SANS Digital Forensics and Incident Response Blog

High Tech Crime Investigators Conference 2011 Report, Anonymous Promises Retaliation, DigiNotar Dies

The 25th High Technology Investigators Conference was held last week near Palm Springs California last week. Your SANS Forensic blogger attended the event, along with over 500 fellow lethal, and aspiring lethal, forensicators. Information security events like BlackHat, DefCon and RSA drawing thousands. It's more difficult to really get to know one's colleagues at those large events, since many times you never see the same person in two different sessions. But, at an event like HTCIA's, you really get a chance to talk and interact with other forensicators, compare notes on a previous talk, and you can probably sit next to a speakers during a lunch break.

One of the speakers attendees did interact with with The SANS Institute's very own Rob Lee. Rob Lee taught a number of sessions on digital forensic timelines at the conference. During one of the evening breaks, Rob "held court" where this blogger observed fans of the SANS Forensics program talking with Rob and sharing their success stories. The reach and influence of the SANS community is reaching deep into may organizations. Another day of the conference, this blogger even observed a forensicator asking a bald attendee wearing a SANS shirt, "Are you Rob Lee?" He wasn't, but it was great to see the word getting out.

Another SANS Forensic instructor lectured at the event: Scott Moulton. Scott Moulton is one of the leading experts in hard drive forensics. He didn't disappoint at the HTCIA Conference. His seminar on Solid State Drivers (SSD) was standing room only. In the Good Reads/ Good Listens section below, you may hear an interview on SSD forensics, and their unique challenges.

Duncan Monkhouse, President of HTCIA told The SANS Forensic Blog that the conference's goal was "To provide a broad range of training and labs, and still try to keep the event vendor neutral. The conference has 14 forensic lab streams, and seven lecture streams." HTCIA Executive Director Carol Hutchings said there was a 30% increase in attendance versus last year, and the HTCIA expects another sizable increase in next year's conference.

As the information security industry matures, we are really starting to see a bifurcation of events: Huge, well known shows with "Rock Star" speakers and large vendor participation; Smaller events with more of a "small town feel." This year's HTCIA Conference did have a "Rock Star" Keynoter, though, and he really started the show off with a bang. Back in the 80s, Dr. Cifford Stoll worked at a US Government research lab came under a cyber attack. There was not a rule book for the response. Dr. Clifford Stoll was assigned the task, and had to create a response largely on his own. His content and presentation was electrifying. Unlike the dull, but well known keynoters that kicked off most of the other information security conferences this year, Dr. Stoll gave a keynote that made this forensicator WANT to go to the labs and sessions to learn more.


  • From HTCIACon: For iOS forensicators, The iDevice Physical Imaging Utility. A free tool scheduled for release this month for Government, LE and other forensicators. This tool will conduct physical acquisition of iPhone4, 3GS, iPod Touch 4G, iPad, and "more to follow" (one could assume iOS5). Brute forcing of the iOS password, using the device's own chip, is required to image these devices. According to the company's president, Sean Morrissey, this tool uses this brute forcing technique to crack the password. Sean Morrissey told CyberJungle Radio, "I think imaging tools should be free, it's the analysis software that should cost money, not the imaging tools."

Good Listens / Good Reads:

  • From HTCIA Conference: Scott Moulton talk with CyberJungle Radio about the unique challenges of doing forensics on solid state drives (SSD). Beware, it's not your father's hard drive.
  • CyberJungle Radio's Samantha Stone would love to have a discussion about the oddball psychology behind this promotion drummed up for Toyota by its marketing firm, Saatchi & Saatchi, but she settled for a discussion of the legal questions it raises. Both companies are in court now with Amber Duick, who was terrified by the "prank" they perpetrated, which took the shape of disturbing emails from someone who claimed he was anxious to see Amber "again" ? although she had no idea who he was ? and that he was headed for her house (he had her correct address). By the way, he also said he was running from the law. Bottom line, Amber now has Toyota on the run in the California courts. CyberJungle Radio's Samantha Stone spoke with her attorney, Nicholas Tepper from Tepper Law Firm in Los Angeles. This case has potentially far reaching digital law implications.


  • Hacktivism Incident Response Planning Part II: Anonymous Declares Sept 24 "Day Of Vengeance" In The US, Plans A "Series Of Cyber Attacks"



Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 22, Sep 2011 was compiled by by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT, CRISC. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.