SANS Digital Forensics and Incident Response Blog

WACCI Digital Forensics (Part 1)

This week, I had the pleasure of attending the Wisconsin Association of Computer Crime Investigators (WACCI) conference in Madison, WI. I was fortunate to be accompanied by good friend and fellow SANS Computer Forensics blog author Brad Garnett. The following is a recap of our time at the conference.

When I first learned about the WACCI conference, I was immediately interested in attending. The biggest draw was the speaker lineup, which included such forensics luminaries as Ovie Carroll, Harlan Carvey, Rob Lee, Brian Carrier and Mark McKinnon. That's quite a list of talent. I was amazed that such a great conference could be given while still keeping the registration price incredibly low. Finally, I was attracted by the conference location. Given that I live in a rural area, it was great to see a high quality forensics conference taking place within realistic driving distance. Once I was certain I would be able to go, I made sure to reserve some vacation time from work and sent my registration.

On arrival at the Alliant Energy Center Exhibition Hall for day 1, quite a few people were already there signing in. I met the awesome Cindy Murphy, president of WACCI-West and cell phone guru at the registration table, where I received my name tag and goody bag containing various conference materials and items supplied by sponsors. I found some familiar faces in the group of attendees and took time to catch up with them. Everyone I talked with seemed excited to be there and I had the feeling it was going to be a great week.

After the initial welcome, it was time for lunch. In addition to the high quality speakers and breakout sessions, WACCI also made sure we got high quality food. They fed us well all week and I'm still amazed they did all this with such a low registration fee. Once lunch was over, it was time for the first of the days two keynote speeches. Let me tell you, they could not have picked two better people to speak right after lunch than Ovie Carroll and Harlan Carvey. Some people (like me) get really sleepy after a large meal, but these two guys kept things moving at a fast pace with audience participation and I doubt there were any yawns in the group.

Ovie Carroll is the Director of the Cybercrime Lab for the Department of Justice, Computer Crime and Intellectual Property Section, but most of us know him from the CyberSpeak podcast, which he co-hosts with Bret Padres. Ovie is a "high energy" speaker and extremely funny. He is also a pro at creating great presentations and had beautiful slides to accompany his keynote talk. He kept things rolling while making a lot of great points about computer forensics issues. He talked about the importance of performing triage whenever possible to help help set your focus when it comes time to perform the full forensic analysis of a computer. He also encouraged the law enforcement people in attendance to place greater emphasis on getting their prosecutors involved in cases to help make sure you get the things the prosecutors want while at the same time not wasting time getting things they don't. He also stressed the need to make our reports readable for the intended audience, using plain language (no geek speak) in an executive summary along with a timeline to help put it all together for the jury or other non-techie audience. Much more was talked about than I can possibly cover in this post, but suffice to say it was an outstanding and very enjoyable talk.

Next up after a short break was Harlan Carvey. Harlan is a very well-known author in the forensic community with his Windows Forensic Analysis DVD Toolkit books (1st and 2nd editions), as well as his book Perl Scripting for Windows Security and the upcoming Windows Registry Forensics. He's also the creator of the RegRipper program and provides regular content to his Windows Incident Response blog. Harlan's scheduled talk was titled "Collaboration Between the Private Sector and Law Enforcement." Harlan is another "high energy" speaker, in that he is consistently walking around, engaging the entire audience and bringing them into the conversation. He's pretty funny, too.

Harlan started off with some introductory comments and then started what wound up being an excellent conversation on the lack of sharing and collaboration in our field. He posed questions and suggestions to the group and solicited comments, He rightly pointed out that there seems to be a reluctance to share information in the field, not just between law enforcement sector and the private sector, but really even between members of the same sector. I know this is an issue he has raised before on his mailing list and other places and it's a subject near and dear to his heart. He discussed ways to share information and provided possible solutions to reasons given for not sharing that were given by some audience members. There was excellent participation by the audience and I think a lot of legitimate concerns were addressed. I am hopeful that everyone there came away with something that would help them be more likely to participate in community discussions elsewhere and provide information that might help others.

When Harlan was done, it was time for the Social Hour. It was a nice time to get together with friends and make new ones as well. The vendors in attendance had their booths set up in the same area and had representatives in place. Later, the annual awards banquet took place followed by a special public presentation, which I did not attend.

That wraps up day one. I'll be posting recaps of each day and will try to catch up days 2 and 3 tomorrow.

Ken Pryor is a police officer and GCFA with the Robinson, Illinois Police Department. He has been a police officer since 1987 and has been working in the area of digital forensics since 2008. He can be contacted at


Posted October 14, 2010 at 6:11 PM | Permalink | Reply

Joe Garcia

Nice write upon WACCI. Wish I could have joined you guys. I\\'ll just have to wait for the SANS Forensic & IR Summit in Texas next year.

Posted October 15, 2010 at 12:21 AM | Permalink | Reply

Ken Pryor

Thanks Joe, I wish you could have been here too. It's been a great time for sure. Hope I can go to Texas too!

Posted October 15, 2010 at 7:27 PM | Permalink | Reply

Gregory Pendergast

Thanks for the review, Ken. Information sharing was an overarching theme at MIRCon as well, though from a somewhat different perspective, I suspect. The focus there was on the sharing of threat intelligence, which tends to be both more sensitive and more perishable. Would I be correct in guessing that Harlan was approaching it from more of a forensic perspective, in the sense that the shared information would be less time-sensitive?
At any rate, I'm sorry to say that I heard far more about the challenges of information sharing. Not so much about solutions. Did the discussion at WACCI fare any better? (Note: I'm not criticizing any of the presenters at MIRCon. I don't have a good answer to the information sharing question either.)

Posted October 27, 2010 at 1:01 PM | Permalink | Reply

kanyakumari hotels

I suspect. The focus there was on the sharing of threat intelligence, which tends to be both more sensitive and more perishable. Would I be correct in guessing that Harlan was approaching it from more of a forensic perspective, in the sense that the shared information