MVS21 AGENDA
Discover What You’ll Learn at MVS2021
May
03
TYPE
Hands-on Lab
THEME
Cloud
Criminal Investigations
TIME
09:00 EDT
Law Enforcement and the Cloud “Now Data versus Then Data”
Larry McClain
In this Hands-on Lab:
A common response when talking to Law Enforcement officers and staff often shows that there is a distinct lack of understanding as to the amount of evidence that can be found on the Cloud. It usually starts with an unwillingness to consider what authority is needed to obtain that evidence, and, with policies and procedures differing from Country to Country, Agency to Agency, and Police Force to Police Service, it can often be confusing and difficult. It is however essential that this “Forgotten” or “Missed” data is taken into consideration.
We have seen the amalgamation of Mobile Phone devices and Computer devices become more and more prevalent within the LE Community. What about adding in Cloud Data too? From OSINT data, public tweets and Instagram, not to mention access with credentials and warrant returns, this data is essential in modern LE. It is only going to increase in importance with the onset of large data being accessible via mobile devices, 5G and beyond.
What is the future for traditional computer dead box forensics? How many computers do you have in your home today compared with 5 years ago? There needs to be a tool to bring all this evidential data together: OSINT, Cloud Services data, Mobile devices and Computers. This is where AXIOM comes in. In respect of Cloud data, AXIOM can add Open Source Data, Credential downloads and Warrant return Data into a single case file showing connections between people, places and data. Let’s be honest, how many of us would bother with our devices if there was no internet connection? The mix of data shows a far fuller picture of lifestyle and activities. With Cloud data we are dealing with “Now Data”; with seized Computers and Mobiles it is often “Then Data”. Why not have all of it …
This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
03
TYPE
Hands-on Lab
THEME
Cloud
Computer
Mobile
TIME
13:00 EDT
Magnet AXIOM Tips & Tricks
Erich Schmidt
In this Hands-on Lab:
New to Magnet Forensics, or an IEF user who recently upgraded to AXIOM? Come to this lab to learn about AXIOM’s support for artifacts from multiple evidence sources including cloud, smartphones, memory, and computers. We’ll be navigating through the different Examine views and will learn how AXIOM leverages machine learning for examinations. We’ll also discuss how Connections in AXIOM connects files and users along a path of evidence. Learn how to build strong timelines using artifacts from many data sources which could be relevant to your case. Finally, learn about AXIOM’s flexible reporting options for sharing your findings with your stakeholders.
This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
03
TYPE
Hands-on Lab
THEME
Computer
Corporate Investigations
TIME
16:00 EDT
macOS/APFS Examinations with AXIOM
Hoyt Harness
In this Hands-on Lab:
In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.
This course is perfect for those who use Windows workstations to examine Macintosh evidence and do not want to miss Mac-exclusive artifacts.
This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
04
TYPE
Lecture
THEME
Computer
TIME
09:00 EDT
Leveraging AXIOM to assist in the decrypting of BitLocker and FileVault2 encrypted volumes
Dave Shaver
In this Lecture:
Learn from Dave Shaver, Senior Digital Forensic Analyst, the methodology to assist you in decrypting a forensic image of an encrypted volume (BitLocker or FileVault2).
May
04
TYPE
Featured Lecture
THEME
Magnet Forensics Product Lecture
TIME
10:00 EDT
MVS Welcome and Feature Presentation
Geoff MacGillivray, Jad Saliba
In this Featured Lecture:
Join Jad Saliba, Magnet Forensics Founder & CTO and Geoff MacGillivray, Vice President of Product Management, as they kick off Magnet Virtual Summit 2021 with a feature presentation.
May
04
TYPE
Lecture
THEME
Corporate Investigations
TIME
14:00 EDT
DFIR’s Role in Global Elections
Stephen Boyce
In this Lecture:
For years, there was a disconnect between the security research community and election technology manufacturers. In recent times, the two have opened dialogue and begun working with each other, but what role does the Digital Forensic & Incident Response (DFIR) community play? This presentation will address DFIR’s role in securing global elections by examining cyber-attacks on electoral systems.
May
04
TYPE
Lecture
THEME
Cloud
Computer
TIME
15:00 EDT
CMD42 Lock: Bypassing Embedded System Security for Forensic Data Acquisition.
Gareth Davies
In this Lecture:
Security of digital data is of paramount importance to individual security and national security. The ability to access protected or deleted data from embedded systems memory puts the security of sensitive data at risk. This talk will demonstrate the bleeding-edge of what is possible in overcoming embedded hardware security in the most common forms of NAND flash storage.
A case study will be presented on a mobile digital device that we commonly use to store sensitive data relating to our daily lives that isn’t a Smart Phone!
The presentation will include elements of:
- Embedded Memory Types & Hardware Security
- NAND Memory Interface and Internal Structure
- Physical Image Extraction
- Data Reconstruction Obstacles and Challenges
- Reverse Operations
- Logical Image Reconstruction Process
- Uncommon Filesystem Analysis
- SQL Scraping
- Data Stored on Modern Vehicles (inc. Recovered Protected Data)
May
04
TYPE
Lecture
THEME
Computer
TIME
16:00 EDT
Hang on! That’s not SQLite! Chrome, Electron and LevelDB
Alex Caithness
In this Lecture:
SQLite has become a ubiquitous data storage format for digital forensic practitioners to consider. First popularised by smartphone platforms it now forms part of almost every investigation in one form or another. SQLite’s ubiquity was built upon the growing market share of the platforms that used it extensively so it’s interesting to ask the question: what’s the next platform, and what’s the next data format?
May
05
TYPE
Featured Lecture
THEME
Corporate Investigations
TIME
11:00 EDT
Liberators of the Just: How the Forensicator Plays a Special Role in Social Justice
Matt Mitchell
In this Featured Lecture:
Join one of our featured speakers, Matt Mitchell, as he walks through how forensics impacts social justice. Known for his impressive work with the Ford Foundation, CryptoHarlem and Tactical Tech – Matt Mitchell is not to be missed.
May
06
TYPE
Lecture
THEME
Cloud
TIME
11:00 EDT
The Internet of Things (IoT) is now ubiquitous, but the analysis of IoT data is not...Yet.
Kenneth Oliver, Robert Fried, Warren Kruse
In this Lecture:
Join Warren Kruse, Robert Fried, and Kenneth Oliver from Consilio for a discussion on the potential relevance of IoT data to different corporate or civil case scenarios, and the potential need for obtaining discovery from, for example, internet-connected cameras; home automation systems; smart speakers, TVs, and refrigerators, and wearables.
This discussion will also touch on aspects of the industrial realm such as the challenge of IoT data generated in factories, warehouses, and pipelines, among other settings.
- What is IoT?
- Consumer IoT
- Wearables
- Digital Assistants
- Smart Home devices (thermostats, light bulbs, doorbells, refrigerators, e.g.)
- Industrial IoT
- Safety and maintenance monitoring
- Supply Chain tracking and monitoring
- Productivity tracking and monitoring
- Unique IoT Challenges
- Use in Civil cases
- Preserving Data
- Helping clients understand what IoT data they have
- Who to send preservation request to?
- How to preserve?
- Collecting Data
- How to collect and from whom?
- Possession, Custody, and Control
- Consumer IoT – who owns the data? How and where is it stored?
- Industrial IoT – cloud-based monitoring systems or manufacturer IoT or LEASED IoT equipment
- Subpoenaing data from third parties
- Different formats and potential need to convert the data for review
Assessing Accessibility, Relevance of IoT Data
- Often less accessible, but also more ephemeral, more danger of spoliation
- Is same data available from other, more easily accessible sources?
- Is all IoT data relevant? Can it be “untwined” if it’s massive?
May
06
TYPE
Lecture
THEME
Corporate Investigations
Magnet Forensics Product Lecture
TIME
13:00 EDT
Introducing AXIOM Cyber 5.0
Drew Roberts, Geoff MacGillivray
In this Lecture:
The next phase of AXIOM Cyber is coming: version 5.0!
Join Magnet Forensics’ Geoff MacGillivray, Vice President of Product Management and Drew Roberts, Sr. Product Manager, as they unveil the latest major release of AXIOM Cyber. Hear how Magnet Forensics has helped private sector organizations address their unique challenges with modern solutions including its artifacts-first approach. And be the first to see AXIOM Cyber 5.0 in action during a live demo of the latest features!
Since AXIOM Cyber’s official debut in January of 2019, we’ve ruthlessly and incrementally added functionality to help businesses address the unique digital forensics challenges that they have. Some of those highlights include:
- Off-network collection – Reliable remote acquisition of endpoints not connected to the corporate network
- Open source forensically sound container – Save remote collections to an AFF4-L container
- Support for eDiscovery – Generate a load file—complete with OCR scans—that can be ingested into an eDisco review platform
Sign up and save your spot today to hear about what’s new with AXIOM Cyber!
May
06
TYPE
Lecture
THEME
Magnet Forensics Product Lecture
TIME
13:00 EDT
Introducing Magnet AXIOM 5.0
Curtis Mutter, Trey Amick
In this Lecture:
Join us as we unveil the next generation of Magnet AXIOM!
Magnet Forensics’ Sr. Product Manager Curtis Mutter and Trey Amick, Director of Forensic Consultants, will be on hand to share the latest innovations we’ve brought to Magnet AXIOM with version 5.0 to help streamline and strengthen your digital investigations.
Digital forensics examiners today face considerable challenges as data volumes and sources continue to grow in both size and complexity, and the need for solutions that can help quickly find, analyze, and report on the most relevant evidence required for an investigation is more critical than ever. Curtis and Trey will show how we’re continuing to help you stay ahead with Magnet AXIOM 5.0 and beyond by providing new ways to enhance your investigations, recover data from sources, and get to the evidence.
May
06
TYPE
Lecture
THEME
Cloud
Corporate Investigations
TIME
14:00 EDT
Forensic Considerations for Cloud Storage Data
Jamie McQuaid
In this Lecture:
Do you have a response plan for dealing with data stored in the cloud? Do you have the necessary accounts, access, logging, and knowledge on what to do if you need to collect evidence stored in AWS, Azure, or another provider or service? Maybe your organization has fully shifted to a cloud-first approach or perhaps it’s still thinking about it (likely somewhere in the middle), but understanding and preparing for that time is best done beforehand and not during an incident. Does it make sense to preserve and download all the relevant data and conduct your investigation completely on-premise, or is there a time where you may want to do your analysis in the cloud? Your answer is likely somewhere in the middle for that as well.
In this talk, Jamie McQuaid will detail the various sources of evidence that may reside in the cloud, the prerequisites needed to access it, and discuss the best ways to collect and analyze that data to ensure integrity is maintained and you get all the relevant data you need for your investigation. The focus will be on data sources stored in AWS and Azure but we will also call out situations where cloud data may need to be collected elsewhere as well. As with anything in DFIR, there isn’t always one answer that fits every situation so we’ll discuss several options and will likely say “it depends” a lot.
May
06
TYPE
Lecture
THEME
Computer
TIME
15:00 EDT
The AFF4 Evidence Container: Why and what’s next?
Bradley Schatz
In this Lecture:
In recent times the next-generation evidence file format, AFF4, has transitioned from niche to broad support across the forensic tool ecosystem. Targeted at intermediate examiners, this presentation will provide an introduction to new users of the format, allowing one to understand the format’s advantages, how it differs to existing approaches, independently assess its forensic soundness in comparison to existing formats, and identify where current forensic workflows might benefit. It will also examine where the format is headed next in solving emerging challenges such as logical acquisition.
May
06
TYPE
Lecture
THEME
Corporate Investigations
TIME
16:00 EDT
Big Game Hunting from a Forensic Point of View
Oleg Skulkin
In this Lecture:
Ransomware attacks on huge enterprises, also known as Big Game Hunting, were the hottest topic in 2020. As it is impossible to image every drive you want during incident response engagements, it’s extremely important for forensic analysts to know which sources of artifacts are the most important for attack reconstruction, as well as what to look for during such investigations. This talk will shed light on the most common techniques used by adversaries during such attacks, and which forensic artifacts to look at to successfully uncover them.
May
10
TYPE
Hands-on Lab
THEME
Criminal Investigations
TIME
09:00 EDT
Time To Evidence: Improve Your ICAC Investigations with AI, Media Categorization, Cloud, OUTRIDER and More
Larry McClain
In this Hands-on Lab:
Pictures, videos, and chats can all be key pieces of evidence in building cases for possession, distribution, and/or production of child sexual abuse material (CSAM), solicitation of a minor, and related crimes. However, these data quantities can range well into terabytes as investigators evaluate the evidence across multiple cases. In this lab, learn how key features in Magnet AXIOM, including Magnet.AI, categorization, Child Protection System integration, and Officer wellness features, work together to save time, reduce exposure to harmful content, and focus case-building to apprehend predators and rescue child victims. We will also take a look at Magnet’s OUTRIDER and what it can do for your investigations.
This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
10
TYPE
Hands-on Lab
THEME
Cloud
Corporate Investigations
TIME
13:00 EDT
AXIOM Cyber and the Corporate Cloud
Chris Vance
In this Hands-on Lab:
This session will explore the major cloud structures in many modern corporations including O365, AWS, Slack, and more. Throughout this lab, students will learn about AXIOM Cyber’s different functionality through acquisition and analysis of several cloud platforms including what new information may be available in the latest versions. This lab will also include several pre-acquired image files so that students can see what information will be available once it is all pulled down.
This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
10
TYPE
Hands-on Lab
THEME
Computer
Criminal Investigations
TIME
16:00 EDT
macOS/APFS Examinations with AXIOM
Hoyt Harness
In this Hands-on Lab:
In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.
This course is perfect for those who use Windows workstations to examine Macintosh evidence and do not want to miss Mac-exclusive artifacts.
This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
11
TYPE
Lecture
THEME
Lab Management
Magnet Forensics Product Lecture
TIME
10:00 EDT
How to Solve Today’s Evidence Review Challenges with Magnet REVIEW
Cody Bryant
In this Lecture:
Evidence review has often been plagued with hurdles regardless of the agency’s size, location, or budget. Some of these challenges include shipping evidence which can be costly and may introduce security risks, requiring investigators to travel to the lab to review evidence on workstations, training investigators on multiple tools, and now (more than ever) enabling remote work as pandemic restrictions limit access to the lab. That’s why we’ve built Magnet REVIEW, a single web-based platform purpose-built for non-technical investigators to securely review evidence from anywhere with an internet connection. Overcoming these challenges with a centralized platform like REVIEW enables teams to get to the truth quickly, without being limited by physical distance or technical tools, all while reducing evidence distribution costs and improving overall security posture.
Join Cody Bryant, Director, Product Management, and Craig Guymon, Director of Solution Consulting, to learn why and how we built Magnet REVIEW for the non-technical investigator, see a live demo of REVIEW’s intuitive interface, and learn how to enable teams of non-technical investigators to review evidence from anywhere.
May
11
TYPE
Lecture
THEME
Cloud
Criminal Investigations
TIME
13:00 EDT
Finding Evidence of Cloud Data ‘Footprints’ in Existing Evidence
Tim Moniot
In this Lecture:
Cloud data has quickly become the new frontier in DFIR. More and more data is being stored in the Cloud by the various cloud storage, cloud communication, social networking, and mobile computing platforms. Join Tim Moniot from Magnet Forensics during this discussion and demonstration of how you can begin identifying evidence of cloud platform usage as a component related to your investigations. Once Cloud data has been identified as related to an investigation, Tim will discuss options for gaining access to and subsequently collecting relevant Cloud source data so that it too can be analyzed within AXIOM. This presentation will be relevant to both law enforcement and corporate DFIR professionals.
May
11
TYPE
Lecture
THEME
Cloud
Corporate Investigations
TIME
13:00 EDT
Enhancing Digital Investigations using Cloud and Endpoint Collections
Rhys Tooby
In this Lecture:
The complexity of digital investigations and the increasing volume of data require an enhanced approach to your digital investigations, so that you can better serve your customers without increasing headcount or requiring drastic investments in new digital forensic equipment.
In this session Rhys Tooby, Solutions Consultant at Magnet Forensics, will perform covert remote collection of Windows and macOS devices with an ad hoc agent and you’ll learn how to perform advanced cloud acquisition from Office 365, G Suite, Box, AWS S3, EC2 and Azure virtual machines.
May
11
TYPE
Lecture
THEME
Corporate Investigations
TIME
14:00 EDT
If we do not have it we should build it (Forensic Readiness in Application Security)
Veronica Schmitt
In this Lecture:
The design of life-saving software plays a vital role in the Medical Manufacturing industry. The way in which medical devices are being revolutionized is staggering and breathtaking, but it hasn’t necessarily resulted in a corresponding revolution in how these devices are built. With the advancement and evolution of research into chronic illness, newer, more advanced methods are found to more effectively treat these chronic illnesses. Medical technologies can be defined as products, services, or solutions which are used to improve and prolong life. Statistics done in 2019 showed that more than 500,000 medical technologies, such as implantable devices, patient monitors, and robotic surgery aids, are available to hospitals and patients. The medical device industry is poised for a steady increase in growth, with a global forecasted annual sales growth of over 5% a year, and is estimated to reach 800 Billion US dollars by 2023. The question is how prepared we are to deal with medical device forensics and, additionally, how mature the data on these devices is. This talk focuses on the frustrations that Veronica has faced as a patient, hacker, and forensicator in realizing that forensic readiness should be built into these devices, as they contain little to no forensic value currently. When nothing goes right, go left. Influencing the way the devices are built and the developers that build them has shown an increase in the forensic readiness of devices. We need to create a team of Forensic Developers to enable future forensicators to have success in dealing with breaches on these devices.
May
11
TYPE
Lecture
THEME
Computer
Corporate Investigations
Criminal Investigations
TIME
15:00 EDT
Countering the USBKill Switch
Ali Hadi
In this Lecture:
The USBKill switch is software that was created to respond to a computer system falling into the hands of law enforcement, bullies, or individuals who might steal it while its owner is working in a public place. It is well known as anti-forensics kill-switch software that can be configured to power off a system, but it can also take other actions, such as deleting files from the system.
This research is an attempt to counter the USBKill switch by sharing how it works, what artifacts can be found, and how investigators and incident responders can counter systems that are configured to use it.
May
11
TYPE
Lecture
THEME
Lab Management
TIME
16:00 EDT
How much can we automate in digital investigation?
Joshua James
In this Lecture:
Join Dr. Joshua James, Digital Forensic Consultant, to learn how automation is currently used in digital investigations and what limits there are to current automation methods. He will explain the state of the art on technical automation as well as applied, automated reasoning. He will conclude his presentation by formalizing automated reasoning in digital investigations and making explicit the challenges to completely automating a digital investigation process.
May
12
TYPE
Featured Lecture
THEME
Criminal Investigations
TIME
11:00 EDT
A Fireside Chat With Brian Krebs
Brian Krebs
In this Featured Lecture:
Join us for a fireside chat with American journalist and investigative reporter, Brian Krebs. This will be a unique opportunity to talk to Brian live about his insights on cybercrime prevention and detection.
May
12
TYPE
Special Event
THEME
TIME
16:00 EDT
MVS 2021 Capture the Flag Challenge
In this Special Event:
Magnet Forensics is excited to bring you their 4th annual CTF! This CTF will be a 3-hour timed event to test your skills and learn while competing with others from around the world to win prizes. This CTF promises to introduce an entirely new image set and scenario with different data sources than have been presented in other Magnet Virtual Summit CTFs. We don’t want to give away too much, but we promise that Jessica Hyde, Director of Forensics, and students from the Champlain College Digital Forensics Association have created a challenge that will be fun, frustrating, and full of learning opportunities.
May
13
TYPE
Lecture
THEME
Criminal Investigations
TIME
09:00 EDT
Officer Wellness: Prioritising your Personal Mental Health and Wellness in IIoC investigations
Elizabeth Strong
In this Lecture:
Persistent exposure to Indecent Images of Children (IIoC) can take its toll on Examiners and Investigators leading to trauma, stress, burnout, and more. Rhys Tooby, Magnet Solutions Consultant, will share his experience of addressing mental wellness during his career as an Examiner and Head of a Digital Forensics Unit in the South Wales UK Police force. Rhys will be joined by Elizabeth Strong, Program Manager for Wellness/Mental Health Initiatives at the National White Collar Crime Center (NW3C). Join this informal discussion as Elizabeth answers questions from Rhys, as she explains the brain and body science behind stress and provides helpful coping mechanisms for dealing with IIoC exposure.
May
13
TYPE
Lecture
THEME
Cloud
Criminal Investigations
TIME
10:00 EDT
Enhancing Digital Investigations with Cloud-based Evidence
Doug Gartner, Matt Melton
In this Lecture:
The cloud can be your best friend in conducting digital investigations. Increasing volumes of digital evidence, budget constraints and talent shortages can make it difficult for your lab to keep up with demand. The cloud provides practically unlimited storage capability, computing power, and tools to ensure that your data remains secure and protected. We will discuss how the cloud enables an enhanced approach to digital investigations so that you can better serve your agency, without increasing headcount or drastic investments in new forensic equipment. Join us as we discuss the challenges and solutions enabling digital forensics labs today.
May
13
TYPE
Lecture
THEME
Computer
TIME
11:00 EDT
Add “Protobuf Expert” to your examiner’s resume
Mike Williamson
In this Lecture:
It’s night shift, you’re staring at your hex editor and staring back at you is your forensic arch-nemesis: a protobuf-encoded blob. You’ve heard the horror stories, and maybe even battled with one previously. Looking at it now, there’s no doubt about it though: these things are just plain unintelligible.
And yet, you won’t do digital forensics for long without encountering it. Clearly, to be so popular it must have its merits. Why else would app developers far and wide be increasingly convinced to implement the tech over something far easier to work with, like JSON? Computers are so fast that a minor increase in parsing performance doesn’t explain such widespread adoption. Serving as a source of consternation for digital forensic examiners is another humorous possibility, but that’s not it either.
In this technical session, we will attempt to answer this question and more, with topics including:
- examining the problems protobuf can actually solve from a developer’s perspective (as compared to JSON, XML, etc.) and an end-to-end demonstration
- an overview of various tools you can use to interpret them, common pitfalls, and key things to understand
- reverse engineering techniques (including dynamic analysis with Frida) that can be used to achieve increased understanding of a particularly complex object.
May
13
TYPE
Lecture
THEME
Cloud
Computer
Mobile
TIME
13:00 EDT
Integration and Validation of Third Party Tool Outputs Within AXIOM
Alexis Brignoni
In this Lecture:
A single wrench a toolset does not make. By leveraging multiple tools we can enrich our investigations in two major ways:
1) Bring new insights and unique tool capabilities to the forefront.
2) Make sure overlapping analysis between tools is consistent.
AXIOM provides multiple ways to easily achieve these goals in one place providing unified analysis and reporting capabilities. Testing and validation in one place. Come and learn how.
May
13
TYPE
Lecture
THEME
Criminal Investigations
Mobile
TIME
14:00 EDT
The Order of Things – Timeline Analysis of a Complex Investigation
Matthew Sorell
In this Lecture:
This case study looks at the importance of validation of timelines and log processes in a complex murder investigation. It is concerned with piecing together the activities of the suspect, who was initially considered a victim of the crime.
The case study will consider extractable logs from an iPhone 5c circa late 2016, billing records in which shortcuts have been made in billing mediation, a phone with a manually modified clock, a massive thunderstorm and state-wide blackout, suspicious gaps in the record, and securement mistakes made by crime scene investigators.
The case study is real, presented with sanitised data. It demonstrates the importance of understanding the big picture of a complex telecommunications system – the links between data sources and the subtleties of their compilation.
May
13
TYPE
Lecture
THEME
Mobile
TIME
15:00 EDT
Digital Evidence from Social Networking Sites & Smartphone Apps
Julie Lewis
In this Lecture:
According to Statista.com in 2019, the global social penetration rate reached 45 percent, with East Asia and North America both having the highest penetration rate at 70 percent, followed by Northern Europe at 67 percent. Mobile device usage for social media has increased to 91% of social channel accesses in 2018 according to Marketing Profs. Many technology thought leaders believe social networking will displace traditional email as the leading communication medium. This presentation will provide a practical walkthrough of preservation of top social media sites and how to effectively utilize tools for evidentiary collection across the Web, PCs/desktops and smart devices. It will look at social media apps on smartphones and what digital evidence exists compared to what can be found on the cloud. It will also explore innovations in emoji/avatar Apps such as Bitmoji.
May
13
TYPE
Lecture
THEME
Criminal Investigations
TIME
16:00 EDT
Officer Wellness: Prioritising your Personal Mental Health and Wellness in IIoC investigations
Elizabeth Strong
In this Lecture:
Persistent exposure to Indecent Images of Children (IIoC) can take its toll on Examiners and Investigators leading to trauma, stress, burnout, and more. Rhys Tooby, Magnet Solutions Consultant, will share his experience of addressing mental wellness during his career as an Examiner and Head of a Digital Forensics Unit in the South Wales UK Police force. Rhys will be joined by Elizabeth Strong, Program Manager for Wellness/Mental Health Initiatives at the National White Collar Crime Center (NW3C). Join this informal discussion as Elizabeth answers questions from Rhys, as she explains the brain and body science behind stress and provides helpful coping mechanisms for dealing with IIoC exposure.
May
17
TYPE
Hands-on Lab
THEME
Cloud
Computer
Mobile
TIME
09:00 EDT
Magnet AXIOM Tips & Tricks
Justin Almanza
In this Hands-on Lab:
New to Magnet Forensics, or an IEF user who recently upgraded to AXIOM? Come to this lab to learn about AXIOM’s support for artifacts from multiple evidence sources including cloud, smartphones, memory, and computers. We’ll be navigating through the different Examine views and will learn how AXIOM leverages machine learning for examinations. We’ll also discuss how Connections in AXIOM connects files and users along a path of evidence. Learn how to build strong timelines using artifacts from many data sources which could be relevant to your case. Finally, learn about AXIOM’s flexible reporting options for sharing your findings with your stakeholders.
This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
17
TYPE
Hands-on Lab
THEME
Cloud
Criminal Investigations
TIME
13:00 EDT
Law Enforcement and the Cloud “Now Data versus Then Data”
Larry McClain
In this Hands-on Lab:
A common response when talking to Law Enforcement officers and staff often shows that there is a distinct lack of understanding as to the amount of evidence that can be found on the Cloud. It usually starts with an unwillingness to consider what authority is needed to obtain that evidence, and, with policies and procedures differing from Country to Country, Agency to Agency, and Police Force to Police Service, it can often be confusing and difficult. It is however essential that this “Forgotten” or “Missed” data is taken into consideration.
We have seen the amalgamation of Mobile Phone devices and Computer devices become more and more prevalent within the LE Community. What about adding in Cloud Data too? From OSINT data, public tweets and Instagram, not to mention access with credentials and warrant returns, this data is essential in modern LE. It is only going to increase in importance with the onset of large data being accessible via mobile devices, 5G and beyond.
What is the future for traditional computer dead box forensics? How many computers do you have in your home today compared with 5 years ago? There needs to be a tool to bring all this evidential data together: OSINT, Cloud Services data, Mobile devices and Computers. This is where AXIOM comes in. In respect of Cloud data, AXIOM can add Open Source Data, Credential downloads and Warrant return Data into a single case file showing connections between people, places and data. Let’s be honest, how many of us would bother with our devices if there was no internet connection? The mix of data shows a far fuller picture of lifestyle and activities. With Cloud data we are dealing with “Now Data”; with seized Computers and Mobiles it is often “Then Data”. Why not have all of it …
This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
17
TYPE
Hands-on Lab
THEME
Computer
Corporate Investigations
TIME
16:00 EDT
macOS/APFS Examinations with AXIOM
Hoyt Harness
In this Hands-on Lab:
In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.
This course is perfect for those who use Windows workstations to examine Macintosh evidence and do not want to miss Mac-exclusive artifacts.
This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
18
TYPE
Lecture
THEME
Lab Management
Magnet Forensics Product Lecture
TIME
09:00 EDT
New Approaches to Digital Forensics Investigations
Geoff MacGillivray
In this Lecture:
The global pandemic accelerated workplace shifts towards new ways of working, many involving online work and new technologies. Law Enforcement Agencies and Digital Forensic teams were already re-imagining new workflows to cope with rising digital evidence volumes. As in other sectors, the pandemic has accelerated this re-imagining, and leading agencies are using a combination of technology and process change to realize greater efficiencies.
Join Geoff MacGillivray, Vice President of Product Management at Magnet Forensics, to learn about Magnet’s vision for stronger investigations of digital data, securely and at scale. Hear how solutions such as Magnet AUTOMATE and Magnet REVIEW can help organizations to automate, manage and collaborate on investigations with speed, accuracy and transparency. Leave with an actionable path forward – for any-sized agency – to modernize your investigation of digital data and meet the needs of your agency today and tomorrow.
May
18
TYPE
Lecture
THEME
Computer
TIME
10:00 EDT
Add “Protobuf Expert” to your examiner’s resume
Mike Williamson
In this Lecture:
It’s night shift, you’re staring at your hex editor and staring back at you is your forensic arch-nemesis: a protobuf-encoded blob. You’ve heard the horror stories, and maybe even battled with one previously. Looking at it now, there’s no doubt about it though: these things are just plain unintelligible.
And yet, you won’t do digital forensics for long without encountering it. Clearly, to be so popular it must have its merits. Why else would app developers far and wide be increasingly convinced to implement the tech over something far easier to work with, like JSON? Computers are so fast that a minor increase in parsing performance doesn’t explain such widespread adoption. Serving as a source of consternation for digital forensic examiners is another humorous possibility, but that’s not it either.
In this technical session, we will attempt to answer this question and more, with topics including:
- examining the problems protobuf can actually solve from a developer’s perspective (as compared to JSON, XML, etc.) and an end-to-end demonstration
- an overview of various tools you can use to interpret them, common pitfalls, and key things to understand
- reverse engineering techniques (including dynamic analysis with Frida) that can be used to achieve increased understanding of a particularly complex object.
May
18
TYPE
Lecture
THEME
Lab Management
Magnet Forensics Product Lecture
TIME
13:00 EDT
New Approaches to Digital Forensics Investigations
Geoff MacGillivray
In this Lecture:
The global pandemic accelerated workplace shifts towards new ways of working, many involving online work and new technologies. Law Enforcement Agencies and Digital Forensic teams were already re-imagining new workflows to cope with rising digital evidence volumes. As in other sectors, the pandemic has accelerated this re-imagining, and leading agencies are using a combination of technology and process change to realize greater efficiencies.
Join Geoff MacGillivray, Vice President of Product Management at Magnet Forensics, to learn about Magnet’s vision for stronger investigations of digital data, securely and at scale. Hear how solutions such as Magnet AUTOMATE and Magnet REVIEW can help organizations to automate, manage and collaborate on investigations with speed, accuracy and transparency. Leave with an actionable path forward – for any-sized agency – to modernize your investigation of digital data and meet the needs of your agency today and tomorrow.
May
18
TYPE
Lecture
THEME
Lab Management
TIME
14:00 EDT
Automation in digital forensics – the good, the bad and the preconceptions
Aaron Sparling
In this Lecture:
Automation is not a new concept; it comes in numerous forms, some of which are already in use in almost every digital forensics lab in the DFIR community. But are all forms of automation right for all types of cases? What will happen to the forensic examiner role if we introduce workflow automation? Will automation decrease the quality of digital investigations? Join Aaron Sparling, Officer, Investigations Branch, Digital Forensics Unit at the Portland Police Bureau, for a thought-provoking presentation where he challenges common preconceptions about automation in digital forensics, presents some of the real ways automation is successfully being used today, and shows where lab managers and examiners might face issues.
May
18
TYPE
Lecture
THEME
Cloud
TIME
15:00 EDT
Tick Tock Ya Don’t Stop – Examining Google’s Wear OS
Josh Hickman
In this Lecture:
Google created the descendent of their wearables operating system, Wear OS, back in 2014, a full year before the arrival of the Apple Watch and watchOS. Since that time, several OEMs such as Fossil, Motorola, and Mobvoi have released multiple smart watches that run Wear OS, and Google has acquired Fitbit, which could mean a push towards a Google-made smart watch similar to what it did with the Google Nexus and Pixel lines of phones. With that in mind, this presentation takes a look at what artifacts are available in Wear OS, including hardware information, recently launched applications, used watch faces and complications, location data, paired phone information, account information, and Google Assistant data. These artifacts will also be compared to what is available on the paired Android phone.
May
18
TYPE
Lecture
THEME
Cloud
TIME
16:00 EDT
No logs, no problem: Leveraging User Access Logging on Windows Server systems
Patrick Bennett
In this Lecture:
Not to be confused with Office 365’s Unified Audit Log, the User Access Logging (UAL) database is included with Server editions of Microsoft Windows starting with Windows Server 2012. Designed to provide system administrators with insight into service usage on Windows servers, it contains valuable forensic data which remains largely untapped by DFIR professionals. Among other things, the UAL database maintains a record of the types of services accessed on a server; the username associated with the access; and the source IP address from which the access occurred. With default settings, the UAL database retains this information for two years. The database is stored in the Extensible Storage Engine (ESE) format, and can be parsed offline or accessed from a live system via PowerShell cmdlets.
May
19
TYPE
Lecture
THEME
Mental Wellness & Mentorship
TIME
10:00 EDT
Paying it Forward: Mentorship in Digital Forensics
Jason Jordaan
In this Lecture:
Many of us in the field of digital forensics have been lucky to have a senior practitioner to look up to as we began our journey into digital forensics, and some of us have not. But regardless, the reality is that having a mentor to guide you on your journey is a crucial part of knowledge transfer, and has been a key part of effective knowledge and skill transfer for centuries.
In this presentation we will explore the importance of mentorships in digital forensics in not only developing the next generation of digital forensic practitioners, but also enhancing the skills of existing practitioners. We will explore this from two perspectives. The first being how to be an effective mentor to a digital forensics practitioner, and the second, how to be an effective mentee.
The presentation will also explore various mentorship programs and equip you with the knowledge to set up your own mentorship programs, and how to find the correct mentor for you.
May
19
TYPE
Lecture
THEME
Mental Wellness & Mentorship
TIME
11:00 EDT
Easing the Path for Girls into STEM
Dr. Kimberly Clay
In this Lecture:
Play Like a Girl leverages the collective power of women athletes, coaches and executives to serve as role models and mentors to middle school girls with an interest in STEM.
This session will detail how Play Like a Girl uses its educational programs and strategic partnerships with hundreds of corporate volunteers to deliver a coordinated, multi-year program where middle school girls are exposed to practical lessons in leadership and engage in hands-on STEM education, all through the lens of a confidence-building curriculum.
May
19
TYPE
Lecture
THEME
Mental Wellness & Mentorship
TIME
12:00 EDT
How Being a Terrible Manager Has Led to Innovative Solutions for Digital Forensic Investigations
Mitch Kajzer
In this Lecture:
I am the Director of the St. Joseph County, IN Cyber Crimes Unit. The unit consists primarily of college students. We’ve all heard the horror stories about this generation of workers, which currently accounts for over 50% of the workforce. Among other things, they are entitled, lazy, unmotivated, disloyal, and selfish. Combine that with the fact that I am a terrible manager and it sounds like a recipe for disaster. But it hasn’t been. This model has led to innovative solutions to digital forensics investigations. We analyze over 700 devices a year. We haven’t had a case backlog in over four years. Our turnaround time is routinely same day. This talk will discuss a new paradigm in the workforce and our forensics lab. When I became the Cyber Crimes Director, I had no formal training or experience as a manager. So I bucked the conventional wisdom of management and decided not to manage at all. Instead, I took the approach of being a leader and mentor. What I’ve learned through leadership is that if you take care of the people taking care of the work, the people taking care of the work will excel beyond expectations. This simple concept that you manage things, but you lead people, will be discussed. Lessons from this talk can be applied by anyone in any industry to usher in a new era of the end of management and a focus on leadership at every level.
May
19
TYPE
Lecture
THEME
Mental Wellness & Mentorship
TIME
13:00 EDT
Cybersleuth Labs – Introducing High School Girls and Underrepresented Minorities to Digital Forensics
Daryl Pfeif
In this Lecture:
This talk will share the Cyber Sleuth Science Lab (CSSL) research findings on the effectiveness of combining ethical and social lessons with technical education to engage the next generation. CSSL is geared to reach all students in high school with an emphasis on engaging more young women and underrepresented youth in STEM. This approach leverages DFIR as a unique opportunity to inform learners about security and privacy issues and encourage responsible and ethical behavior in our digital society while preparing them for success in a variety of STEM career pathways.
In addition, this project built on the foundational work of the National Girls Collaborative Project and the FabFems network by encouraging learners to work with peers and near peers and to interact with mentors and role models. In particular, Cyber Sleuth Science Lab showcases the variety of jobs in the DFIR and Cybersecurity industry by bringing experts across these domains into the classroom to discuss the unique ways this expertise is applied in their day-to-day work and to share more in-depth information about the individual pathways they took to get into the field.
May
20
TYPE
Lecture
THEME
Computer
TIME
09:00 EDT
GNU/Linux Examinations with AXIOM
Hoyt Harness
In this Lecture:
In this talk we will explore Magnet AXIOM’s features useful to the Linux examiner. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.
This session is perfect for those who use Windows workstations to examine Linux evidence and do not want to miss Linux/UNIX-exclusive artifacts.
May
20
TYPE
Lecture
THEME
Criminal Investigations
TIME
11:00 EDT
Conducting Android & iOS Investigations with Graykey & AXIOM: Finding Support for Unsupported Applications
David Smalley, Trey Amick
In this Lecture:
Device users are no longer relying on default applications to communicate, often migrating to 3rd party applications with additional features. Unfortunately, these same types of applications can be used by actors involved in criminal investigations to encrypt and obfuscate their activities.
In this webinar, join David and Trey, digital forensic experts from Grayshift and Magnet Forensics, for a hands-on deep dive into modern approaches to digital forensics that help enable you to achieve same-day results (often within hours), extract more data from locked and encrypted mobile devices, and get the most out of GrayKey + Magnet AXIOM. We’ll also review decryption methods for third party applications, securing critical evidence that is admissible and discoverable, and how to accelerate your investigations.
GrayKey labs are restricted to law enforcement and government attendees only. Please note that all submissions are being validated and approved by Grayshift. If you are approved, you will receive the joining details 24 hours before the session starts.
May
20
TYPE
Lecture
THEME
Computer
TIME
11:00 EDT
Alternative Approaches to Windows Memory Analysis
Tarah Melton
In this Lecture:
Did you know that there are alternative techniques for Windows memory analysis? In this session, you’ll see how utilizing MemProcFS in conjunction with Magnet AXIOM can help to enrich your investigation with both a mounted logical file structure of memory output alongside carved artifacts from memory. Join Tarah Melton who will demonstrate these techniques and apply them to solving memory analysis questions.
May
20
TYPE
Lecture
THEME
Cloud
TIME
13:00 EDT
Hiding in Plain Sight
Brian Moran, Jessica Hyde
In this Lecture:
With more devices having onboard storage capability than ever before, it is imperative that analysts work with investigators to ensure that every possible medium of digital storage is collected during the course of an investigation. “Traditional” mediums, such as hard drives, flash drives, tablets, cell phones, and multimedia cards, are straightforward and at the forefront of most investigations. However, one must also take into account items such as televisions, smart speakers, smart watches/fitness trackers, digital photo displays, and even exercise equipment, often referred to as Internet of Things (IoT) devices.
This talk will cover both identifying these additional sources and a methodology to acquire and analyze these possible storage mechanisms during the course of an investigation. Brian and Jessica will also lay out baselines of a few “obscure” mediums for forensic analysts to be aware of during the course of their investigation.
May
20
TYPE
Lecture
THEME
Mobile
TIME
14:00 EDT
PinePhone forensics
Kathryn Hedley
In this Lecture:
The PinePhone is one of the first functioning open source smartphone projects to truly put the choice of operating system into the user’s hands. It has been designed to run the Linux operating system, and can be purchased with a number of smartphone-specific Linux variants pre-flashed, so the phone can be used out of the box. Whilst this device is still very much in the development phase, and not everything functions exactly as expected just yet, it’s still fun to play with, and to try and work out what it might mean to a digital forensic investigation if one of these devices was seized as part of a case. Kathryn will talk through an introduction to the device, potential methods to acquire data, and where some key data may be stored based on her research so far.
May
20
TYPE
Lecture
THEME
Computer
TIME
15:00 EDT
GNU/Linux Examinations with AXIOM
Hoyt Harness
In this Lecture:
In this talk we will explore Magnet AXIOM’s features useful to the Linux examiner. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more.
This session is perfect for those who use Windows workstations to examine Linux evidence and do not want to miss Linux/UNIX-exclusive artifacts.
May
20
TYPE
Lecture
THEME
Corporate Investigations
TIME
16:00 EDT
Introducing Network Forensics with Wireshark
Eduardo Santos
In this Lecture:
Join Eduardo Santos, Computer Network Analyst, for a demonstration of how powerful the Wireshark tool is for analysis during forensic investigations and incident response. You will learn how protocol concepts in the TCP/IP stack can support an investigation. This talk will also cover setting filters, creating different profiles, analyzing patterns and checking statistical data. In addition, Eduardo will discuss perceiving and analyzing recurring attacks on a computer network, such as DoS, malware traffic, malicious HTTP traffic, and Command and Control artifacts. These are attributes that make Wireshark a powerful Open Source traffic analysis tool, which can support a forensic investigation and security incident response process.
May
21
TYPE
Special Event
THEME
TIME
12:00 EDT
The Forensic Lunch
In this Special Event:
Join us for a live recording of the Forensic Lunch.
May
24
TYPE
Hands-on Lab
THEME
Cloud
Corporate Investigations
TIME
09:00 EDT
AXIOM Cyber and the Corporate Cloud
Chris Vance
In this Hands-on Lab:
This session will explore the major cloud structures in many modern corporations including O365, AWS, Slack, and more. Throughout this lab, students will learn about AXIOM Cyber’s different functionality through acquisition and analysis of several cloud platforms including what new information may be available in the latest versions. This lab will also include several pre-acquired image files so that students can see what information will be available once it is all pulled down.
This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
24
TYPE
Hands-on Lab
THEME
Cloud
Computer
Mobile
TIME
13:00 EDT
Magnet Forensics Custom Artifacts Lab
Jessica Hyde
In this Hands-on Lab:
In this lab we will show you how to extend your capabilities with Magnet AXIOM by utilizing and creating custom artifacts. In this hands-on lab we will learn how to create and install custom artifacts including custom artifacts from the Artifact Exchange or those shared within your organization. We will review multiple ways to create custom artifacts including using XML Templates, Python Custom Artifacts, and the Magnet Custom Artifact Generator. We will show how XML templates can be created for both SQLite Artifacts and Fragmented Artifacts. At the end of the session, attendees will know the techniques necessary to create their own custom artifacts and bring in custom artifacts created by others.
This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
24
TYPE
Hands-on Lab
THEME
Criminal Investigations
TIME
16:00 EDT
Time To Evidence: Improve Your ICAC Investigations with AI, Media Categorization, Cloud, OUTRIDER and More
Larry McClain
In this Hands-on Lab:
Pictures, videos, and chats can all be key pieces of evidence in building cases for possession, distribution, and/or production of child sexual abuse material (CSAM), solicitation of a minor, and related crimes. However, these data quantities can range well into terabytes as investigators evaluate the evidence across multiple cases. In this lab, learn how key features in Magnet AXIOM, including Magnet.AI, categorization, Child Protection System integration, and Officer wellness features, work together to save time, reduce exposure to harmful content, and focus case-building to apprehend predators and rescue child victims. We will also take a look at Magnet’s OUTRIDER and what it can do for your investigations.
This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending.
May
25
TYPE
Lecture
THEME
Computer
Corporate Investigations
TIME
09:00 EDT
Duck Hunt! Hunting Qakbot Malware with AXIOM
Aaron Sparling
In this Lecture:
This presentation will walk you through the analysis of an actual Qakbot investigation. The presentation will start with the collection of physical memory and filesystem acquisition, pivot through the analysis process, and eventually end with identification and attribution. Aaron will illustrate how MAGNET AXIOM can be leveraged in malware investigations by utilizing the embedded Volatility framework, connections, artifact analysis, and timeline features. By using these embedded features within the AXIOM analysis platform we will be able to illuminate the breach from beginning to end. Aaron will share lessons learned and highlight both those things which worked as well as things that could have been done better in the investigation. From this presentation, you will gain a complete understanding of how Qakbot infects the network, as well as how to hunt, identify, isolate and remediate the malware infection.
May
25
TYPE
Lecture
THEME
Cloud
Mobile
TIME
10:00 EDT
Exploring Apps in the Back Country
Christopher Atha
In this Lecture:
In 2020 there was a dramatic growth in outdoor activity, with millions exploring the great outdoors according to a report from the Outdoor Foundation*. With the increased interest in activity, there was also exponential growth in fitness apps that helped consumers find trails, parking, weather conditions and much more. As you can imagine, accidents happened, people got lost or went missing, and crime occurred. As investigators and digital forensics analysts, we have a grasp of most fitness applications and their value to the overall crime story. Have we kept up with the top downloads from the App Store and the Google Play store for mountain biking, trail running, skiing, and other outdoor activities?
This talk will hit the outdoor adventure applications and explore their forensic artifacts just as they allow you to explore this wonderful planet. We will weave together a few real-world examples of how these little-known applications can shed light on what really happened. How fast was a skier going when they lost control, left the marked trail and collided with a tree? When did a trail runner quit uploading their runs to one of the popular services, which may not be popular to everyone? Join in and prepare to explore the apps that help you explore!
*Ref: https://outdoorindustry.org/press-release/forthcoming-reports-outdoor-foundation-outdoor-industry-association-provide-unprecedented-insight-trends-outdoor-participation/
May
25
TYPE
Lecture
THEME
Computer
Corporate Investigations
TIME
13:00 EDT
Duck Hunt! Hunting Qakbot Malware with AXIOM
Aaron Sparling
In this Lecture:
This presentation will walk you through the analysis of an actual Qakbot investigation. The presentation will start with the collection of physical memory and filesystem acquisition, pivot through the analysis process, and eventually end with identification and attribution. Aaron will illustrate how MAGNET AXIOM can be leveraged in malware investigations by utilizing the embedded Volatility framework, connections, artifact analysis, and timeline features. By using these embedded features within the AXIOM analysis platform we will be able to illuminate the breach from beginning to end. Aaron will share lessons learned and highlight both those things which worked as well as things that could have been done better in the investigation. From this presentation, you will gain a complete understanding of how Qakbot infects the network, as well as how to hunt, identify, isolate and remediate the malware infection.
May
25
TYPE
Lecture
THEME
Corporate Investigations
TIME
14:00 EDT
Rapid Ransomware Response: A Survival Guide
Heather Smith
In this Lecture:
2020 came with many challenges, least of which was the emergence of more aggressive ransomware tactics: doubling down on extortion via encryption and exfil, new vectors (ESXi), and the adaptation of deployment techniques. This talk will give a fast-paced walkthrough of how to contain the attack, find evil, and bring critical business infrastructure back up as a rapid responder.
While this talk focuses on attack techniques seen in ransomware, it is important to note that similar techniques are used by other malicious actors, including nation state APTs.
The end goal of this talk is to provide immediate take-aways for listeners, both for security posture strengthening and additions to current response run books based on the latest mutations of e-crime adversaries.
May
25
TYPE
Lecture
THEME
Computer
TIME
15:00 EDT
Applying the MITRE ATT&CK Framework to Dead Box Forensics by Mary Ellen Kennel
Mary Ellen Kennel
In this Lecture:
A lot has been shared about the MITRE ATT&CK framework and how it can be leveraged as a powerful hunting resource and a threat modeling foundation. In this presentation, Mary Ellen will cover a different way of using MITRE ATT&CK – during a forensic investigation.
This talk will walk the audience through a complete investigation plan, A-Z, built from the MITRE ATT&CK framework. Unlike a lot of MITRE ATT&CK implications, the contents will be less about proactive threat hunting, and more as an aid to a forensic investigation. We’ll begin with an example incident that was just dropped on your desk, and all you have is an IP address. Your company had a visit from a three-letter agency, and you’ve now found out through a third party that your org was popped; it doesn’t get much worse than that. The “suits” leave, and all you’ve got is an IP address and strict orders to piece together what happened. The order of events will be based loosely on a paper Mary Ellen published in 2016 entitled “IR A-Z”.
May
26
TYPE
Special Event
THEME
TIME
09:00 EDT
Get Moving with Magnet Forensics
In this Special Event:
Grab your water bottle and favourite workout gear and join us for a Magnet Virtual Summit group fitness class. This fitness class requires no equipment and can be done anywhere that you have space to move. We’ll combine strength training, cardio and stretching for a one hour full body workout.
May
26
TYPE
Featured Lecture
THEME
Corporate Investigations
Criminal Investigations
TIME
11:00 EDT
Surviving and Thriving in DFIR, Game of Thrones Style
Brett Shavers
In this Featured Lecture:
We are in a seemingly never-ending battle to learn, enter, survive, and hopefully thrive in the realm of Digital Forensics and Incident Response. Everyone’s path is different, strewn with obstacles that feel like they are intended to make your journey more difficult than anyone else’s. But you are not alone! Using personal successes and tragedies, Brett will share lessons he learned that you can apply to your path of success, whether new to the field or transitioning from one level to the next. From mistakes, general advice, and tips on forensic analysis, Brett will be an open book to share some of the great and the not-so-great aspects of our chosen profession, including some of the best words of advice that you can put to use in less than two minutes after the presentation.
May
26
TYPE
Lecture
THEME
Criminal Investigations
Mental Wellness & Mentorship
TIME
14:00 EDT
Finding Your 1%
Kim Bradley, Sheryl Woolverton
In this Lecture:
What is 1%? Forensic Examiners and Investigators are used to giving 100% of themselves to their examinations and case load. While examiners are quick to share “how to’s”, the stress of the work is not often discussed or acknowledged. Many enjoy immersing themselves in their case load and mission of their work, however it often comes at great sacrifice. Staying late to look through one more device or start one more case processing or try one more method to search for the data (or absence of data) for an examination is all too common. Deadlines, case implications and backlog can influence how not only work time is spent, but also mental energy at home. By dedicating just 1% of the day to something fun, something different, something to step back for just a moment, physical and mental energy can be renewed to continue to embrace work with less burnout and fatigue. Join us as we discuss how you can use your 1%, the importance of regularly scheduled time for your 1% and how to identify times you need to take an unplanned 1%.
May
27
TYPE
Lecture
THEME
Corporate Investigations
TIME
09:00 EDT
Ransomware: Current Trends and Updates
Cindy Murphy
In this Lecture:
Cindy Murphy, President of Tetra Defense, will be presenting insights on the cyber incidents she investigates daily, including a behind-the-scenes look at the trajectory from incident to millions of dollars of damage for unsuspecting businesses. Ransomware has always been prevalent, and because of many changes made to networks to allow working from home during COVID-19 and throughout 2020, attacks have become even more frequent. Some takeaways will include specific COVID-related incidents, the “business” structure of ransomware threat actors, and the latest intel from the Tetra team regarding ransomware threats and how to thwart them.
May
27
TYPE
Lecture
THEME
Mobile
TIME
10:00 EDT
Snapchat – A False Sense Of Security?
James Duffy
In this Lecture:
James will explore the local data storage of ‘Snapchat’ for iOS and the implications of the data protection mechanisms that Snapchat has implemented, while dissecting the various application databases and exploring how they inter-operate and how the databases are manipulated during execution. This will provide a valuable insight for forensic analysts, allowing for both a further understanding of Snapchat internals and how to detect local data manipulation prior to device filesystem acquisition.
May
27
TYPE
Lecture
THEME
Lab Management
Magnet Forensics Product Lecture
TIME
13:00 EDT
Magnet AUTOMATE: Transforming your DF Lab with Automation
Greg Ward, Tarah Melton
In this Lecture:
Over the past year, Law Enforcement Agencies and Digital Forensic Units have accelerated their modernization efforts to re-imagine how they handle growing challenges such as increasing data volumes, evidence complexity, skilled talent shortages and remote work.
Magnet AUTOMATE, an orchestration and automation platform, helps agencies create efficient workflows to tackle these challenges and meet the demands for service from their agency. Automate repetitive/manual tasks to complete more investigations faster with your existing resources while allowing examiners to focus on complex analysis. Join Greg Ward, Product Manager, and Tarah Melton, Solutions Consultant, to learn more about Magnet AUTOMATE, see it in action, and check out recent advancements such as new mobile workflow capabilities and stats & management dashboards to help Lab Managers measure, act and report on lab efficiency.
May
27
TYPE
Lecture
THEME
Criminal Investigations
TIME
14:00 EDT
Using Triage Tools in Different Phases of an Investigation
Hans Ehren
In this Lecture:
Join Hans Ehren from the Dutch Police for a discussion on the importance of triage during COVID-19. With a large number of people working from home and children spending more time online, the need for available computers is increasing. Unfortunately, the spread of CSAM also increases in this situation, making effective and fast triage even more important. It ensures that the suspected systems are identified and that other systems remain available for home working and home schooling.
May
27
TYPE
Lecture
THEME
Corporate Investigations
TIME
15:00 EDT
Detection in the Dark – Exploiting XSS Vulnerability in C&C Panels to detect Malwares
Shay Nachum
In this Lecture:
Numerous defense techniques exist for preventing and detecting malware on end stations and servers (endpoints). Although these techniques are widely deployed on enterprise networks, many types of malware manage to stay under the radar, executing their malicious actions time and again. Therefore, a more creative and effective solution is necessary, especially as classic threat detection techniques do not utilize all stages of the attack kill chain in their attempt to detect malicious behavior on endpoints. In this presentation, a novel approach for detecting malware is proposed. The approach uses offensive and defensive techniques for detecting active malware attacks by exploiting the vulnerabilities of their command and control panels and manipulating significant values in the operating systems of endpoints – in order to attack these panels and utilize trusted communications between them and the infected machine.
Date | Details | Speaker | Session Type | Content Theme | Timezone |
---|---|---|---|---|---|
May 03 | Law Enforcement and the Cloud “Now Data versus Then Data” | Larry McClain | Hands-on Lab | Cloud, Criminal Investigations | 09:00 EDT |
In this Hands-on Lab: A common response when talking to Law Enforcement officers and staff often shows that there is a distinct lack of understanding as to the amount of evidence that can be found on the Cloud. It usually starts with an unwillingness to consider what authority is needed to obtain that evidence, and, with policies and procedures differing from Country to Country, Agency to Agency, and Police Force to Police Service, it can often be confusing and difficult. It is however essential that this “Forgotten” or “Missed” data is taken into consideration. We have seen the amalgamation of Mobile Phone devices and Computer devices become more and more prevalent within the LE Community. What about adding in Cloud Data too? From OSINT data, public tweets and Instagram, not to mention access with credentials and warrant returns, this data is essential in modern LE. It is only going to increase in importance with the onset of large data being accessible via mobile devices, 5G and beyond. What is the future for traditional computer dead box forensics? How many computers do you have in your home today compared with 5 years ago? There needs to be a tool to bring all this evidential data together, OSINT, Cloud Services data, Mobile devices and Computers. This is where AXIOM comes in. In respect of Cloud data, AXIOM can add Open Source Data, Credential downloads and Warrant return Data into a single case file showing connections between people places and data. Let’s be honest, how many of us would bother with our devices if there was no internet connection? The mix of data shows a far fuller picture of lifestyle and activities. With Cloud data we are dealing with “Now Data” with seized Computers and Mobiles it is often “Then Data”. Why not have all of it … This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 03 | Magnet AXIOM Tips & Tricks | Erich Schmidt | Hands-on Lab | Cloud, Computer, Mobile | 13:00 EDT |
In this Hands-on Lab: New to Magnet Forensics, or an IEF user who recently upgraded to AXIOM? Come to this lab to learn about AXIOM’s support for artifacts from multiple evidence sources including cloud, smartphones, memory, and computers. We’ll be navigating through the different Examine views and will learn how AXIOM leverages machine learning for examinations. We’ll also discuss how Connections in AXIOM connects files and users along a path of evidence. Learn how to build strong timelines using artifacts from many data sources which could be relevant to your case. Finally, learn about AXIOM’s flexible reporting options for sharing your findings with your stakeholders. This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 03 | macOS/APFS Examinations with AXIOM | Hoyt Harness | Hands-on Lab | Computer, Corporate Investigations | 16:00 EDT |
In this Hands-on Lab: In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more. This course is perfect for those using Windows workstations for Macintosh evidence without missing Mac-exclusive artifacts. This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 04 | Leveraging AXIOM to assist in the decrypting of BitLocker and FileVault2 encrypted volumes | Dave Shaver | Lecture | Computer | 09:00 EDT |
In this Lecture: Learn from Dave Shaver, Senior Digital Forensic Analyst, the methodology to assist you in decrypting a forensic image of an encrypted volume (BitLocker or FileVault2). |
May 04 | MVS Welcome and Feature Presentation | Geoff MacGillivray, Jad Saliba | Featured Lecture | Magnet Forensics Product Lecture | 10:00 EDT |
In this Featured Lecture: Join Jad Saliba, Magnet Forensics Founder & CTO and Geoff MacGillivray, Vice President of Product Management, as they kick off Magnet Virtual Summit 2021 with a feature presentation. |
May 04 | DFIRs Role in Global Elections | Stephen Boyce | Lecture | Corporate Investigations | 14:00 EDT |
In this Lecture: For years, there was a disconnect between the security research community and election technology manufacturers. In recent times, the two have opened dialogue and begun working with each other, but what role does the Digital Forensic & Incident Response (DFIR) community play? This presentation will address DFIR’s role in securing global elections by examining cyber-attacks on electoral systems. |
May 04 | CMD42 Lock: Bypassing Embedded System Security for Forensic Data Acquisition. | Gareth Davies | Lecture | Cloud, Computer | 15:00 EDT |
In this Lecture: Security of digital data is of paramount importance to individual security and national security. The ability to access protected or deleted data from embedded systems memory puts the security of sensitive data at risk. This talk will demonstrate the bleeding-edge of what is possible in overcoming embedded hardware security in the most common forms of NAND flash storage. A case study will be presented on a mobile digital device that we commonly use to store sensitive data relating to our daily lives that isn’t a Smart Phone! The presentation will include elements of:
|
May 04 | Hang on! That’s not SQLite! Chrome, Electron and LevelDB | Alex Caithness | Lecture | Computer | 16:00 EDT |
In this Lecture: SQLite has become a ubiquitous data storage format for digital forensic practitioners to consider. First popularised by smartphone platforms it now forms part of almost every investigation in one form or another. SQLite’s ubiquity was built upon the growing market share of the platforms that used it extensively so it’s interesting to ask the question: what’s the next platform, and what’s the next data format? |
May 05 | Liberators of the Just: How the Forensicator Plays a Special Role in Social Justice | Matt Mitchell | Featured Lecture | Corporate Investigations | 11:00 EDT |
In this Featured Lecture: Join one of our featured speakers, Matt Mitchell, as he walks through how forensics impacts social justice. Known for his impressive work with the Ford Foundation, CryptoHarlem and Tactical Tech – Matt Mitchell is not to be missed. |
May 06 | The Internet of Things (IoT) is now ubiquitous, but the analysis of IoT data is not...Yet. | Kenneth Oliver, Robert Fried, Warren Kruse | Lecture | Cloud | 11:00 EDT |
In this Lecture: Join Warren Kruse, Robert Fried, and Kenneth Oliver from Consilio for a discussion on the potential relevance of IoT data to different corporate or civil case scenarios, and the potential need for obtaining discovery from, for example, internet-connected cameras; home automation systems; smart speakers, TVs, and refrigerators, and wearables. This discussion will also touch on aspects of the industrial realm such as the challenge of IoT data generated in factories, warehouses, and pipelines, among other settings.
Assessing Accessibility, Relevance of IoT Data
|
May 06 | Introducing AXIOM Cyber 5.0 | Drew Roberts, Geoff MacGillivray | Lecture | Corporate Investigations, Magnet Forensics Product Lecture | 13:00 EDT |
In this Lecture: The next phase of AXIOM Cyber is coming: version 5.0! Join Magnet Forensics’ Geoff MacGillivray, Vice President of Product Management and Drew Roberts, Sr. Product Manager, as they unveil the latest major release of AXIOM Cyber. Hear how Magnet Forensics has helped private sector organizations address their unique challenges with modern solutions including its artifacts-first approach. And be the first to see AXIOM Cyber 5.0 in action during a live demo of the latest features! Since AXIOM Cyber’s official debut in January of 2019, we’ve ruthlessly and incrementally added functionality to help businesses address the unique digital forensics challenges that they have. Some of those highlights include:
Sign up and save your spot today to hear about what’s new with AXIOM Cyber! |
May 06 | Introducing Magnet AXIOM 5.0 | Curtis Mutter, Trey Amick | Lecture | Magnet Forensics Product Lecture | 13:00 EDT |
In this Lecture: Join us as we unveil the next generation of Magnet AXIOM! Magnet Forensics’ Sr. Product Manager Curtis Mutter and Trey Amick, Director of Forensic Consultants, will be on hand to share the latest innovations we’ve brought to Magnet AXIOM with version 5.0 to help streamline and strengthen your digital investigations. Digital forensics examiners today face considerable challenges as data volumes and sources continue to grow in both size and complexity, and the need for solutions that can help quickly find, analyze, and report on the most relevant evidence required for an investigation is more critical than ever. Curtis and Trey will show how we’re continuing to help you stay ahead with Magnet AXIOM 5.0 and beyond by providing new ways to enhance your investigations, recover data from sources, and get to the evidence. |
May 06 | Forensic Considerations for Cloud Storage Data | Jamie McQuaid | Lecture | Cloud, Corporate Investigations | 14:00 EDT |
In this Lecture: Do you have a response plan for dealing with data stored in the cloud? Do you have the necessary accounts, access, logging, and knowledge on what to do if you need to collect evidence stored in AWS, Azure, or other provider or service? Maybe your organization has fully shifted to a cloud first approach or perhaps it’s still thinking about it (likely somewhere in the middle) but understanding and preparing for that time is best done beforehand and not during an incident. Does it make sense to preserve and download all the relevant data and conduct your investigation completely on-premise or is there a time where you may want to do your analysis in the cloud? Your answer is likely somewhere in the middle for that as well. In this talk, Jamie McQuaid will detail the various sources of evidence that may reside in the cloud, the prerequisites needed to access it, and discuss the best ways to collect and analyze that data to ensure integrity is maintained and you get all the relevant data you need for your investigation. The focus will be on data sources stored in AWS and Azure but we will also call out situations where cloud data may need to be collected elsewhere as well. As with anything in DFIR, there isn’t always one answer that fits every situation so we’ll discuss several options and will likely say “it depends” a lot. |
May 06 | The AFF4 Evidence Container: Why and what’s next? | Bradley Schatz | Lecture | Computer | 15:00 EDT |
In this Lecture: In recent times the next-generation evidence file format, AFF4, has transitioned from niche to broad support across the forensic tool ecosystem. Targeted at intermediate examiners, this presentation will provide an introduction to new users of the format, allowing one to understand the format’s advantages, how it differs to existing approaches, independently assess its forensic soundness in comparison to existing formats, and identify where current forensic workflows might benefit. It will also examine where the format is headed next in solving emerging challenges such as logical acquisition. |
May 06 | Big Game Hunting from a Forensic Point of View | Oleg Skulkin | Lecture | Corporate Investigations | 16:00 EDT |
In this Lecture: Ransomware attacks on huge enterprises, also known as Big Game Hunting, were the hottest topic in 2020. As it is impossible to image every drive you want during incident response engagements, it’s extremely important for forensic analysts to know which sources of artifacts are the most important for attack reconstruction, as well as what to look for during such investigations. This talk will shed light on the most common techniques used by adversaries during such attacks, and which forensic artifacts to look at to successfully uncover them. |
May 10 | Time To Evidence: Improve Your ICAC Investigations with AI, Media Categorization, Cloud, OUTRIDER and More | Larry McClain | Hands-on Lab | Criminal Investigations | 09:00 EDT |
In this Hands-on Lab: Pictures, videos, and chats can all be key pieces of evidence in building cases for possession, distribution, and/or production of child sexual abuse material (CSAM), solicitation of a minor, and related crimes. However, these data quantities can range well into terabytes as investigators evaluate the evidence across multiple cases. In this lab, learn how key features in Magnet AXIOM, including Magnet.AI, categorization, and Child Protection System integration, and Officer wellness features work together to save time, reduce exposure to harmful content, and focus case-building to apprehend predators and rescue child victims. We will also take a look at Magnet’s OUTRIDER and what it can do for your investigations. This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 10 | AXIOM Cyber and the Corporate Cloud | Chris Vance | Hands-on Lab | Cloud, Corporate Investigations | 13:00 EDT |
In this Hands-on Lab: This session will explore the major cloud structures in many modern corporations including O365, AWS, Slack, and more. Throughout this lab, students will learn about AXIOM Cyber’s different functionality through acquisition and analysis of several cloud platforms including what new information may be available in the latest versions. This lab will also include several pre-acquired image files so that students can see what information will be available once it is all pulled down. This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 10 | macOS/APFS Examinations with AXIOM | Hoyt Harness | Hands-on Lab | Computer, Criminal Investigations | 16:00 EDT |
In this Hands-on Lab: In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more. This course is perfect for those using Windows workstations for Macintosh evidence without missing Mac-exclusive artifacts. This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 11 | How to Solve Today’s Evidence Review Challenges with Magnet REVIEW | Cody Bryant | Lecture | Lab Management, Magnet Forensics Product Lecture | 10:00 EDT |
In this Lecture: Evidence review has often been plagued with hurdles regardless of the agency’s size, location, or budget. Some of these challenges include shipping evidence which can be costly and may introduce security risks, requiring investigators to travel to the lab to review evidence on workstations, training investigators on multiple tools, and now (more than ever) enabling remote work as pandemic restrictions limit access to the lab. That’s why we’ve built Magnet REVIEW, a single web-based platform purpose-built for non-technical investigators to securely review evidence from anywhere with an internet connection. Overcoming these challenges with a centralized platform like REVIEW enables teams to get to the truth quickly, without being limited by physical distance or technical tools, all while reducing evidence distribution costs and improving overall security posture. Join Cody Bryant, Director, Product Management, and Craig Guymon, Director of Solution Consulting, to learn why and how we built Magnet REVIEW for the non-technical investigator, see a live demo of REVIEW’s intuitive interface, and learn how to enable teams of non-technical investigators to review evidence from anywhere. |
May 11 | Finding Evidence of Cloud Data ‘Footprints’ in Existing Evidence | Tim Moniot | Lecture | Cloud, Criminal Investigations | 13:00 EDT |
In this Lecture: Cloud data has quickly become the new frontier in DFIR. More and more data is being stored in the Cloud, by the various cloud storage, cloud communication, social networking, and mobile computing platforms. Join Tim Moniot from Magnet Forensics during this discussion and demonstration of how you can begin identifying evidence of cloud platform usage, as a component related to your investigations. Once identifying that Cloud data is related to an investigation, Tim will discuss options for gaining access to and subsequently collecting relevant Cloud source data so that it too can be analyzed within AXIOM. This presentation will be relevant to both law enforcement and corporate DFIR professionals. |
May 11 | Enhancing Digital Investigations using Cloud and Endpoint Collections | Rhys Tooby | Lecture | Cloud, Corporate Investigations | 13:00 EDT |
In this Lecture: The complexity of digital investigations and the increasing volume of data require an enhanced approach to your digital investigations, so that you can better serve your customers without increasing headcount or requiring drastic investments in new digital forensic equipment. In this session Rhys Tooby, Solutions Consultant at Magnet Forensics, will perform covert remote collection of Windows and macOS devices with an ad hoc agent and you’ll learn how to perform advanced cloud acquisition from Office 365, G Suite, Box, AWS S3, EC2 and Azure virtual machines. |
May 11 | If we do not have it we should build it (Forensic Readiness in Application Security) | Veronica Schmitt | Lecture | Corporate Investigations | 14:00 EDT |
In this Lecture: The design of life saving software plays a vital role in the Medical Manufacturing industry. The way in which medical devices are being revolutionized is staggering and breathtaking, but it hasn’t necessarily resulted in a corresponding revolution in how these devices are built. With the advancement and evolution of research into chronic illness, newer, more advanced methods are found to more effectively treat these chronic illnesses. Medical technologies can be defined as products, services, or solutions which are used to improve and prolong life. Statistics from 2019 showed that more than 500,000 medical technologies, such as implantable devices, patient monitors, and robotic surgery aids, are available to hospitals and patients. The medical device industry is poised for a steady increase in growth, with a global forecasted annual sales growth of over 5% a year, and is estimated to reach 800 Billion US dollars by 2023. The question is how prepared we are to deal with medical device forensics and, additionally, how mature the data on these devices is. This talk focuses on the frustrations that Veronica has faced as a patient, hacker, and forensicator in realizing that forensic readiness should be built into these devices, as they contain little to no forensic value currently. When nothing goes right, go left. Influencing the way the devices are built and the developers that build them has shown an increase in the forensic readiness of devices. We need to create a team of Forensic Developers to enable future forensicators to have success in dealing with breaches on these devices. |
May 11 | Countering the USBKill Switch | Ali Hadi | Lecture | Computer, Corporate Investigations, Criminal Investigations | 15:00 EDT |
In this Lecture: The USBKill switch is software that was created to respond to a computer system falling into the hands of law enforcement, bullies, or individuals that might steal it from you while you work in a public place. It is well known as anti-forensics kill-switch software that can be configured to power off a system, but it can also take other actions, such as deleting files from the system. This research is an attempt to counter the USBKill switch by sharing how it works, what artifacts can be found, and how investigators and incident responders can counter systems that are configured to use it. |
May 11 | How much can we automate in digital investigation? | Joshua James | Lecture | Lab Management | 16:00 EDT |
In this Lecture: Join Dr. Joshua James, Digital Forensic Consultant to learn how automation is currently used in digital investigations and what limits there are to current automation methods. He will explain the state of the art on technical automation as well as applied, automated reasoning. He will conclude his presentation by formalizing automated reasoning in digital investigations and making explicit challenges to completely automating a digital investigation process. |
May 12 | A Fireside Chat With Brian Krebs | Brian Krebs | Featured Lecture | Criminal Investigations | 11:00 EDT |
In this Featured Lecture: Join us for a fireside chat with American journalist and investigative reporter, Brian Krebs. This will be a unique opportunity to talk to Brian live about his insights on cybercrime prevention and detection. |
May 12 | MVS 2021 Capture the Flag Challenge | | Special Event | | 16:00 EDT |
In this Special Event: Magnet Forensics is excited to bring you their 4th annual CTF! This CTF will be a 3 hour timed event to test your skills and learn while competing with others from around the world to win prizes. This CTF promises to introduce an entirely new image set and scenario with different data sources than have been presented in other Magnet Virtual Summit CTFs. We don’t want to give away too much, but we promise that Jessica Hyde, Director of Forensics, and students from the Champlain College Digital Forensics Association have created a challenge that will be fun, frustrating, and full of learning opportunities. |
May 13 | Officer Wellness: Prioritising your Personal Mental Health and Wellness in IIoC investigations | Elizabeth Strong | Lecture | Criminal Investigations | 09:00 EDT |
In this Lecture: Persistent exposure to Indecent Images of Children (IIoC) can take its toll on Examiners and Investigators leading to trauma, stress, burnout, and more. Rhys Tooby, Magnet Solutions Consultant, will share his experience of addressing mental wellness during his career as an Examiner and Head of a Digital Forensics Unit in the South Wales UK Police force. Rhys will be joined by Elizabeth Strong, Program Manager for Wellness/Mental Health Initiatives at the National White Collar Crime Center (NW3C). Join this informal discussion as Elizabeth answers questions from Rhys, as she explains the brain and body science behind stress and provides helpful coping mechanisms for dealing with IIoC exposure. |
May 13 | Enhancing Digital Investigations with Cloud-based Evidence | Doug Gartner, Matt Melton | Lecture | Cloud, Criminal Investigations | 10:00 EDT |
In this Lecture: The cloud can be your best friend in conducting digital investigations. Increasing volumes of digital evidence, budget constraints and talent shortages can make it difficult for your lab to keep up with demand. The cloud provides practically unlimited storage capability, computing power, and tools to ensure that your data remains secure and protected. We will discuss how the cloud enables an enhanced approach to digital investigations so that you can better serve your agency, without increasing headcount or drastic investments in new forensic equipment. Join us as we discuss the challenges and solutions enabling digital forensics labs today. |
May 13 | Add “Protobuf Expert” to your examiner’s resume | Mike Williamson | Lecture | Computer | 11:00 EDT |
In this Lecture: It’s night shift, you’re staring at your hex editor and staring back at you is your forensic arch-nemesis: a protobuf-encoded blob. You’ve heard the horror stories, and maybe even battled with one previously. Looking at it now, there’s no doubt about it though: these things are just plain unintelligible. And yet, you won’t do digital forensics for long without encountering it. Clearly, to be so popular it must have its merits. Why else would app developers far and wide be increasingly convinced to implement the tech over something far easier to work with, like JSON? Computers are so fast that a minor increase in parsing performance doesn’t explain such widespread adoption. Serving as a source of consternation for digital forensic examiners is another humorous possibility, but that’s not it either. In this technical session, we will attempt to answer this question and more, with topics including:
|
May 13 | Integration and Validation of Third Party Tool Outputs Within AXIOM | Alexis Brignoni | Lecture | Cloud, Computer, Mobile | 13:00 EDT |
In this Lecture: A single wrench a toolset does not make. By leveraging multiple tools we can enrich our investigations in two major ways: AXIOM provides multiple ways to easily achieve these goals in one place providing unified analysis and reporting capabilities. Testing and validation in one place. Come and learn how. |
May 13 | The Order of Things – Timeline Analysis of a Complex Investigation | Matthew Sorell | Lecture | Criminal Investigations, Mobile | 14:00 EDT |
In this Lecture: This case study looks at the importance of validation of timelines and log processes in a complex murder investigation. It is concerned with piecing together the activities of the suspect, who was initially considered a victim of the crime. The case study will consider extractable logs from an iPhone 5c circa late 2016, billing records in which shortcuts have been made in billing mediation, a phone with a manually modified clock, a massive thunderstorm and state-wide blackout, suspicious gaps in the record, and securement mistakes made by crime scene investigators. The case study is real, presented with sanitised data. It demonstrates the importance of understanding the big picture of a complex telecommunications system – the links between data sources and the subtleties of their compilation. |
May 13 | Digital Evidence from Social Networking Sites & Smartphone Apps | Julie Lewis | Lecture | Mobile | 15:00 EDT |
In this Lecture: According to Statista.com in 2019, the global social penetration rate reached 45 percent, with East Asia and North America both having the highest penetration rate at 70 percent, followed by Northern Europe at 67 percent. Mobile device usage for social media has increased to 91% of social channel accesses in 2018 according to Marketing Profs. Many technology thought leaders believe social networking will displace traditional email as the leading communication medium. This presentation will provide a practical walkthrough of preservation of top social media sites and how to effectively utilize tools for evidentiary collection across the Web, PCs/desktops and smart devices. It will look at social media apps on smartphones and what digital evidence exists compared to what can be found on the cloud. It will also explore innovations in emoji/avatar Apps such as Bitmoji. |
May 13 | Officer Wellness: Prioritising your Personal Mental Health and Wellness in IIoC investigations | Elizabeth Strong | Lecture | Criminal Investigations | 16:00 EDT |
In this Lecture: Persistent exposure to Indecent Images of Children (IIoC) can take its toll on Examiners and Investigators leading to trauma, stress, burnout, and more. Rhys Tooby, Magnet Solutions Consultant, will share his experience of addressing mental wellness during his career as an Examiner and Head of a Digital Forensics Unit in the South Wales UK Police force. Rhys will be joined by Elizabeth Strong, Program Manager for Wellness/Mental Health Initiatives at the National White Collar Crime Center (NW3C). Join this informal discussion as Elizabeth answers questions from Rhys, as she explains the brain and body science behind stress and provides helpful coping mechanisms for dealing with IIoC exposure. |
May 17 | Magnet AXIOM Tips & Tricks | Justin Almanza | Hands-on Lab | Cloud, Computer, Mobile | 09:00 EDT |
In this Hands-on Lab: New to Magnet Forensics, or an IEF user who recently upgraded to AXIOM? Come to this lab to learn about AXIOM’s support for artifacts from multiple evidence sources including cloud, smartphones, memory, and computers. We’ll be navigating through the different Examine views and will learn how AXIOM leverages machine learning for examinations. We’ll also discuss how Connections in AXIOM connects files and users along a path of evidence. Learn how to build strong timelines using artifacts from many data sources which could be relevant to your case. Finally, learn about AXIOM’s flexible reporting options for sharing your findings with your stakeholders. This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 17 | Law Enforcement and the Cloud “Now Data versus Then Data” | Larry McClain | Hands-on Lab | Cloud, Criminal Investigations | 13:00 EDT |
In this Hands-on Lab: A common response when talking to Law Enforcement officers and staff often shows that there is a distinct lack of understanding as to the amount of evidence that can be found on the Cloud. It usually starts with an unwillingness to consider what authority is needed to obtain that evidence, and, with policies and procedures differing from Country to Country, Agency to Agency, and Police Force to Police Service, it can often be confusing and difficult. It is however essential that this “Forgotten” or “Missed” data is taken into consideration. We have seen the amalgamation of Mobile Phone devices and Computer devices become more and more prevalent within the LE Community. What about adding in Cloud Data too? From OSINT data, public tweets and Instagram, not to mention access with credentials and warrant returns, this data is essential in modern LE. It is only going to increase in importance with the onset of large data being accessible via mobile devices, 5G and beyond. What is the future for traditional computer dead box forensics? How many computers do you have in your home today compared with 5 years ago? There needs to be a tool to bring all this evidential data together, OSINT, Cloud Services data, Mobile devices and Computers. This is where AXIOM comes in. In respect of Cloud data, AXIOM can add Open Source Data, Credential downloads and Warrant return Data into a single case file showing connections between people places and data. Let’s be honest, how many of us would bother with our devices if there was no internet connection? The mix of data shows a far fuller picture of lifestyle and activities. With Cloud data we are dealing with “Now Data” with seized Computers and Mobiles it is often “Then Data”. Why not have all of it … This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 17 |
macOS/APFS Examinations with AXIOM |
Hoyt Harness |
Hands-on Lab |
Computer Corporate Investigations |
16:00 EDT |
In this Hands-on Lab: In this lab we will explore Magnet AXIOM’s support for macOS and APFS. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more. This course is perfect for those using Windows workstations for Macintosh evidence without missing Mac-exclusive artifacts. This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 18 |
New Approaches to Digital Forensics Investigations |
Geoff MacGillivray |
Lecture |
Lab Management Magnet Forensics Product Lecture |
09:00 EDT |
In this Lecture: The global pandemic accelerated workplace shifts towards new ways of working, many involving online work and new technologies. Law Enforcement Agencies and Digital Forensic teams were already re-imagining new workflows to cope with rising digital evidence volumes. Like other sectors, the pandemic has accelerated this re-imagining and leading agencies are using a combination of technology and process change to realize greater efficiencies. Join Geoff MacGillivray, Vice President of Product Management at Magnet Forensics, to learn about Magnet’s vision for stronger investigations of digital data, securely and at scale. Hear how solutions such as Magnet AUTOMATE and Magnet REVIEW can help organizations automate, manage and collaborate on investigations with speed, accuracy and transparency. Leave with an actionable path forward – for any-sized agency – to modernize your investigation of digital data and meet the needs of your agency today and tomorrow. |
May 18 |
Add “Protobuf Expert” to your examiner’s resume |
Mike Williamson |
Lecture |
Computer |
10:00 EDT |
In this Lecture: It’s night shift, you’re staring at your hex editor and staring back at you is your forensic arch-nemesis: a protobuf-encoded blob. You’ve heard the horror stories, and maybe even battled with one previously. Looking at it now, there’s no doubt about it though: these things are just plain unintelligible. And yet, you won’t do digital forensics for long without encountering it. Clearly, to be so popular it must have its merits. Why else would app developers far and wide be increasingly convinced to implement the tech over something far easier to work with, like JSON? Computers are so fast that a minor increase in parsing performance doesn’t explain such widespread adoption. Serving as a source of consternation for digital forensic examiners is another humorous possibility, but that’s not it either. In this technical session, we will attempt to answer this question and more, with topics including:
|
May 18 |
New Approaches to Digital Forensics Investigations |
Geoff MacGillivray |
Lecture |
Lab Management Magnet Forensics Product Lecture |
13:00 EDT |
In this Lecture: The global pandemic accelerated workplace shifts towards new ways of working, many involving online work and new technologies. Law Enforcement Agencies and Digital Forensic teams were already re-imagining new workflows to cope with rising digital evidence volumes. Like other sectors, the pandemic has accelerated this re-imagining and leading agencies are using a combination of technology and process change to realize greater efficiencies. Join Geoff MacGillivray, Vice President of Product Management at Magnet Forensics, to learn about Magnet’s vision for stronger investigations of digital data, securely and at scale. Hear how solutions such as Magnet AUTOMATE and Magnet REVIEW can help organizations automate, manage and collaborate on investigations with speed, accuracy and transparency. Leave with an actionable path forward – for any-sized agency – to modernize your investigation of digital data and meet the needs of your agency today and tomorrow. |
May 18 |
Automation in digital forensics – the good, the bad and the preconceptions |
Aaron Sparling |
Lecture |
Lab Management |
14:00 EDT |
In this Lecture: Automation is not a new concept; it comes in numerous forms, some of which are already in use in almost every digital forensics lab in the DFIR community. But are all forms of automation right for all types of cases? What will happen to the forensic examiner role if we introduce workflow automation? Will automation decrease the quality of digital investigations? Join Aaron Sparling, Officer, Investigations Branch, Digital Forensics Unit at the Portland Police Bureau, for a thought-provoking presentation where he challenges common preconceptions about automation in digital forensics, presents some of the real ways automation is successfully being used today and where lab managers and examiners might face issues. |
May 18 |
Tick Tock Ya Don’t Stop – Examining Google’s Wear OS |
Josh Hickman |
Lecture |
Cloud |
15:00 EDT |
In this Lecture: Google created the descendent of their wearables operating system, Wear OS, back in 2014, a full year before the arrival of the Apple Watch and watchOS. Since that time, several OEMs such as Fossil, Motorola, and Mobvoi have released multiple smart watches that run Wear OS, and Google has acquired FitBit, which could mean a push towards a Google-made smart watch similar to what it did with the Google Nexus and Pixel lines of phones. With that in mind, this presentation takes a look at what artifacts are available in Wear OS, including hardware information, recently launched applications, used watch faces and complications, location data, paired phone information, account information, and Google Assistant data. These artifacts will also be compared to what is available on the paired Android phone. |
May 18 |
No logs, no problem: Leveraging User Access Logging on Windows Server systems |
Patrick Bennett |
Lecture |
Cloud |
16:00 EDT |
In this Lecture: Not to be confused with Office 365’s Unified Audit Log, the User Access Logging (UAL) database is included with Server editions of Microsoft Windows starting with Windows Server 2012. Designed to provide system administrators with insight into service usage on Windows servers, it contains valuable forensic data which remains largely untapped by DFIR professionals. Among other things, the UAL database maintains a record of the types of services accessed on a server; the username associated with the access; and the source IP address from which the access occurred. With default settings, the UAL database retains this information for two years. The database is stored in the Extensible Storage Engine (ESE) format, and can be parsed offline or accessed from a live system via PowerShell cmdlets. |
May 19 |
Paying it Forward: Mentorship in Digital Forensics |
Jason Jordaan |
Lecture |
Mental Wellness & Mentorship |
10:00 EDT |
In this Lecture: Many of us in the field of digital forensics have been lucky to have a senior practitioner to look up to as we began our journey into digital forensics, and some of us have not. But regardless, the reality is that having a mentor to guide you on your journey is a crucial part of knowledge transfer, and has been a key part of effective knowledge and skill transfer for centuries. |
May 19 |
Easing the Path for Girls into STEM |
Dr. Kimberly Clay |
Lecture |
Mental Wellness & Mentorship |
11:00 EDT |
In this Lecture: Play Like a Girl leverages the collective power of women athletes, coaches and executives to serve as role models and mentors to middle school girls with an interest in STEM. |
May 19 |
How Being a Terrible Manager Has Led to Innovative Solutions for Digital Forensic Investigations |
Mitch Kajzer |
Lecture |
Mental Wellness & Mentorship |
12:00 EDT |
In this Lecture: I am the Director of the St. Joseph County, IN Cyber Crimes Unit. The unit consists primarily of college students. We’ve all heard the horror stories about this generation of workers, which currently accounts for over 50% of the workforce. Among other things, they are entitled, lazy, unmotivated, disloyal, and selfish. Combine that with the fact that I am a terrible manager and it sounds like a recipe for disaster. But it hasn’t been. This model has led to innovative solutions to digital forensics investigations. We analyze over 700 devices a year. We haven’t had a case backlog in over four years. Our turnaround time is routinely same day. This talk will discuss a new paradigm in the workforce and our forensics lab. When I became the Cyber Crimes Director, I had no formal training or experience as a manager. So I bucked the conventional wisdom of management and decided not to manage at all. Instead, I took the approach of being a leader and mentor. What I’ve learned through leadership is that if you take care of the people taking care of the work, the people taking care of the work will excel beyond expectations. This simple concept that you manage things, but you lead people, will be discussed. Lessons from this talk can be applied by anyone in any industry to usher in a new era of the end of management and a focus on leadership at every level. |
May 19 |
Cybersleuth Labs – Introducing High School Girls and Underrepresented Minorities to Digital Forensics |
Daryl Pfeif |
Lecture |
Mental Wellness & Mentorship |
13:00 EDT |
In this Lecture: This talk will share the Cyber Sleuth Science Lab (CSSL) research findings on the effectiveness of combining ethical and social lessons with technical education to engage the next generation. CSSL is geared to reach all students in high school with an emphasis on engaging more young women and underrepresented youth in STEM. This approach leverages DFIR as a unique opportunity to inform learners about security and privacy issues and encourage responsible and ethical behavior in our digital society while preparing them for success in a variety of STEM career pathways. |
May 20 |
GNU/Linux Examinations with AXIOM |
Hoyt Harness |
Lecture |
Computer |
09:00 EDT |
In this Lecture: In this talk we will explore Magnet AXIOM’s features useful to the Linux examiner. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more. This session is perfect for those using Windows workstations for Linux evidence without missing Linux/UNIX-exclusive artifacts. |
May 20 |
Conducting Android & iOS Investigations with Graykey & AXIOM: Finding Support for Unsupported Applications |
David Smalley Trey Amick |
Lecture |
Criminal Investigations |
11:00 EDT |
In this Lecture: Device users are no longer relying on default applications to communicate, often migrating to 3rd party applications with additional features. Unfortunately, these same types of applications can be used by actors involved in criminal investigations to encrypt and obfuscate their activities. In this webinar, join David and Trey, digital forensic experts from Grayshift and Magnet Forensics, for a hands-on deep dive into modern approaches to digital forensics that help enable you to achieve same-day results (often within hours), extract more data from locked and encrypted mobile devices, and get the most out of GrayKey + Magnet AXIOM. We’ll also review decryption methods for third party applications, securing critical evidence that is admissible and discoverable, and how to accelerate your investigations. GrayKey labs are restricted to law enforcement and government attendees only. Please note that all submissions are being validated and approved by Grayshift. If you are approved, you will receive the joining details 24 hours before the session starts. |
May 20 |
Alternative Approaches to Windows Memory Analysis |
Tarah Melton |
Lecture |
Computer |
11:00 EDT |
In this Lecture: Did you know that there are alternative techniques for Windows memory analysis? In this session, you’ll see how utilizing MemProcFS in conjunction with Magnet AXIOM can help to enrich your investigation with both a mounted logical file structure of memory output alongside carved artifacts from memory. Join Tarah Melton who will demonstrate these techniques and apply them to solving memory analysis questions. |
May 20 |
Hiding in Plain Sight |
Brian Moran Jessica Hyde |
Lecture |
Cloud |
13:00 EDT |
In this Lecture: With more devices having onboard storage capability than ever before, it is imperative that analysts work with investigators to ensure that every possible medium of digital storage is collected during the course of an investigation. “Traditional” mediums, such as hard drives, flash drives, tablets, cell phones, and multimedia cards, are straightforward and at the forefront of most investigations. However, one must also take into account items such as televisions, smart speakers, smart watches/fitness trackers, digital photo displays, and even exercise equipment, often referred to as the Internet of Things (IoT) devices. This talk will cover both identifying these additional sources and a methodology to acquire and analyze these possible storage mechanisms during the course of an investigation. Brian and Jessica will also lay out baselines of a few “obscure” mediums for forensic analysts to be aware of during the course of their investigation. |
May 20 |
PinePhone forensics |
Kathryn Hedley |
Lecture |
Mobile |
14:00 EDT |
In this Lecture: The PinePhone is one of the first functioning open source smartphone projects to truly put the choice of operating system into the user’s hands. It has been designed to run the Linux operating system, and can be purchased with a number of smartphone-specific Linux variants pre-flashed, so the phone can be used out of the box. Whilst this device is still very much in the development phase, and not everything functions exactly as expected just yet, it’s still fun to play with, and to try and work out what it might mean to a digital forensic investigation if one of these devices was seized as part of a case. Kathryn will talk through an introduction to the device, potential methods to acquire data, and where some key data may be stored based on her research so far. |
May 20 |
GNU/Linux Examinations with AXIOM |
Hoyt Harness |
Lecture |
Computer |
15:00 EDT |
In this Lecture: In this talk we will explore Magnet AXIOM’s features useful to the Linux examiner. We will consider acquisitions, processing, and interactive examinations to leverage AXIOM’s various explorers for faster examinations, timeline analysis, artifact relationships, and more. This session is perfect for those using Windows workstations for Linux evidence without missing Linux/UNIX-exclusive artifacts. |
May 20 |
Introducing Network Forensics with Wireshark |
Eduardo Santos |
Lecture |
Corporate Investigations |
16:00 EDT |
In this Lecture: Join Eduardo Santos, Computer Network Analyst, for a demonstration of how powerful the Wireshark tool is for analysis during forensic investigations and incident response. You will learn how protocol concepts in the TCP/IP stack can support an investigation. This talk will also cover setting filters, creating different profiles, analyzing patterns and checking statistical data. In addition, Eduardo will discuss perceiving and analyzing recurring attacks on a computer network, such as DoS, malware traffic, malicious HTTP traffic, and Command and Control artifacts. These are attributes that make Wireshark a powerful Open Source traffic analysis tool, which can support a forensic investigation and security incident response process. |
May 21 |
The Forensic Lunch |
Special Event |
12:00 EDT |
In this Special Event: Join us for a live recording of the Forensic Lunch. |
May 24 |
AXIOM Cyber and the Corporate Cloud |
Chris Vance |
Hands-on Lab |
Cloud Corporate Investigations |
09:00 EDT |
In this Hands-on Lab: This session will explore the major cloud structures in many modern corporations including O365, AWS, Slack, and more. Throughout this lab, students will learn about AXIOM Cyber’s different functionality through acquisition and analysis of several cloud platforms including what new information may be available in the latest versions. This lab will also include several pre-acquired image files so that students can see what information will be available once it is all pulled down. This lab is most applicable to corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 24 |
Magnet Forensics Custom Artifacts Lab |
Jessica Hyde |
Hands-on Lab |
Cloud Computer Mobile |
13:00 EDT |
In this Hands-on Lab: In this lab we will show you how to extend your capabilities with Magnet AXIOM by utilizing and creating custom artifacts. In this hands-on lab we will learn how to create and install custom artifacts including custom artifacts from the Artifact Exchange or those shared within your organization. We will review multiple ways to create custom artifacts including using XML Templates, Python Custom Artifacts, and the Magnet Custom Artifact Generator. We will show how XML templates can be created for both SQLite Artifacts and Fragmented Artifacts. At the end of the session, attendees will know the techniques necessary to create their own custom artifacts and bring in custom artifacts created by others. This lab is applicable to both criminal and corporate investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 24 |
Time To Evidence: Improve Your ICAC Investigations with AI, Media Categorization, Cloud, OUTRIDER and More |
Larry McClain |
Hands-on Lab |
Criminal Investigations |
16:00 EDT |
In this Hands-on Lab: Pictures, videos, and chats can all be key pieces of evidence in building cases for possession, distribution, and/or production of child sexual abuse material (CSAM), solicitation of a minor, and related crimes. However, these data quantities can range well into terabytes as investigators evaluate the evidence across multiple cases. In this lab, learn how key features in Magnet AXIOM, including Magnet.AI, categorization, Child Protection System integration, and Officer wellness features, work together to save time, reduce exposure to harmful content, and focus case-building to apprehend predators and rescue child victims. We will also take a look at Magnet’s OUTRIDER and what it can do for your investigations. This lab is most applicable to criminal investigations. Participants of this hands-on lab will receive 1 CPE credit for attending. |
May 25 |
Duck Hunt! Hunting Qakbot Malware with AXIOM |
Aaron Sparling |
Lecture |
Computer Corporate Investigations |
09:00 EDT |
In this Lecture: This presentation will walk you through the analysis of an actual Qakbot investigation. The presentation will start with the collection of physical memory and filesystem acquisition, then pivot through the analysis process, eventually ending with identification and attribution. Aaron will illustrate how MAGNET AXIOM can be leveraged in malware investigations by utilizing the embedded Volatility framework, connections, artifact analysis, and timeline features. By using these embedded features within the AXIOM analysis platform we will be able to illuminate the breach from beginning to end. Aaron will share lessons learned and highlight both those things which worked as well as things that could have been done better in the investigation. From this presentation, you will gain a complete understanding of how Qakbot infects the network, as well as how to hunt, identify, isolate and remediate the malware infection. |
May 25 |
Exploring Apps in the Back Country |
Christopher Atha |
Lecture |
Cloud Mobile |
10:00 EDT |
In this Lecture: In 2020 there was a dramatic growth in outdoor activity with millions exploring the great outdoors according to a report from the Outdoor Foundation*. With the increased interest in activity, there was also exponential growth in fitness apps that helped consumers find trails, parking, weather conditions and much more. As you can imagine, accidents happened, people got lost, went missing and crime occurred. As Investigators and digital forensics analysts, we have a grasp of most fitness applications and their value to the overall crime story. Have we kept up with the top downloads from the App Store and the Google Play store for mountain biking, trail running, skiing, and other outdoor activities? This talk will hit the outdoor adventure applications and explore their forensic artifacts just as they allow you to explore this wonderful planet. We will weave together a few real-world examples of how these little-known applications can shed light on what really happened. How fast was a skier going when they lost control, left the marked trail and collided with a tree? When did a trail runner quit uploading their runs to one of the popular services, which may not be popular to everyone? Join in and prepare to explore the apps that help you explore! *Ref: https://outdoorindustry.org/press-release/forthcoming-reports-outdoor-foundation-outdoor-industry-association-provide-unprecedented-insight-trends-outdoor-participation/ |
May 25 |
Duck Hunt! Hunting Qakbot Malware with AXIOM |
Aaron Sparling |
Lecture |
Computer Corporate Investigations |
13:00 EDT |
In this Lecture: This presentation will walk you through the analysis of an actual Qakbot investigation. The presentation will start with the collection of physical memory and filesystem acquisition, then pivot through the analysis process, eventually ending with identification and attribution. Aaron will illustrate how MAGNET AXIOM can be leveraged in malware investigations by utilizing the embedded Volatility framework, connections, artifact analysis, and timeline features. By using these embedded features within the AXIOM analysis platform we will be able to illuminate the breach from beginning to end. Aaron will share lessons learned and highlight both those things which worked as well as things that could have been done better in the investigation. From this presentation, you will gain a complete understanding of how Qakbot infects the network, as well as how to hunt, identify, isolate and remediate the malware infection. |
May 25 |
Rapid Ransomware Response: A Survival Guide |
Heather Smith |
Lecture |
Corporate Investigations |
14:00 EDT |
In this Lecture: 2020 came with many challenges, least of which was the emergence of more aggressive ransomware tactics: doubling down on extortion via encryption and exfil, new vectors (ESXi), and the adaptation of deployment techniques. This talk will give a fast-paced walkthrough of how to contain the attack, find evil, and bring critical business infrastructure back up as a rapid responder. |
May 25 |
Applying the MITRE ATT&CK Framework to Dead Box Forensics by Mary Ellen Kennel |
Mary Ellen Kennel |
Lecture |
Computer |
15:00 EDT |
In this Lecture: A lot has been shared about the MITRE ATT&CK framework and how it can be leveraged as a powerful hunting resource and a threat modeling foundation. In this presentation, Mary Ellen will cover a different way of using MITRE ATT&CK – during a forensic investigation. This talk will walk the audience through a complete investigation plan, A-Z, built from the MITRE ATT&CK framework. Unlike a lot of MITRE ATT&CK applications, the contents will be less about proactive threat hunting, and more an aid to a forensic investigation. We’ll begin with an example incident that was just dropped on your desk, and all you have is an IP address. Your company had a visit from a three-letter agency, and you’ve now found out through a third party that your org was popped; it doesn’t get much worse than that. The “suits” leave, and all you’ve got is an IP address and strict orders to piece together what happened. The order of events will be based loosely off of a paper Mary Ellen published in 2016 entitled “IR A-Z”. |
May 26 |
Get Moving with Magnet Forensics |
Special Event |
09:00 EDT |
In this Special Event: Grab your water bottle and favourite workout gear and join us for a Magnet Virtual Summit group fitness class. This fitness class requires no equipment and can be done anywhere that you have space to move. We’ll combine strength training, cardio and stretching for a one hour full body workout. |
May 26 |
Surviving and Thriving in DFIR, Game of Thrones Style |
Brett Shavers |
Featured Lecture |
Corporate Investigations Criminal Investigations |
11:00 EDT |
In this Featured Lecture: We are in a seemingly never-ending battle to learn, enter, survive, and hopefully thrive in the realm of Digital Forensics and Incident Response. Everyone’s path is different, strewn with obstacles that feel like they are intended to make your journey more difficult than anyone else’s. But you are not alone! Using personal successes and tragedies, Brett will share lessons he learned that you can apply to your path of success, whether new to the field or transitioning from one level to the next. From mistakes, general advice, and tips on forensic analysis, Brett will be an open book to share some of the great and the not-so-great aspects of our chosen profession, including some of the best words of advice that you can put to use in less than two minutes after the presentation. |
May 26 |
Finding Your 1% |
Kim Bradley Sheryl Woolverton |
Lecture |
Criminal Investigations Mental Wellness & Mentorship |
14:00 EDT |
In this Lecture: What is 1%? Forensic Examiners and Investigators are used to giving 100% of themselves to their examinations and case load. While examiners are quick to share “how to’s”, the stress of the work is not often discussed or acknowledged. Many enjoy immersing themselves in their case load and the mission of their work; however, it often comes at great sacrifice. Staying late to look through one more device, start one more case processing, or try one more method to search for the data (or absence of data) for an examination is all too common. Deadlines, case implications and backlog can influence not only how work time is spent, but also mental energy at home. By dedicating just 1% of the day to something fun, something different, something to step back for just a moment, physical and mental energy can be renewed to continue to embrace work with less burnout and fatigue. Join us as we discuss how you can use your 1%, the importance of regularly scheduled time for your 1% and how to identify times you need to take an unplanned 1%. |
May 27 |
Ransomware: Current Trends and Updates |
Cindy Murphy |
Lecture |
Corporate Investigations |
09:00 EDT |
In this Lecture: Cindy Murphy, President of Tetra Defense, will be presenting insights on the cyber incidents she investigates daily, including a behind-the-scenes look at the trajectory from incident to millions of dollars of damage for unsuspecting businesses. Ransomware has always been prevalent, and because of many changes made to networks to allow working from home during COVID-19 and throughout 2020, attacks have become even more frequent. Some takeaways will include specific COVID-related incidents, the “business” structure of ransomware threat actors, and the latest intel from the Tetra team regarding ransomware threats and how to thwart them. |
May 27 |
Snapchat – A False Sense Of Security? |
James Duffy |
Lecture |
Mobile |
10:00 EDT |
In this Lecture: James will explore the local data storage of ‘Snapchat’ for iOS and the implications of the data protection mechanisms that Snapchat has implemented, while dissecting the various application databases and exploring how they inter-operate and how the databases are manipulated during execution. This will provide a valuable insight for forensic analysts, allowing for both a further understanding of Snapchat internals and how to detect local data manipulation prior to device filesystem acquisition. |
May 27 |
Magnet AUTOMATE: Transforming your DF Lab with Automation |
Greg Ward Tarah Melton |
Lecture |
Lab Management Magnet Forensics Product Lecture |
13:00 EDT |
In this Lecture: Over the past year, Law Enforcement Agencies and Digital Forensic Units have accelerated their modernization efforts to re-imagine how they handle growing challenges such as increasing data volumes, evidence complexity, skilled talent shortages and remote work. Magnet AUTOMATE, an orchestration and automation platform, helps agencies create efficient workflows to tackle these challenges and meet the demands for service from their agency. Automate repetitive/manual tasks to complete more investigations faster with your existing resources while allowing examiners to focus on complex analysis. Join Greg Ward, Product Manager, and Tarah Melton, Solutions Consultant, to learn more about Magnet AUTOMATE, see it in action, and check out recent advancements such as new mobile workflow capabilities and stats & management dashboards to help Lab Managers measure, act and report on lab efficiency. |
May 27 |
Using Triage Tools in Different Phases of an Investigation |
Hans Ehren |
Lecture |
Criminal Investigations |
14:00 EDT |
In this Lecture: Join Hans Ehren from the Dutch Police for a discussion on the importance of triage during COVID-19. With a large number of people working from home, children are spending more time online, increasing the need for the availability of computers. Unfortunately, the spread of CSAM also increases in this situation, making effective and fast triage even more important. It ensures that the suspected systems are identified and that other systems remain available for home working and home schooling. |
May 27 |
Detection in the Dark – Exploiting XSS Vulnerability in C&C Panels to detect Malwares |
Shay Nachum |
Lecture |
Corporate Investigations |
15:00 EDT |
In this Lecture: Numerous defense techniques exist for preventing and detecting malware on end stations and servers (endpoints). Although these techniques are widely deployed on enterprise networks, many types of malware manage to stay under the radar, executing their malicious actions time and again. Therefore, a more creative and effective solution is necessary, especially as classic threat detection techniques do not utilize all stages of the attack kill chain in their attempt to detect malicious behavior on endpoints. In this presentation, a novel approach for detecting malware is proposed. The approach uses offensive and defensive techniques for detecting active malware attacks by exploiting the vulnerabilities of their command and control panels and manipulating significant values in the operating systems of endpoints, in order to attack these panels and utilize trusted communications between them and the infected machine. |
Note: Once you’ve registered for MVS21, you will be able to manage all your events via your MVS21 event hub.