CEIC 2014 STUDENT SERIES: Kelsey Ward

From the moment I submitted my application to attend CEIC with Champlain College, I was both terrified and excited.  Finding out I had been accepted only intensified these feelings.  So when I stepped onto the plane at 5:10 AM, I was both in awe of the opportunity I had in front of me.

I can safely say that my awe was well-deserved, and every moment was filled with opportunity and challenges. Despite running on only two hours of sleep,  when I arrived in Las Vegas after nearly 8 hours of traveling with my best friend Kayla, I was more than ready to attend the conference.

1
My view on the plane from Albany, New York to Dulles, Washington.

Caesar’s Palace (where CEIC was held) was much bigger than I had ever imagined, and I found myself getting more and more confused as to where I was in the building with every step I took.  Once inside the expansive Expo Hall, I felt my stomach drop.  People were fluttering about from stand to stand, catching up with old friends and extending their personal networks.  I began to think I was in way over my head.  Some of the other Champlain students who had attended conferences before encouraged me to begin speaking with exhibitors.  Eventually I worked up the courage and began to talk with sponsors.  They were friendlier than I could’ve imagined and incredibly knowledgeable.  After explaining that I was a student from Champlain College who had just finished her first undergraduate year as a Computer and Digital Forensics major, many people congratulated me and told me what a great field I was getting into.  Though it was not easy, I found myself able to communicate with these people much better than I thought I would.  I learned about a lot of new products by speaking with representatives and watching demos.

When the time came for the Opening Key Note, I was worried that I would feel overwhelmed and confused.  As this was the Opening Keynote, it was more about the conference and Guidance Software than it was about specifics in cyber investigation.  I was thankful, but still feeling incredibly overwhelmed.  A big part of Victor Limongelli’s talk was the concept of taking the “red pill” from the Matrix.  As someone who has never seen the Matrix, the entire concept was confusing.

After the Keynote it was time to jump right into the sessions.  My CEIC experience began with an “EnCase Enterprise Basics” session.  I had never worked with EnCase prior to attending the session, so I found it to be incredibly helpful.  A lot of the information I learned was rather basic, as implied by the title, but the new information I took away from the session was that EnCase Enterprise is composed of three components: SAFE, examiner, and a servlet.  The SAFE is basically the authorization and authentication component, the examiner would be whoever is using the software to monitor an enterprise, and the servlet is used to compress data.  The slower the network, the lower priority EnCase should be run at.

At 6:00PM the poolside Welcome Reception began.  Walking out to the pool we were greeted by lavish Grecian warriors and ladies, as well as trumpeters.  There were gladiator battles, airbrush tattoos, and photo booths.  I was shocked to see these things there, but it did help to shatter the rigid illusion of professionalism I had told myself this conference would adhere to.  Instead, here were a group of people who hoped to not only have a good time and hang out with friends old and new, but also to learn.  At around 8PM, we decided to finally see what our room looked like and get ready to go out onto the strip.

Danielle, Kayla, and I getting “juiced” since there was nothing else for us to drink.
Danielle, Kayla, and I.

Day two began with a nice breakfast before we headed to our first sessions at 8AM.  My first session was “One User Multiple Devices: Cross-Platform Recovery and Analysis of Social Media and Chat Artifacts,” which I was looking forward to greatly.  Something I found interesting was how difficult it seemed to be to do forensics on a Chromebook because of the way the OS is set up.  You have to have the machine in developer mode, but there’s no sound way to access data and going into developer mode clears crucial data on the machine.

At 9:30 there was the first of two Industry Keynotes.  It was given by Joel Brenner, the author of “America The Vulnerable.”  He spoke of the weaknesses in cybersecurity and the ever-present danger of the cyber world.  Following the Keynote was an opportunity to return to the Expo Hall and continue to network.  I spoke with Jad of Magnet Forensics, the creator of Internet Evidence Finder, and learned how to use Belkasoft to capture and analyze data from RAM.

The giant screen in the Keynote Hall.
The giant screen in the Keynote Hall.

After spending some time in the Expo Hall, I went to my second session of the day,  “Solving PCI Discovery Challenges at Scale with EnCase Cybersecurity.”  The session focused on how to configure EnCase to monitor and protect Payment Card Industry data.  One of the most important things I took away from this session was how crucial it is to know where your data is stored.  It is also important to schedule regular scans to build records of PCI data, making it easier to ensure your data is secure and that there has not been a breach.  These records also make scanning easier because EnCase can filter out known files and hash values, leaving less data that personnel must manually sort through.

Next, I attended an amazing lunch complete with decadent desserts.  If there’s one thing that pushed my CEIC experience into the land of awesome, it might have been the desserts.  That’s not to belittle how lucky I was to be able to meet people in the industry and learn some invaluable information.

Day one of decadent desserts that almost brought me to tears.
Day one of decadent desserts that almost brought me to tears.

Come 1:30, it was time for the third session of the day.  For me, this meant I was heading to “EnCase as a Data Discovery Tool.”  The first part of the session was all about how a company decides what data is considered “sensitive.”  This typically includes: social security numbers, credit card information, and intellectual property.  One of the issues with finding this data and keeping it safe is that employees may use computers for things that violate company policy, like shopping on their lunch break.  This creates more sensitive data than the company intends on having.  Again, it is important and beneficial to scan for data regularly in order to speed up search times and improve security.  Another important reminder is to make sure you properly delete sensitive data and fully wipe drives that are repurposed.

My final session of the day was “Hands-On Smartphone Analysis.”  This session was a lab, with the smartphone files preloaded onto the computers.  This session was one of my favorites, and I learned a lot from it.  For instance, if you can keep a phone powered on until you are able to analyze it, you may be able to acquire more data from it.  There are also three types of acquisition: physical (block-based), logical (file-based), and content (data from within the files).  A content acquisition on an Android changes the original device, but still soundly collects evidence.  This was one of the first times I was able to really play around with EnCase and I had a fun time doing so.  Kayla was in the session with me, and we shared a few laughs while sorting through pictures and text messages that were left on the phones.

As the learning day came to a close, the strip had barely begun to light up.  However, after a quick change into more comfortable clothes, Kayla and I went off to explore.  It was strange to see the strip in the daylight.  After searching for cheap presents to no avail, we met up with some other students to grab dinner before heading back to the hotel.

Just outside the Venetian
Just outside the Venetian

After another early morning, I headed to my first session of the third day, “Defrag Forensics.”  The session was disappointingly short, but the information was still very interesting.  Different types of defrags (scheduled, manual, etc.) show various kinds of evidence in different places.  These artifacts can be found in prefetch files, user assist key in registry, other registry files, and event logs.  By examining these artifacts, you can determine whether a defrag was run manually to intentionally delete evidence, or if it was accidental.  Intentionally hiding, altering, or destroying evidence is known as spoliation.

Before I went off to my second session, I went back to the Expo Hall to continue networking.  I talked with a man from Digital Intelligence who asked about Professor Crane and told me about FRED.  I also spent a lot of time at the Cellebrite booth watching a demo and talking about different uses for the product and what their hopes for the future were.  I spoke with a woman named Christa Miller who is a well-known female in the digital forensics world.  It was very nice to hear her positive experiences and passion for the field, and only further encouraged me to become involved.

A horribly blurry image of FRED.
FRED.

The second session I attended was called “Why is Removing Malware So Difficult?”  I found this session to be a little above my head at times.  The first part of the session was spent learning about malware and how persistence and resilience are the biggest reasons removing malware is so difficult.  When it came time to actually infect the machines in the lab with malware, I got very lost.  I worked with Kayla, and though we were able to get some of the malware to infect the computer, we didn’t fully understand what exactly it was we were doing.  We had a small typo when creating the first malware file, and we found it very difficult to catch up completely.  Despite the issues we had regarding the technicality of the session, it was still very fun and I did take away some things that will hopefully make more sense as I learn more.

The result of Firefox being infected with DLL Hijacking malware.
The result of Firefox being infected with DLL Hijacking malware.

Next came time for lunch and more amazing desserts.   Kayla and I made an attempt to not sit with our peers so that we could meet new people.  We ended up meeting a really interesting and friendly man from the French-speaking part of Switzerland.  I don’t remember his name, but it was awesome to hear his international experiences.  We even swapped some travel stories since I had spent some time in Germany and the Netherlands as an exchange student in high school.

Second, and final, round of amazing desserts.
Second, and final, round of amazing desserts.

After lunch, I attended “Searching Your Case.”  This session was about how Matthew McFadden used EnCase in real life cases to search evidence and find incriminating data.  His presentation skills were spectacular, and his stories held both Kayla and I captive.  He spoke of how to be thorough in searching, and making sure you log everything you search or try.  He showed us a lot of tips on how to optimize EnCase to search and show results in evidence files.  Afterwards, Kayla and I went up to speak with him and express how helpful we found his session.  He was incredibly friendly and kind and I think I can speak for Kayla when I say that this was one of the best sessions either of us attended at the conference.  I hope that we are both able to follow Matthew in his future endeavors with Guidance Software because of how interested we both were.

The final session I attended was called “An Introduction to Cryptocurrencies: Bitcoin, Litecoin & Alt Currencies.”  The presenter was Andy Reid, who is actually currently studying at Champlain College for his Masters Degree.  I absolutely loved this session and found it packed with information that held my interest.  Cryptocurrencies are kind of similar to actual currency in that the value is intrinsic, and completely man-made.  Bitcoin is only worth money because we have decided it represents a certain amount of more physical currency like USD.  The easiest way to explain the concept of Alt Currencies is that there is a fixed amount available and they are released in set intervals after the correct hash value is calculated for a new transaction.  Getting involved in Bitcoin at this point is not very profitable because of how much processing power is needed to mine it.  One of the enticing things about Bitcoin is its anonymity.  Your name is not tied to anything.  You’re simply a number.  After the session, I spoke to Andy personally and he offered great advice on how to get involved in mining and told me he would be happy to share his research with me when it was complete.

The opening screen of the session.
The opening screen of the session.

After another day of sessions, a small group of us decided to go grab dinner together before we explored a new part of the strip. Four of us decided we were going to walk three miles to go to the world’s largest gift shop.  Our arrival to the store was greeted with a policeman informing us our three mile walk only granted us nine minutes of shopping time.  I shopped hurriedly before we were escorted out at 9PM.  Both the walk there and back was filled with complaints, but by the end of it we were all thankful for the experience and the adventure we had.

After a tiring six mile walk and a night of sleep that was too short, we headed down for the last breakfast of CEIC before our two final sessions.  The first session I went to was “Data Recovery.”  The presenter was very lively and told a lot of jokes to keep us all awake.  The information he gave us was apparently “top secret,” so I’m not sure how much I can include in this blog post.  However, he did show us some of the processes for recovering data after both software and hardware problems, along with his favorite products for recovery.

Approximately $25k worth of data recovery equipment.

The final session I attended was “How Internet Evidence Told the Whole Story: Criminal Investigation of a DDOS Attack.”  This session was more story-telling than it was educational.  It was still interesting to see how they used Internet Evidence Finder in a real life case to find evidence they could use, however.  They used IEF to examine mIRC, MSN Plus, Gmail, and Google Chrome.  Many of these applications have logs which can be checked for evidence, as well as leaving evidence in the RAM.  The law enforcement officer also spoke of how important it is to perform a data triage and build a timeline in a case.

When the final session came to a close, I couldn’t help but feel sad.  The wonderful opportunity I had been anticipating was quickly coming to an end.  I wasn’t ready to leave.  I was beginning to form relationships with some of the professionals, and I hope to keep in contact with them in the future.  When Kayla and I finally sat on the plane to go home, we saw a woman in a Guidance Software polo and joked about how strange it would be if she had the empty seat in our row.  The look of surprise we shared when the woman sat next to us was priceless.  We were able to discuss our experiences with her and further connect with other professionals.  She told us how much she hoped we came back for the next CEIC to further our networks and knowledge.

Looking back on the trip, I don’t think I can thank anyone involved enough.  I am truly lucky to have been awarded the opportunity to attend CEIC, and I loved every second of it, even if I had to get up early.  I wouldn’t have been able to go if it weren’t for the generous support of Champlain College, Guidance Software, and Caesar’s Palace.  I sincerely encourage others to look into CEIC for next year because of the experience I had.  It was a wonderful mix of networking and educational experience with a lot of fun and memories I can keep for a long time.

More Conferences & Events
Champlain College as Finalists in NECCDC
A Reflection On Our Cyber Symposium
Leahy Center Thrilled to be Celebrating Ten Year Anniversary!