Blog: SANS Digital Forensics and Incident Response Blog


Agenda Released: Forensics and Incident Response Summit 2009

Agenda and Speakers Released for The WhatWorks in Forensics and Incident Response Summit 2009


The WhatWorks in Forensics and Incident Response Summit 2009


I am very excited about announcing this year's speaker line-up. Each speaker and panelist is individually selected and invited to participate. Thank you to all the speakers and panelists that will make this event extremely exciting and worthwhile. - Rob Lee - SANS Institute and Mandiant Inc.

Why should you attend the 2009 Forensics and Incident Response Summit?


In the past 10 years, the amount of knowledge gained and techniques learned in the digital forensics profession is staggering. The traditional tools, methods, and techniques have served us well, but the attack landscape has now changed so much that the community needs to have a new discussion on the most reliable techniques, tools, and analysis methods for modern forensics. In a nutshell, what are the new essentials of Computer Forensics and Incident Response in 2009?

Agenda Overview: Top industry leaders, forensics and incident response professionals, and vendors will discuss the latest strategies and techniques in a series of highly interactive sessions focused on effective incident response and mitigation strategies, core forensic investigative analysis, criminal prosecution myths, and civil e-Discovery litigation methodologies.

Register Here


Forensic Summit Flow

Monday, July 6


Pre-Summit Course - Advanced Filesystem Recovery and Memory Forensics

5:00pm - 8:00pm


Welcome Reception and Registration



Tuesday, July 7


6:30 am - 8:00 am


Breakfast and Registration


8:00am - 8:30am


Welcome and Introduction to the Forensic and Incident Response Summit 2009


8:30am - 9:30am


Keynote Address: Incident Response and Forensics: Still Speaking Truth to Power

- At the 2008 Summit I asked "Are incident responders part of the problem, part of the solution, or somewhere in between? Are we doing what we can, or what we must? Do we make a difference?" At the 2009 Summit I will examine what has happened since October 2008, and try to determine if anyone is listening. If no one is, how can we improve our justification for incident response?


  • Richard Bejtlich -- Director of Incident Response for General Electric; Author "Real Digital Forensics", "Extrusion Detection: Security Monitoring for Internal Intrusions", and the blog taosecurity.blogspot.com

9:30am - 10:30am


Expert Briefing: Evil or Not? Rapid Confirmation of Compromised Hosts Via Live Incident Response - During this presentation, attendees will learn practical, tried, and true methods to review live incident response information. You will obtain the skillful eye required to quickly confirm or dispel if a system is compromised. Recent case data from PCI credit card breaches as well as the Chinese Advanced Persistent Threat (APT) will be used as samples. Armed with this knowledge, you will excel as an initial responder to any incident.


  • Kris Harms -- Senior Consultant, Mandiant Inc.

10:30am - 10:50am


Break


10:50 am - 12:00pm


User Panel: Essential Incident Response Techniques: Panelists will tell which incident response tools and techniques they regularly use, what worked and what didn't work, and they will share the lessons they learned.


  • Ken Bradley -- Incident Handler, General Electric GE-CIRT.
  • Harlan Carvey -- Senior Incident Responder, IBM ISS; Author of "Windows Forensic Analysis" and the blog windowsir.blogspot.com
  • Kris Harms -- Senior Consultant, Mandiant Inc.
  • Dave Hull -- Owner Trusted Signal LLC.; Editor and Author of the blog sansforensics.wordpress.com

12:00pm - 1:00pm


Lunch


1:00pm - 1:50 pm


Expert Briefing: Registry Secrets Every Investigator Should Know - While Microsoft posts warnings about the dangers of modifying the Windows registry in their KnowledgeBase articles, malware authors are making prolific use of this resource to ensure the persistence of their software on compromised systems. The Windows Registry is one of the great untapped resources for analysis: a knowledgeable analyst can locate malware persistence mechanisms and other artifacts, as well as artifacts of user activity and the use of software and attached devices on the system. This presentation will address the basic structure of the registry, pertinent keys and values, as well as extracting data from Windows XP System Restore Points and from unallocated space within Registry hive files.


  • Harlan Carvey -- Senior Incident Responder, IBM ISS; Author of "Windows Forensic Analysis" and the blog windowsir.blogspot.com

1:50pm - 2:50pm


User Panel: Essential Forensic Tools: Panelists will tell which forensic tools they regularly use, what worked and what didn't work, and they will share the lessons they learned.


  • Jesse Kornblum -- Senior Forensic Scientist, ManTech International Corporation
  • Troy Larson -- Senior Forensic Investigator, Microsoft's IT Security Group
  • Mark McKinnon -- Owner of RedWolf Computer Forensics; Author of the blog cfed-ttf.blogspot.com
  • Lance Mueller -- Co-owner of BitSec Forensics; Author of the blog www.forensickb.com

2:50pm - 3:10pm


Break


3:10pm - 4:30pm


Expert Briefing: Memory Forensics and Analysis - The memory in today's business desktops is now larger than the hard drives that were in systems just a few years ago. Traditionally, forensic analysis has meant taking an image of the hard drive and sifting through files. This is only half of the story and can no longer be considered sufficient. Attackers are writing less to disk and hiding more in the ample memory users now enjoy. Memory analysis, once a niche function performed by only the most advanced forensic investigators, is now mainstream and common in professional investigations. Tools have been written to make memory analysis as easy for the investigator as, if not easier than, hard drive analysis, in a fraction of the time. In this talk, we will show you how to quickly identify suspicious things in memory without having to be a reverse engineer. This talk will feature research, use cases, and real world examples.


  • Jamie Butler - Director Product Development, Mandiant Inc.; Author "Rootkits: Subverting the Windows Kernel"
  • Peter Silberman - Development Engineer, Mandiant Inc.; Author of M-unition - blog.mandiant.com

Expert Briefing: Registry Analysis and Memory Forensics, Together at Last - The Windows registry can be a gold mine of information for a forensic analyst. Similarly, memory analysis can be a source of critical data, allowing an investigator to reap the benefits of live analysis with a higher degree of repeatability and integrity. New tools have recently become available that allow us to combine these two crucial data sources and extract registry information directly from memory dumps. In this talk, I'll show how you can use these tools to find passwords, uncover evidence of malware, get information about physical media like USB keys, and make your incident response more effective.


  • Brendan Dolan-Gavitt -- Researcher and PhD student at the Georgia Institute of Technology's Information Security Center; Author of the blog moyix.blogspot.com

4:30 pm - 5:30 pm


Solution Provider and Vendor Panel: Hear about strengths and weaknesses of the leading tools, services, and solutions in a format that enables vendors to interact in interesting ways and users to ask the kinds of questions they have always wanted to ask (but never dared).


5:30pm - 7:30pm


Hospitality Suites


7:30pm - 8:30pm


Live CyberSpeak Podcast - CyberSpeak (cyberspeak.libsyn.com) is your computer forensics, computer security, and computer crime podcast. Join Bret and Ovie for a session of the CyberSpeak podcast recorded live from the Forensic Summit 2009.


  • Ovie Carroll -- co-host, CyberSpeak podcast
  • Bret Padres -- co-host, CyberSpeak podcast




Wednesday, July 8


7:00am - 8:30am


Breakfast


8:30am - 9:30am


Keynote Address: Coming soon. Speaker checking schedule.


9:30am - 10:15am


Expert Briefing: Law Enforcement Trends and the Future of Computer Forensics and Incident Response - In the unique position to see computer forensics from the law enforcement and prosecution perspective as well as from a state, federal, national and global level, Ovie Carroll, Director of the DOJ CCIPS CyberCrime Lab, discusses current trends and the future of computer forensics.


  • Ovie Carroll - Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS)

10:15am - 10:30am


Break


10:30am - 12:00pm


Panel: Working with Law Enforcement - Panelists will tell you the challenges faced by law enforcement, the tools and techniques that law enforcement use, what works and what doesn't work, and share their lessons learned.


  • Andrew Bonillo -- Special Agent, United States Secret Service
  • Richard Brittson -- Detective, New York City Police Department, Retired
  • Ovie Carroll -- Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS)
  • Chris Kelly -- Assistant Attorney General, Cybercrime Division, Commonwealth of Massachusetts
  • Jennifer Kolde -- Computer Scientist with the FBI San Diego Division's National Security Cyber Squad
  • Cindy Murphy -- Detective, City of Madison, WI Police Department
  • Ken Privette -- Special Agent in Charge of Digital Evidence Services, United States Postal Service Office of Inspector General
  • Elizabeth Whitney -- Forensic Computer Examiner, City-County Bureau of Identification, Raleigh, NC
  • Lawrence Wolfenden -- Special Agent - Federal Bureau of Investigation

12:00pm - 1:00pm


Lunch


1:00pm - 1:50pm


Expert Briefing: Forensics in the Courtroom - This presentation describes some current issues facing forensics examiners in the courtroom. Specifically, the focus of the presentation is on key evidentiary approaches which may result in evidence being denied admission to the courtroom in both civil and criminal cases. The presentation talks about being admitted as an expert, chain of custody, privacy, and current cases in 2008 which involved digital forensics evidence based on research with Tom Lonardo, J.D. of Roger Williams University. Additionally, the presentation introduces licensure vs. expert witnesses in the context of the recent movement by certain states towards requiring private investigator licenses for digital forensics examiners.


  • Dr. Doug White -- Director, FANS laboratory at Roger Williams University; President of Secure Technology, LLC.; ISFCE Representative

1:50pm - 2:50pm


Panel: Forensic Challenges from the Court Room - Panelists will tell you the challenges faced when preparing for and during courtroom litigation involving computer forensics, incident response, and e-discovery. They will discuss common myths found in the courtroom. They will discuss critical steps every investigator must know. They will tell you what works and what doesn't work in and out of the courtroom by sharing the lessons each of them has learned.


  • Craig Ball -- Attorney and Computer Forensic Expert
  • Gary Kessler -- Associate Professor of Computer & Digital Forensics and director of the M.S. in Digital Investigation Management, Champlain College
  • Dave Kleiman -- Computer Forensic, E-Discovery, and Litigation Expert
  • Bret Padres -- Director, Digital Forensic Laboratory, Stroz Friedberg
  • Dr. Doug White -- Director, FANS laboratory at Roger Williams University; President of Secure Technology, LLC.; ISFCE Representative

2:50pm - 3:10pm


Break


3:10pm - 4:10pm


Expert Briefing: Mobile Device Forensics Essentials - Forensic examiners are encountering a wide variety of mobile devices in criminal and civil cases. These devices can contain details about who was doing what, where and when, making them a powerful source of digital evidence. At the same time, new methods and tools for acquiring and analyzing mobile devices are emerging, including remote acquisition and physical memory analysis. Forensic practitioners need an understanding of these new tools and techniques, and the types of evidence that can be recovered from mobile devices. This presentation demonstrates the strengths and limitations of powerful new tools and techniques used to acquire and analyze data from mobile devices, including Flasher boxes and specialized data carving utilities. Case examples are used to highlight how data from mobile devices can be useful in digital investigations. Lessons learned from the field are also covered to help practitioners navigate common challenges.


  • Eoghan Casey -- Author "Handbook of Computer Crime Investigation"; Professor at Johns Hopkins University Information Security Institute

4:10pm - 5:10pm


Solution Provider and Vendor Panel Part II: Hear about strengths and weaknesses of the leading tools, services, and solutions in a format that enables vendors to interact in interesting ways and users to ask the kinds of questions they have always wanted to ask (but never dared).

5:10pm - 5:30pm


Closing - Forensic and Incident Response Summit 2009

Thursday, July 9 - Tuesday, July 14


Post-Summit Course: SEC408 -Computer Forensic and E-discovery Essentials


Chad Tilbury -- SANS Institute, former Special Agent, Air Force Office of Special Investigations


Post-Summit Course: SEC508 - Computer Forensic and E-discovery Essentials


Rob Lee -- SANS Institute and Forensic/IR Summit Chair; Lead Author and Editor of sansforensics.wordpress.com


Post-Summit Course: SEC606 - Drive and Data Recovery Forensics


Scott Moulton -- Forensic Strategy Services, LLC
