Sunday, July 11, 2010

SANS What Works 2010 - HUGE Success

This past week, I had the great privilege of attending and speaking at the SANS What Works in Incident Response Summit in Washington, DC.

The conference once again had some of the best speakers in the world of incident response and forensics, including Major Carol Newell of the Broken Arrow, OK Police Department, Rob Lee, Harlan Carvey, Jesse Kornblum, Troy Larson, Kris Harms, and Robert Shullich.

This is the second year for the conference, and I think that without question, the conference continues to improve. In a field as dynamic and fluid as Incident Response and Computer Forensics, investigators really need to keep current with not only their skill sets, but with emerging technologies, theories, and methodologies. This only makes sense, since the "bad guys" we are all trying to catch are undoubtedly doing the same thing! This is the crux of the summit, and the true value add for the attendees...you get to hear and see what is ACTUALLY working from some of the best minds in the industry.

The major focus this year was on the new challenges we face with the arrival of Windows 7, which is very different from XP and Vista. There are new registry entries, gobs of new event logs, and a new file system layout. All in all, it is going to mean countless hours of research by investigators to be efficient and effective at performing comprehensive forensic investigations.

The other big takeaway from the conference is the involvement of corporate investigators with law enforcement agencies...something I am a HUGE advocate of! Look for a LOT MORE of this to come, but the gist is this...LE agencies do not use police for forensic pathology, or for forensic dentistry, or forensic arson investigations. Why would they? For this, they would use doctors, dentists, and firemen. Why? Because they are subject matter experts in those fields. Why then, when it comes to computer forensics (arguably one of the most difficult of the forensic sciences, based on the vast array of digital media currently in use by the "average" person) do LEs want to keep these types of investigations in house? Why not treat cases involving digital media the same way they would any other case involving a forensic scientist, and seek the assistance of subject matter experts? This is the direction we want to start moving.

If you are an investigator, and want to start helping in LE cases, here are a few tips from Major Newell:

1. Certifications...get them! They look great on the stand, and will help you with the vetting process by the PD and as an expert witness.

2. Be presentable. You don't have to be a cover model by any stretch...but you ARE going to be representing the PD or the DA's office. Dress accordingly!

3. Letters of recommendation. Get these from any law enforcement agency, public official, military officer, or business executive you can. ALSO...get them from fellow investigators...IE...if Rob Lee, Harlan Carvey, and say...Jesse Kornblum say...hey...this guy is legit, then chances are that is going to carry a lot of weight with any respective PD.

4. Be an effective communicator. We deal with some of the most technical information in the IT world...and when on the stand, we may have to explain some of that highly technical information to a jury of our "peers"...which according to most PDs, is about as educated as the average 7th grader. So, know your audience...talk TO them, but never DOWN to them. Save the $5 words for the lawyers...remember the KISS principle on the stand.

ALSO...there is something I call the "Your Mom" principle. If you can get your mom to understand (or some non-technical person, provided your mom is either not around, or is in fact an IT engineer as well), then you should be good to go. Remember, the goal is to convey the "story" of what happened...without spin...to the jury, not impress them with how smart you are.

Again, kudos to Rob Lee and the SANS Institute for putting on yet another fantastic conference. I said this last year, and I will say it again...if you only have the funding for one conference per year, THIS IS THE ONE to attend. There are more expert speakers, more potential to make great contacts, and more opportunity to learn at THIS conference than at any other conference I have attended or spoken at! Great job ROB!!!

3 comments:

  1. These are great remarks and I emphasize the particular parts about effective communication.
  2. Thanks Tom. I think that's an aspect of our jobs that does not get the level of attention that it needs. It is absolutely critical for an investigator to be able to clearly describe what he did, why he did it, what his results were, and why those results are pertinent to the case.
  3. I agree! Effectively communicating at the "Your Mom" level is so important, because at the end of the day a jury may hear the case. The digital artifacts recovered and documented will be scrutinized, and preparation is key!