SANS Digital Forensics and Incident Response Blog

SANS Forensic/IR Summit Panel Questions Posted

The WhatWorks in Forensics and Incident Response Summit 2009

The panels for the Forensic and Incident Response Summit have been posted. Each panelist will help answer these critical questions and present their answers to the audience. Attendees will then be able to put their own questions to the panel in a question-and-answer session. The panels are one of the many great reasons to attend the 2009 Forensic/IR Summit.

This event should not be missed.

Register NOW!!


User Panel: Essential Incident Response Techniques:

Panelists will tell which incident response tools and techniques they regularly use, what worked and what didn't work, and they will share the lessons they learned.

Ken Bradley - Incident Handler, General Electric GE-CIRT.

Harlan Carvey - Senior Incident Responder, IBM ISS; Author of "Windows Forensic Analysis" and the blog

Kris Harms - Senior Consultant, Mandiant Inc.

Dave Hull - Owner, Trusted Signal LLC.; Editor and Author of the blog

Chris Pogue - Senior Security Consultant, Trustwave; Author of "Unix and Linux Forensic Analysis."

Some Panel Questions for Incident Response Techniques to be asked at the Summit

  1. What techniques do you use in incident response that are the most reliable at helping solve cases?
  2. If you were going to write the job requirements of an entry level incident responder to handle a gig by themselves, what would the job description look like?
  3. Have you seen a decent incident response policy? If so, tell us why it was good. If not, where did it fail?
  4. Rank the tools in your incident response jump kit in order of importance.


User Panel: Essential Forensic Tools:

Panelists will tell which forensic tools they regularly use, what worked and what didn't work, and they will share the lessons they learned.

Jesse Kornblum - Senior Forensic Scientist, ManTech International Corporation

Troy Larson - Senior Forensic Investigator, Microsoft's IT Security Group

Mark McKinnon - Owner of RedWolf Computer Forensics; Author of the blog

Lance Mueller - Co-owner of BitSec Forensics; Author of the blog

Some Panel Questions for Essential Forensic Tools to be asked at the Summit

  1. What forensic technique(s) do you feel every investigator should know but currently doesn't?
  2. What are 2-3 major challenges that investigators now face or will face in the near future?
  3. Which software tool or capability needs to be created that hasn't been created yet?
  4. What simple technique do you use that is incredibly reliable and that you turn to most often in your casework?


User Panel: Working with Law Enforcement:

Panelists will tell you the challenges faced by law enforcement, the tools and techniques law enforcement uses, what works and what doesn't work, and they will share the lessons they learned.

Andrew Bonillo - Special Agent, United States Secret Service

Richard Brittson - Detective, New York City Police Department, Retired

Ovie Carroll - Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS)

Chris Kelly - Assistant Attorney General, Cybercrime Division, Commonwealth of Massachusetts

Jennifer Kolde - Computer Scientist with the FBI San Diego Division's National Security Cyber Squad

Cindy Murphy - Detective, City of Madison, WI Police Department

Ken Privette - Special Agent in Charge of Digital Evidence Services, United States Postal Service Office of Inspector General

Paul J. Vitchock - Special Agent, Federal Bureau of Investigation, Washington Field Office

Elizabeth Whitney - Forensic Computer Examiner, City-County Bureau of Identification, Raleigh, NC

Some Panel Questions for the Working with Law Enforcement Panel to be asked at the Summit

  1. What is the biggest challenge facing law enforcement in digital forensics? How would you overcome this challenge?
  2. Why are some tools, techniques, and knowledge restricted to law enforcement only? Do you agree with this reasoning? Why?
  3. Where would you recommend a civilian digital investigator go in order to meet their law enforcement counterparts? Is it effective? Are there any recommended groups/lists/email boards/etc. where you can interact with each other?
  4. What technical skill have you learned over the past year that has changed the way you approach your cases? Why?
  5. What software do you routinely use working with cases? Why was it useful and is this capability found in other competing software products?


User Panel: Forensic Challenges from the Courtroom:

Panelists will tell you the challenges faced when preparing for and during courtroom litigation involving computer forensics, incident response, and e-discovery. They will discuss common myths found in the courtroom and the critical steps every investigator must know. They will tell you what works and what doesn't work in and out of the courtroom by sharing the lessons each of them has learned.

Craig Ball - Attorney and Computer Forensic Expert

Larry Daniel - Consultant, Guardian Digital Forensics; Talk Forensics Host; Author of the Ex Forensis Blog

Gary Kessler - Associate Professor of Computer & Digital Forensics and Director of the M.S. in Digital Investigation Management, Champlain College

Dave Kleiman - Computer Forensic, E-Discovery, and Litigation Expert

Bret Padres - Director, Digital Forensic Laboratory, Stroz Friedberg

Dr. Doug White - Director, FANS Laboratory at Roger Williams University; President of Secure Technology, LLC.; ISFCE Representative

Some Panel Questions for the Forensic Challenges from the Courtroom Panel to be asked at the Summit

  1. Should I become a licensed private investigator in my state even if my state does not have a specific law telling me to do so? Why or why not?
  2. What is the biggest challenge an investigator presenting evidence will have in a courtroom in 2009? How do you overcome it?
  3. If you were working the defense on a case, what would your basic strategy be to create doubt in the plaintiff's digital evidence?
  4. I am working a case and opposing counsel states that some other dude did it (SODDI) or that a Trojan/malware did it (the Trojan defense). What strategy would you recommend that could help me combat this in court?