My CEIC 2014 Experience in Las Vegas
I came home from the Computer Enterprise Investigations Conference (CEIC) 2014 with a stack of newly acquired business cards, an assortment of trinkets from Las Vegas, and a great breadth of new information that will surely shape my years at Champlain College to come. It was an invaluable experience and I am thankful to Champlain College and Guidance Software for the opportunity. In addition, I would like to thank all those who helped plan the trip, especially Jonathan Rajewski and Joseph Williams.
I was able to attend ten great sessions, as well as all three of the keynote presentations. After checking in on Monday (the first day), I learned what evidence could be recovered on Windows machines even after the files have been deleted in Uncovering the Covered Tracks: Finding What’s Left Behind. It’s amazing what may be recovered months after it has been deleted off of a computer.
On Tuesday, I learned about new digital forensic techniques that use OEMs’ tendencies on reboot (mostly to save time) to extract invaluable information even off the most highly secured computers in Field Triage and RAM Analysis. I also learned how Project VIC was revolutionizing how child exploitation is combated using innovative hashing algorithms and data structures. I finished the day learning how to detect if an employee is stealing data from a company using a USB drive in How to Catch an Insider Data Thief.
I was also lucky enough to attend Oleg Davydov’s (CTO of Oxygen Software) session Challenges in Obtaining and Analyzing Information from Mobile Devices on Tuesday. Oxygen Software had discovered that the developers of WhatsApp for Android and Blackberry had used (up until very recently) a hard-coded encryption key to protect sensitive data. Although the encryption method they used was fairly secure (AES-256), the complete implementation was lacking for an app that has millions of active users and was purchased by Facebook for $19 billion. Oleg Davydov was kind enough to send me some updated information regarding the newest encryption implementation for WhatsApp, which I intend to look into myself to see where I might be able to improve my personal encryption utilities.
On Wednesday, in Insider Threat: Investigation of Trade Secret and Intellectual Property Theft, experts in the industry recounted real-world cases where they investigated data theft with damage costs from hundreds of millions of dollars to potentially two billion dollars. Following that, in Responding to a Cyber Security Incident – A Real World Customer Example, I was given some unique insight by industry professionals on what procedures worked best to quickly resolve cases, especially at companies where there are thousands of company devices (laptops, desktops, and a whole lot of smartphones) that employees have access to.
In Finding Malware on a Windows Computer, I was able to polish and expand on my skills and competencies for removing nasty types of persistent malware. We also learned about the current favored tactics being used to disguise malware. I ended my Wednesday with Responsive Forensics for Offensive Tactics, which discussed the increasing demand and necessity for experts who know how to launch attacks and computer exploits, as well as how to detect those attacks and defend against them.
The final session I attended, which was on Thursday, was Advanced Decryption Techniques. It went over how to decrypt files using Guidance’s EnCase software in conjunction with Passware’s Forensic Toolkit. For the Microcomputer Project I am currently working on at the LCDI (The Senator Patrick Leahy Center for Digital Investigation), one of my tasks is to implement robust encryption and hashing utilities. Seeing how experts in the industry might go about trying to break the encryption on a given file has given me new ideas on how to defend against those tactics and create even more robust solutions. I may not see or have access to the source code Passware uses for its various decryption attacks, but I now know the methods it uses and how to mitigate their successfulness. This experience has given me a project to work on over the summer and back at the LCDI once the school year resumes.
All of the sessions I attended were great, but they were only a small fraction of the total number available to attend, which is part of what makes CEIC so great. Beyond the excellent sessions were the three keynotes, some of which yielded some very valuable insights. The keynotes were Victor Limongelli’s (CEO of Guidance Software) opening presentation, Joel Brenner’s (Former Inspector General and Senior Counsel, National Security Agency) industry keynote, and Justin Somaini’s (CTO of Box) industry keynote. These insights regarded the massive explosion of data and the industry’s urgent need for more qualified cyber security and digital forensic experts.
I desired to attend this conference mostly because of my work at the LCDI. All of the students at the LCDI are exceptionally talented and are undoubtedly tomorrow’s cyber security and digital forensics leaders. I am a Computer Science and Innovation major at Champlain College, and the only computer science major to go to CEIC 2014 with the group this year. I am one out of only a handful of computer science majors who work at the LCDI. After working for only one semester, I noticed that there was a significant gap that needs to be bridged in the lab and field.
Looking at the representatives of the industry at CEIC, there were law enforcement officers and private security contractors and federal agents for every three-letter agency (as well as a large number of international attendees from the private sector), but I had a hard time finding software engineers, a situation similar to the one at the LCDI. There were many Chief Technology Officers, who helped create the core programs that made their companies what they were, and many at the conference understood basic programming and scripting; however, specialized software engineers seemed to be missing. All of the experts relied on several tools to get their jobs done in an efficient manner, and efficiency is important when you’re running up against all sorts of deadlines to prosecute and to prevent any sort of further monetary damages. All of these tools being used require an advanced degree of study in the field of computer science to develop and support on such a large scale: dozens of agencies and companies were using them all over the place on a countless number of devices.
It is clear more cyber security and digital forensics graduates are needed to keep up with demand. There was talk of synergy between the two distinct areas of study as a means to improve efficiency and readiness throughout the industry. I propose another area where I see room for improvement: more synergy between these cyber security and digital forensics experts and the software engineers making all of these tools possible behind the scenes. Why aren’t more of these software engineers on the front lines?
Seeing, discussing, and partaking in some of the current day-to-day workflow that these experts navigate through was invaluable from a software design standpoint; right off the bat my passion for computer science ensured I was ready with a great many new ideas to potentially. With a more tightly coupled relationship between the programmer and the forensic or security expert come tools that are, in every way, better. This would lead to less investigation and more action, yielding quicker results with a more complete set of evidence for every case.
CEIC 2014 was a great experience. I hope to take some of the great software and tools we’ve been working on at the LCDI and present them as a team at a similar conference in the near future to gain helpful insight and important feedback.
Champlain College Computer Science and Innovation Major
Software Engineering Specialization, Mathematics Minor
Microcomputer Project at The Leahy CDI