert” to your examiner’s resume

Mike Williamson

In this Lecture:

It’s night shift, you’re staring at your hex editor and staring back at you is your forensic arch-nemesis: a protobuf-encoded blob. You’ve heard the horror stories, and maybe even battled with one previously. Looking at it now, there’s no doubt about it though: these things are just plain unintelligible.

And yet, you won’t do digital forensics for long without encountering it. Clearly, to be so popular it must have its merits. Why else would app developers far and wide be increasingly convinced to implement the tech over something far easier to work with, like JSON? Computers are so fast that a minor increase in parsing performance doesn’t explain such widespread adoption. Serving as a source of consternation for digital forensic examiners is another humorous possibility, but that’s not it either.

In this technical session, we will attempt to answer this question and more, with topics including:

  • examining the problems protobuf can actually solve from a developer’s perspective (as compared to JSON, XML, etc.) and an end-to-end demonstration
  • an overview of various tools you can use to interpret them, common pitfalls, and key things to understand
  • reverse engineering techniques (including dynamic analysis with Frida) that can be used to achieve increased understanding of a particularly complex object.


May

18

TYPE

Lecture

THEME

Lab Management

Magnet Forensics Product Lecture

TIME

13:00 EDT

New Approaches to Digital Forensics Investigations

Geoff MacGillivray

In this Lecture:

The global pandemic accelerated workplace shifts towards new ways of working, many involving online work and new technologies. Law Enforcement Agencies and Digital Forensic teams were already re-imagining new workflows to cope with rising digital evidence volumes. Like other sectors, the pandemic has accelerated this re-imagining and leading agencies are using a combination of technology and process change to realize greater efficiencies.

Join Geoff MacGillivray, Vice President of Product Management at Magnet Forensics, to learn about Magnet’s vision for stronger investigations of digital data, securely and at scale. Hear how solutions such as Magnet AUTOMATE and Magnet REVIEW can help organizations to automate, manage and collaborate on investigations with speed, accuracy and transparency. Leave with an actionable path forward – for any-sized agency – to modernize your investigation of digital data and meet the needs of your agency today and tomorrow.


May

18

TYPE

Lecture

THEME

Lab Management

TIME

14:00 EDT

Automation in digital forensics – the good, the bad and the preconceptions

Aaron Sparling

In this Lecture:

Automation is not a new concept; it comes in numerous forms, some of which are already in use in almost every digital forensics lab in the DFIR community. But, are all forms of automation right for all types of cases? What will happen to the forensic examiner role if we introduce workflow automation? Will automation decrease the quality of digital investigations? Join Aaron Sparling, Officer, Investigations Branch, Digital Forensics Unit at the Portland Police Bureau, for a thought-provoking presentation where he challenges common preconceptions about automation in digital forensics, presents some of the real ways automation is successfully being used today and where lab managers and examiners might face issues.


May

18

TYPE

Lecture

THEME

Cloud

TIME

15:00 EDT

Tick Tock Ya Don’t Stop – Examining Google’s Wear OS

Josh Hickman

In this Lecture:

Google created the descendent of their wearables operating system, Wear OS, back in 2014, a full year before the arrival of the Apple Watch and watchOS. Since that time, several OEMs such as Fossil, Motorola, and Mobvoi have released multiple smart watches that run Wear OS, and Google has acquired FitBit, which could mean a push towards a Google-made smart watch similar to what it did with the Google Nexus and Pixel lines of phones. With that in mind, this presentation takes a look at what artifacts are available in Wear OS, including hardware information, recently launched applications, used watch faces and complications, location data, paired phone information, account information, and Google Assistant data. These artifacts will also be compared to what is available on the paired Android phone.


May

18

TYPE

Lecture

THEME

Cloud

TIME

16:00 EDT

No logs, no problem: Leveraging User Access Logging on Windows Server systems

Patrick Bennett

In this Lecture:

Not to be confused with Office 365’s Unified Audit Log, the User Access Logging (UAL) database is included with Server editions of Microsoft Windows starting with Windows Server 2012. Designed to provide system administrators with insight into service usage on Windows servers, it contains valuable forensic data which remains largely untapped by DFIR professionals. Among other things, the UAL database maintains a record of the types of services accessed on a server; the username associated with the access; and the source IP address from which the access occurred. With default settings, the UAL database retains this information for two years. The database is stored in the Extensible Storage Engine (ESE) format, and can be parsed offline or accessed from a live system via PowerShell cmdlets.


May

19

TYPE

Lecture

THEME

Mental Wellness & Mentorship

TIME

10:00 EDT

Paying it Forward: Mentorship in Digital Forensics

Jason Jordaan

In this Lecture:

Many of us in the field of digital forensics have been lucky to have a senior practitioner to look up to as we began our journey into digital forensics, and some of us have not. But regardless, the reality is that having a mentor to guide you as you gain your journey is a crucial part of knowledge transfer, and has been a key part of effective knowledge and skill transfer for centuries.

In this presentation we will explore the importance of mentorships in digital forensics in not only developing the next generation of digital forensic practitioners, but also enhancing the skills of existing practitioners. We will explore this from two perspectives. The first being how to be an effective mentor to a digital forensics practitioner, and the second, how to be an effective mentee.

The presentation will also explore various mentorship programs and equip you with the knowledge to set up your own mentorship programs, and how to find the correct mentor for you.


May

19

TYPE

Lecture

THEME

Mental Wellness & Mentorship

TIME

11:00 EDT

Easing the Path for Girls into STEM

Dr. Kimberly Clay

In this Lecture:

Play Like a Girl leverages the collective power of women athletes, coaches and executives to serve as role models and mentors to middle school girls with an interest in STEM.

This session will detail how Play Like a Girl uses its educational programs and strategic partnerships with hundreds of corporate volunteers to deliver a coordinated, multi-year program where middle school girls are exposed to practical lessons in leadership and engage in hands-on STEM education, all through the lens of a confidence-building curriculum.


May

19

TYPE

Lecture

THEME

Mental Wellness & Mentorship

TIME

12:00 EDT

How Being a Terrible Manager Has Led to Innovative Solutions for Digital Forensic Investigations

Mitch Kajzer

In this Lecture:

I am the Director of the St. Joseph County, IN Cyber Crimes Unit. The unit consists primarily of college students. We’ve all heard the horror stories about this generation of workers, which currently accounts for over 50% of the workforce. Among other things, they are entitled, lazy, unmotivated, disloyal, and selfish. Combine that with the fact that I am a terrible manager and it sounds like a recipe for disaster. But it hasn’t been. This model has led to innovative solutions to digital forensics investigations. We analyze over 700 devices a year. We haven’t had a case backlog in over four years. Our turnaround time is routinely same day. This talk will discuss a new paradigm in the workforce and our forensics lab. When I became the Cyber Crimes Director, I had no formal training or experience as a manager. So I bucked the conventional wisdom of management and decided not to manage at all. Instead, I took the approach of being a leader and mentor. What I’ve learned through leadership is that if you take care of the people taking care of the work, the people taking care of the work will excel beyond expectations. This simple concept that you manage things, but you lead people, will be discussed. Lessons from this talk can be applied by anyone in any industry to usher in a new era of the end of management and a focus on leadership at every level.


May

19

TYPE

Lecture

THEME

Mental Wellness & Mentorship

TIME

13:00 EDT

Cybersleuth Labs – Introducing High School Girls and Underrepresented Minorities to Digital Forensics

Daryl Pfeif

In this Lecture:

This talk will share the Cyber Sleuth Science Lab (CSSL) research findings on the effectiveness of combining ethical and social lessons with technical education to engage the next generation. CSSL is geared to reach all students in high school with an emphasis on engaging more young women and underrepresented youth in STEM. This approach leverages DFIR as a unique opportunity to inform learners about security and privacy issues and encourage responsible and ethical behavior in our digital society while preparing them for success in a variety of STEM career pathways.

In addition, this project built on the foundational work of the National Girls Collaborative Project and the FabFems network by encouraging learners to work with peers, near peers and interact with mentors and role models. In particular, Cyber Sleuth Science Lab showcases the variety of jobs in the DFIR and Cybersecurity industry by bringing experts across these domains into the classroom to discuss the unique ways this expertise is applied in their day-to-day work and to share more in-depth information about the individual pathways they took to get into the field.


May

20

TYPE

Lecture

THEME

Computer

TIME

09:00 EDT

GNU/Linux Examinations with AXIOM

Hoyt Harness

In this Lecture:

In this talk we will explore Magnet AXIOM’s features useful to the Linux examiner. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.

This session is perfect for those who use Windows workstations to examine Linux evidence and do not want to miss Linux/UNIX-exclusive artifacts.


May

20

TYPE

Lecture

THEME

Computer

TIME

11:00 EDT

Alternative Approaches to Windows Memory Analysis

Tarah Melton

In this Lecture:

Did you know that there are alternative techniques for Windows memory analysis? In this session, you’ll see how utilizing MemProcFS in conjunction with Magnet AXIOM can help to enrich your investigation with both a mounted logical file structure of memory output alongside carved artifacts from memory. Join Tarah Melton who will demonstrate these techniques and apply them to solving memory analysis questions.


May

20

TYPE

Lecture

THEME

Criminal Investigations

TIME

11:00 EDT

Conducting Android & iOS Investigations with Graykey & AXIOM: Finding Support for Unsupported Applications

David Smalley, Trey Amick

In this Lecture:

Device users are no longer relying on default applications to communicate, often migrating to 3rd party applications with additional features. Unfortunately, these same types of applications can be used by actors involved in criminal investigations to encrypt and obfuscate their activities.

In this webinar, join David and Trey, digital forensic experts from Grayshift and Magnet Forensics, for a hands-on deep dive into modern approaches to digital forensics that help enable you to achieve same-day results (often within hours), extract more data from locked and encrypted mobile devices, and get the most out of GrayKey + Magnet AXIOM. We’ll also review decryption methods for third party applications, securing critical evidence that is admissible and discoverable, and how to accelerate your investigations.

GrayKey labs are restricted to law enforcement and government attendees only. Please note that all submissions are being validated and approved by Grayshift. If you are approved, you will receive the joining details 24 hours before the session starts.


May

20

TYPE

Lecture

THEME

Cloud

TIME

13:00 EDT

Hiding in Plain Sight

Brian Moran, Jessica Hyde

In this Lecture:

With more devices having onboard storage capability than ever before, it is imperative that analysts work with investigators to ensure that every possible medium of digital storage is collected during the course of an investigation. “Traditional” mediums, such as hard drives, flash drives, tablets, cell phones, and multimedia cards, are straightforward and at the forefront of most investigations. However, one must also take into account items such as televisions, smart speakers, smart watches/fitness trackers, digital photo displays, and even exercise equipment, often referred to as the Internet of Things (IoT) devices.

This talk will cover both identifying these additional sources and a methodology to acquire and analyze these possible storage mechanisms during the course of an investigation. Brian and Jessica will also lay out baselines of a few “obscure” mediums for forensic analysts to be aware of during the course of their investigation.


May

20

TYPE

Lecture

THEME

Mobile

TIME

14:00 EDT

PinePhone forensics

Kathryn Hedley

In this Lecture:

The PinePhone is one of the first functioning open source smartphone projects to truly put the choice of operating system into the user’s hands. It has been designed to run the Linux operating system, and can be purchased with a number of smartphone-specific Linux variants pre-flashed, so the phone can be used out of the box. Whilst this device is still very much in the development phase, and not everything functions exactly as expected, just yet, it’s still fun to play with, and to try and work out what it might mean to a digital forensic investigation if one of these devices was seized as part of a case. Kathryn will talk through an introduction to the device, potential methods to acquire data, and where some key data may be stored based on my research so far.


May

20

TYPE

Lecture

THEME

Computer

TIME

15:00 EDT

GNU/Linux Examinations with AXIOM

Hoyt Harness

In this Lecture:

In this talk we will explore Magnet AXIOM’s features useful to the Linux examiner. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.

This session is perfect for those who use Windows workstations to examine Linux evidence and do not want to miss Linux/UNIX-exclusive artifacts.


May

20

TYPE

Lecture

THEME

Corporate Investigations

TIME

16:00 EDT

Introducing Network Forensics with Wireshark

Eduardo Santos

In this Lecture:

Join Eduardo Santos, Computer Network Analyst, for a demonstration on how powerful the Wireshark tool is for analysis during forensic investigations and incident response. You will learn how protocol concepts in the TCP/IP stack can support an investigation. This talk will also cover setting filters, creating different profiles, analyzing patterns and checking statistical data. In addition, Eduardo will discuss perceiving and analyzing recurring attacks on a computer network, such as DoS, malware traffic, malicious HTTP traffic, and Command and Control artifacts. These are attributes that make Wireshark a powerful Open Source traffic analysis tool, which can support a forensic investigation and security incident response process.


May

21

TYPE

Special Event

THEME

TIME

12:00 EDT

The Forensic Lunch

In this Special Event:

Join us for a live recording of the Forensic Lunch.


May

24

TYPE

Hands-on Lab

THEME

Cloud

Corporate Investigations

TIME

09:00 EDT

AXIOM Cyber and the Corporate Cloud

Chris Vance

In this Hands-on Lab:

This session will explore the major cloud structures in many modern corporations including O365, AWS, Slack, and more. Throughout this lab, students will learn about AXIOM Cyber’s different functionality through acquisition and analysis of several cloud platforms including what new information may be available in the latest versions. This lab will also include several pre-acquired image files so that students can see what information will be available once it is all pulled down.

This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

24

TYPE

Hands-on Lab

THEME

Cloud

Computer

Mobile

TIME

13:00 EDT

Magnet Forensics Custom Artifacts Lab

Jessica Hyde

In this Hands-on Lab:

In this lab we will show you how to extend your capabilities with Magnet AXIOM by utilizing and creating custom artifacts. In this hands-on lab we will learn how to create and install custom artifacts including custom artifacts from the Artifact Exchange or those shared within your organization. We will review multiple ways to create custom artifacts including using XML Templates, Python Custom Artifacts, and the Magnet Custom Artifact Generator. We will show how XML templates can be created for both SQLite Artifacts and Fragmented Artifacts. At the end of the session, attendees will know the techniques necessary to create their own custom artifacts and bring in custom artifacts created by others.

This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

24

TYPE

Hands-on Lab

THEME

Criminal Investigations

TIME

16:00 EDT

Time To Evidence: Improve Your ICAC Investigations with AI, Media Categorization, Cloud, OUTRIDER and More

Larry McClain

In this Hands-on Lab:

Pictures, videos, and chats can all be key pieces of evidence in building cases for possession, distribution, and/or production of child sexual abuse material (CSAM), solicitation of a minor, and related crimes. However, these data quantities can range well into terabytes as investigators evaluate the evidence across multiple cases. In this lab, learn how key features in Magnet AXIOM, including Magnet.AI, categorization, and Child Protection System integration, and Officer wellness features work together to save time, reduce exposure to harmful content, and focus case-building to apprehend predators and rescue child victims. We will also take a look at Magnet’s OUTRIDER and what it can do for your investigations.

This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

25

TYPE

Lecture

THEME

Computer

Corporate Investigations

TIME

09:00 EDT

Duck Hunt! Hunting Qakbot Malware with AXIOM

Aaron Sparling

In this Lecture:

This presentation will walk you through the analysis of an actual Qakbot investigation. The presentation will start with the collection of physical memory and filesystem acquisition, pivot through the analysis process, thus eventually ending with identification and attribution. Aaron will illustrate how MAGNET AXIOM can be used to leverage malware investigations by utilizing the embedded Volatility framework, connections, artifact analysis, and timeline features. By using these embedded features within the AXIOM analysis platform we will be able to illuminate the breach from beginning to end. Aaron will share lessons learned and highlight both those things which worked as well as things that could have been done better in the investigation. From this presentation, you will gain a complete understanding of how Qakbot infects the network, as well as how to hunt, identify, isolate and remediate the malware infection.


May

25

TYPE

Lecture

THEME

Cloud

Mobile

TIME

10:00 EDT

Exploring Apps in the Back Country

Christopher Atha

In this Lecture:

In 2020 there was a dramatic growth in outdoor activity with millions exploring the great outdoors according to a report from the Outdoor Foundation*. With the increased interest in activity, there was also exponential growth in fitness apps – that helped consumers find trails, parking, weather conditions and much more. As you can imagine, accidents happened, people got lost, went missing and crime occurred. As Investigators and digital forensics analysts, we have a grasp of most fitness applications and their value to the overall crime story. Have we kept up with the top downloads from the App Store and the Google Play store for mountain biking, trail running, skiing, and other outdoor activities?

This talk will hit the outdoor adventure applications and explore their forensic artifacts just as they allow you to explore this wonderful planet. We will weave together a few real-world examples of how these little-known applications can shed light on what really happened. How fast was a skier going when they lost control and left the marked trail and collided with a tree? When did a trail runner quit uploading their runs to one of the popular services, which may not be popular to everyone? Join in and prepare to explore the apps that help you explore!

*Ref: https://outdoorindustry.org/press-release/forthcoming-reports-outdoor-foundation-outdoor-industry-association-provide-unprecedented-insight-trends-outdoor-participation/


May

25

TYPE

Lecture

THEME

Computer

Corporate Investigations

TIME

13:00 EDT

Duck Hunt! Hunting Qakbot Malware with AXIOM

Aaron Sparling

In this Lecture:

This presentation will walk you through the analysis of an actual Qakbot investigation. The presentation will start with the collection of physical memory and filesystem acquisition, pivot through the analysis process, thus eventually ending with identification and attribution. Aaron will illustrate how MAGNET AXIOM can be used to leverage malware investigations by utilizing the embedded Volatility framework, connections, artifact analysis, and timeline features. By using these embedded features within the AXIOM analysis platform we will be able to illuminate the breach from beginning to end. Aaron will share lessons learned and highlight both those things which worked as well as things that could have been done better in the investigation. From this presentation, you will gain a complete understanding of how Qakbot infects the network, as well as how to hunt, identify, isolate and remediate the malware infection.


May

25

TYPE

Lecture

THEME

Corporate Investigations

TIME

14:00 EDT

Rapid Ransomware Response: A Survival Guide

Heather Smith

In this Lecture:

2020 came with many challenges, least of which was the emergence of more aggressive ransomware tactics — doubling down on extortion via encryption and exfil, new vectors (ESXi), and the adaptation of deployment techniques. This talk will give a fast-paced walkthrough of how to contain the attack, find evil, and bring critical business infrastructure back up as a rapid responder.

While this talk focuses on attack techniques seen in ransomware, it is important to note similar techniques are seen utilized by other malicious actors, including nation-state APTs.

The end goal of this talk is to provide immediate take-aways for listeners, both for security posture strengthening and additions to current response run books based on the latest mutations of e-crime adversaries.


May

25

TYPE

Lecture

THEME

Computer

TIME

15:00 EDT

Applying the MITRE ATT&CK Framework to Dead Box Forensics by Mary Ellen Kennel

Mary Ellen Kennel

In this Lecture:

A lot has been shared about the MITRE ATT&CK framework and how it can be leveraged as a powerful hunting resource and a threat modeling foundation. In this presentation, Mary Ellen will cover a different way of using MITRE ATT&CK – during a forensic investigation.

This talk will walk the audience through a complete investigation plan, A-Z, built from the MITRE ATT&CK framework. Unlike a lot of MITRE ATT&CK implications, the contents will be less about proactive threat hunting, and more as an aid to a forensic investigation. We’ll begin with an example incident that was just dropped on your desk, and all you have is an IP address. Your company had a visit from a three-letter agency, and you’ve now found out through a third party that your org was popped; it doesn’t get much worse than that. The “suits” leave, and all you’ve got is an IP address and strict orders to piece together what happened. The order of events will be based loosely off of a paper Mary Ellen published in 2016 entitled “IR A-Z”.


May

26

TYPE

Special Event

THEME

TIME

09:00 EDT

Get Moving with Magnet Forensics

In this Special Event:

Grab your water bottle and favourite workout gear and join us for a Magnet Virtual Summit group fitness class. This fitness class requires no equipment and can be done anywhere that you have space to move. We’ll combine strength training, cardio and stretching for a one hour full body workout.


May

26

TYPE

Featured Lecture

THEME

Corporate Investigations

Criminal Investigations

TIME

11:00 EDT

Surviving and Thriving in DFIR, Game of Thrones Style

Brett Shavers

In this Featured Lecture:

We are in a seemingly never-ending battle to learn, enter, survive, and hopefully thrive in the realm of Digital Forensics and Incident Response. Everyone’s path is different, strewn with obstacles that feel like they are intended to make your journey more difficult than anyone else. But you are not alone! Using personal successes and tragedies, Brett will share lessons he learned that you can apply to your path of success, whether new to the field or transitioning from one level to the next. From mistakes, general advice, and tips on forensic analysis, Brett will be an open book to share some of the great and the not-so-great aspects of our chosen profession, including some of the best words of advice that you can put to use in less than two minutes after the presentation.


May

26

TYPE

Lecture

THEME

Criminal Investigations

Mental Wellness & Mentorship

TIME

14:00 EDT

Finding Your 1%

Kim Bradley, Sheryl Woolverton

In this Lecture:

What is 1%? Forensic Examiners and Investigators are used to giving 100% of themselves to their examinations and case load. While examiners are quick to share “how to’s”, the stress of the work is not often discussed or acknowledged. Many enjoy immersing themselves in their case load and mission of their work; however, it often comes at great sacrifice. Staying late to look through one more device or start one more case processing or try one more method to search for the data (or absence of data) for an examination is all too common. Deadlines, case implications and backlog can influence how not only work time is spent, but also mental energy at home. By dedicating just 1% of the day to something fun, something different, something to step back for just a moment, physical and mental energy can be renewed to continue to embrace work with less burnout and fatigue. Join us as we discuss how you can use your 1%, the importance of regularly scheduled time for your 1% and how to identify times you need to take an unplanned 1%.


May

27

TYPE

Lecture

THEME

Corporate Investigations

TIME

09:00 EDT

Ransomware: Current Trends and Updates

Cindy Murphy

In this Lecture:

Cindy Murphy, President of Tetra Defense, will be presenting insights on the cyber incidents she investigates daily, including a behind-the-scenes look at the trajectory from incident to millions of dollars of damage for unsuspecting businesses. Ransomware has always been prevalent, and because of many changes made to networks to allow working from home during COVID-19 and throughout 2020, attacks have become even more frequent. Some takeaways will include specific COVID-related incidents, the “business” structure of ransomware threat actors, and the latest intel from the Tetra team regarding ransomware threats and how to thwart them.


May

27

TYPE

Lecture

THEME

Mobile

TIME

10:00 EDT

Snapchat – A False Sense Of Security?

James Duffy

In this Lecture:

James will explore the local data storage of ‘Snapchat’ for iOS, the implications of the chosen data protection mechanisms that Snapchat have implemented while dissecting the various application databases, exploring how they inter-operate and how the databases are manipulated during execution. This will provide a valuable insight for forensic analysts, allowing for both a further understanding of Snapchat internals and how to detect local data manipulation prior to device filesystem acquisition.


May

27

TYPE

Lecture

THEME

Computer

Corporate Investigations

TIME

11:00 EDT

Managing Digital Evidence in the Microsoft Azure Cloud

David Williams Trey Amick

In this Lecture:

The exploding growth of digital data is flooding digital forensics labs with valuable evidence that needs to be collected, stored, and analyzed in an efficient and timely manner. By leveraging the cloud, forensics teams can enable powerful, scalable, and cost-effective solutions for managing investigations and storing and safeguarding digital evidence.

Join Microsoft’s David Williams, and Trey Amick, from Magnet Forensics, as they discuss how you can leverage secure, future-ready cloud solutions on Microsoft Azure, backed by a team of experts and proactive compliance, to more easily adjust to meet the changing investigative challenges and evidence storage requirements of today’s law enforcement agencies.


May

27

TYPE

Lecture

THEME

Lab Management

Magnet Forensics Product Lecture

TIME

13:00 EDT

Magnet AUTOMATE: Transforming your DF Lab with Automation

Greg Ward Tarah Melton

In this Lecture:

Over the past year, Law Enforcement Agencies and Digital Forensic Units have accelerated their modernization efforts to re-imagine how they handle growing challenges such as increasing data volumes, evidence complexity, skilled talent shortages and remote work.

Magnet AUTOMATE, an orchestration and automation platform, helps agencies create efficient workflows to tackle these challenges and meet the demands for service from their agency. Automate repetitive/manual tasks to complete more investigations faster with your existing resources while allowing examiners to focus on complex analysis. Join Greg Ward, Product Manager, and Tarah Melton, Solutions Consultant, to learn more about Magnet AUTOMATE, see it in action, and check out recent advancements such as new mobile workflow capabilities and stats & management dashboards to help Lab Managers measure, act and report on lab efficiency.


May

27

TYPE

Lecture

THEME

Criminal Investigations

TIME

14:00 EDT

Using Triage Tools in Different Phases of an Investigation

Hans Ehren

In this Lecture:

Join Hans Ehren from the Dutch Police for a discussion on the importance of triage during COVID-19. With a large number of people working from home and children spending more time online, the need for available computers is increasing. Unfortunately, the spread of CSAM also increases in this situation, making effective and fast triage even more important. It ensures that the suspected systems are identified and that other systems remain available for home working and home schooling.


May

27

TYPE

Lecture

THEME

Corporate Investigations

TIME

15:00 EDT

Detection in the Dark – Exploiting XSS Vulnerability in C&C Panels to detect Malwares

Shay Nachum

In this Lecture:

Numerous defense techniques exist for preventing and detecting malware on end stations and servers (endpoints). Although these techniques are widely deployed on enterprise networks, many types of malware manage to stay under the radar, executing their malicious actions time and again. Therefore, a more creative and effective solution is necessary, especially as classic threat detection techniques do not utilize all stages of the attack kill chain in their attempt to detect malicious behavior on endpoints. In this presentation, a novel approach for detecting malware is proposed. The approach uses offensive and defensive techniques for detecting active malware attacks by exploiting the vulnerabilities of their command and control panels and manipulating significant values in the operating systems of endpoints, in order to attack these panels and utilize trusted communications between them and the infected machine.

Date Details Speaker Session Type Content Theme Timezone

May

03

Law Enforcement and the Cloud “Now Data versus Then Data”

Larry McClain

Hands-on Lab

Cloud

Criminal Investigations

09:00 EDT

In this Hands-on Lab:

A common response when talking to Law Enforcement officers and staff often shows that there is a distinct lack of understanding as to the amount of evidence that can be found on the Cloud. It usually starts with an unwillingness to consider what authority is needed to obtain that evidence, and, with policies and procedures differing from Country to Country, Agency to Agency, and Police Force to Police Service, it can often be confusing and difficult. It is however essential that this “Forgotten” or “Missed” data is taken into consideration.

We have seen the amalgamation of Mobile Phone devices and Computer devices become more and more prevalent within the LE Community. What about adding in Cloud Data too? From OSINT data, public tweets and Instagram, not to mention access with credentials and warrant returns, this data is essential in modern LE. It is only going to increase in importance with the onset of large data being accessible via mobile devices, 5G and beyond.

What is the future for traditional computer dead box forensics? How many computers do you have in your home today compared with 5 years ago? There needs to be a tool to bring all this evidential data together: OSINT, Cloud Services data, Mobile devices and Computers. This is where AXIOM comes in. In respect of Cloud data, AXIOM can add Open Source Data, Credential downloads and Warrant return Data into a single case file showing connections between people, places and data. Let’s be honest, how many of us would bother with our devices if there was no internet connection? The mix of data shows a far fuller picture of lifestyle and activities. With Cloud data we are dealing with “Now Data”; with seized Computers and Mobiles it is often “Then Data”. Why not have all of it …

This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

03

Magnet AXIOM Tips & Tricks

Erich Schmidt

Hands-on Lab

Cloud

Computer

Mobile

13:00 EDT

In this Hands-on Lab:

New to Magnet Forensics, or an IEF user who recently upgraded to AXIOM? Come to this lab to learn about AXIOM’s support for artifacts from multiple evidence sources including cloud, smartphones, memory, and computers. We’ll be navigating through the different Examine views and will learn how AXIOM leverages machine learning for examinations. We’ll also discuss how Connections in AXIOM connects files and users along a path of evidence. Learn how to build strong timelines using artifacts from many data sources which could be relevant to your case. Finally, learn about AXIOM’s flexible reporting options for sharing your findings with your stakeholders.

This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

03

macOS/APFS Examinations with AXIOM

Hoyt Harness

Hands-on Lab

Computer

Corporate Investigations

16:00 EDT

In this Hands-on Lab:

In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.

This course is perfect for those using Windows workstations for Macintosh evidence without missing Mac-exclusive artifacts.

This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

04

Leveraging AXIOM to assist in the decrypting of bitlocker and filevault2 encrypted volumes

Dave Shaver

Lecture

Computer

09:00 EDT

In this Lecture:

Learn from Dave Shaver, Senior Digital Forensic Analyst, the methodology to assist you in decrypting a forensic image of an encrypted volume (BitLocker or FileVault 2).


May

04

MVS Welcome and Feature Presentation

Geoff MacGillivray Jad Saliba

Featured Lecture

Magnet Forensics Product Lecture

10:00 EDT

In this Featured Lecture:

Join Jad Saliba, Magnet Forensics Founder & CTO and Geoff MacGillivray, Vice President of Product Management, as they kick off Magnet Virtual Summit 2021 with a feature presentation.


May

04

DFIRs Role in Global Elections

Stephen Boyce

Lecture

Corporate Investigations

14:00 EDT

In this Lecture:

For years, there was a disconnect between the security research community and election technology manufacturers. In recent times, the two have opened dialogue and begun working with each other, but what role does the Digital Forensic & Incident Response (DFIR) community play? This presentation will address DFIR’s role in securing global elections by examining cyber-attacks on electoral systems.


May

04

CMD42 Lock: Bypassing Embedded System Security for Forensic Data Acquisition.

Gareth Davies

Lecture

Cloud

Computer

15:00 EDT

In this Lecture:

Security of digital data is of paramount importance to individual security and national security. The ability to access protected or deleted data from embedded systems memory puts the security of sensitive data at risk. This talk will demonstrate the bleeding-edge of what is possible in overcoming embedded hardware security in the most common forms of NAND flash storage.

A case study will be presented on a mobile digital device that we commonly use to store sensitive data relating to our daily lives that isn’t a Smart Phone!

The presentation will include elements of:

  • Embedded Memory Types & Hardware Security
  • NAND Memory Interface and Internal Structure
  • Physical Image Extraction
  • Data Reconstruction Obstacles and Challenges
  • Reverse Operations
  • Logical Image Reconstruction Process
  • Uncommon Filesystem Analysis
  • SQL Scraping
  • Data Stored on Modern Vehicles (inc. Recovered Protected Data)


May

04

Hang on! That’s not SQLite! Chrome, Electron and LevelDB

Alex Caithness

Lecture

Computer

16:00 EDT

In this Lecture:

SQLite has become a ubiquitous data storage format for digital forensic practitioners to consider. First popularised by smartphone platforms it now forms part of almost every investigation in one form or another. SQLite’s ubiquity was built upon the growing market share of the platforms that used it extensively so it’s interesting to ask the question: what’s the next platform, and what’s the next data format?


May

05

Liberators of the Just: How the Forensicator Plays a Special Role in Social Justice

Matt Mitchell

Featured Lecture

Corporate Investigations

11:00 EDT

In this Featured Lecture:

Join one of our featured speakers, Matt Mitchell, as he walks through how forensics impacts social justice. Known for his impressive work with the Ford Foundation, CryptoHarlem and Tactical Tech – Matt Mitchell is not to be missed.


May

06

The Internet of Things (IoT) is now ubiquitous, but the analysis of IoT data is not...Yet.

Kenneth Oliver Norman Rankis Patrick Bland Robert Fried Warren Kruse

Lecture

Cloud

11:00 EDT

In this Lecture:

Join Warren Kruse, Robert Fried, and Kenneth Oliver from Consilio for a discussion on the potential relevance of IoT data to different corporate or civil case scenarios, and the potential need for obtaining discovery from, for example, internet-connected cameras; home automation systems; smart speakers, TVs, and refrigerators, and wearables.

This discussion will also touch on aspects of the industrial realm such as the challenge of IoT data generated in factories, warehouses, and pipelines, among other settings.

  • What is IoT?
  • Consumer IoT
  • Wearables
  • Digital Assistants
  • Smart Home devices (thermostats, light bulbs, doorbells, refrigerators, e.g.)
  • Industrial IoT
  • Safety and maintenance monitoring
  • Supply Chain tracking and monitoring
  • Productivity tracking and monitoring
  • Unique IoT Challenges
  • Use in Civil cases
  • Preserving Data
  • Helping clients understand what IoT data they have
  • Who to send preservation request to?
  • How to preserve?
  • Collecting Data
  • How to collect and from whom?
  • Possession, Custody, and Control
  • Consumer IoT – who owns the data? How and where is it stored
  • Industrial IoT – cloud-based monitoring systems or manufacturer IoT or LEASED IoT equipment
  • Subpoenaing data from third parties
  • Different formats and potential need to convert the data for review

Assessing Accessibility, Relevance of IoT Data

  • Often less accessible, but also more ephemeral, more danger of spoliation
  • Is same data available from other, more easily accessible sources?
  • Is all IoT data relevant? Can it be “untwined” if it’s massive?


May

06

Introducing AXIOM Cyber 5.0

Drew Roberts Geoff MacGillivray

Lecture

Corporate Investigations

Magnet Forensics Product Lecture

13:00 EDT

In this Lecture:

The next phase of AXIOM Cyber is coming: version 5.0!

Join Magnet Forensics’ Geoff MacGillivray, Vice President of Product Management and Drew Roberts, Sr. Product Manager, as they unveil the latest major release of AXIOM Cyber. Hear how Magnet Forensics has helped private sector organizations address their unique challenges with modern solutions including its artifacts-first approach. And be the first to see AXIOM Cyber 5.0 in action during a live demo of the latest features!

Since AXIOM Cyber’s official debut in January of 2019, we’ve ruthlessly and incrementally added functionality to help businesses address the unique digital forensics challenges that they have. Some of those highlights include:

  • Off-network collection – Reliable remote acquisition of endpoints not connected to the corporate network
  • Open source forensically sound container – Save remote collections to an AFF4-L container
  • Support for eDiscovery – Generate a load file—complete with OCR scans—that can be ingested into an eDisco review platform

Sign up and save your spot today to hear about what’s new with AXIOM Cyber!


May

06

Introducing Magnet AXIOM 5.0 

Curtis Mutter Trey Amick

Lecture

Magnet Forensics Product Lecture

13:00 EDT

In this Lecture:

Join us as we unveil the next generation of Magnet AXIOM!

Magnet Forensics’ Sr. Product Manager Curtis Mutter and Trey Amick, Director of Forensic Consultants, will be on hand to share the latest innovations we’ve brought to Magnet AXIOM with version 5.0 to help streamline and strengthen your digital investigations.

Digital forensics examiners today face considerable challenges as data volumes and sources continue to grow in both size and complexity, and the need for solutions that can help quickly find, analyze, and report on the most relevant evidence required for an investigation is more critical than ever. Curtis and Trey will show how we’re continuing to help you stay ahead with Magnet AXIOM 5.0 and beyond by providing new ways to enhance your investigations, recover data from sources, and get to the evidence.


May

06

Forensic Considerations for Cloud Storage Data

Jamie McQuaid

Lecture

Cloud

Corporate Investigations

14:00 EDT

In this Lecture:

Do you have a response plan for dealing with data stored in the cloud? Do you have the necessary accounts, access, logging, and knowledge on what to do if you need to collect evidence stored in AWS, Azure, or other provider or service? Maybe your organization has fully shifted to a cloud first approach or perhaps it’s still thinking about it (likely somewhere in the middle) but understanding and preparing for that time is best done beforehand and not during an incident. Does it make sense to preserve and download all the relevant data and conduct your investigation completely on-premise or is there a time where you may want to do your analysis in the cloud? Your answer is likely somewhere in the middle for that as well.

In this talk, Jamie McQuaid will detail the various sources of evidence that may reside in the cloud, the prerequisites needed to access it, and discuss the best ways to collect and analyze that data to ensure integrity is maintained and you get all the relevant data you need for your investigation. The focus will be on data sources stored in AWS and Azure but we will also call out situations where cloud data may need to be collected elsewhere as well. As with anything in DFIR, there isn’t always one answer that fits every situation so we’ll discuss several options and will likely say “it depends” a lot.


May

06

The AFF4 Evidence Container: Why and what’s next?

Bradley Schatz

Lecture

Computer

15:00 EDT

In this Lecture:

In recent times the next-generation evidence file format, AFF4, has transitioned from niche to broad support across the forensic tool ecosystem. Targeted at intermediate examiners, this presentation will provide an introduction to new users of the format, allowing one to understand the format’s advantages, how it differs to existing approaches, independently assess its forensic soundness in comparison to existing formats, and identify where current forensic workflows might benefit. It will also examine where the format is headed next in solving emerging challenges such as logical acquisition.


May

06

Big Game Hunting from a Forensic Point of View

Oleg Skulkin

Lecture

Corporate Investigations

16:00 EDT

In this Lecture:

Ransomware attacks on huge enterprises, also known as Big Game Hunting, were the hottest topic in 2020. As it is impossible to image every drive you want during incident response engagements, it’s extremely important for forensic analysts to know which sources of artifacts are the most important for attack reconstruction, as well as what to look for during such investigations. This talk will shed light on the most common techniques used by adversaries during such attacks, and which forensic artifacts to look at to successfully uncover them.


May

10

Time To Evidence: Improve Your ICAC Investigations with AI, Media Categorization, Cloud, OUTRIDER and More

Larry McClain

Hands-on Lab

Criminal Investigations

09:00 EDT

In this Hands-on Lab:

Pictures, videos, and chats can all be key pieces of evidence in building cases for possession, distribution, and/or production of child sexual abuse material (CSAM), solicitation of a minor, and related crimes. However, these data quantities can range well into terabytes as investigators evaluate the evidence across multiple cases. In this lab, learn how key features in Magnet AXIOM, including Magnet.AI, categorization, Child Protection System integration, and Officer wellness features, work together to save time, reduce exposure to harmful content, and focus case-building to apprehend predators and rescue child victims. We will also take a look at Magnet’s OUTRIDER and what it can do for your investigations.

This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

10

AXIOM Cyber and the Corporate Cloud

Chris Vance

Hands-on Lab

Cloud

Corporate Investigations

13:00 EDT

In this Hands-on Lab:

This session will explore the major cloud structures in many modern corporations including O365, AWS, Slack, and more. Throughout this lab, students will learn about AXIOM Cyber’s different functionality through acquisition and analysis of several cloud platforms including what new information may be available in the latest versions. This lab will also include several pre-acquired image files so that students can see what information will be available once it is all pulled down.

This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

10

macOS/APFS Examinations with AXIOM

Hoyt Harness

Hands-on Lab

Computer

Criminal Investigations

16:00 EDT

In this Hands-on Lab:

In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.

This course is perfect for those using Windows workstations for Macintosh evidence without missing Mac-exclusive artifacts.

This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

11

How to Solve Today’s Evidence Review Challenges with Magnet REVIEW

Cody Bryant Craig Guymon

Lecture

Lab Management

Magnet Forensics Product Lecture

10:00 EDT

In this Lecture:

Evidence review has often been plagued with hurdles regardless of the agency’s size, location, or budget. Some of these challenges include shipping evidence which can be costly and may introduce security risks, requiring investigators to travel to the lab to review evidence on workstations, training investigators on multiple tools, and now (more than ever) enabling remote work as pandemic restrictions limit access to the lab. That’s why we’ve built Magnet REVIEW, a single web-based platform purpose-built for non-technical investigators to securely review evidence from anywhere with an internet connection. Overcoming these challenges with a centralized platform like REVIEW enables teams to get to the truth quickly, without being limited by physical distance or technical tools, all while reducing evidence distribution costs and improving overall security posture.

Join Cody Bryant, Director, Product Management, and Craig Guymon, Director of Solution Consulting, to learn why and how we built Magnet REVIEW for the non-technical investigator, see a live demo of REVIEW’s intuitive interface, and learn how to enable teams of non-technical investigators to review evidence from anywhere.


May

11

Finding Evidence of Cloud Data ‘Footprints’ in Existing Evidence

Tim Moniot

Lecture

Cloud

Criminal Investigations

13:00 EDT

In this Lecture:

Cloud data has quickly become the new frontier in DFIR. More and more data is being stored in the Cloud, by the various cloud storage, cloud communication, social networking, and mobile computing platforms. Join Tim Moniot from Magnet Forensics during this discussion and demonstration of how you can begin identifying evidence of cloud platform usage, as a component related to your investigations. Once identifying that Cloud data is related to an investigation, Tim will discuss options for gaining access to and subsequently collecting relevant Cloud source data so that it too can be analyzed within AXIOM. This presentation will be relevant to both law enforcement and corporate DFIR professionals.


May

11

Enhancing Digital Investigations using Cloud and Endpoint Collections

Rhys Tooby

Lecture

Cloud

Corporate Investigations

13:00 EDT

In this Lecture:

The complexity of digital investigations and the increasing volume of data require an enhanced approach to your digital investigations, so that you can better serve your customers without increasing headcount or requiring drastic investments in new digital forensic equipment.

In this session Rhys Tooby, Solutions Consultant at Magnet Forensics, will perform covert remote collection of Windows and macOS devices with an ad hoc agent and you’ll learn how to perform advanced cloud acquisition from Office 365, G Suite, Box, AWS S3, EC2 and Azure virtual machines.


May

11

If we do not have it we should build it (Forensic Readiness in Application Security)

Veronica Schmitt

Lecture

Corporate Investigations

14:00 EDT

In this Lecture:

The design of life-saving software plays a vital role in the Medical Manufacturing industry. The way in which medical devices are being revolutionized is staggering and breathtaking, but it hasn’t necessarily resulted in a corresponding revolution in how these devices are built. With the advancement and evolution of research into chronic illness, newer, more advanced methods are found to more effectively treat these chronic illnesses. Medical technologies can be defined as products, services, or solutions which are used to improve and prolong life. Statistics done in 2019 showed that more than 500,000 medical technologies, such as implantable devices, patient monitors, and robotic surgery aids, are available to hospitals and patients. The medical device industry is poised for a steady increase in growth, with a global forecasted annual sales growth of over 5% a year and estimated to reach 800 Billion US dollars by 2023. The question is how prepared we are to deal with medical device forensics and, additionally, how mature the data on these devices is. This talk focuses on the frustrations that Veronica has faced as a patient, hacker, and forensicator in realizing that forensic readiness should be built into these devices, as they contain little to no forensic value currently. When nothing goes right, go left. Influencing the way the devices are built and the developers that build them has shown an increase in the forensic readiness of devices. We need to create a team of Forensic Developers to enable future forensicators to have success in dealing with breaches on these devices.


May

11

Countering the USBKill Switch

Ali Hadi

Lecture

Computer

Corporate Investigations

Criminal Investigations

15:00 EDT

In this Lecture:

The USBKill switch is software that was created to respond to a computer system falling into the hands of law enforcement, bullies, or individuals who might steal it while its owner is working in a public place. It is well known as anti-forensics kill-switch software that can be configured to power off a system, but it can also take other actions, such as deleting files from the system.

This research is an attempt to counter the USBKill switch by sharing how it works, what artifacts can be found, and how investigators and incident responders can counter systems that are configured to use it.


May

11

How much can we automate in digital investigation?

Joshua James

Lecture

Lab Management

16:00 EDT

In this Lecture:

Join Dr. Joshua James, Digital Forensic Consultant, to learn how automation is currently used in digital investigations and what limits there are to current automation methods. He will explain the state of the art on technical automation as well as applied, automated reasoning. He will conclude his presentation by formalizing automated reasoning in digital investigations and making explicit the challenges to completely automating a digital investigation process.


May

12

A Fireside Chat With Brian Krebs

Brian Krebs

Featured Lecture

Criminal Investigations

11:00 EDT

In this Featured Lecture:

Join us for a fireside chat with American journalist and investigative reporter, Brian Krebs. This will be a unique opportunity to talk to Brian live about his insights on cybercrime prevention and detection.


May

12

MVS 2021 Capture the Flag Challenge

Special Event

16:00 EDT

In this Special Event:

Magnet Forensics is excited to bring you their 4th annual CTF!  This CTF will be a 3 hour timed event to test your skills and learn while competing with others from around the world to win prizes. This CTF promises to introduce an entirely new image set and scenario with different data sources than have been presented in other Magnet Virtual Summit CTFs. We don’t want to give away too much, but we promise that Jessica Hyde, Director of Forensics, and students from the Champlain College Digital Forensics Association have created a challenge that will be fun, frustrating, and full of learning opportunities.


May

13

Officer Wellness: Prioritising your Personal Mental Health and Wellness in IIoC investigations

Elizabeth Strong

Lecture

Criminal Investigations

09:00 EDT

In this Lecture:

Persistent exposure to Indecent Images of Children (IIoC) can take its toll on Examiners and Investigators leading to trauma, stress, burnout, and more. Rhys Tooby, Magnet Solutions Consultant, will share his experience of addressing mental wellness during his career as an Examiner and Head of a Digital Forensics Unit in the South Wales UK Police force. Rhys will be joined by Elizabeth Strong, Program Manager for Wellness/Mental Health Initiatives at the National White Collar Crime Center (NW3C). Join this informal discussion as Elizabeth answers questions from Rhys, as she explains the brain and body science behind stress and provides helpful coping mechanisms for dealing with IIoC exposure.


May

13

Enhancing Digital Investigations with Cloud-based Evidence

Doug Gartner Matt Melton

Lecture

Cloud

Criminal Investigations

10:00 EDT

In this Lecture:

The cloud can be your best friend in conducting digital investigations. Increasing volumes of digital evidence, budget constraints and talent shortages can make it difficult for your lab to keep up with demand. The cloud provides practically unlimited storage capability, computing power, and tools to ensure that your data remains secure and protected. We will discuss how the cloud enables an enhanced approach to digital investigations so that you can better serve your agency, without increasing headcount or drastic investments in new forensic equipment. Join us as we discuss the challenges and solutions enabling digital forensics labs today.


May

13

Add “Protobuf Expert” to your examiner’s resume

Mike Williamson

Lecture

Computer

11:00 EDT

In this Lecture:

It’s night shift, you’re staring at your hex editor and staring back at you is your forensic arch-nemesis: a protobuf-encoded blob. You’ve heard the horror stories, and maybe even battled with one previously. Looking at it now, there’s no doubt about it though: these things are just plain unintelligible.

And yet, you won’t do digital forensics for long without encountering it. Clearly, to be so popular it must have its merits. Why else would app developers far and wide be increasingly convinced to implement the tech over something far easier to work with, like JSON? Computers are so fast that a minor increase in parsing performance doesn’t explain such widespread adoption. Serving as a source of consternation for digital forensic examiners is another humorous possibility, but that’s not it either.

In this technical session, we will attempt to answer this question and more, with topics including:

  • examining the problems protobuf can actually solve from a developer’s perspective (as compared to JSON, XML, etc.) and an end-to-end demonstration
  • an overview of various tools you can use to interpret them, common pitfalls, and key things to understand
  • reverse engineering techniques (including dynamic analysis with Frida) that can be used to achieve increased understanding of a particularly complex object.


May

13

Integration and Validation of Third Party Tool Outputs Within AXIOM

Alexis Brignoni

Lecture

Cloud

Computer

Mobile

13:00 EDT

In this Lecture:

A single wrench a toolset does not make. By leveraging multiple tools we can enrich our investigations in two major ways:
1) Bring new insights and unique tool capabilities to the forefront.
2) Make sure overlapping analyses between tools are consistent.

AXIOM provides multiple ways to easily achieve these goals in one place providing unified analysis and reporting capabilities. Testing and validation in one place. Come and learn how.


May

13

The Order of Things – Timeline Analysis of a Complex Investigation

Matthew Sorell

Lecture

Criminal Investigations

Mobile

14:00 EDT

In this Lecture:

This case study looks at the importance of validation of timelines and log processes in a complex investigation. It is concerned with piecing together the activities of a person of interest.

The case study will consider extractable logs from an iPhone 5c circa late 2016, billing records in which shortcuts have been made in billing mediation, a phone with a manually modified clock, a massive thunderstorm and state-wide blackout, suspicious gaps in the record, and anomalous records after securement of the scene.

The case study is real, presented with sanitised data. It demonstrates the importance of understanding the big picture of a complex telecommunications system – the links between data sources and the subtleties of their compilation.


May

13

Digital Evidence from Social Networking Sites & Smartphone Apps

Julie Lewis

Lecture

Mobile

15:00 EDT

In this Lecture:

According to Statista.com in 2019, the global social penetration rate reached 45 percent, with East Asia and North America both having the highest penetration rate at 70 percent, followed by Northern Europe at 67 percent. Mobile device usage for social media has increased to 91% of social channel accesses in 2018 according to Marketing Profs. Many technology thought leaders believe social networking will displace traditional email as the leading communication medium. This presentation will provide a practical walkthrough of preservation of top social media sites and how to effectively utilize tools for evidentiary collection across the Web, PCs/desktops and smart devices. It will look at social media apps on smartphones and what digital evidence exists compared to what can be found on the cloud. It will also explore innovations in emoji/avatar Apps such as Bitmoji.


May

13

Officer Wellness: Prioritising your Personal Mental Health and Wellness in IIoC investigations

Elizabeth Strong

Lecture

Criminal Investigations

16:00 EDT

In this Lecture:

Persistent exposure to Indecent Images of Children (IIoC) can take its toll on Examiners and Investigators leading to trauma, stress, burnout, and more. Rhys Tooby, Magnet Solutions Consultant, will share his experience of addressing mental wellness during his career as an Examiner and Head of a Digital Forensics Unit in the South Wales UK Police force. Rhys will be joined by Elizabeth Strong, Program Manager for Wellness/Mental Health Initiatives at the National White Collar Crime Center (NW3C). Join this informal discussion as Elizabeth answers questions from Rhys, as she explains the brain and body science behind stress and provides helpful coping mechanisms for dealing with IIoC exposure.


May

17

Magnet AXIOM Tips & Tricks

Justin Almanza

Hands-on Lab

Cloud

Computer

Mobile

09:00 EDT

In this Hands-on Lab:

New to Magnet Forensics, or an IEF user who recently upgraded to AXIOM? Come to this lab to learn about AXIOM’s support for artifacts from multiple evidence sources including cloud, smartphones, memory, and computers. We’ll be navigating through the different Examine views and will learn how AXIOM leverages machine learning for examinations. We’ll also discuss how Connections in AXIOM connects files and users along a path of evidence. Learn how to build strong timelines using artifacts from many data sources which could be relevant to your case. Finally, learn about AXIOM’s flexible reporting options for sharing your findings with your stakeholders.

This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

17

Law Enforcement and the Cloud “Now Data versus Then Data”

Larry McClain

Hands-on Lab

Cloud

Criminal Investigations

13:00 EDT

In this Hands-on Lab:

A common response when talking to Law Enforcement officers and staff often shows that there is a distinct lack of understanding as to the amount of evidence that can be found on the Cloud. It usually starts with an unwillingness to consider what authority is needed to obtain that evidence, and, with policies and procedures differing from Country to Country, Agency to Agency, and Police Force to Police Service, it can often be confusing and difficult. It is however essential that this “Forgotten” or “Missed” data is taken into consideration.

We have seen the amalgamation of Mobile Phone devices and Computer devices become more and more prevalent within the LE Community. What about adding in Cloud Data too? From OSINT data, public tweets and Instagram, not to mention access with credentials and warrant returns, this data is essential in modern LE. It is only going to increase in importance with the onset of large data being accessible via mobile devices, 5G and beyond.

What is the future for traditional computer dead box forensics? How many computers do you have in your home today compared with 5 years ago? There needs to be a tool to bring all this evidential data together: OSINT, Cloud Services data, Mobile devices and Computers. This is where AXIOM comes in. In respect of Cloud data, AXIOM can add Open Source Data, Credential downloads and Warrant return Data into a single case file showing connections between people, places and data. Let’s be honest, how many of us would bother with our devices if there was no internet connection? The mix of data shows a far fuller picture of lifestyle and activities. With Cloud data we are dealing with “Now Data”; with seized Computers and Mobiles it is often “Then Data”. Why not have all of it …

This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

17

macOS/APFS Examinations with AXIOM

Hoyt Harness

Hands-on Lab

Computer

Corporate Investigations

16:00 EDT

In this Hands-on Lab:

In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.

This course is perfect for those who use Windows workstations to examine Macintosh evidence and do not want to miss Mac-exclusive artifacts.

This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

18

New Approaches to Digital Forensics Investigations

Geoff MacGillivray

Lecture

Lab Management

Magnet Forensics Product Lecture

09:00 EDT

In this Lecture:

The global pandemic accelerated workplace shifts towards new ways of working, many involving online work and new technologies. Law Enforcement Agencies and Digital Forensic teams were already re-imagining new workflows to cope with rising digital evidence volumes. Like other sectors, the pandemic has accelerated this re-imagining and leading agencies are using a combination of technology and process change to realize greater efficiencies.

Join Geoff MacGillivray, Vice President of Product Management at Magnet Forensics, to learn about Magnet’s vision for stronger investigations of digital data, securely and at scale. Hear how solutions such as Magnet AUTOMATE and Magnet REVIEW can help organizations to automate, manage and collaborate on investigations with speed, accuracy and transparency. Leave with an actionable path forward – for any-sized agency – to modernize your investigation of digital data and meet the needs of your agency today and tomorrow.


May

18

Add “Protobuf Expert” to your examiner’s resume

Mike Williamson

Lecture

Computer

10:00 EDT

In this Lecture:

It’s night shift, you’re staring at your hex editor and staring back at you is your forensic arch-nemesis: a protobuf-encoded blob. You’ve heard the horror stories, and maybe even battled with one previously. Looking at it now, there’s no doubt about it though: these things are just plain unintelligible.

And yet, you won’t do digital forensics for long without encountering it. Clearly, to be so popular it must have its merits. Why else would app developers far and wide be increasingly convinced to implement the tech over something far easier to work with, like JSON? Computers are so fast that a minor increase in parsing performance doesn’t explain such widespread adoption. Serving as a source of consternation for digital forensic examiners is another humorous possibility, but that’s not it either.

In this technical session, we will attempt to answer this question and more, with topics including:

  • examining the problems protobuf can actually solve from a developer’s perspective (as compared to JSON, XML, etc.) and an end-to-end demonstration
  • an overview of various tools you can use to interpret them, common pitfalls, and key things to understand
  • reverse engineering techniques (including dynamic analysis with Frida) that can be used to achieve increased understanding of a particularly complex object.


May

18

New Approaches to Digital Forensics Investigations

Geoff MacGillivray

Lecture

Lab Management

Magnet Forensics Product Lecture

13:00 EDT

In this Lecture:

The global pandemic accelerated workplace shifts towards new ways of working, many involving online work and new technologies. Law Enforcement Agencies and Digital Forensic teams were already re-imagining new workflows to cope with rising digital evidence volumes. Like other sectors, the pandemic has accelerated this re-imagining and leading agencies are using a combination of technology and process change to realize greater efficiencies.

Join Geoff MacGillivray, Vice President of Product Management at Magnet Forensics, to learn about Magnet’s vision for stronger investigations of digital data, securely and at scale. Hear how solutions such as Magnet AUTOMATE and Magnet REVIEW can help organizations to automate, manage and collaborate on investigations with speed, accuracy and transparency. Leave with an actionable path forward – for any-sized agency – to modernize your investigation of digital data and meet the needs of your agency today and tomorrow.


May

18

Automation in digital forensics – the good, the bad and the preconceptions

Aaron Sparling

Lecture

Lab Management

14:00 EDT

In this Lecture:

Automation is not a new concept; it comes in numerous forms, some of which are already in use in almost every digital forensics lab in the DFIR community. But are all forms of automation right for all types of cases? What will happen to the forensic examiner role if we introduce workflow automation? Will automation decrease the quality of digital investigations? Join Aaron Sparling, Officer, Investigations Branch, Digital Forensics Unit at the Portland Police Bureau, for a thought-provoking presentation where he challenges common preconceptions about automation in digital forensics, presents some of the real ways automation is successfully being used today and where lab managers and examiners might face issues.


May

18

Tick Tock Ya Don’t Stop – Examining Google’s Wear OS

Josh Hickman

Lecture

Cloud

15:00 EDT

In this Lecture:

Google created the descendant of their wearables operating system, Wear OS, back in 2014, a full year before the arrival of the Apple Watch and watchOS. Since that time, several OEMs such as Fossil, Motorola, and Mobvoi have released multiple smart watches that run Wear OS, and Google has acquired FitBit, which could mean a push towards a Google-made smart watch similar to what it did with the Google Nexus and Pixel lines of phones. With that in mind, this presentation takes a look at what artifacts are available in Wear OS, including hardware information, recently launched applications, used watch faces and complications, location data, paired phone information, account information, and Google Assistant data. These artifacts will also be compared to what is available on the paired Android phone.


May

18

No logs, no problem: Leveraging User Access Logging on Windows Server systems

Patrick Bennett

Lecture

Cloud

16:00 EDT

In this Lecture:

Not to be confused with Office 365’s Unified Audit Log, the User Access Logging (UAL) database is included with Server editions of Microsoft Windows starting with Windows Server 2012. Designed to provide system administrators with insight into service usage on Windows servers, it contains valuable forensic data which remains largely untapped by DFIR professionals. Among other things, the UAL database maintains a record of the types of services accessed on a server; the username associated with the access; and the source IP address from which the access occurred. With default settings, the UAL database retains this information for two years. The database is stored in the Extensible Storage Engine (ESE) format, and can be parsed offline or accessed from a live system via PowerShell cmdlets.


May

19

Paying it Forward: Mentorship in Digital Forensics

Jason Jordaan

Lecture

Mental Wellness & Mentorship

10:00 EDT

In this Lecture:

Many of us in the field of digital forensics have been lucky to have a senior practitioner to look up to as we began our journey into digital forensics, and some of us have not. But regardless, the reality is that having a mentor to guide you along your journey is a crucial part of knowledge transfer, and has been a key part of effective knowledge and skill transfer for centuries.

In this presentation we will explore the importance of mentorships in digital forensics in not only developing the next generation of digital forensic practitioners, but also enhancing the skills of existing practitioners. We will explore this from two perspectives. The first being how to be an effective mentor to a digital forensics practitioner, and the second, how to be an effective mentee.

The presentation will also explore various mentorship programs and equip you with the knowledge to set up your own mentorship programs, and how to find the correct mentor for you.


May

19

Easing the Path for Girls into STEM

Dr. Kimberly Clay

Lecture

Mental Wellness & Mentorship

11:00 EDT

In this Lecture:

Play Like a Girl leverages the collective power of women athletes, coaches and executives to serve as role models and mentors to middle school girls with an interest in STEM.
This session will detail how Play Like a Girl uses its educational programs and strategic partnerships with hundreds of corporate volunteers to deliver a coordinated, multi-year program where middle school girls are exposed to practical lessons in leadership and engage in hands-on STEM education, all through the lens of a confidence-building curriculum.


May

19

How Being a Terrible Manager Has Led to Innovative Solutions for Digital Forensic Investigations

Mitch Kajzer

Lecture

Mental Wellness & Mentorship

12:00 EDT

In this Lecture:

I am the Director of the St. Joseph County, IN Cyber Crimes Unit. The unit consists primarily of college students. We’ve all heard the horror stories about this generation of workers, which currently accounts for over 50% of the workforce. Among other things, they are entitled, lazy, unmotivated, disloyal, and selfish. Combine that with the fact that I am a terrible manager and it sounds like a recipe for disaster. But it hasn’t been. This model has led to innovative solutions to digital forensics investigations. We analyze over 700 devices a year. We haven’t had a case backlog in over four years. Our turnaround time is routinely same day. This talk will discuss a new paradigm in the workforce and our forensics lab. When I became the Cyber Crimes Director, I had no formal training or experience as a manager. So I bucked the conventional wisdom of management and decided not to manage at all. Instead, I took the approach of being a leader and mentor. What I’ve learned through leadership is that if you take care of the people taking care of the work, the people taking care of the work will excel beyond expectations. This simple concept that you manage things, but you lead people, will be discussed. Lessons from this talk can be applied by anyone in any industry to usher in a new era of the end of management and a focus on leadership at every level.


May

19

Cybersleuth Labs – Introducing High School Girls and Underrepresented Minorities to Digital Forensics

Daryl Pfeif

Lecture

Mental Wellness & Mentorship

13:00 EDT

In this Lecture:

This talk will share the Cyber Sleuth Science Lab (CSSL) research findings on the effectiveness of combining ethical and social lessons with technical education to engage the next generation. CSSL is geared to reach all students in high school with an emphasis on engaging more young women and underrepresented youth in STEM. This approach leverages DFIR as a unique opportunity to inform learners about security and privacy issues and encourage responsible and ethical behavior in our digital society while preparing them for success in a variety of STEM career pathways.
In addition, this project built on the foundational work of the National Girls Collaborative Project and the FabFems network by encouraging learners to work with peers, near peers and interact with mentors and role models. In particular, Cyber Sleuth Science Lab, showcases the variety of jobs in the DFIR and Cybersecurity industry by bringing experts across these domains into the classroom to discuss the unique ways this expertise is applied in their day-to-day work and to share more in-depth information about the individual pathways they took to get into the field.


May

20

GNU/Linux Examinations with AXIOM

Hoyt Harness

Lecture

Computer

09:00 EDT

In this Lecture:

In this talk we will explore Magnet AXIOM’s features useful to the Linux examiner. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.

This session is perfect for those who use Windows workstations to examine Linux evidence and do not want to miss Linux/UNIX-exclusive artifacts.


May

20

Alternative Approaches to Windows Memory Analysis

Tarah Melton

Lecture

Computer

11:00 EDT

In this Lecture:

Did you know that there are alternative techniques for Windows memory analysis? In this session, you’ll see how utilizing MemProcFS in conjunction with Magnet AXIOM can help to enrich your investigation with both a mounted logical file structure of memory output alongside carved artifacts from memory. Join Tarah Melton who will demonstrate these techniques and apply them to solving memory analysis questions.


May

20

Conducting Android & iOS Investigations with Graykey & AXIOM: Finding Support for Unsupported Applications

David Smalley, Trey Amick

Lecture

Criminal Investigations

11:00 EDT

In this Lecture:

Device users are no longer relying on default applications to communicate, often migrating to 3rd party applications with additional features. Unfortunately, these same types of applications can be used by actors involved in criminal investigations to encrypt and obfuscate their activities.

In this webinar, join David and Trey, digital forensic experts from Grayshift and Magnet Forensics, for a hands-on deep dive into modern approaches to digital forensics that help enable you to achieve same-day results (often within hours), extract more data from locked and encrypted mobile devices, and get the most out of GrayKey + Magnet AXIOM. We’ll also review decryption methods for third party applications, securing critical evidence that is admissible and discoverable, and how to accelerate your investigations.

GrayKey labs are restricted to law enforcement and government attendees only. Please note that all submissions are being validated and approved by Grayshift. If you are approved, you will receive the joining details 24 hours before the session starts.


May

20

Hiding in Plain Sight

Brian Moran, Jessica Hyde

Lecture

Cloud

13:00 EDT

In this Lecture:

With more devices having onboard storage capability than ever before, it is imperative that analysts work with investigators to ensure that every possible medium of digital storage is collected during the course of an investigation. “Traditional” mediums, such as hard drives, flash drives, tablets, cell phones, and multimedia cards, are straightforward and at the forefront of most investigations. However, one must also take into account items such as televisions, smart speakers, smart watches/fitness trackers, digital photo displays, and even exercise equipment, often referred to as Internet of Things (IoT) devices.

This talk will cover both identifying these additional sources and a methodology to acquire and analyze these possible storage mechanisms during the course of an investigation. Brian and Jessica will also lay out baselines of a few “obscure” mediums for forensic analysts to be aware of during the course of their investigation.


May

20

PinePhone forensics

Kathryn Hedley

Lecture

Mobile

14:00 EDT

In this Lecture:

The PinePhone is one of the first functioning open source smartphone projects to truly put the choice of operating system into the user’s hands. It has been designed to run the Linux operating system, and can be purchased with a number of smartphone-specific Linux variants pre-flashed, so the phone can be used out of the box. Whilst this device is still very much in the development phase, and not everything functions exactly as expected just yet, it’s still fun to play with, and to try and work out what it might mean to a digital forensic investigation if one of these devices was seized as part of a case. Kathryn will talk through an introduction to the device, potential methods to acquire data, and where some key data may be stored based on her research so far.


May

20

GNU/Linux Examinations with AXIOM

Hoyt Harness

Lecture

Computer

15:00 EDT

In this Lecture:

In this talk we will explore Magnet AXIOM’s features useful to the Linux examiner. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.

This session is perfect for those who use Windows workstations to examine Linux evidence and do not want to miss Linux/UNIX-exclusive artifacts.


May

20

Introducing Network Forensics with Wireshark

Eduardo Santos

Lecture

Corporate Investigations

16:00 EDT

In this Lecture:

Join Eduardo Santos, Computer Network Analyst, for a demonstration of how powerful the Wireshark tool is for analysis during forensic investigations and incident response. You will learn how protocol concepts in the TCP/IP stack can support an investigation. This talk will also cover setting filters, creating different profiles, analyzing patterns and checking statistical data. In addition, Eduardo will discuss perceiving and analyzing recurring attacks on a computer network, such as DoS, malware traffic, malicious HTTP traffic, and Command and Control artifacts. These are attributes that make Wireshark a powerful Open Source traffic analysis tool, which can support a forensic investigation and security incident response process.


May

21

The Forensic Lunch

Special Event

12:00 EDT

In this Special Event:

Join us for a live recording of the Forensic Lunch.


May

24

AXIOM Cyber and the Corporate Cloud

Chris Vance

Hands-on Lab

Cloud

Corporate Investigations

09:00 EDT

In this Hands-on Lab:

This session will explore the major cloud structures in many modern corporations including O365, AWS, Slack, and more. Throughout this lab, students will learn about AXIOM Cyber’s different functionality through acquisition and analysis of several cloud platforms including what new information may be available in the latest versions. This lab will also include several pre-acquired image files so that students can see what information will be available once it is all pulled down.

This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

24

Magnet Forensics Custom Artifacts Lab

Jessica Hyde

Hands-on Lab

Cloud

Computer

Mobile

13:00 EDT

In this Hands-on Lab:

In this lab we will show you how to extend your capabilities with Magnet AXIOM by utilizing and creating custom artifacts. In this hands-on lab we will learn how to create and install custom artifacts including custom artifacts from the Artifact Exchange or those shared within your organization. We will review multiple ways to create custom artifacts including using XML Templates, Python Custom Artifacts, and the Magnet Custom Artifact Generator. We will show how XML templates can be created for both SQLite Artifacts and Fragmented Artifacts. At the end of the session, attendees will know the techniques necessary to create their own custom artifacts and bring in custom artifacts created by others.

This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

24

Time To Evidence: Improve Your ICAC Investigations with AI, Media Categorization, Cloud, OUTRIDER and More

Larry McClain

Hands-on Lab

Criminal Investigations

16:00 EDT

In this Hands-on Lab:

Pictures, videos, and chats can all be key pieces of evidence in building cases for possession, distribution, and/or production of child sexual abuse material (CSAM), solicitation of a minor, and related crimes. However, these data quantities can range well into terabytes as investigators evaluate the evidence across multiple cases. In this lab, learn how key features in Magnet AXIOM, including Magnet.AI, categorization, Child Protection System integration, and Officer wellness features, work together to save time, reduce exposure to harmful content, and focus case-building to apprehend predators and rescue child victims. We will also take a look at Magnet’s OUTRIDER and what it can do for your investigations.

This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.


May

25

Duck Hunt! Hunting Qakbot Malware with AXIOM

Aaron Sparling

Lecture

Computer

Corporate Investigations

09:00 EDT

In this Lecture:

This presentation will walk you through the analysis of an actual Qakbot investigation. The presentation will start with the collection of physical memory and filesystem acquisition, pivot through the analysis process, and eventually end with identification and attribution. Aaron will illustrate how MAGNET AXIOM can be used in malware investigations by utilizing the embedded Volatility framework, connections, artifact analysis, and timeline features. By using these embedded features within the AXIOM analysis platform we will be able to illuminate the breach from beginning to end. Aaron will share lessons learned and highlight both those things which worked as well as things that could have been done better in the investigation. From this presentation, you will gain a complete understanding of how Qakbot infects the network, as well as how to hunt, identify, isolate and remediate the malware infection.


May

25

Exploring Apps in the Back Country

Christopher Atha

Lecture

Cloud

Mobile

10:00 EDT

In this Lecture:

In 2020 there was a dramatic growth in outdoor activity with millions exploring the great outdoors according to a report from the Outdoor Foundation*. With the increased interest in activity, there was also exponential growth in fitness apps that helped consumers find trails, parking, weather conditions and much more. As you can imagine, accidents happened, people got lost, went missing and crime occurred. As Investigators and digital forensics analysts, we have a grasp of most fitness applications and their value to the overall crime story. Have we kept up with the top downloads from the App Store and the Google Play store for mountain biking, trail running, skiing, and other outdoor activities?

This talk will hit the outdoor adventure applications and explore their forensic artifacts just as they allow you to explore this wonderful planet. We will weave together a few real-world examples of how these little-known applications can shed light on what really happened. How fast was a skier going when they lost control, left the marked trail and collided with a tree? When did a trail runner quit uploading their runs to one of the popular services, which may not be popular to everyone? Join in and prepare to explore the apps that help you explore!

*Ref: https://outdoorindustry.org/press-release/forthcoming-reports-outdoor-foundation-outdoor-industry-association-provide-unprecedented-insight-trends-outdoor-participation/


May

25

Duck Hunt! Hunting Qakbot Malware with AXIOM

Aaron Sparling

Lecture

Computer

Corporate Investigations

13:00 EDT

In this Lecture:

This presentation will walk you through the analysis of an actual Qakbot investigation. The presentation will start with the collection of physical memory and filesystem acquisition, pivot through the analysis process, and eventually end with identification and attribution. Aaron will illustrate how MAGNET AXIOM can be used in malware investigations by utilizing the embedded Volatility framework, connections, artifact analysis, and timeline features. By using these embedded features within the AXIOM analysis platform we will be able to illuminate the breach from beginning to end. Aaron will share lessons learned and highlight both those things which worked as well as things that could have been done better in the investigation. From this presentation, you will gain a complete understanding of how Qakbot infects the network, as well as how to hunt, identify, isolate and remediate the malware infection.


May

25

Rapid Ransomware Response: A Survival Guide

Heather Smith

Lecture

Corporate Investigations

14:00 EDT

In this Lecture:

2020 came with many challenges, least of which was the emergence of more aggressive ransomware tactics: doubling down on extortion via encryption and exfil, new vectors (ESXi), and the adaptation of deployment techniques. This talk will give a fast-paced walkthrough of how to contain the attack, find evil, and bring critical business infrastructure back up as a rapid responder.
While this talk focuses on attack techniques seen in ransomware, it is important to note that similar techniques are used by other malicious actors, including nation-state APTs.
The end goal of this talk is to provide immediate takeaways for listeners, both for strengthening security posture and for additions to current response runbooks, based on the latest mutations of e-crime adversaries.


May

25

Applying the MITRE ATT&CK Framework to Dead Box Forensics by Mary Ellen Kennel

Mary Ellen Kennel

Lecture

Computer

15:00 EDT

In this Lecture:

A lot has been shared about the MITRE ATT&CK framework and how it can be leveraged as a powerful hunting resource and a threat modeling foundation. In this presentation, Mary Ellen will cover a different way of using MITRE ATT&CK – during a forensic investigation.

This talk will walk the audience through a complete investigation plan, A-Z, built from the MITRE ATT&CK framework. Unlike a lot of MITRE ATT&CK implications, the contents will be less about proactive threat hunting, and more an aid to a forensic investigation. We’ll begin with an example incident that was just dropped on your desk, and all you have is an IP address. Your company had a visit from a three-letter agency, and you’ve now found out through a third party that your org was popped; it doesn’t get much worse than that. The “suits” leave, and all you’ve got is an IP address and strict orders to piece together what happened. The order of events will be based loosely on a paper Mary Ellen published in 2016 entitled “IR A-Z”.


May

26

Get Moving with Magnet Forensics

Special Event

09:00 EDT

In this Special Event:

Grab your water bottle and favourite workout gear and join us for a Magnet Virtual Summit group fitness class. This fitness class requires no equipment and can be done anywhere that you have space to move. We’ll combine strength training, cardio and stretching for a one-hour full-body workout.


May

26

Surviving and Thriving in DFIR, Game of Thrones Style

Brett Shavers

Featured Lecture

Corporate Investigations

Criminal Investigations

11:00 EDT

In this Featured Lecture:

We are in a seemingly never-ending battle to learn, enter, survive, and hopefully thrive in the realm of Digital Forensics and Incident Response. Everyone’s path is different, strewn with obstacles that feel like they are intended to make your journey more difficult than anyone else’s. But you are not alone! Using personal successes and tragedies, Brett will share lessons he learned that you can apply to your path of success, whether new to the field or transitioning from one level to the next. From mistakes, general advice, and tips on forensic analysis, Brett will be an open book to share some of the great and the not-so-great aspects of our chosen profession, including some of the best words of advice that you can put to use in less than two minutes after the presentation.


May

26

Finding Your 1%

Kim Bradley, Sheryl Woolverton

Lecture

Criminal Investigations

Mental Wellness & Mentorship

14:00 EDT

In this Lecture:

What is 1%? Forensic Examiners and Investigators are used to giving 100% of themselves to their examinations and case load. While examiners are quick to share “how to’s”, the stress of the work is not often discussed or acknowledged. Many enjoy immersing themselves in their case load and the mission of their work; however, it often comes at great sacrifice. Staying late to look through one more device, start one more case processing, or try one more method to search for the data (or absence of data) for an examination is all too common. Deadlines, case implications and backlog can influence not only how work time is spent, but also mental energy at home. By dedicating just 1% of the day to something fun, something different, something to step back for just a moment, physical and mental energy can be renewed to continue to embrace work with less burnout and fatigue. Join us as we discuss how you can use your 1%, the importance of regularly scheduled time for your 1% and how to identify times you need to take an unplanned 1%.


May

27

Ransomware: Current Trends and Updates

Cindy Murphy

Lecture

Corporate Investigations

09:00 EDT

In this Lecture:

Cindy Murphy, President of Tetra Defense, will be presenting insights on the cyber incidents she investigates daily, including a behind-the-scenes look at the trajectory from incident to millions of dollars of damage for unsuspecting businesses. Ransomware has always been prevalent, and because of many changes made to networks to allow working from home during COVID-19 and throughout 2020, attacks have become even more frequent. Some takeaways will include specific COVID-related incidents, the “business” structure of ransomware threat actors, and the latest intel from the Tetra team regarding ransomware threats and how to thwart them.


May

27

Snapchat – A False Sense Of Security?

James Duffy

Lecture

Mobile

10:00 EDT

In this Lecture:

James will explore the local data storage of ‘Snapchat’ for iOS, the implications of the chosen data protection mechanisms that Snapchat have implemented while dissecting the various application databases, exploring how they inter-operate and how the databases are manipulated during execution. This will provide a valuable insight for forensic analysts, allowing for both a further understanding of Snapchat internals and how to detect local data manipulation prior to device filesystem acquisition.


May

27

Managing Digital Evidence in the Microsoft Azure Cloud

David Williams, Trey Amick

Lecture

Computer

Corporate Investigations

11:00 EDT

In this Lecture:

The exploding growth of digital data is flooding digital forensics labs with valuable evidence that needs to be collected, stored, and analyzed in an efficient and timely manner. By leveraging the cloud, forensics teams can enable powerful, scalable, and cost-effective solutions for managing investigations and storing and safeguarding digital evidence.

Join Microsoft’s David Williams, and Trey Amick, from Magnet Forensics, as they discuss how you can leverage secure, future-ready cloud solutions on Microsoft Azure, backed by a team of experts and proactive compliance, to more easily adjust to meet the changing investigative challenges and evidence storage requirements of today’s law enforcement agencies.


May

27

Magnet AUTOMATE: Transforming your DF Lab with Automation

Greg Ward, Tarah Melton

Lecture

Lab Management

Magnet Forensics Product Lecture

13:00 EDT

In this Lecture:

Over the past year, Law Enforcement Agencies and Digital Forensic Units have accelerated their modernization efforts to re-imagine how they handle growing challenges such as increasing data volumes, evidence complexity, skilled talent shortages and remote work.

Magnet AUTOMATE, an orchestration and automation platform, helps agencies create efficient workflows to tackle these challenges and meet the demands for service from their agency. Automate repetitive/manual tasks to complete more investigations faster with your existing resources while allowing examiners to focus on complex analysis. Join Greg Ward, Product Manager, and Tarah Melton, Solutions Consultant, to learn more about Magnet AUTOMATE, see it in action, and check out recent advancements such as new mobile workflow capabilities and stats & management dashboards to help Lab Managers measure, act and report on lab efficiency.


May

27

Using Triage Tools in Different Phases of an Investigation

Hans Ehren

Lecture

Criminal Investigations

14:00 EDT

In this Lecture:

Join Hans Ehren from the Dutch Police for a discussion on the importance of triage during COVID-19. A large number of people are working from home and children are spending more time online, increasing the need for the availability of computers. Unfortunately, the spread of CSAM also increases in this situation, making effective and fast triage even more important. It ensures that the suspected systems are identified and that other systems remain available for home working and home schooling.


May

27

Detection in the Dark – Exploiting XSS Vulnerability in C&C Panels to detect Malwares

Shay Nachum

Lecture

Corporate Investigations

15:00 EDT

In this Lecture:

Numerous defense techniques exist for preventing and detecting malware on end stations and servers (endpoints). Although these techniques are widely deployed on enterprise networks, many types of malware manage to stay under the radar, executing their malicious actions time and again. Therefore, a more creative and effective solution is necessary, especially as classic threat detection techniques do not utilize all stages of the attack kill chain in their attempt to detect malicious behavior on endpoints. In this presentation, a novel approach for detecting malware is proposed. The approach uses offensive and defensive techniques for detecting active malware attacks by exploiting the vulnerabilities of their command and control panels and manipulating significant values in the operating systems of endpoints, in order to attack these panels and utilize trusted communications between them and the infected machine.


Note: Once you’ve registered for MVS21, you will be able to manage all your events via your MVS21 event hub.
