
SANS Digital Forensics and Incident Response Summit Agenda 2013

#DFIRsummit

Tuesday, July 9, 2013

Time / Room 1 / Room 2

7:00am - 8:00am
Registration | Networking Breakfast
Presented By

8:00am - 8:10am
Welcome and Introduction to the 2013 Digital Forensics and Incident Response Summit
Rob Lee & Alissa Torres - Summit Chairs, Digital Forensics and Incident Response Summit

8:10am - 9:10am
Digital Forensics and Incident Response Summit - Keynote Address - TBA

9:10am - 9:20am
Networking Break

9:20am - 10:20am
Room 1 - Title: File system journaling forensics theory, procedures and analysis impacts
David Cowen with Matthew Seyer, G-C Partners, LLC
Room 2 - Title: Mining for Evil
John McLeod - Manager, Incident Response Team
Mike Pilkington - Senior Consultant, Incident Response Team

10:20am - 10:40am
Networking Break

10:40am - 11:40am
Room 1 - Title: The "Trusted" Insider Theft of Intellectual Property and Trade Secrets
Warren G. Kruse II - VP, Altep, Inc.
Michael Barba - Managing Director, BDO
George Wade - Senior Manager, Booz Allen
Room 2 - Title: Volatile IOCs for Fast Incident Response
Takahiro Haruyama - Forensic Investigator, Internet Initiative Japan Inc.

11:40am - 12:40pm
Lunch & Learn
Presented By

12:40pm - 1:40pm
Room 1 - Title: Johnny AppCompatCache: the Ring of Malware
Jeff Hamm - Senior Consultant, MANDIANT
Mary Singh - Senior Consultant, MANDIANT
Room 2 - Title: iOS Device Forensics on a Budget
Brian Moran - Digital Forensic Analyst, CyberPoint, LLC

1:40pm - 2:40pm
Room 1 - Title: (Mostly) Open Source DFIR – A Toolkit for End-to-End Investigations
David Kovar - Manager, Advisory Center of Excellence, Ernst & Young
Room 2 - Title: Offence informs Defense, or does it?
Jeff Brown - Director of Cyber Operations, Cyber Clarity

2:40pm - 3:00pm
Networking Break

3:00pm - 4:00pm
Room 1 - Title: Open Source Threat Intelligence
Kyle Maxwell - Senior Analyst, Verizon Business
Room 2 - Title: Cyber Nightmares: Red October & Shamoon
Harold Rodriguez - Malware Reverse Engineer, General Dynamics Fidelis Cybersecurity Solutions

4:00pm - 5:00pm
Room 1 - Title: Automating Malware Analysis with Cuckoo Sandbox
Claudio Guarnieri - Security Researcher, Rapid7
Room 2 - Title: "My name is Hunter, Ponmocup Hunter"
Tom Ueltschi - Security Officer, Swiss Post

5:00pm - 6:00pm
Room 1 - Title: Hunting Attackers with Network Audit Trails
Tom Cross - Security Researcher, Lancope
Charles Herring - Security Researcher, Lancope
Room 2 - Panel Title: Women in DFIR Panel
Stacey Edwards
TBA
TBA
TBA


Wednesday, July 10, 2013

Time / Room 1 / Room 2

7:00am - 8:00am
Networking Breakfast
Presented By

8:00am - 8:30am
Title: Forensic 4Cast Awards
Lee Whitfield - Director of Forensics at Digital Discovery - http://forensic4cast.com

8:30am - 9:30am
Room 1 - Title: Autopsy 3: Extensible Open Source Forensics
Brian Carrier - VP of Digital Forensics, Basis Technology
Room 2 - Title: Timeline Analysis by Categories
Corey Harrell - IT Specialist III, New York Office of the State Comptroller

9:30am - 10:30am
Room 1 - Title: Detecting data loss from cloud synchronization applications
Jake Williams - Principal Consultant, CSRgroup Computer Security
Room 2 - Title: A Day in the Life of a Cyber Tool Developer
Jonathan Tomczak - Chief Information Officer, TZWorks, LLC

10:30am - 10:50am
Networking Break

10:50am - 11:50am
Room 1 - Title: Proactive Defense
Adam Meyers - Director of Intelligence, CrowdStrike, Inc
Room 2 - Title: The 7 Sins of Malware Analysis
Dominique Kilman - Malware Analyst, KPMG LLP

12:00pm - 1:00pm
Lunch & Learn
Presented By

1:00pm - 2:00pm
Room 1 - Title: Plaso – Reinventing the Super Timeline
Kristinn Gudjonsson - Senior Security Engineer, Google
Room 2 - Title: Facilitating Fluffy Forensics (a.k.a. Considerations for Cloud Forensics)
Andrew Hay - Chief Evangelist, CloudPassage, Inc.

2:00pm - 3:00pm
Room 1 - Title: Timeline creation and review, GUI style!
David Nides - Manager, Forensic Technology Services, KPMG LLP
Room 2 - Title: Building, Maturing, and Rocking a Security Operations Center
Brandie Anderson - Manager, Security Operations Center and Security Delivery Operations, Hewlett-Packard

3:00pm - 4:00pm
Room 1 - Title: ICS, SCADA, and Non-Traditional Incident Response
Kyle Wilhoit - Threat Researcher, Trend Micro
Room 2 - Title: Restoring Credential Integrity after an Enterprise Intrusion
James Perry - Lead Associate, Booz Allen Hamilton
Anuj Soni - Lead Associate, Booz Allen Hamilton

4:00pm - 4:20pm
Networking Break

4:20pm - 5:30pm
DFIR SANS360

In one hour, 10-12 Digital Forensics and Incident Response experts will discuss the coolest forensic technique, plugin, tool, command line, or script they used in the last year that really changed the outcome of a case they were working. If you have never been to a lightning talk, it is an eye-opening experience. Each speaker has 360 seconds (6 minutes) to deliver their message. This format allows SANS to present 10-12 experts within one hour, instead of the standard one presenter per hour. The compressed format gives you a clear and condensed message, eliminating the fluff. If the topic isn't engaging, a new topic is just 6 minutes away.

1. Don't be a script kiddie - Kyle Maxwell, Verizon
2. Hunting and Sniper Forensics - Jason Lawrence
3. Incident Readiness - Top 10 Keys to a Successful Forensic Investigation - J Jewitt
4. Social Media Forensics - Brian Lockrey
5. Finding Evil Everywhere: Combining host-based and network indicators - Alex Bond
6. Chasing Malware, Not Rainbows - Frank McClain
7. Raising Hacker Kids - Joseph Shaw
8. TBA - Hal Pomeranz
9. A Decade of Trends in Large-Scale Financial Cyber Breaches - Ryan Vela
10. Reconstructing Reconnaissance - Mike Sconzo
11. Advanced Procurement Triage - Michael Ahrendt

5:30pm - 5:40pm
Summary & Closing Remarks
Rob Lee & Alissa Torres - Summit Chairs, Digital Forensics and Incident Response Summit


Session Information

Title: File system journaling forensics theory, procedures and analysis impacts

Presenters: David Cowen with Matthew Seyer

Abstract: Journaled file systems have been part of modern file systems for years, but computer forensics has approached them mainly as a method of recovering deleted files. In this talk we outline the three major file systems in use today that use journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. We demonstrate tools for NTFS and EXT3/4 that allow us to:

■ Recover data hidden or destroyed by anti-forensics
■ Recover previously unrecoverable artifacts
■ Trace all file system movements and actions of malware
■ Explore the possibility of entirely new analysis techniques

We end with a review of HFS+ and the future of file system forensics in relation to journals and new file systems such as ReFS.

Biography

David Cowen, CISSP, is a partner at G-C Partners, LLC, based in Dallas, Texas. Mr. Cowen is one of the authors of Hacking Exposed: Computer Forensics (first and second editions), the third edition of the Anti-Hacker Toolkit, and the upcoming 'Computer Forensics, A Beginner's Guide', all from McGraw Hill. Mr. Cowen is also the author of the popular Hacking Exposed Computer Forensics Blog and a graduate of the University of Texas at Dallas with a B.S. in Computer Science. Mr. Cowen is the captain of the National Collegiate Cyber Defense Competition's Red Team. Mr. Cowen has been doing computer forensics since 1999 and information security since 1996, acting as an expert witness in civil cases around the nation. Working as a computer forensic expert, Mr. Cowen has assisted Fortune 500 companies across the United States and the world in dealing with civil litigation and internal investigations.


Title: Mining for Evil

Speaker Name(s): John McLeod; Mike Pilkington

Speaker Titles: Manager, Incident Response Team; Senior Consultant, Incident Response Team

Abstract:

Microsoft’s System Center Configuration Manager (SCCM), formerly Systems Management Server (SMS), can be a gold mine when hunting for evil. During a response it can provide valuable information of what was executed on the host system. This presentation will provide an understanding of SCCM, host artifacts, scripts and tips to find targeted threats in your enterprise. Although this presentation details SCCM, the concepts can be used on similar configuration-management platforms.

The second part of this presentation will delve into the finer points of Windows log file analysis. Properly configured Windows logging can provide a wealth of information, making the jobs of both proactive intrusion detection and reactive incident response faster and more effective. We’ll discuss a number of tips and techniques for implementing a strong logging policy and for analyzing the resulting logs for evidence of compromise.

Biographies:

John is a Manager at a Fortune 500 company and is responsible for IT Security Defense services. He has engaged and neutralized targeted threats since the 90's, starting while serving in the Air Force Office of Special Investigations as a Computer Crime Investigator. He holds a Master's degree in Network Security and various certifications. He is a recognized subject matter expert in Computer Crime, Incident Response and Digital Tradecraft. He was involved in many high-profile investigations, including Operation Aurora, the TJX hacking incident, Solar Sunrise, Moonlight Maze and Titan Rain. He conducted digital media exploitation in Kosovo, Iraq and Afghanistan.

Mike Pilkington is a Senior Security Consultant for a Fortune 500 company in the oil & gas industry. He has been an IT professional since graduating in 1996 from the University of Texas with a B.S. in Mechanical Engineering. Since joining his company in 1997, he has been involved in software quality assurance, systems administration, network administration, and information security. Mike currently serves as a lead responder on the company's intrusion detection and incident response team. Outside the office, Mike has been involved with the SANS Institute as a mentor and instructor, leading classes in computer forensics and wireless security.


Title: The “Trusted” Insider Theft of Intellectual Property and Trade Secrets

Speaker Name(s):

Warren G. Kruse II, VP, Altep, Inc.

Michael Barba, Managing Director, BDO

George Wade, Senior Manager, Booz Allen

Abstract

As company downsizing becomes more prevalent in today's economic downturn, businesses are increasingly vulnerable to the pirating of Intellectual Property by current and former employees. Learn how to mitigate these risks as one of the former lead investigators of the “Comtriad” investigation shares the story of that case. See how Warren Kruse, George Wade, and Michael Barba became aware of a potential issue, developed a strategic approach, assessed potential damages, and developed leads using forensic and network technologies, which led to the arrest of three foreign nationals attempting to appropriate Intellectual Property valued in excess of one billion dollars. This investigation garnered worldwide attention and received the High Tech Criminal Investigative Association's (HTCIA) Case of the Year award.

Hear how computer and network forensics, along with current technologies and with a little luck, aided this investigation.

Biography

Warren is a vice president with Altep Inc., a national provider of e-discovery and computer forensic services. He has spent the last twenty-five years in law enforcement and as a consultant supporting various agencies with incident response, computer forensics and eDiscovery. He is the President of the Digital Forensics Certification Board (www.DFCB.org). He is the author of “Computer Forensics: Incident Response Essentials”, and has supported incident response projects across a wide range of major U.S. corporations and agencies. In addition, he led a team of computer forensic experts in a three-year engagement in support of a fraud investigation task force at the world’s largest international cooperative organization. He was the eDiscovery expert for AMD in the AMD versus Intel antitrust lawsuit; led the forensics on the billion dollar "Comtriad" theft of Intellectual Property and Trade Secrets; and testified as a computer forensic expert for the US Securities and Exchange Commission (SEC).


Title: Volatile IOCs for Fast Incident Response

Speaker Name: Takahiro Haruyama

Speaker Title: Forensic Investigator

Company: Internet Initiative Japan Inc.

Abstract:

Incident response against malware infection generally takes a long time because of memory forensics, disk forensics and malware analysis. It is desirable to find and identify malware at an early stage by performing memory forensics, but that requires expert knowledge about malware. In this session, I show "volatile IOCs (Indicators of Compromise)" to detect some famous malware (e.g., ZeuS, SpyEye, Poison Ivy) in physical memory images. By using the IOCs, anyone can pinpoint the type of malware without disk forensics and malware analysis. Attendees can also learn the techniques of fast malware triage. Specifically, I explain how to define volatile IOCs using OpenIOC, an extensible XML schema for describing technical characteristics of known threats. Some IOCs are already available on the Internet, but most of them are difficult to reuse and need non-volatile information such as file hash values and file names. The volatile IOCs introduced in this session can identify malware, including its variants, based only on volatile evidence such as header signatures of data structures, deobfuscated strings and signs of code injection in memory space.

Biography:

Takahiro Haruyama, EnCE, is a forensic professional with over seven years of extensive research experience and knowledge in intrusion detection, authentication, VPN, digital forensics and malware analysis. He is the author of memory forensic EnScripts such as Raw Image Analyzer (previously known as Memory Forensic Toolkit) and Crash Dump Analyzer. He has also spoken at several conferences about digital forensics and computer security, including Black Hat Europe, The Computer Enterprise and Investigations Conference (CEIC), RSA Conference Japan, and the FIRST Technical Colloquium.


Title: Johnny AppCompatCache: the Ring of Malware

Speaker Name(s): Jeff Hamm & Mary Singh

Speaker Title: Senior Consultants

Company: MANDIANT

Abstract:

In 2012, MANDIANT investigators determined that a registry key, AppCompatCache, maintained a list of executable files. The structure also contained dates and timestamps. Researching the structure indicated that it belonged to the Windows Application Compatibility Database. The structure itself contains full file paths, date and time information, file sizes, and, in some versions of Windows, an execution flag. A MANDIANT consultant, Andrew Davis, wrote a Python script that is able to extract the information from the various versions of the Application Compatibility Database. With this tool and knowledge, MANDIANT has been able to enhance its investigations by determining that executable files were on a system and putting time or chronological context to the investigation where none had existed before. This paper and discussion will examine the structure of the database across the various versions of Windows, discuss why many Windows registry analysis tools fail to see the structure’s data, and provide examples of case work that illustrate why analysis of the Application Compatibility Cache has become a regular process in MANDIANT investigations.

Biographies:

Jeff Hamm is employed with MANDIANT as a Senior Consultant, where he conducts forensic examinations and incident response. Responses and examinations range from a single host to over 100,000 hosts on a network. He also works part-time as an adjunct lecturer at Gjøvik University College in Gjøvik, Norway, where he provides intense practical labs based on real-world computer forensic incidents using both Windows and Linux hosts and attackers. He was a Deputy with the Oakland County Sheriff’s Office in the State of Michigan, USA, for over 11 years. He worked four years with the Sheriff’s Office as a Computer Crimes Detective and Forensic Examiner and three years as a first-line supervisor (Sergeant). Jeff has significant training in the computer forensic field and obtained his CFCE (Certified Computer Forensic Examiner) in 2003. He obtained his ACE (AccessData Certified Examiner) in 2008, his EnCE (EnCase Certified Examiner) in 2010, and his GCFA (GIAC Computer Forensic Analyst) in 2010. He has been instructing in the field of computer forensics since 2004 at IACIS (The International Association of Computer Investigative Specialists).

Mary Singh is a Senior Consultant with Mandiant with over ten years of experience in information security. Ms. Singh specializes in forensic analysis, location of information exposure, and EnCase forensic software. She has experience in military information operations, intrusion detection and incident response, and has identified specific military and engineering data targeted at several major defense contractors. In a recent investigation, she discovered a malicious driver that was unknowingly being hosted and distributed from a legitimate website. In the military and as a consultant, Ms. Singh developed both network and host level indicators of compromise. She shares her experience and knowledge by teaching courses on network investigative techniques and incident response, most recently at Black Hat USA 2012. She also presented the past two years at the DoD CyberCrime Conference, sharing the latest methods to “find evil” with law enforcement, federal government, and industry.


Title: iOS Device Forensics on a Budget

Speaker Name: Brian Moran

Speaker Title: Digital Forensic Analyst

Company: CyberPoint, LLC

Abstract

The prominence of mobile devices has exploded in recent years, and rapid mobile device growth is expected to continue over the next several years. Many companies have created solutions for performing forensic analysis on these devices; however, these tools are often very expensive and may be cost prohibitive for many companies and/or agencies to purchase. This talk will cover ways that an examiner can perform some forms of forensic analysis on iOS devices using open source or very cheap tools. The methods and techniques demonstrated in this presentation allow an examiner to perform analysis on iOS devices, but they can be applied to other phone operating systems as well.

Biography

Brian Moran is currently employed by CyberPoint, LLC as a digital forensic analyst. Mr. Moran was hired by CyberPoint in 2012 following a brief stint at cmdLabs after spending 13 years in the United States Air Force. He has spent the past 10 years working in the mobile device and incident response/digital forensics career fields. His first DFIR experience came during a 2004 deployment to Mosul, Iraq. He returned to Iraq in 2006 to serve in a support role performing digital forensics in support of detainee operations. He was a co-winner of the 2012 Unofficial Forensic 4cast Awards under the "Best Photoshop of Lee Whitfield" category. He currently resides in Maryland where he enjoys photography, pandas, outdoor activities, and attending Orioles games.


Title: (Mostly) Open Source DFIR – A Toolkit for End-to-End Investigations

Presenter: David Kovar

Title: Manager, Advisory Center of Excellence

Company: Ernst & Young, LLC

Abstract:

We are entering a “golden age” of incident response investigations. After many years of being outgunned and depending mostly on expensive tools to fight back, a wide range of open source tools and powerful low cost applications are coming on line. Look at the Collective Intelligence Framework, Google’s Rapid Response, Malformity, foorep, and plaso to name a few. We will spend most of the session taking a close look at some significant tools and how they contribute to a well-run incident response effort. We will close with a quick run through a number of other tools that you might want to investigate.

● Google Rapid Response – We heard about GRR at the Summit last year. Is it ready for prime time? How can you instrument, monitor and investigate a global enterprise with an open source tool?

● Maltego with Malformity – Using Maltego to conduct open source investigations of malware, network indicators, and threat actors. There are some very interesting transforms coming out to help shape Maltego for incident response.

● Foorep – You need to organize, categorize, and share your evidence. Foorep handles a lot of the static analysis, presents the results well, enables the analyst to annotate the samples, and facilitates sharing of samples and intel.

● Yara/OpenIOC/STIX – You’ve got a piece of malware, great. Now, how do you find it in the wild? Or find things like it? Or find things that behave like it? Despite claims to the contrary, signatures and IOCs provide a lot of IR value, even if you’re just using them to share intel.

● Collective Intelligence Framework – “A framework for warehousing intelligence bits.” So you’ve got your malware all tidied up in a malware zoo. What about the rest of your data? CIF doesn’t get it all, but it goes a long way to collect, normalize, and report on threat intel from a variety of feeds.

At the end of the session you should have enough information to go home and stand up a pretty impressive incident response toolkit capable of meeting many needs in a large enterprise at the cost of your time and some hardware.

Bio:

David Kovar is a manager in Ernst & Young’s Advisory Center of Excellence where he develops and offers operational services in the digital forensics and incident response space. He has also been an entrepreneur, ediscovery consultant, software engineer, search and rescue incident commander, executive protection agent, and a lethal forensicator. He’s collected images in China, rescued wayward Americans in Australia, and fenced with APT actors from all over the world.


Title: Offence informs Defence, or does it?

Speaker Name: Jeff Brown

Speaker Title: Director of Cyber Operations

Company: Cyber Clarity

Abstract:

This presentation will look at various highly publicized attack campaigns (CVE-2011-0609, CVE-2012-1535 & CVE-2012-4792) and reveal the behavioral characteristics found in each one. Attack methodologies and defensive measures will be explored in the malware, the memory artifacts and the network traffic signatures. The idea is to enumerate features of the attacks to supplement defensive operations, and this can only be accomplished through intelligence derived from the campaigns. Open source intelligence can be a great source of data on present-day attacks and can yield volumes of threat data in a timely fashion. All of these facets will be combined and fused into a process that can make it more difficult for the attacker to succeed and help defenders elevate their awareness.

Biography:

Jeff Brown has over twelve years’ experience in information technology, with over seven years in computer network defense and cyber threat intelligence. He has worked in various large-scale security operations centers where he augmented analytical capabilities, advised leadership on security architecture and conducted trainings/briefings for constituents across multiple sectors. His previous experience includes advancing analytics at US-CERT by bringing passive DNS database access to analysts, conducting various training classes on current attack trends for security analysts, and briefing organizations such as the FS-ISAC, FIRST, the DHS SOC, various other federal agencies and law enforcement on elements of APT and cybercrime. He has developed curriculum and taught classes on information assurance for Regis University and on cyber warfare (attack/defense) at George Washington University.


Title: Open Source Threat Intelligence

Speaker Name(s): Kyle Maxwell

Speaker Title: Senior Analyst

Company: Verizon Business

Abstract:

Organizations can no longer rely purely on general, preventive controls. Instead, defenders must continually adapt to their adversaries, including using threat intelligence as appropriate. This talk will examine a number of tools and sources of “open source” intelligence (OSINT) focusing on network indicators, malware, and threat actor tracking. We will also look at how to extend and integrate these tools and sources with existing common technologies for already-stressed incident response teams.

Biography:

Kyle Maxwell is a senior network security analyst for Verizon Business on the RISK Intel team, producing unclassified threat intelligence for private and public sector clients as well as supporting field investigators. He writes a blog on threat intelligence and network security at ThreatThoughts.com. Previously, he led the incident response team at Heartland Payment Systems and performed digital forensics for clients across the United States at several private investigation firms. Mr. Maxwell holds a degree in Mathematics from the University of Texas at Dallas.


Title: Cyber Nightmares – Operation Red October and Shamoon

Speaker Name(s): Harold Rodriguez

Speaker Title: Malware Reverse Engineer

Company: General Dynamics Fidelis Cybersecurity Solutions

Abstract

The presentation will cover potential delivery methods used to infect the victim hosts and networks of the two most recent malware attacks: Shamoon and Red October. The presentation will also explore some of the implementation and obfuscation techniques that might explain how the malware used in the Red October operation was reportedly undetected for several years. During the live analysis of these pieces of malware, attendees will be exposed to a series of tools used for malware analysis, together with suggestions on report writing.

Biography

Mr. Rodriguez received an MS EE from Johns Hopkins University. He has about seventeen (17) years of experience in the engineering field. Mr. Rodriguez worked as a Federal employee in the MD area. After that, Mr. Rodriguez worked as a contractor for a customer in the Fort Meade area and at the Defense Cyber Crime Center (DC3). At DC3, Mr. Rodriguez was involved in the areas of Research & Development, Network Intrusions, Computer Forensics, and Malware Analysis/Reverse Engineering.


Title: "Malware is for the Bad, Automation the Good... don't be the Ugly." "Automating Malware Analysis with Cuckoo Sandbox"

Speaker Name: Claudio Guarnieri

Speaker Title: Security Researcher

Company: Rapid7

Abstract:

Corporations, governments and organizations of any sort have a growing need to digest hundreds of thousands of malicious artifacts every day. Whether for incident response, preemptive analysis or just to collect intelligence, we are all having a hard time keeping up the pace. Cuckoo Sandbox is open source software that enables you to easily automate the process of analyzing your feeds of malware samples and start collecting actionable threat data. In this presentation we will walk through the different unique features of this tool, learn how to use it and customize it, and hopefully take some sweat off of you and guide you to the light of automation.

Outline:
- The battle against the malware
- The need for automation
- Introduction to Cuckoo Sandbox
- Typical usage of Cuckoo
- Customizing Cuckoo to achieve great things
- Make sense of automated malware analysis
- Tips from the open source world
- Conclusions

Bio:

Claudio is a Security Researcher at Rapid7. He started messing with malware, needed tools to do it, and out of despair and boredom ended up making such tools himself. As a result he created Cuckoo Sandbox, an open source malware analysis system, and Malwr.com, and started violently advocating for open source in the security industry. Eventually he made fighting malware and botnets his mission and fantasizes about changing the Internet as a core member of The Shadowserver Foundation and The Honeynet Project. He has presented at several international conferences and brags that some of his tackles on cybercrooks were featured in the likes of Bloomberg and the New York Times. He can be found ranting on Twitter as @botherder.

References:
- http://www.cuckoosandbox.org
- http://www.malwr.com
- http://www.honeynet.org
- http://www.shadowserver.org


Title: "My name is Hunter, Ponmocup Hunter"

Speaker Name: Tom Ueltschi

Speaker Title: Security Officer

Company: Swiss Post

Abstract:

In early 2011 we discovered some botnet malware infected systems in our network. Starting from one A/V event we discovered several host- and network-based indicators to identify and confirm several infections. A brief high-level overview of the security architecture will help you understand how the indicators could be found and searched for. With a one-strike remediation all infected systems were quarantined and cleaned. A few weeks later the sinkholing of several known C&C domains showed the botnet was very big (several million bots). Quickly I got obsessed with analyzing and hunting this malware, which could infect fully patched systems without using exploits (only social engineering) and protected by firewalls, IPS and multi-layered A/V. The malware got some visibility and media attention in June 2012 with titles such as "printer virus", "printer bomb" or "Trojan.Milicenso: A Paper Salesman’s Dream Come True". This was likely due to an unwanted side-effect or "mistake" by the bot-master and probably didn't happen to all infected hosts or networks.

You'll learn:

- how the malware was discovered, what indicators were derived
- how all infected hosts were identified and how remediation was done
- how this malware spreads and how to defend against it
- how to detect infected systems (host & network indicators)
- how to find infected web servers used to spread it
- what malware functionalities are known and currently still unknown

Biography:

Tom Ueltschi received his Bachelor's and Master's of Science in Computer Science and Engineering from the University of Texas at Arlington. After about 6 years working in software development (mainly Java web applications) he switched to IT Security five and a half years ago. Hunting for and analyzing new malware is part of his job and hobby as well. He's an (in)frequent blogger about APT resources and malware/botnet research (c-apt-ure.blogspot.com) and believes in sharing threat and malware intelligence using Twitter (@c_APT_ure), Storify, CIF feeds and IOCs. He holds several GIAC certifications (GCIH, GWAPT, GXPN) and received the SANS Lethal Forensicator Coin for submitting several IOCs to ForensicArtifacts.com. He's a member of several closed/trusted groups for fighting cybercrime and sharing malware and APT intelligence.


Title: Hunting Attackers with Network Audit Trails

Speaker Name: Tom Cross

Co-Speaker Name: Charles Herring

Speaker Title: Director of Security Research

Co-Speaker Title: Senior Systems Engineer

Company: Lancope

Abstract:

Sophisticated, targeted attacks have become increasingly difficult to detect and analyze. Attackers can employ 0-day vulnerabilities and exploit obfuscation techniques to evade detection systems and “fly under the radar” for long periods of time. Reports cataloging trends in data breaches reveal a systematic problem in our ability to detect that they ever occurred. Gartner estimates 85% of breaches go completely undetected and 92% of the detected breaches are reported by third parties. New strategies for identifying network attack activity are needed.

The purpose of the session is to review how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks. These technologies can be used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic. We will demonstrate how these records can be used to discover active attacks in each phase of the attacker’s “kill chain.” We will also cover how these records can be utilized to determine the scope of successful breaches and document the timeline of the attacks. The session will demonstrate these processes and techniques in both open source and commercial solutions.
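As an added example (not Lancope's code or StealthWatch's logic), the following Python script runs the kind of checks the abstract describes over a constructed set of flow records: timer-driven beaconing for the command-and-control phase, a fan-out of SMB connections for the lateral-movement phase, an oversized outbound transfer for the exfiltration phase, and a pivot from one confirmed host to the peers it touched to scope the breach and order the audit trail. The flows, the 10.0.0.0/8 internal range, the jitter and volume thresholds and the record layout are all assumptions chosen for the example.

```python
"""Added example (not Lancope's code): hunting across kill-chain phases in flow records.
All flows below are constructed; the 10.0.0.0/8 'internal' range is an assumption."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the monitored enterprise address space

# Constructed NetFlow/IPFIX-style export: start time, src, dst, dst port, bytes src->dst.
FLOWS = """\
2013-07-09T01:00:02,10.1.5.23,203.0.113.10,443,820
2013-07-09T01:10:01,10.1.5.23,203.0.113.10,443,790
2013-07-09T01:20:03,10.1.5.23,203.0.113.10,443,805
2013-07-09T01:30:02,10.1.5.23,203.0.113.10,443,811
2013-07-09T01:40:01,10.1.5.23,203.0.113.10,443,798
2013-07-09T01:50:02,10.1.5.23,203.0.113.10,443,802
2013-07-09T02:00:03,10.1.5.23,203.0.113.10,443,815
2013-07-09T02:05:14,10.1.5.23,10.1.9.40,445,2100
2013-07-09T02:07:40,10.1.5.23,10.1.9.41,445,2300
2013-07-09T02:08:11,10.1.5.23,10.1.9.42,445,2250
2013-07-09T02:08:52,10.1.5.23,10.1.9.43,445,2190
2013-07-09T02:09:30,10.1.5.23,10.1.9.44,445,2210
2013-07-09T02:10:05,10.1.5.23,10.1.9.45,445,2240
2013-07-09T03:12:00,10.1.9.40,203.0.113.10,443,734003200
2013-07-09T08:30:11,10.1.5.77,198.51.100.5,443,5400
2013-07-09T09:12:45,10.1.5.77,198.51.100.5,443,9800
2013-07-09T11:02:13,10.1.5.77,198.51.100.5,80,1200
"""

def parse_flows(text):
    """Turn the CSV export into dicts with real datetimes and ints."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "port": int(port), "bytes": int(nbytes)})
    return rows

def find_beacons(flows, min_flows=6, max_jitter=0.1):
    """C2 phase: the same src->dst:port seen repeatedly at a near-constant interval."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["port"])].append(f["ts"])
    hits = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # low jitter = timer-driven traffic
            hits.append({"src": src, "dst": dst, "port": port, "period_s": round(avg)})
    return hits

def find_lateral_movement(flows, port=445, min_hosts=5, window_s=600):
    """Lateral-movement phase: one host reaching many internal peers on an admin port in a short window."""
    by_src = defaultdict(list)
    for f in flows:
        if f["port"] == port and ip_address(f["dst"]) in INTERNAL:
            by_src[f["src"]].append(f)
    hits = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        best, i = None, 0
        for j, f in enumerate(fl):                      # sliding window over fl[i..j]
            while (f["ts"] - fl[i]["ts"]).total_seconds() > window_s:
                i += 1
            hosts = {x["dst"] for x in fl[i:j + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["hosts"]):
                best = {"src": src, "hosts": len(hosts), "first": fl[i]["ts"], "last": f["ts"]}
        if best:
            hits.append(best)
    return hits

def find_exfiltration(flows, threshold_bytes=100 * 1024 * 1024):
    """Actions-on-objectives phase: unusually large outbound transfers to external hosts."""
    return [f for f in flows
            if ip_address(f["src"]) in INTERNAL and ip_address(f["dst"]) not in INTERNAL
            and f["bytes"] >= threshold_bytes]

def scope_and_timeline(flows, seed_hosts):
    """Scoping: pivot from confirmed hosts to every internal peer they touched, returning the
    set of involved hosts and the time-ordered audit trail of their traffic."""
    involved = set(seed_hosts)
    events = []
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["src"] in involved and ip_address(f["dst"]) in INTERNAL:
            involved.add(f["dst"])
        if f["src"] in involved or f["dst"] in involved:
            events.append((f["ts"].isoformat(), f["src"], f["dst"], f["port"], f["bytes"]))
    return sorted(involved), events

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("beacons:", find_beacons(flows))
    print("lateral:", find_lateral_movement(flows))
    print("exfil:", find_exfiltration(flows))
    hosts, trail = scope_and_timeline(flows, ["10.1.5.23"])
    print("involved hosts:", hosts)
    for e in trail:
        print(*e)
```

On the constructed data the beacon check singles out the ten-minute poll to 203.0.113.10, the SMB fan-out from 10.1.5.23 to six peers within five minutes, the 700 MiB push from 10.1.9.40 to the same external host, and the scoping pass grows the one seed into seven involved hosts with a fourteen-record trail. Real deployments would tune the thresholds per network and add flow direction and duration, which the export here omits.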

Biography:

Tom Cross is Director of Security Research at Lancope where he works to improve Lancope's network anomaly detection capabilities. He has more than a decade of experience as a security researcher and thought leader. Tom was previously manager of the IBM X-Force Advanced Research team where he focused on advancing the state of the art in network intrusion prevention technologies. He is credited with discovering a number of critical security vulnerabilities in enterprise class software and has written papers on security issues in Internet routers, securing wireless LANs, and protecting Wikipedia from vandalism. He frequently speaks on security issues at conferences around the world.

Charles Herring is Senior Systems Engineer at Lancope. Charles spent 10 years on active duty with the US Navy. His last position in the Navy was as the Lead Network Security Analyst for the Naval Postgraduate School. After leaving the Navy, he spent six years consulting with the Federal government as well as serving as a contributing network security product reviewer for the InfoWorld Test Center. Charles spends much of his time assisting StealthWatch operators in detecting and responding to advanced security threats.


Title: Autopsy 3: Extensible Open Source Forensics

Speaker Name: Brian Carrier

Speaker Title: VP of Digital Forensics

Company: Basis Technology

Abstract:

Autopsy 3.0 is an open source, end-to-end digital forensics platform based on The Sleuth Kit. It is a complete rewrite from Autopsy 2.0 and was designed to be an extensible platform with modules that are open or closed source and free or commercial. This talk covers the exciting new features of this system, including multi-threaded frameworks, triage, embedded databases, web artifact analysis, and indexed keyword search. This talk is targeted towards both users and developers. Users will learn about the tool, and how they can use it. Developers will learn the basics of where they can incorporate their tools into the Autopsy workflow as modules.

Biography:

Brian leads the digital forensics team at Basis Technology, delivering services and developing custom systems. He is the author of the book File System Forensic Analysis and developer of several open source digital forensics analysis tools, including The Sleuth Kit and the Autopsy Forensic Browser. Brian has a Ph.D. in computer science from Purdue University and worked previously for @stake as a research scientist and the technical lead for their digital forensics lab. Brian is on the committees of many conferences, workshops and technical working groups, including the Annual DFRWS Conference and the Digital Investigation Journal.


Title: Timeline Analysis by Categories

Speaker: Corey Harrell

Speaker Title: IT Specialist III

Company: New York Office of the State Comptroller

Abstract

When it comes to timeline analysis there are two schools of thought about how to approach it. One is the kitchen sink approach, where all artifacts supported by the tools are included in the timeline. The second is the minimalist approach, where only the required artifacts are initially included and more artifacts are added as needed. Both approaches are equally valid, but there is a third school of thought emerging about how to approach timeline analysis. The approach is to build timelines based on categories, and it is a combination of the kitchen sink and minimalist approaches.

Artifacts can be organized into categories based on the examination process one uses. The various categories can then be selected for incorporation into a timeline. In essence, the approach is to include all artifacts that belong to certain categories. Not only does category-based timeline analysis provide examiners with a more effective timeline, but it makes the creation of targeted timelines easier for different types of cases.

In this presentation Corey will discuss the process for creating timelines based on categories. The topics will include the following: examination process, categories, timeline tools, tool compatibility issues, artifacts in each category, and timeline matrices for common case types. At the conclusion of the presentation attendees will know how to leverage the timeline analysis based on categories approach.
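As an added example (not Corey's tools or his matrix), the Python below sketches the category approach on constructed events: a table mapping examination categories to artifact sources, a per-case-type matrix selecting categories, and a builder that pulls every artifact of the selected categories (kitchen sink within a category, minimalist across categories) into one time-ordered timeline. The categories, case types and events are illustrative assumptions, not a published matrix.

```python
"""Added example (not Corey Harrell's tooling): timeline built from artifact categories.
The category matrix, case types and events below are constructed for illustration."""
from datetime import datetime

# Assumption: one possible mapping of examination categories to artifact sources.
CATEGORIES = {
    "program_execution": {"prefetch", "userassist", "appcompatcache"},
    "file_knowledge": {"lnk", "recentdocs", "jumplist"},
    "persistence": {"run_key", "scheduled_task", "service"},
    "network": {"firewall_log", "proxy_log"},
    "filesystem": {"mft"},
}

# The timeline matrix: which categories each case type starts with (assumption).
CASE_MATRIX = {
    "malware": ["program_execution", "persistence", "filesystem", "network"],
    "ip_theft": ["file_knowledge", "program_execution", "network"],
}

# Constructed normalized events: (timestamp, artifact source, description).
EVENTS = [
    ("2013-07-08T14:02:11", "proxy_log", "GET http://example.test/update.exe"),
    ("2013-07-08T14:02:15", "mft", "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe created"),
    ("2013-07-08T14:02:20", "prefetch", "UPDATE.EXE first run"),
    ("2013-07-08T14:02:22", "run_key", "HKCU Run\\Updater = update.exe"),
    ("2013-07-08T16:30:00", "lnk", "Q3_Roadmap.docx opened"),
    ("2013-07-08T16:31:40", "recentdocs", "Q3_Roadmap.docx"),
    ("2013-07-08T16:40:05", "userassist", "WINRAR.EXE run count 3"),
    ("2013-07-08T16:45:00", "firewall_log", "outbound 10.0.0.5 -> 203.0.113.9:443 12 MB"),
    ("2013-07-08T17:00:00", "service", "NewSvc installed"),
]

def category_of(source):
    """Reverse lookup: which category claims this artifact source (None if unmapped)."""
    for cat, sources in CATEGORIES.items():
        if source in sources:
            return cat
    return None

def build_timeline(events, case_type, extra_categories=()):
    """Kitchen sink inside each selected category, minimalist across categories:
    keep every event whose source belongs to a category the case type (or the
    examiner, via extra_categories) asks for, and return them in time order."""
    wanted = set(CASE_MATRIX[case_type]) | set(extra_categories)
    rows = [(ts, src, category_of(src), desc)
            for ts, src, desc in events if category_of(src) in wanted]
    return sorted(rows, key=lambda r: datetime.fromisoformat(r[0]))

def unmapped_sources(events):
    """Sources present in the data that no category claims: a gap in the matrix to close."""
    return sorted({src for _, src, _ in events if category_of(src) is None})

if __name__ == "__main__":
    for ts, src, cat, desc in build_timeline(EVENTS, "malware"):
        print(ts, f"{cat:18}", f"{src:14}", desc)
```

The malware case type pulls seven of the nine events and leaves the document-access artifacts out; the IP-theft case type does the reverse, and adding the persistence category by hand widens it without rebuilding the matrix. The unmapped_sources check is the part worth keeping: an artifact source no category claims never reaches any timeline, silently.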

Biography

Corey Harrell is an information security specialist with the New York Office of the State Comptroller. In this capacity, he has spent over five years providing digital forensic services that support security incidents, investigations, fraud audits, and acceptable use policy violations. In addition, Corey has performed vulnerability assessments at other New York State agencies to identify and confirm weaknesses in their security management and network.

Corey is an avid blogger, posting frequently on his personal "Journey Into Incident Response" blog about Digital Forensics and Incident Response. He is currently developing a Malware Analysis course for one of Champlain College's graduate programs. He has more than 10 years of experience in Information Technology, seven of which were specific to information security. He holds a Master of Science in Information Assurance from Norwich University and a Bachelor of Science in Telecommunications from SUNY Institute of Technology. Corey has achieved several technical certifications including EnCase Certified Forensic Examiner (EnCE) and Certified Ethical Hacker (CEH).


Title: Detecting data loss from cloud synchronization applications

Speaker: Jake Williams

Company: CSRgroup Computer Security Consultants

Abstract:

Cloud backup solutions, such as Dropbox, provide a convenient way for users to synchronize files between user devices. These services are particularly attractive to users, who always want the most current version of critical files in each location. Many of these applications “install” into the user’s profile directory and the synchronization processes are placed in the user’s registry hive (HKCU). Users without administrative privileges can use these applications without so much as popping a UAC dialog. This freedom makes illicit installations of these applications all the more likely. Cloud backup providers are marketing directly to corporate executives offering services that will “increase employee productivity” or “provide virtual teaming opportunities.” Offers such as these make it more likely than ever that any given corporate environment has some cloud backup solutions installed.
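As an added example (not the speaker's tooling), the Python below applies the two indicators the abstract names, a Run entry in the user's own hive and a binary living under the user's profile directory, to a constructed set of HKCU Run values. The values, the profile path and the list of sync-client executable names are assumptions; flagging any profile-resident autostart, not only known sync clients, is a deliberate generalization, since it also catches the next client the list does not know about.

```python
"""Added example (not the speaker's tooling): flag cloud-sync clients and other autostarts
living in the user profile, from Run values. All inputs below are constructed."""
import re
from pathlib import PureWindowsPath

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values for one user.
RUN_VALUES = {
    "Dropbox": '"C:\\Users\\bob\\AppData\\Roaming\\Dropbox\\bin\\Dropbox.exe" /systemstartup',
    "SkyDrive": '"C:\\Users\\bob\\AppData\\Local\\Microsoft\\SkyDrive\\SkyDrive.exe" /background',
    "GoogleDriveSync": '"C:\\Program Files (x86)\\Google\\Drive\\googledrivesync.exe" /autostart',
    "Spotify": '"C:\\Users\\bob\\AppData\\Roaming\\Spotify\\Spotify.exe" /uri',
    "IgfxTray": "C:\\Windows\\system32\\igfxtray.exe",
}
USER_PROFILE = "C:\\Users\\bob"   # the hive owner's profile directory (assumption)

# Assumption: executable names of sync clients worth naming explicitly.
SYNC_CLIENTS = {"dropbox.exe", "skydrive.exe", "googledrivesync.exe", "sugarsync.exe", "boxsync.exe"}

def exe_path(command):
    """Executable from a Run value: the quoted path, or the first token before ' /args'."""
    m = re.match(r'\s*"([^"]+)"', command)
    return m.group(1) if m else command.strip().split(" /")[0]

def in_user_profile(path, profile):
    """True when the binary sits under the profile (no admin rights needed to put it there).
    PureWindowsPath compares case-insensitively, as Windows does."""
    return PureWindowsPath(profile) in PureWindowsPath(path).parents

def classify_run_entries(values, profile):
    """Report every Run value that is a known sync client or starts a profile-resident binary."""
    findings = []
    for name, command in values.items():
        exe = exe_path(command)
        is_sync = PureWindowsPath(exe).name.lower() in SYNC_CLIENTS
        profile_install = in_user_profile(exe, profile)
        if is_sync or profile_install:
            findings.append({"value": name, "exe": exe,
                             "sync_client": is_sync, "user_profile_install": profile_install})
    return findings

def sync_clients(values, profile):
    """Run values that start a known cloud-sync client, wherever it is installed."""
    return sorted(f["value"] for f in classify_run_entries(values, profile) if f["sync_client"])

def unknown_profile_autostarts(values, profile):
    """Profile-resident autostarts that are not on the known list: review these by hand."""
    return sorted(f["value"] for f in classify_run_entries(values, profile)
                  if f["user_profile_install"] and not f["sync_client"])

if __name__ == "__main__":
    for f in classify_run_entries(RUN_VALUES, USER_PROFILE):
        print(f)
```

On the constructed hive the three sync clients are named, the Google client is reported even though it sits under Program Files, and the Spotify entry surfaces as an unknown profile-resident autostart for manual review; the video-driver tray entry under system32 is left alone. To use it on a real system, export the Run key from the user's NTUSER.DAT (or read it live) and feed the name/value pairs in as the dictionary.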

Bio: Jake Williams, a principal consultant at CSRgroup Computer Security Consultants, has over a decade of experience in secure network design, penetration testing, incident response, forensics, and malware reverse engineering. Prior to joining CSRgroup, he worked with various government agencies in information security roles. Jake has twice won the annual DC3 Digital Forensics Challenge and has spoken at several regional ISSA meetings, Shmoocon, and the DC3 Conference, as well as numerous US government conferences. Jake is currently pursuing a PhD in Computer Science where he is researching new techniques for botnet detection. His research interests include protocol analysis, binary analysis, malware RE methods, subverting the security of cloud technologies, and methods for identifying malware Command and Control (C2) techniques.


Title: A Day in the Life of a Cyber Tool Developer

Speaker Name: Jonathan Tomczak

Speaker Title: Software Engineer/CIO

Company: TZWorks, LLC

Abstract:

As the density of digital media continues to grow, the forensic investigator will see massive amounts of data during any acquisition phase or computer analysis. Timely reduction and processing of large, disjointed datasets will be extremely important for those investigative shops that face more work than the number of available, qualified people doing the analysis. This means automating the workflow process to ensure consistent, accurate reporting, which will in turn translate into more revenue for the investigator. To aid in this, forensic development shops will need to use and/or create toolsets that are flexible and scalable to assist in any automation transition. This talk will focus on how TZWorks takes on the challenge of developing a tool to aid in this automation process. The discussion will be centered on a TBD tool that has been developed in the past. It will include: (a) the step by step process used in the development and where key decision points were made, (b) the research that was involved when identifying critical data structures, and (c) how it was decided which data will be presented to the end user and which data will not. This discussion will be from a developer's perspective.

Biography

Jonathan Tomczak is the Chief Information Officer and Co-Founder at TZWorks, LLC. Jonathan's professional background stems from game engine programming and design focusing on IRC based games. With most of his programming foundation in C and C++, Jonathan has taken his knowledge and applied it to find solutions to aid the information security world. Jonathan's personal time is spent primarily outdoors, whether that be hiking, kayaking or mountain biking. As part of his desire to tinker, he retains his status as a knowledgeable bike mechanic and loves getting his hands full of dirt and grease. Jonathan attended George Mason University for Computer Engineering with a focus on Computer Software Development.


Title: Proactive Defense

Presenter: Adam Meyers

Title: Director of Intelligence

Company: CrowdStrike, Inc

Abstract:

By nature, computer network defenders tend to be very reactive: an IDS alert triggers and they take action. This can quickly cause a defense team to become overwhelmed with things they need to react to, causing them to miss key indicators. Proactive network defense allows defenders to look at the threat landscape to proactively anticipate where the adversary will be in order to defend against an attack before it happens. Today we collect large volumes of data on our enterprises. This massive amount of data, coupled with defenders who are focusing on technical analysis and typically do not have the background or experience in traditional intelligence discipline, inhibits thinking proactively. This presentation is tailored towards technical analysts who want to learn about intelligence collection and analysis and how to couple it with technical analysis in order to mine the myriad of data to extract powerful information about the adversary such as their Tools, Techniques, and Practices (TTP). As this data is extracted, the audience will learn to start asking proactive questions about the data so that they may anticipate the adversary’s next move and begin the defense in advance. This presentation will provide background on intelligence collection, intelligence analysis, building a collection, and introduce some powerful tools to mine intelligence.

Biography: Adam Meyers is Director of Intelligence for CrowdStrike, Inc. Adam manages collection activity, reverse engineering, and adversary categorization. Prior to joining CrowdStrike, Adam was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International. Adam served as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. Adam provided both technical expertise at the tactical level and strategic guidance on overall security program objectives. Adam’s background is in penetration testing and reverse engineering. He also acted as the product manager for SRA Cyberlock a dynamic malware analysis platform. Adam supports various law enforcement agents as a technical resource, regarding malware and criminal investigation. In support of the Department of State Bureau of Diplomatic Security, Adam trained and managed an elite team of reverse engineers who conducted incident investigation and analysis in support of the mission of the Office of Cyber Security. He is a recognized speaker who has spoken on a variety of topics ranging from technical to emerging threat at security conferences throughout the world. Adam has provided significant contributions to the Wikileaks, Night Dragon, and Shady RAT investigations, as well as provided critical assistance to law enforcement in investigations of numerous hacking incidents.


Title: The 7 Sins of Malware Analysis

Speaker: Dominique Kilman

Company: KPMG LLP

Abstract:

In this presentation, I will discuss the common mistakes that analysts make when working with malicious code. Each of these ‘sins’ will be presented along with their corollary ‘what to do instead’. I hope to give new analysts a head start so they don’t make some of the newbie mistakes that can happen, as well as remind experienced analysts of some of the important characteristics that make for good analysis.

Biography:

Dominique is a Senior Associate with KPMG’s Forensic Technology Services (“FTS”) practice in San Antonio, TX. She specializes in malicious code analysis, network forensics and incident response. She has over 10 years of experience in the computer security field and 4 years’ experience in software development. She is a CISSP and CISM, holds SANS certifications in Malware Analysis, Auditing, Incident Handling and Wireless Auditing as well as the EC-Certified Security Analyst certification. She obtained an MS in Computer Security from University of Illinois in 2002 and a BS in Computer Engineering from Texas A&M in 1997.


Title: Plaso - Reinventing the Super Timeline

Speaker: Kristinn Gudjonsson

Title: Senior Security Engineer

Company: Google

Abstract:

Timeline analysis has really grown in the past few years with new tools that can automate the correlation between multiple data sources into a single timeline. This analysis technique has provided the analyst with a completely new and unprecedented view of the data that lies on the drive. And with the introduction of the new log2timeline engine called plaso, things are changing even more. The next generation of log2timeline produces more structured data with more features, which in turn opens up new ways of analyzing the massive dataset the tool extracts from any given drive. The goal of this presentation is to introduce the audience to timeline analysis in a practical way, showing how to use the tool in a simple malware intrusion investigation as well as to show how to expand the tool to parse new datasets in a simple way.

Bio:

Kristinn Gudjonsson is a senior security engineer at Google, focused on forensics, incident response, tool development and whatever gets thrown his way. Prior to joining Google he worked as a technical security manager at ArionBanki and even before that as a security/incident response/forensics consultant at Skyggnir.

Kristinn holds a M.Sc. degree in computer engineering from INT (Institut National des Telecommunications) in Paris as well as a B.Sc. degree in electrical and computer engineering from the University of Iceland. Kristinn also holds several certifications such as GCIA, GCIH and GCFA Gold.

Kristinn is among other things the creator of the tool log2timeline, and now one of the core developers of the new backend engine of log2timeline called plaso.


Title: Facilitating Fluffy Forensics (a.k.a. Considerations for Cloud Forensics)

Speaker Name(s): Andrew Hay

Speaker Title: Chief Evangelist

Company: CloudPassage, Inc.

Abstract:

Cloud computing enables the rapid deployment of servers and applications, dynamic scalability of system resources, and helps businesses get products to market faster than ever before. Most organizations are aware of the benefits of adopting cloud architectures and many are becoming aware of the potential security risks. The majority of organizations, however, don’t realize the numerous challenges of conducting incident response (IR) activities and forensic investigations across public, private, and hybrid cloud environments. It’s not all doom and gloom, however. The consumption model of cloud architectures actually lends itself to helping investigators conduct forensic and IR exercises faster and more efficiently than on a single workstation. For this to happen, however, the tools and techniques employed must evolve. In this session, CloudPassage Chief Evangelist Andrew Hay will address the forensic and IR challenges of investigating servers and applications in cloud environments in addition to the opportunities that cloud presents to help expedite forensic investigations. Topics that will be discussed include:

- Traditional forensics and IR
- Cloud architectural challenges for responders
- Chain-of-custody and legal issues across architectures and regions
- How existing forensics/IR tools can help, and what they can do better
- Advantages of conducting forensics/IR in cloud environments

Biography:

Andrew Hay is the Chief Evangelist at CloudPassage, Inc., where he represents the company and its cloud security portfolio. Prior to joining CloudPassage, Andrew served as a Senior Security Analyst for 451 Research’s Enterprise Security Practice (ESP) providing technology vendors, private equity firms, venture capitalists and end users with strategic advisory services – including competitive research, new product and go-to-market positioning, investment due diligence and tactical partnership, and M&A strategy. Through his work at 451 Research, Andrew was instrumental in securing tens of millions of dollars in equity investment for numerous security product vendors. He is a veteran strategist with more than a decade of experience related to endpoint, network, and security management technologies.


Title: Timeline creation and review, GUI style!

Speaker: David Nides

Company: KPMG LLP

Abstract:

Timeline analysis is a concept used by Digital Forensic and Incident Response practitioners to normalize event data by time and present it in chronological order for review. This sequence of data is used to tell a narrative “story” of events over a period of time. Furthermore, it can be used to put events into context, interpret complex data and identify anomalies or patterns. Thanks to tools like log2timeline the creation of timeline data is easy; however, the review process can be challenged by gigabytes and millions of rows of events. This presentation will focus on making the creation of timeline data even EASIER and on the challenges of reviewing large timeline data sets using a FREE tool called l2t_R, a cross-platform GUI solution specifically designed for reviewing timeline data.

Biography:

David is a Manager with KPMG’s Forensic Technology Services (“FTS”) practice in Chicago, IL. Currently David plays a national lead Incident Response role consulting clients globally in APT, data breach, and other cybercrime investigations. His experience includes working in the People’s Republic of China where he significantly contributed to the growth of KPMG’s Asia Pacific FTS practices by leading high profile cross-border investigations, establishing end-to-end e-discovery solutions, integrating methodologies and technologies consistent with the US, and making best practices transparent between global practices. Ultimately, David was in part responsible for the establishment of a Forensic Technology team and service line in Shanghai, China. David also served a rotation with KPMG’s Office of General Counsel leading internal investigations involving the identification, preservation, analysis, and presentation of Electronically Stored Information as a result of litigation and government inquiries. David holds a number of professional certifications and in 2012 won the forensic4cast award for “best forensic article” of the year.


Title: Building, Maturing and Rocking a Security Operations Center

Speaker Name: Brandie Anderson

Company: Hewlett-Packard

Abstract:

I will discuss key items around building a security operations center and maturing it, initially working through points on the importance of process and procedures, how to document, and options to store and actively use documentation. I will discuss hiring, on-boarding and training analysts, monitoring technology (while there are many, we are an ArcSight shop, so while covering general topics of use case development and actionable content, any screenshots included would be ArcSight) and data feed on-boarding (again, ArcSight Logger would be mentioned with screenshots, but overall log feed theories and best practices). After having a SOC in place, there are items you start to discuss around maturing the processes, incident response within the SOC and the interactions with internal and external organizations. The last section will cover incident response, daily reactions to users, noise, etc. and a “rocking” example of one of our responses to a virus outbreak, going from detection and impact to a hack-back response the SOC analysts used to shut it down. I will use the SANS Incident Response Model, walking through the steps and how we made decisions and handled the issue. The reason I have chosen this virus outbreak is because, while dealing with the big things (intruders, etc.) ends up involving a lot of folks and getting the visibility, sometimes the nuisance things are the hardest to get visibility for internally from other groups, yet the security teams have to address them regardless; it offers an example of how to handle things when other groups aren’t as invested.

Biography:

I am the current manager of the HP Global Security Operations Center, the APT Hunter and the Security Delivery Operations teams. Having worked in both private and public sectors in a variety of technology positions, with 13 years specializing in Information Security across both tactical and strategic functions, I have been successful in building security operations centers and working with broken teams/processes. My educational experience includes a Master’s degree in Information Management with a specialization in Information Security/Assurance, and I was awarded one of the first ISC(2) scholarships from the year of the Security Professional. Current certifications include CISSP and GCIH, with past certifications including MCSE, MCP and CNA. In my spare time, I am an on-going adjunct professor for information security and networking for ECPI University and have taught in the same capacity for DeVry Online and University of Phoenix. My family includes my husband, Dave, daughter Cailin, 12, son Collin, 22 and two step-daughters, Tracy, 22 and Amy, 21.


Title: “ICS, SCADA, and Non-Traditional Incident Response”

Speaker Name(s): Kyle Wilhoit

Speaker Title: Threat Researcher

Company: Trend Micro

Abstract:

INTRODUCTION: With the attack landscape constantly changing, new focus has been placed on industrial control systems (ICS) and SCADA systems. This talk aims to show not only a high-level overview of ICS and SCADA systems, but also how to effectively perform incident response on these often remote systems.

CORE CONCEPTS: Core concepts that will be covered include, but are not limited to:

● How ICS/SCADA systems differ from normal systems.
● Core overview of ICS/SCADA systems (common uses for these systems).
● Reasons behind ICS/SCADA systems.
● How ICS/SCADA differs in terms of incident response.
● How to effectively perform incident response on ICS/SCADA systems.

GOALS: Goals include, but are not limited to:

● Help conference goers understand core incident response subjects.
● Help conference goers understand what ICS/SCADA systems are used for.
● Help conference goers be able to differentiate between ICS/SCADA incident response and traditional incident response.
● Help conference goers leave the conference with core notes on being able to easily perform incident response on ICS/SCADA systems.

Biography:

Kyle Wilhoit is a Threat Researcher at Trend Micro on the Future Threat Research Team. Kyle focuses on original threat, malware, and vulnerability discovery/analysis. He has 8 years of experience in the information security field, holds a Bachelor's and Master's in Information Systems, and holds several professional certifications. Kyle has regular interaction with the US Department of Defense regarding threat research and malware analysis. In addition, he has spoken at several conferences, including Washington University in St. Louis, Missouri and United Security Summit in San Francisco, California. Prior to joining Trend Micro, he was the Lead Incident Handler and Reverse Engineer at a large energy company, focusing on industrial control system/SCADA security and persistent threats. He has also worked at Savvis Communications, a Tier 1 Internet service provider, as a Threat Analyst and Incident Response Specialist. Kyle is also involved with several open source projects.


Title: Restoring Credential Integrity after an Enterprise Intrusion

Speaker Name(s): James Perry and Anuj Soni

Speaker Title: Lead Associate

Company: Booz Allen Hamilton

Abstract:

One of the most important, and most overlooked, steps of running an enterprise APT intrusion investigation involves the rapid identification of the risk factors that enabled the threat actors to establish an enterprise presence in that environment. One of these risk factors is related to Active Directory and local system user credentials. Investigators must rapidly determine the status of these factors from an investigative perspective to eventually help the organization restore credential integrity with a hard password reset. We will discuss how to rapidly determine which user, admin, and service accounts have active or historical LanManager password hashes, which user accounts share credentials, which domain administrators share credentials between their standard and privileged accounts, and other factors related to user credential risk. We will demonstrate the tools and techniques we currently use, identify common pitfalls, and include a couple of enterprise hard password reset case studies.
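As an added example (not Booz Allen's tooling), the Python below performs the credential checks the abstract lists over a constructed pwdump-style dump with made-up hashes: accounts still carrying a LanManager hash, accounts that share the same NT hash, and privileged accounts whose password equals their owner's standard account, then orders the accounts for the hard reset. The empty-LM constant is the well-known value of the LM hash of an empty password; the privileged-account suffix convention and the reset ordering are assumptions.

```python
"""Added example (not Booz Allen's tooling): triage of a credential dump before a hard password reset.
The dump below is constructed with made-up hashes; the privileged-account suffixes are an assumption."""
from collections import defaultdict

# LM hash of the empty password: present when no LanManager hash is stored for the account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# pwdump-style lines, user:rid:lm_hash:nt_hash::: (constructed, not from any real domain)
DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jsmith:1104:aad3b435b51404eeaad3b435b51404ee:1111111111111111111111111111aaaa:::
jsmith-adm:1105:aad3b435b51404eeaad3b435b51404ee:1111111111111111111111111111aaaa:::
svc_backup:1120:5a5a5a5a5a5a5a5aaad3b435b51404ee:2222222222222222222222222222bbbb:::
svc_sql:1121:aad3b435b51404eeaad3b435b51404ee:3333333333333333333333333333cccc:::
mlee:1130:aad3b435b51404eeaad3b435b51404ee:2222222222222222222222222222bbbb:::
"""

# Assumption: the site's naming convention for privileged accounts (jsmith -> jsmith-adm).
PRIV_SUFFIXES = ("-adm", "-admin", "_adm")

def parse_dump(text):
    """Map account name -> rid/lm/nt from pwdump-style lines."""
    accounts = {}
    for line in text.strip().splitlines():
        user, rid, lm, nt = line.split(":")[:4]
        accounts[user] = {"rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}
    return accounts

def accounts_with_lm(accounts):
    """Accounts still carrying a real LanManager hash (trivially crackable, must be reset)."""
    return sorted(u for u, a in accounts.items() if a["lm"] != EMPTY_LM)

def shared_credentials(accounts):
    """Groups of accounts with identical NT hashes, i.e. the same password."""
    by_nt = defaultdict(list)
    for u, a in accounts.items():
        by_nt[a["nt"]].append(u)
    return sorted(sorted(users) for users in by_nt.values() if len(users) > 1)

def privileged_base(user):
    """'jsmith-adm' -> 'jsmith'; None when the name carries no privileged suffix."""
    low = user.lower()
    for s in PRIV_SUFFIXES:
        if low.endswith(s):
            return low[: -len(s)]
    return None

def admins_reusing_standard_password(accounts):
    """Privileged accounts whose password equals their owner's standard account password."""
    by_lower = {u.lower(): u for u in accounts}
    hits = []
    for user, a in accounts.items():
        base = privileged_base(user)
        if base in by_lower and accounts[by_lower[base]]["nt"] == a["nt"]:
            hits.append((user, by_lower[base]))
    return sorted(hits)

def reset_plan(accounts):
    """Reset order (assumption): shared-password accounts first, then LM-hash accounts, then the rest."""
    shared = {u for g in shared_credentials(accounts) for u in g}
    lm = set(accounts_with_lm(accounts))
    rank = lambda u: 0 if u in shared else 1 if u in lm else 2
    return sorted(accounts, key=lambda u: (rank(u), u.lower()))

if __name__ == "__main__":
    accts = parse_dump(DUMP)
    print("LM hashes present:", accounts_with_lm(accts))
    print("shared passwords:", shared_credentials(accts))
    print("admin reuse:", admins_reusing_standard_password(accts))
    print("reset order:", reset_plan(accts))
```

On the constructed dump the service account svc_backup is the only one with an LM hash, jsmith and jsmith-adm share a password (the admin-reuse check names that pair explicitly), and mlee shares one with svc_backup, which a domain user should never be able to do. Historical LM hashes, which the abstract also mentions, live in the password-history attribute rather than the current-hash line shown here; a dump that includes history can be run through the same functions line by line.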

Biography:

Anuj Soni is an incident responder and forensic analyst at Booz Allen Hamilton. He is a Lead Associate on Booz Allen’s Proactive Threat Identification (PTI)/Advanced Persistent Threat (APT) team where he manages and executes specialized incident response techniques to detect, respond to, and mitigate sophisticated threat actors on Federal Government client networks. He uses his skills in conducting host-based forensics, malicious code analysis, APT risk assessments, and APT mitigation development to help clients improve their security posture. He has over 7 years of experience in incident response, forensics, intrusion detection, penetration testing and steganalysis. Anuj received his Bachelor's and Master's from Carnegie Mellon University, where he also worked and developed whitepapers for the Software Engineering Institute’s Computer Emergency Response Team (CERT). Anuj is a Certified Information Systems Security Professional (CISSP), an EnCase Certified Examiner (EnCE), and a GIAC Reverse Engineering Malware (GREM)-certified analyst. He is also a SANS Mentor for the Reverse Engineering Malware course.

James Perry is an incident responder and forensic analyst at Booz Allen Hamilton. He is a Lead Associate on Booz Allen's Proactive Threat Identification (PTI)/Advanced Persistent Threat (APT) team where he manages and executes enterprise intrusion investigations to detect, respond to, and mitigate sophisticated threat actors on client networks in the commercial and government sectors. He has over 7 years of experience in network security, intrusion detection, forensics, and incident response. Mr. Perry holds a Master's of Information Technology from The Johns Hopkins University and a Bachelor’s of Science in Systems Engineering from The University of Virginia. Mr. Perry has received forensic training from the Defense Cyber Investigations Training Academy (DCITA).