SANS Digital Forensics and Incident Response Blog

WACCI Digital Forensics (Part 2)

After the great opening day of the Wisconsin Association of Computer Crime Investigators (WACCI) conference, I arrived at the Alliant Energy Center exhibition hall for day two of the four-day conference feeling optimistic about the chances for another exciting day. Once again, I was not disappointed.

The day began with a light breakfast followed by a few conference announcements. There were to be no keynote speeches that day, so next up were the breakout sessions. I chose to attend one entitled Browser Artifact Forensics, taught by Charles Giglia of Digital Intelligence. My partner in crime, Brad Garnett went to a session taught by Fergus Toolan entitled Perl & Regular Expressions in Forensic Exams. I had a difficult time deciding which session to attend, a problem I would face several times during the week, as there were so many different ones I was interested in. Brad and I decided to attend different sessions and then discuss them with each other later on.

Charles Giglia did a great job in the time available going over things to look for when doing exams related to Internet Explorer 8. I'm a note taker and came away with just over two pages worth of information from this session. Giglia had plenty more to tell us than he had time to tell, but he did a great job covering information such as the default settings of IE 8 and locations to find settings and artifacts. One thing I particularly found interesting involved his finding of files in the Temporary Internet Files with filenames beginning wkb*.tmp (the asterisk indicating various characters found after the wkb). He explained these had actually come from Windows Live Mail and contained the message body, but none of the email header information. Also discussed were items related to browser history, cookies and some registry settings having to do with downloads and the TypedURLS key. As always, there was more covered than I can possibly write about in one blog post. I would have liked to hear about Firefox and other browsers, but there was no way that could be done in the allotted time.

After this session was over, I met up with Brad and we were soon joined by Harlan Carvey. Harlan had gone to another breakout session I had wanted to attend called Malware, Trojans & Botnets 101, taught by Kevin Bong. We talked about the sessions we had gone to and all came away feeling like we could perhaps take something away from the session we had attended.

For the next 2 hours and fifteen minutes, the breakout sessions were all given by vendors with one fifteen minute break in the middle. I must confess, the three of us mentioned above skipped those sessions and instead stayed in the open common area talking with each other and networking with others passing through. I thoroughly enjoyed this opportunity to meet and greet people and get to know other forensic practitioners. That was something I really liked about attending WACCI, because it had big time speakers and sessions but was still small enough that you could literally talk to everyone there if you wanted to. I found everyone there very friendly and eager to talk about the work we do. Well, there was one attendee I met who seemed to have all kinds of things to complain about (not about WACCI, just things in general), but other than him everyone else seemed genuinely excited about digital forensics.

Following another excellent lunch, it was time for more breakout sessions. Again, I had a hard time deciding which one to attend, but I settled on Live RAM Analysis, taught by Det. Rick McQuown of the Milwaukee, WI Police Department. I had never heard Rick speak before, but had read material he'd posted on his blog. I could tell from the moment the session began that he is really interested in and excited about RAM analysis. It's really fun listening to a speaker who truly enjoys the topic he's speaking on and he made the entire ninety minutes an educational and fun experience. He talked about the benefits of capturing RAM prior to pulling the plug to make it possible to find memory-resident only malware and many other artifacts lost once power is removed. My only regret was that ninety minutes was all he had, as the session was extremely interesting.

The final session I attended on day two was Intellectual Property Theft Investigations-Stealing the Show, given by Gary Kissinger. Gary is a retired FBI agent who now works for the Motion Picture Association of America (MPAA) investigating movie piracy. He spoke about the financial impact of piracy on the motion picture industry and talked about methods people use to pirate movies, as well as methods he and his colleagues have used to catch them. He gave a number of examples of how people sneak high quality camcorders and other equipment into movie theaters in order to record and then make copies of films, which they then sell. Also discussed were the means by which pirated films are copied and sold via street vendors and the Internet. It was a topic I had never given a lot of thought to and the session was interesting, though it probably didn't need the full ninety minutes.

Overall, it was another fun and interesting day. I'll be writing another post on day three as soon as I have time.

Alliant Energy Center


Posted October 20, 2010 at 12:37 PM | Permalink | Reply

Ben Koehl

Conference and presos sounded really good ''" Is there anywhere we can download the presos or WP/slides?

Posted October 20, 2010 at 4:07 PM | Permalink | Reply

Ken Pryor

Hi Ben, I'm don't know what will be made available. If you go to the WACCI website, you can see how to contact them and ask.