Nabble - Security - Forensics

On-Demand Penetration Testing Webcasts with Ed Skoudis of SANS

2008-11-11T07:48:14Z

As a security pro, it's important to periodically stop, take a break, and refuel your brain. Once per month, Core Security Technologies does the same thing and invites industry thought leaders to share their insights through educational webcasts offering security testing tips, tricks and strategies.

We'd like to share one of our favorite webcast series with you: "Penetration Testing Ninjitsu" with Ed Skoudis of SANS and InGuardians.

> Click here to access this on-demand, three-part webcast series:
http://www.coresecurity.com/Form/generic/campaign/secfocus

--------------------------------------------------------------------
About "Penetration Testing Ninjitsu Parts I-III"
--------------------------------------------------------------------
These in-depth, technical presentations by Ed Skoudis look at the art and science of using penetration testing to gain visibility into your organization's security posture.

-- Part I: A brief introduction to the value of penetration testing + an overview of pen testing techniques using the Windows command shell.

-- Part II: An introduction to techniques for performing the functions of Netcat - such as moving files, scanning ports and creating backdoors - without using Netcat.

-- Part III: This installment explores what can happen after the initial vulnerability is compromised and a threat becomes truly invasive - and how to proactively assess your systems against such attacks.

> Click here to access the "Penetration Testing Ninjitsu" series:
http://www.coresecurity.com/Form/generic/campaign/secfocus

Core Security provides comprehensive security testing software solutions based on independent, trusted vulnerability research and leading-edge threat expertise. Unlike many vendor webcasts, these are focused on educating the security community rather than selling a specific product.

-----------------------------------------------------------------
Uncover stealthy Trojans and malware in corporate web traffic
Anti-virus and URL filtering solutions provide only a limited solution to evasive crimeware.
Qualify for a free audit for enterprises
www.finjan.com/RUSafe

CfP: Int. Workshop on Information Credibility on the Web (WICOW2008) at CIKM2008

2008-07-06T19:22:34Z

(+apologies for cross-posting+)

****CALL FOR PAPERS****

2nd Workshop on Information Credibility on the Web
(WICOW 2008)

in conjunction with 17th ACM CIKM 2008

October 30, 2008, Napa Valley, California
http://www.dl.kuis.kyoto-u.ac.jp/wicow2

* AIM OF THE WORKSHOP *

The aim of this workshop is to provide a forum for discussion about issues
related to information credibility and its evaluation.
As computers and computer networks become more sophisticated, a huge
amount of information, such as that found in Web documents, has been
accumulated and circulated. Such information gives people a framework for organizing their daily
lives. A well-functioning society needs technology that can be used to
manage this wealth of information and, in particular, investigate its credibility.
This technology would be able to handle a wide range of tasks:
extracting credible information related to a given topic,
organizing this information, detecting its provenance, clarifying
background, facts, and various related opinions and the distribution of
them, and so on. Especially, as the Web is becoming a major source of
information nowadays, it is necessary to provide efficient and reliable
methods for evaluation of Web content's trustworthiness.

* TOPICS *

We invite submissions on any aspects of information credibility on the
Web. Topics include, but are not limited to:

- Information credibility evaluation and its applications
- Content analysis for credibility evaluation
- Sentiment analysis of content
- Credibility of Web search results
- Search models and applications for trustworthy content
- Conflicting opinion detection and analysis
- Credibility evaluation of user-generated content (e.g., Wikipedia)
- Information credibility evaluation in social networks
- Analysis of information dissemination
- Estimation of author and publishing venue reputation
- Spatial and temporal aspects in information credibility
- Estimation of information age, provenance and validity
- Sociological and psychological aspects of information credibility
- Users study for information credibility
- Risk assessment of information credibility
- Multimedia content credibility
- Persuasive technologies
- Information credibility in online advertising and Internet monetization
- Object identification on the Web

* IMPORTANT DATES *

- July 20, 2008 - Paper submission
- August 10, 2008 - Notification of acceptance
- August 15, 2008 - Camera-ready paper submission (hard deadline for publication in proceedings)
- October 30, 2008 - Workshop

* SUBMISSION *

Submissions should be sent in English in PDF format via the submission website. Papers should adhere
to ACM formatting guidelines and should have length of 6 to 8 pages.
They must be original and have not been submitted for publication elsewhere. We
encourage also position papers outlining interesting research directions.

The accepted papers are going to appear in CIKM Workshops Proceedings published by ACM either as full
(up to 8 pages) or short papers (up to 4 pages) depending on the review
results. At least one author of each accepted submission should register
by the end of the early registration period in order for the paper to be
included in the proceedings.

* ORGANIZATION *

General Chairs:

- Katsumi Tanaka Kyoto University, Japan
- Takashi Matsuyama Kyoto University, Japan
- Ee-Peng Lim Singapore Management University, Singapore

PC Chair:

- Adam Jatowt Kyoto University, Japan

Program Committee:

- see website

* CONTACT *

Adam Jatowt
email: adam [at] dl [dot] kuis [dot] kyoto-u [dot] ac [dot] jp
phone/fax: +81-75-231-4282

CCE training opportunities in June...

2008-05-18T11:11:01Z

Hi all!

Champlain College, in partnership with the International Society of Forensic Computer Examiners (ISFCE), is going to be offering two Certified Computer Examiner (CCE) Bootcamp courses in June:

o June 9-13 in Burlington, Vermont
o June 23-27 at Bunker Hill Community College in Boston

More information can be found at http://c3di.champlain.edu/ and clicking on Training Opportunities.

Do let me know if you have any questions! Feel free to share with any other interested parties.

Thanks!
/gary kessler

==========================================================================
Gary C. Kessler gary.kessler@...
Dir., Center for Digital Investigation Project Director
Associate Professor Information Security
Computer & Digital Forensics program Vt. Information Technology Ctr.

Champlain College Office: +1 802-865-6460
West Hall, Room 107 Fax: +1 802-865-6446
163 South Willard Street Cell: +1 802-238-8913
Burlington, VT 05401 Skype: gary.c.kessler

http://c3di.champlain.edu kumquat@...
http://digitalforensics.champlain.edu http://www.garykessler.net
PGP Public Keys: http://www.garykessler.net/kumquat_pubkey.html
http://digitalforensics.champlain.edu/gck/GaryKessler.asc

-----------------------------------------------------------------
Uncover stealthy Trojans and malware in corporate web traffic
Anti-virus and URL filtering solutions provide only a limited solution to evasive crimeware.
Qualify for a free audit for enterprises
www.finjan.com/RUSafe

CfP hack.lu 2008

2008-05-15T23:57:54Z

Call for Papers Hack.lu 2008

The purpose of the hack.lu convention is to give an open and free
playground where people can discuss the implication of new technologies
in society.

hack.lu is a balanced mix convention where technical and non-technical
people can meet each others and share freely all kind of information.

The convention will be held in the Grand-Duchy of Luxembourg in October
2008 (22-24.10.2008).

Scope

======

Topics of interest include, but are not limited to :

* Software Engineering and Security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Newly discovered vulnerabilities in software and hardware
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Security in Information Retrieval
* Network security
* Forensics and Anti-Forensics
* Mobile communications security and vulnerabilities

Deadlines

=========

The following dates are important if you want to participate in the CfP

Abstract submission : no later than 1 July 2008
Full paper submission : no later than 1st August 2008
Notification date : around end of August

Submission guideline (for standard paper track)

====================

Authors should submit a paper in English up to 5.000 words, using a
non-proprietary and open electronic format.

The program committee will review all papers and the author of each
paper will be notified of the result, by electronic means.

Abstract is up to 400 words. Submissions must be sent via the
http://www.hack.lu/ website.

Submissions should also include the following:

1. Presenter, and geographical location (country of origin/passport)and
contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important
tutorial.
6. Optionally, any samples of prepared material or outlines ready.
7. Information about if yes or no the submission has already been
presented and where.

The information will be used only for the sole purpose of the hack.lu
convention including the information on the public website.

If you want to remain anonymous, you have the right to use a nickname.

(Accepted) Speakers' Privileges

====================

* Accommodation will be provided (3 nights)
* Travel expenses will be covered
* Conference speakers night

Publication and rights

======================

Authors keep the full rights on their publication/papers but give an
unrestricted right to redistribute their papers for the hack.lu convention
and its related electronic/paper publication.

Sponsoring

==========

If you want to support the initiative and gain visibility by sponsoring,
please contact us by writing an e-mail to info(AT)hack.lu

Web site

======

http://www.hack.lu/

Barcamp and interactive session

====================

During the conference, there is a continuous interactive session. You
are also very welcome to participate to submit small ideas, presentation
or poster. The review process is simplified and open to anyone willing
to take an active role during the conference. You can submit your
proposal using the same web interface for the barcamp but you don't
require to submit a full paper.

Submissions are done via the hack.lu website (http://www.hack.lu/)

The hack.lu conference is organized by the ASBL CSRRT-LU (Computer
Security Research and Response Team Luxembourg)

-----------------------------------------------------------------
Uncover stealthy Trojans and malware in corporate web traffic
Anti-virus and URL filtering solutions provide only a limited solution to evasive crimeware.
Qualify for a free audit for enterprises
www.finjan.com/RUSafe

Re: Verify alternation and tracing the source of digital photos

2008-05-13T12:37:55Z

Unless you have a MD5 or SHA value of the original it is a pretty daunting task. I came across this article from wired while doing a research paper. Here is the link. http://www.wired.com/gadgets/digitalcameras/news/2007/03/72883

-----------------------------------------------------------------
Uncover stealthy Trojans and malware in corporate web traffic
Anti-virus and URL filtering solutions provide only a limited solution to evasive crimeware.
Qualify for a free audit for enterprises
www.finjan.com/RUSafe

[Fwd: NZ cops get 'COFEE' to capture PC evidence]

2008-05-03T08:32:32Z

Interesting news from New Zeland, I wonder how to get a copy. ;o)
-Aron-

-------- Original Message --------

http://www.stuff.co.nz/4507443a28.html

NZ cops get 'COFEE' to capture PC evidence
NZPA | Saturday, 03 May 2008

New Zealand police have been given a small plug-in device that
investigators can use to quickly extract forensic data from computers
that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence
Extractor, is a prototype of a USB "thumb drive" that Microsoft has
quietly distributed to a few law-enforcement agencies around the
world.

A spokesman at police national headquarters said today: "Police have
been issued with the COFEE tool by Microsoft and the E-Crime Lab's
digital forensic analysts have been trained in the use of it".

New Zealand police had an excellent relationship with the software
company, which had provided specialist training to digital forensic
analysts and investigators, he said.

Overseas, experts in computer forensics have said the preconfigured,
automated tool can carry out in 20 minutes, with the click of one
button, 150 complex commands that previously required a manual process
taking three to four hours.

Microsoft general counsel Brad Smith confirmed the device dramatically
cut the time required to gather the digital evidence which is becoming
more important in real-world crime, as well as cybercrime.

It can decrypt passwords and analyse a computer's internet activity,
as well as data stored in the computer.

The tiny device also eliminates the need to seize a computer itself,
which typically involves disconnecting from a network, turning off the
power and potentially losing data. Instead, the investigator can scan
for evidence on site.

It was provided for free, Mr Smith told the Seattle Times newspaper,
because the software company was working to help ensure that the
internet stayed safe.

"It's basically a thumb drive that is like a Swiss army knife for law
enforcement officials that are investigating computer crimes.

"If you're a law enforcement official and let's say you have access to
a computer that might be used, for example, by a child predator, a lot
of times they have information on their hard disk that's encrypted,
and you've got that information off in order to have a successful
investigation and prosecution.

"In the past, people would have to literally unplug the computer, they
would lose whatever was in RAM. They'd have to transport it somewhere
else, and it would take at least four hours, often more to get at the
heart of the information."

COFEE was developed by Anthony Fung, a former Hong Kong police officer
working as a senior investigator on Microsoft's internet safety team.

-----------------------------------------------------------------
Uncover stealthy Trojans and malware in corporate web traffic
Anti-virus and URL filtering solutions provide only a limited solution to evasive crimeware.
Qualify for a free audit for enterprises
www.finjan.com/RUSafe

Verify alternation and tracing the source of digital photos

2008-02-01T02:00:40Z

Hi List,

A case of digital photos circulated on the Internet formus, I need your
helps in find out answers for 2 answers:

1. Are there any tools that we could used to verify if a digital photo
has been altered?

2. As those photos are posted on various formus, how to trace back the
original source of the photos? I think even though we could obtain all logs
(for timeline analysis) from the forums that those pictures are found, but
we could not rule out that some more sources are missed.

Thanks for answering in advance.

Frankie

-----------------------------------------------------------------
Uncover stealthy Trojans and malware in corporate web traffic
Anti-virus and URL filtering solutions provide only a limited solution to evasive crimeware.
Qualify for a free audit for enterprises
www.finjan.com/RUSafe

Advice on transferring forensic image

2007-12-04T04:35:16Z

Folks,

one of my cases has been going on for almost half a year
now. Unfortunately, I now do have the need to transfer
the forensic dd image to another target disk which will
then become the case disk.

Is there anything other than the usual stuff (securely
erase the 'new' disk, create checksums before copying,
transfer the image using dcfldd, create checksums after
copying, securely erase the 'old' disk, document the whole
process) which needs to be done?

Am I missing anything important here?

Cheers,

Stefan.

--------------------------------------------------------
T.I.S.P. - Lassen Sie Ihre Qualifikation zertifizieren
vom 25.-29.02.2008 - http://www.secorvo.de/college/tisp/
--------------------------------------------------------
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
stefan.kelm@..., http://www.secorvo.de/
PGP: 87AE E858 CCBC C3A2 E633 D139 B0D9 212B

Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox

-----------------------------------------------------------------
Uncover stealthy Trojans and malware in corporate web traffic
Anti-virus and URL filtering solutions provide only a limited solution to evasive crimeware.
Qualify for a free audit for enterprises
www.finjan.com/RUSafe

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-26T13:17:27Z

Greetings,

First off, use a hardware write blocker if you really want to be
certain nothing is going back to the drive.

Then, you can cover all the bases quite neatly by making multiple
forensic copies of the evidence disk. Allow one to mount "normally".
Mount one with a write blocker. Mount one with a different kernel.
Mount one .... Etc. Compare and contrast ...

-David

On Nov 24, 2007, at 9:49 PM, Krassimir Tzvetanov wrote:

> Well this is a little one sided.
>
> When you are preserving a hard disk you want a snapshot in the moment
> it was seized. This would mean that you should not do any alteration
> after that point and I'll ask you to consider two cases that will show
> you where I come from.
>
> 1. The journal replay may overwrite some chunks of data you may want
> to have linked the way they were. I.e. somebody did "rm -rf /" the
> moment the agents were serving a no know warrant (and if they turned
> off the machine the files will be still linked).
>
> 2. The kernel of the system you are running may have a bug that may
> result in a different behavior than the system being investigated. (or
> vice versa the system may had "special patches" applied that might
> cause your data replay to corrupt data.
> Even further think about a patch that ignores certain records of the
> journal file and those records when applied by a "unpatched kernel"
> unlink certain files (or overwrite them with random data).
> You should also do separate analysis on the journal itself to
> determine what contents it contains.
> Having said all that I do not reject the ability to present as a
> separate evidence replayed journal (*and note you did that*) to the
> investigators/court.
>
> Regards,
> Krassi

RE: Converting an external hard drive enclosure into a write blocker?

2007-11-26T13:13:03Z

Tableau makes good write blockers for many different types of
connections.

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Matthew Pepe
Sent: Saturday, November 24, 2007 8:24 PM
To: Terry Roebuck
Cc: forensics@...
Subject: Re: Converting an external hard drive enclosure into a write
blocker?

The easiest thing to do is to use a bridge whose firmware can be
modified to take a different action upon the issuance of a write (or
write-related) command. Operating systems will react differently
depending upon whether the device returns an error code, success code,
or remains quiet. The bottom line is that you need to intercept
packetized commands - write enable is not based off of a pin pulled high
or low. For more information, check out the ATA/ATAPI5 documents from
the T13 working group.

- Matt

On Nov 20, 2007, at 11:11 AM, Terry Roebuck wrote:

> A*nix mount with DD would be my option of choice, but for windows, I
> hesitatingly ask could you not modify an IDE cable to make any
> connected drive 'read-only' (might require a resistor - not sure if
> you can just clip a wire? - maybe some one with better EE skills could

> answer that?)

Call for Papers -- Journal of Digital Forensics Practice

2007-11-26T07:56:03Z

Hi all!

My apologies for any duplicate posts!

Attached is a Call for Papers for the next issue of the Journal of Digital Forensics Practice. We are specifically seeking practitioner articles for this peer-reviewed, high-quality publication.

Feel free to contact me or editor-in-chief Marc Rogers (rogersmk@...) with any questions!

Later!
/kess

==========================================================================
Gary C. Kessler gary.kessler@...
Associate Professor Project Director
Dir., Center for Digital Investigation Information Security
Prog. Dir., Computer & Digital Forensics Vt. Information Technology Ctr.

Champlain College Office: +1 802-865-6460
West Hall, Room 107 Fax: +1 802-865-6446
163 South Willard Street Cell: +1 802-238-8913
Burlington, VT 05401 Skype: gary.c.kessler

http://c3di.champlain.edu kumquat@...
http://digitalforensics.champlain.edu http://www.garykessler.net
PGP Public Keys: http://www.garykessler.net/kumquat_pubkey.html
http://digitalforensics.champlain.edu/gck/GaryKessler.asc

JDFP-CFP.doc (86K) Download Attachment

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-26T07:05:12Z

A*nix read only mount would be my option of choice, but for windows, I
hesitatingly ask could you not modify an IDE cable to make any connected
drive 'read-only' (might require a resistor - not sure if you can just
clip a wire? - maybe some one with better EE skills could answer that?)

Stefan Kelm wrote:

>>you can mount the storage as read-only - any unix filesystem will
>>support read-only mount, and provided your root account isnt
>>compromised, no one can remount it as write. Root cant write to
>>read-only mounted filesystems without remount either.
>>
>>mount -r /dev/da2 /readonly in BSD land..
>>
>>
>
>Beware, however, that on journaling file systems such as
>ReiserFS or EXT3 you might incidentially change the file
>system although it is mounted read-only:
>
>http://www.mail-archive.com/reiserfs-list@.../msg20263.html
>
>Cheers,
>
> Stefan.
>
>--------------------------------------------------------
>Stefan Kelm
>Security Consultant
>
>Secorvo Security Consulting GmbH
>Ettlinger Strasse 12-14, D-76137 Karlsruhe
>Tel. +49 721 255171-304, Fax +49 721 255171-100
>stefan.kelm@..., http://www.secorvo.de/
>PGP: 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
>
>Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
>
>

--

Terry Roebuck
Dept. of Computer Science
http://www.cs.usask.ca/people/faculty.shtml
University of Saskatchewan
306 966 2532 (office)
306 966 4884 (dept office)
terry.roebuck@...

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-24T23:00:44Z

On Apr 12, 4:47am, Terry Roebuck wrote:
}
} A*nix mount with DD would be my option of choice, but for windows, I
} hesitatingly ask could you not modify an IDE cable to make any connected
} drive 'read-only' (might require a resistor - not sure if you can just
} clip a wire? - maybe some one with better EE skills could answer that?)

As I pointed out sometime in the last couple of weeks when this
question was first asked, the difference between read and write is the
command sent to the drive. There is nothing you can do to the cable to
stop writing that won't also stop reading. You have to have an
intelligent device that will monitor the commands sent to the drive and
abort any write commands.

}-- End of excerpt from Terry Roebuck

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-24T21:49:07Z

Well this is a little one sided.

When you are preserving a hard disk you want a snapshot in the moment
it was seized. This would mean that you should not do any alteration
after that point and I'll ask you to consider two cases that will show
you where I come from.

1. The journal replay may overwrite some chunks of data you may want
to have linked the way they were. I.e. somebody did "rm -rf /" the
moment the agents were serving a no know warrant (and if they turned
off the machine the files will be still linked).

2. The kernel of the system you are running may have a bug that may
result in a different behavior than the system being investigated. (or
vice versa the system may had "special patches" applied that might
cause your data replay to corrupt data.
Even further think about a patch that ignores certain records of the
journal file and those records when applied by a "unpatched kernel"
unlink certain files (or overwrite them with random data).
You should also do separate analysis on the journal itself to
determine what contents it contains.
Having said all that I do not reject the ability to present as a
separate evidence replayed journal (*and note you did that*) to the
investigators/court.

Regards,
Krassi

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-24T17:23:59Z

The easiest thing to do is to use a bridge whose firmware can be
modified to take a different action upon the issuance of a write (or
write-related) command. Operating systems will react differently
depending upon whether the device returns an error code, success code,
or remains quiet. The bottom line is that you need to intercept
packetized commands - write enable is not based off of a pin pulled
high or low. For more information, check out the ATA/ATAPI5 documents
from the T13 working group.

- Matt

On Nov 20, 2007, at 11:11 AM, Terry Roebuck wrote:

> A*nix mount with DD would be my option of choice, but for windows, I
> hesitatingly ask could you not modify an IDE cable to make any
> connected drive 'read-only' (might require a resistor - not sure if
> you can just clip a wire? - maybe some one with better EE skills
> could answer that?)

smime.p7s (3K) Download Attachment

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-21T13:08:03Z

On Fri, 16 Nov 2007 22:14:07 EST, Max Gribov said:
> Tom,
> you can mount the storage as read-only - any unix filesystem will
> support read-only mount, and provided your root account isnt
> compromised, no one can remount it as write. Root cant write to
> read-only mounted filesystems without remount either.

Note that most journaled file systems (on Linux, this includes ext3, reiserfs,
jfs, and xfs) will insist on replaying the journal and thus making changes
to the disk, even when mounting as read-only.

You'd really want to have some other utility that captures the journal
datastream before you do the mount, and then a utility to reverse-apply
the changes. In some cases, this may not be doable, as the journal doesn't
record what the status was *before* the event - for instance, a file permission
change event may only have the *new* value listed, so you can't roll it back.

There's also another issue - if you *do* create a "mount without journal
replay", you're quite likely going to screw things up gloriously, as the
whole *point* of the journal is to gloss over inconsistent data that hasn't
been fully synced to disk. You don't replay the journal, you may find some
parts of the filesystem (those that are affected by live journal entries)
won't be accurate, or may even crash the system. Of course, there's a very
high probability that "the files that the hacker was working on when we
pulled the plug" are *exactly* the pieces most likely to be zorkumblattum
if you don't replay the journal....

And I won't even get into the forensics-relevant semantics of ext3's
data=journaled/ordered/writeback options, other than to note that they *do*
have forensics implications....

attachment0 (234 bytes) Download Attachment

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-20T08:11:26Z

A*nix mount with DD would be my option of choice, but for windows, I
hesitatingly ask could you not modify an IDE cable to make any connected
drive 'read-only' (might require a resistor - not sure if you can just
clip a wire? - maybe some one with better EE skills could answer that?)

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-20T00:27:03Z

> you can mount the storage as read-only - any unix filesystem will
> support read-only mount, and provided your root account isnt
> compromised, no one can remount it as write. Root cant write to
> read-only mounted filesystems without remount either.
>
> mount -r /dev/da2 /readonly in BSD land..

Beware, however, that on journaling file systems such as
ReiserFS or EXT3 you might incidentially change the file
system although it is mounted read-only:

http://www.mail-archive.com/reiserfs-list@.../msg20263.html

Cheers,

Stefan.

--------------------------------------------------------
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
stefan.kelm@..., http://www.secorvo.de/
PGP: 87AE E858 CCBC C3A2 E633 D139 B0D9 212B

Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox

RE: Converting an external hard drive enclosure into a write blocker?

2007-11-19T11:06:11Z

http://irongeek.com/i.php?page=security/thumbscrew-software-usb-write-blocke
r

"If you want to go the cheapest route, use a linux system with auto mounting
disabled and buy some USB or Firewire drive enclosures. If you go this route
make sure you create a documented procedure for acquiring evidence and
follow it every time. You might even go as far as to record the history of
your shell commands as part of your digital case file."- warquel Re:
Forensic write blockers < Reply #1 on: July 05, 2007, 12:28:52 AM >
http://www.ethicalhacker.net/index.php?option=com_smf&Itemid=&topic=1405.msg
5441

Hope this helps!

Kian
White Hat Group

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Tom Yarrish
Sent: Tuesday, November 13, 2007 7:00 PM
To: forensics@...
Subject: Converting an external hard drive enclosure into a write blocker?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,
I wanted to find out if there was a method to convert an external
hard drive enclosure into a "cheap" write blocker device? I'm not
looking for something to use from a forensic standpoint. Basically
if I want to put a hard drive into an enclosure and pull data/burn
data to DVD/whatever off of it, but prevent anything from being
written to the drive, I can do that.

Thanks ahead of time,
Tom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFHOmStZWzkfeDiTw4RAqcdAJ9FZ+QX3tnajnV4yaUPhK/R/xcqogCfV9Br
h+Fb956D4hQWWJ2roctoIT8=
=EOp6
-----END PGP SIGNATURE-----

RE: [Fwd: AOL file structure and utilities]

2007-11-18T05:24:39Z

We have used ePreserver Forensic for pfc files.

http://www.connectedsw.com/Overview/36400.

Greg Kelley, EnCE
Vestige, Ltd

-----Original Message-----
From: listbounce@... on behalf of James G. McIntyre
Sent: Fri 11/16/2007 12:01 PM
To: forensics@...
Cc:
Subject: [Fwd: AOL file structure and utilities]

Anyone know of any docs or utilities for analyzing AOL files, for
example
pfc and feedbag etc. ?

Any assistance would be appreciated.

Jim Mc....

--

--
James G. McIntyre
Senior Consultant
SANS/GIAC - GCIA Certified Intrusion Analyst
- GCFW Certified Firewall Analyst
- GAWN Auditing Wireless Networks
- GWAS Web Application Security
HP-UX Certified System Administrator

McIntyre & Associates, Inc.
Virginia Tech Corporate Research Center
2020 Kraft Drive, Suite 3005
Blacksburg, VA 24060
540-552-9090
www.mcintyresecurity.com

PROPRIETARY NOTICE
This e-mail and its attachments contain proprietary information that is
intended only for the individual or entity indicated. If you are not
the
intended recipient, you are hereby notified that the disclosure,
copying,
distribution or use of the contents of this transmission is strictly
prohibited, and no privilege or protection has been waived. If you have
received this communication in error, please notify the sender
immediately
and then delete the message from your computer.

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-17T14:19:18Z

If it is a USB enclosure and you have Windows XP service Pack 2 use
the USB write Protect.

http://www.m2cfg.com/usb_writeblock.htm

Turn write block on before plugging in the drive.

Thanks

Mike

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-16T23:58:09Z

If your computer is running Windows XP Service Pack 2, see
http://www.accessdata.com/media/en_US/print/papers/wp.USB_Write_Protect.en_us.pdf

Tom Yarrish wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey all,
> I wanted to find out if there was a method to convert an external hard
> drive enclosure into a "cheap" write blocker device? I'm not looking
> for something to use from a forensic standpoint. Basically if I want
> to put a hard drive into an enclosure and pull data/burn data to
> DVD/whatever off of it, but prevent anything from being written to the
> drive, I can do that.
>
> Thanks ahead of time,
> Tom
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (Darwin)
>
> iD8DBQFHOmStZWzkfeDiTw4RAqcdAJ9FZ+QX3tnajnV4yaUPhK/R/xcqogCfV9Br
> h+Fb956D4hQWWJ2roctoIT8=
> =EOp6
> -----END PGP SIGNATURE-----
>

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-16T19:25:15Z

On Apr 5, 3:35pm, Tom Yarrish wrote:
}
} I wanted to find out if there was a method to convert an external
} hard drive enclosure into a "cheap" write blocker device? I'm not

The only difference between read and write is the command issued.
You would need an intelligent adapter that sits between the cable
coming into the enclosure and the drive which analyses all commands and
aborts any write commands.

}-- End of excerpt from Tom Yarrish

Re: Converting an external hard drive enclosure into a write blocker?

2007-11-16T19:14:07Z

Tom,
you can mount the storage as read-only - any unix filesystem will
support read-only mount, and provided your root account isnt
compromised, no one can remount it as write. Root cant write to
read-only mounted filesystems without remount either.

mount -r /dev/da2 /readonly in BSD land..

Id say thats the easiest route without buying specialized hardware.

Sorry if this is something you already tried/thought about..

Tom Yarrish wrote:

[Fwd: AOL file structure and utilities]

2007-11-16T09:01:43Z

Anyone know of any docs or utilities for analyzing AOL files, for example
pfc and feedbag etc. ?

Any assistance would be appreciated.

Jim Mc....

--

--
James G. McIntyre
Senior Consultant
SANS/GIAC - GCIA Certified Intrusion Analyst
- GCFW Certified Firewall Analyst
- GAWN Auditing Wireless Networks
- GWAS Web Application Security
HP-UX Certified System Administrator

McIntyre & Associates, Inc.
Virginia Tech Corporate Research Center
2020 Kraft Drive, Suite 3005
Blacksburg, VA 24060
540-552-9090
www.mcintyresecurity.com

PROPRIETARY NOTICE
This e-mail and its attachments contain proprietary information that is
intended only for the individual or entity indicated. If you are not the
intended recipient, you are hereby notified that the disclosure, copying,
distribution or use of the contents of this transmission is strictly
prohibited, and no privilege or protection has been waived. If you have
received this communication in error, please notify the sender immediately
and then delete the message from your computer.

Patchlevel 2 release open computer forensics architecture.

2007-11-16T00:36:49Z

The new 2.0.6pl2 release of the open computer forensics architecture
(ocfa) has been put on sourceforge. The most important patches are:

* More strict configure scripts.
Fixes in configure for 64 bit (suse) platforms.
* Aditional rulelist for SLES 9, to work around the
problem that unzip is compiled without large file
support. As a workaround 7z module is used.
* Workaround for 7z bug that makes it produce its input file
as output if the file names ends with 'aa'
* Added workaround for indexer memory allocation problem.
Clucene grows its memory usage to about 4 times the size of
the largest file it is given to index, the workaround now makes
sure the indexer does not get and/or process large files.

The indexer problem solution, being a workaround is something we will take
as a main priority for upcomming releases. We are considdering dropping
the clucene based indexer and moving to the java version of lucene.
The upcomming 2.0.8 release will include some enhancements (xml based
serialisation for messaging) that should allow more easy integration of
other programming languages based modules, that should help us move more
cleanly to the java implementation of lucene.

CarvFs/LibEwf integration has run into an unexpected delay as a result of
composit memory consumption of carvfs/libewf in situations where numerous
encase images are mounted into the repository and are then iterated.

Rob Meijer

Re: Log in as administrator with live data collection CD?

2007-11-15T16:33:24Z

Matt and Kelly,

> I guess there is one point here that leads to
> possible issues a cd to forensically collect
> evidence for law enforcement would require that
> you collect the data with a device that could
> not write to the hard disk,

What if you could collect the data you needed, but know and be able to show that the likelihood of you changing data is low to unlikely?

> The issue with a disk that would collect
> real-time as the OS was logged in with a
> administrator would give you the ability to
> change the data

It may give you the ability, but that doesn't mean that you're going to destroy or create evidence. In the real world, LEOs have the ability all the time to plant or modify evidence...but that doesn't mean that they do.

>> I could use PSexec or runas or something to log
>> in as administrator, but I have a concern that
>> this may alter important information on the
>> computer.

Of course it will...any time you interact with a live machine, you're going to alter something. The question isn't one of altering data on the system, but can you show that you understand that, and do you have documentation of your actions?

LEOs interact with crime scenes and evidence all the time. However, they have processes and documentation...why should the digital world be any different?

>> The question I have is, what is the best policy
>> when creating a forensic boot disk?

Okay, I'm confused...you started out asking about a "live data collection forensic CD", and know int the same paragraph you're referring to a forensic boot disk. You're aware, I'm sure, that a bootdisk obviates the need for a "live data collection forensic CD".

>> Is it best to wait for the information or have
>> the CD log in as local administrator to collect
>> information in a timely fashion before shutting
>> down? I do have the local admin password so
>> that is not an issue. I am talking about
>> windows boxes.

I would think that it would be best to document what you do thoroughly. Do some testing to show due diligence, and then document what you do.

Harlan
http://windowsir.blogspot.com

Converting an external hard drive enclosure into a write blocker?

2007-11-13T18:59:56Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,
I wanted to find out if there was a method to convert an external
hard drive enclosure into a "cheap" write blocker device? I'm not
looking for something to use from a forensic standpoint. Basically
if I want to put a hard drive into an enclosure and pull data/burn
data to DVD/whatever off of it, but prevent anything from being
written to the drive, I can do that.

Thanks ahead of time,
Tom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFHOmStZWzkfeDiTw4RAqcdAJ9FZ+QX3tnajnV4yaUPhK/R/xcqogCfV9Br
h+Fb956D4hQWWJ2roctoIT8=
=EOp6
-----END PGP SIGNATURE-----

Re: Forensics on Terminal Server Client

2007-11-13T08:59:39Z

If you dump one of the *.bmc files it's pretty obvious from the number
of repeating byte patterns that it's not compressed (or encrypted).

And if you compress one of the files, it will compress nicely, which
is a fairly good indicator that they're not compressed to begin with.

On Nov 10, 2007 3:28 PM, Mike Theriault <Mike_Theriault@...> wrote:
> It's probably compressed so in that case you probably wont find any header information.
>
> Mike Theriault
> Security Enginer

Re: Log in as administrator with live data collection CD?

2007-11-11T08:08:09Z

I guess there is one point here that leads to possible issues a cd to
forensically collect evidence for law enforcement would require that
you collect the data with a device that could not write to the hard
disk, or alter data in any way. The issue with a disk that would
collect real-time as the OS was logged in with a administrator would
give you the ability to change the data prior to collection, thusly
you don't have credibility on the collection of the data in its
original form.

as for your 20 min problem, I assume that your hitting a timeout of
file access due to permissions, so you might want to code in a error
routine so that your not waiting on windows API to time out.

I created a super "slurp" tool a while back primarily used for backup
of data in a flash, also for non-legal investigation work.

On Nov 7, 2007 5:41 AM, Matthew Webster <awakenings@...> wrote:

> Hello,
>
> I am almost finished creating a live data collection forensic CD, but I've noticed it is slow (20 minutes when it should be 3-5 minutes) when running on computers that are not logged in as administrator. I could use PSexec or runas or something to log in as administrator, but I have a concern that this may alter important information on the computer. The question I have is, what is the best policy when creating a forensic boot disk? Is it best to wait for the information or have the CD log in as local administrator to collect information in a timely fashion before shutting down? I do have the local admin password so that is not an issue. I am talking about windows boxes.
>
> Thanks,
>
> Matt
>
>
>

RE: Forensics on Terminal Server Client

2007-11-10T12:28:39Z

It's probably compressed so in that case you probably wont find any header information.

Mike Theriault
Security Enginer

CanSecWest 2008 CFP (deadline Nov 30, conf Mar 26-28) and PacSec Dojo's

2007-11-08T20:24:13Z

I'd like to congratulate Adam Laurie for winning the second Powerbook
from the Pwn_to_Own contest as the prize for the best speaker rated
by the audience for his presentation on RFID at CanSecWest 2007.
We will have a similar prize for the best speaker at CanSecWest 2008,
prize TBD (but we promise it will be cool - depending on what we find
trawling though the electronics shops in Akihabara this year :).

**

The Security Masters Dojo courses available at PacSec in Tokyo
on November 27/28 2007 have been updated. The final list is:

Ultimate Web Hacking - Yeng-Min Chen (Japanese)
Reverse Engineering - Yuji Ukai (Japanese)
The Exploit Laboratory - Saumil Shah (English)
Advanced Honeypot Tactics - Thorsten Holz (English)
Advanced Linux Hardening - Andrea Barisani (English)
Bugfinding with the Immunity Debugger - Nicolas Waisman & Kostya
Kortchinski (English)
Practical 802.11 Wi-Fi (In)Security - Cedric Blancher (English)

**

CanSecWest 2008 CALL FOR PAPERS

VANCOUVER, Canada -- The ninth annual CanSecWest applied technical
security conference - where the eminent figures in the
international security industry will get together share best
practices and technology - will be held in downtown Vancouver at
the the Mariott Renaissance Harbourside on March 26-28, 2008. The
most significant new discoveries about computer network hack
attacks and defenses, commercial security solutions, and pragmatic
real world security experience will be presented in a series of
informative tutorials.

The CanSecWest meeting provides international researchers a
relaxed, comfortable environment to learn from informative
tutorials on key developments in security technology, and
collaborate and socialize with their peers in one of the world's
most scenic cities - a short drive away from one of North
America's top skiing areas.

The CanSecWest conference will also feature the availability of
the Security Masters Dojo expert network security sensei
instructors, and their advanced, and intermediate, hands-on
training courses - featuring small class sizes and practical
application excercises to maximize information transfer.

We would like to announce the opportunity to submit papers, and/or
lightning talk proposals for selection by the CanSecWest technical
review committee. This year we will be doing one hour talks, and
some shorter 20/30 minute talk sessions.

Please make your paper proposal submissions before November 30th,
2007.

Some invited papers have been confirmed, but a limited number of
speaking slots are still available. The conference is responsible
for travel and accomodations for the speakers. If you have a
proposal for a tutorial session then please email a synopsis of
the material and your biography, papers and, speaking background
to _secwest08_@... (please remove _'s). Only
slides will be needed for the March paper deadline, full text does
not have to be submitted - but will be accepted if available.

The CanSecWest 2008 conference consists of tutorials on technical
details about current issues, innovative techniques and best
practices in the information security realm. The audiences are a
multi-national mix of professionals involved on a daily basis with
security work: security product vendors, programmers, security
officers, and network administrators. We give preference to
technical details and new education for a technical audience.

The conference itself is a single track series of presentations in
a lecture theater environment. The presentations offer speakers
the opportunity to showcase on-going research and collaborate with
peers while educating and highlighting advancements in security
products and techniques. The focus is on innovation, tutorials,
and education instead of product pitches. Some commercial content
is tolerated, but it needs to be backed up by a technical
presenter - either giving a valuable tutorial and best practices
instruction or detailing significant new technology in the
products.

Paper proposals should consist of the following information:
1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal address,
phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph
description.
6. Reason why this material is innovative or significant or an
important tutorial.
7. Optionally, any samples of prepared material or outlines
ready.
8. Will you have full text available or only slides?
9. Please list any other publications or conferences where this
material has been or will be published/submitted.

Please include the plain text version of this information in your
email as well as any file, pdf, odt, docx, ppt, or html attachments.

Please forward the above information to _secwest08_@...
(remove _'s) to be considered for placement on the speaker
roster, or have your lightning talk scheduled.

You can find more information at:
http://pacsec.jp and http://cansecwest.com

The Vancouver Dojos will be held on March 24/25 and will
be announced shortly.

cheers.
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 29/30 - 2007 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

Log in as administrator with live data collection CD?

2007-11-07T05:41:08Z

Hello,

I am almost finished creating a live data collection forensic CD, but I've noticed it is slow (20 minutes when it should be 3-5 minutes) when running on computers that are not logged in as administrator. I could use PSexec or runas or something to log in as administrator, but I have a concern that this may alter important information on the computer. The question I have is, what is the best policy when creating a forensic boot disk? Is it best to wait for the information or have the CD log in as local administrator to collect information in a timely fashion before shutting down? I do have the local admin password so that is not an issue. I am talking about windows boxes.

Thanks,

Matt

CFP: 2008 ADFSL Conference on Digital Forensics, Security and Law

2007-11-06T18:06:37Z

=======================================================================
* * * C A L L F O R P A P E R S A N D P R O P O S A L S * * *
=======================================================================
Dear colleagues:

The ADFSL 2008 Conference on Digital Forensics, Security and Law will be
held in Oklahoma City, Oklahoma USA on April 23-25, 2008 and is calling
for papers and proposals in, or related to, the following areas.

CURRICULUM
1) Digital forensics curriculum
2) Cyber law curriculum
3) Information assurance curriculum
4) Accounting digital forensics curriculum

TEACHING METHODS
5) Digital forensics teaching methods
6) Cyber law teaching methods
7) Information assurance teaching methods
8) Accounting digital forensics teaching methods

CASES
9) Digital forensics case studies
10) Cyber law case studies
11) Information assurance case studies
12) Accounting digital forensics case studies

INFORMATION TECHNOLOGY
13) Digital forensics and information technology
14) Cyber law and information technology
15) Information assurance and information technology
16) Accounting digital forensics information technology

NETWORKS AND THE INTERNET
17) Digital forensics and the Internet
18) Cyber law and the Internet
19) Information assurance and Internet
20) Digital forensics accounting and the Internet

ANTI-FORENSICS AND COUNTER ANTI-FORENSICS
21) Stegonography
22) Stylometrics and Author Attribution
23) Anonymity and Proxies
24) Encryption and Decryption

INTERNATIONAL ISSUES
25) International issues in digital forensics
26) International issues in cyber law
27) International issues in information assurance
28) International issues in accounting digital forensics

THEORY
29) Theory development in digital forensics
30) Theory development in information security
31) Methodologies for digital forensic research
32) Analysis techniques for digital forensic and security research

The deadline for submissions is midnight EST, January 15, 2008.
Abstracts may be submitted for review. Papers whose abstracts are
accepted pending final paper review must have the final paper submitted
by midnight EST, March 1, 2008.

Submission Types

Short briefing papers: Such papers need not be extensive. A technology
or a management briefing on an aspect of digital forensics, information
assurance, and/or cyber law would be enough. Such papers will be
presented by the author in a round table discussion format at the
conference. Typical length would be around 1500-2000 words.

Research papers: Such papers need to be extensive. Usually a research
question or an argument is posed and subsequently conducted. Empirical
work (quantitative or qualitative) would be necessary. Research papers
will be presented by the authors in a regular conference session.
Typical length would be around 5000-6000 words. All research papers will
be considered for publication in the Journal of Digital Forensics,
Security and Law (JDFSL).

Case Studies: Case studies are typically descriptions of a given digital
forensics situation. Names of organizations/actors can be kept anonymous
to maintain confidentiality. Case studies will be presented by the
authors at the conference. Typical length would be around 5000-6000
words. All case studies will be considered for publication in the
Journal of Digital Forensics, Security and Law (JDFSL).

Panels: Panels and workshop proposals are welcome. These would typically
be around 1000 words long and cover a current technology or a
controversial issue.

The primary audience will include individuals who are interested in
developing curriculum and teaching methods as well as conducting
research related to the areas of digital forensics, security and law.
This conference will be of value to both academic and practitioner
audiences.
All submissions are double blind peer reviewed.

ADDITIONAL INFORMATION FOR THE CONFERENCE IS AT:
http://www.digitalforensics-conference.org

REGISTRATION INFORMATION IS AT:
http://www.digitalforensics-conference.org/registration.htm

The Chair of the conference is Dr. David P. Biros.
Dr. Biros may be reached via email at david.biros@...

Association for Digital Forensics, Security and Law
Website: http://www.adfsl.org

Journal of Digital Forensics, Security and Law
Website: http://www.jdfsl.org

Call For Papers - DFRWS 2008

2007-11-06T04:38:35Z

Call for Papers
The 8th Annual DFRWS Conference (DFRWS 2008)
August 11-13, 2007
Baltimore, MD, USA
www.dfrws.org
dfrws2008 <at> dfrws <dot> org

DFRWS brings together leading researchers, developers, practitioners,
and educators interested in advancing the state of the art in digital
forensics from around the world. As the most established venue in
the field, DFRWS is the preferred place to present both cutting-
edge research and perspectives on best practices for all aspects
of digital forensics. As an independent organization, we promote
open community discussions and disseminate the results of our work
to the widest audience.

We invite original contributions as research papers, panel proposals,
Work-in-Progress talks, and demo proposals. All papers are evaluated
through a double-blind peer-review process, and those accepted will
be published in printed proceedings by Elsevier.

Topics of Interest
------------------
* Incident response and live analysis
* Network-based forensics, including network traffic analysis,
traceback and attribution
* Event reconstruction methods and tools
* File system and memory analysis
* Application analysis
* Embedded systems
* Small scale and mobile devices
* Large-scale investigations
* Digital evidence storage and preservation
* Data mining and information discovery
* Data hiding and recovery
* File extraction from data blocks ("file carving")
* Multimedia analysis
* Tool testing and development
* Digital evidence and the law
* Anti-forensics and anti-anti-forensics
* Case studies and trend reports
* Non-traditional approaches to forensic analysis

The above list is only suggestive. We welcome new, original ideas
from people in academia, industry, government, and law enforcement
who are interested in sharing their results, knowledge, and experience.
Authors are encouraged to demonstrate the applicability of their
work to practical issues. Questions about submission topics can
be sent via email to: dfrws2008 <at> dfrws <dot> org.

Important Dates
---------------
Submission deadline: March 17, 2008
Author notification April 28, 2008
Final drafts due May 12, 2008

Publication Criteria
--------------------
Research papers must be original contributions, not substantially
duplicate previous work, and must not be under simultaneous publication
review elsewhere. The review process will be "double-blind" (the
reviewers will not know who the authors are, and the authors will
not know who the reviewers are). Therefore, the version submitted
for review should not contain the names or affiliations of the
authors. When referring to their own previous work, authors should
use the third person instead of the first person (i.e. "Smith and
Jones [2] previously determined..." instead of "We [2] previously
determined.."). Authors are expected to present their work in person
at the workshop and must have at least one registration per paper
in order to be included in the proceedings.

Papers must be written in English and should not exceed 10
single-spaced, two-column pages with 1 inch margins and 10pt font.
Authors will be given 30 minutes to present their paper.

Panel proposals should be one to three pages and clearly describe
the topic, its relevance and a list of potential panelists and their
biographies. Panels will be evaluated based on the topic relevance
and diversity of the panelists.

Proposals for demonstrations of proof of concept and research-based
tools are also welcome. Proposals should describe the tool, its
relevance to the forensics field and space/equipment needs (e.g.,
power, networking, etc.) and be submitted.

Submission instructions for papers, panels, demos, and WiPs (work
in progress session) will be posted at the DFRWS web site at
http://www.dfrws.org/2008/cfp.shtml.

Student scholarship program
---------------------------
A limited number of scholarships may be awarded to students presenting
a paper at the conference. The intent is to help alleviate the
financial burden due to the cost of hotel expenses and conference
registration. Full details will be posted at the DFRWS website
http://www.dfrws.org/2008/.

Organizing Committee
--------------------
Conference Chair: Brian Carrier (Basis Technology)
Technical Program: Frank Adelstein (ATC-NY)
Wietse Venema (IBM)
Local Arrangements: Eoghan Casey (Stroz Friedberg)
Proceedings: Vassil Roussev (University of New Orleans)
Publicity/Sponsors: Daryl Pfeif (Digital Forensics Solutions)
Keynote: Golden Richard (University of New Orleans)
Finances: Rick Smith (ATC-NY)
Forensic Challenge: Matthew Geiger (CERT)

Marcus Rogers (Purdue University)
Dave Baker (Mitre)
Todd Shipley

--------------------------------------------------------------------
David W. Baker bakerd@...
Associate Department Head
G025 - Secure Operations (703) 983-3658
The MITRE Corporation (703) 983-1002 (F)
Mailstop T240 (877) 682-0632 (P)
7515 Colshire Drive McLean, VA, 22102
--------------------------------------------------------------------

smime.p7s (4K) Download Attachment