Attachment: 1. Digital Evidence from Social Networking Sites & Smartphone Apps-Dang-Lewis-5-22-2018.pdf

Enfuse Session 1 - 1. Digital Evidence from Social Networking Sites & Smartphone Apps-Dang-Lewis








Session#1  - Digital Evidence from Social Networking Sites & Smartphone Apps (Milano V)
Session#2  - Internet of Things Forensics (Milano V)
Session#3  - Threat Hunting and Triage in IR/SOC Operations (Roman I)
Session#4  - EnCase Mobile Investigator: Finding Your Evidence (Milano VII-VIII)
Session#5  - Windows Triage and Live Response using AChoir (Milano V)
Session#6  - EnCE Prep (Roman III)
Session#7  - Sponsor Session: Apple File System and Forensics (Roman I)
Session#8  - The Bits Behind the Coin: Following the Trail of a Cryptocurrency Investigation Pt. 1 (Milano V)
Session#9  - The Bits Behind the Coin: Following the Trail of a Cryptocurrency Investigation Pt. 2 (Milano V)
Session#10 - Damaged Device Forensics (Milano V)
Session#11 - Memory Forensics - Hunting Malware (Milano V)


Hello,

Hilseric here :)



With the support of a program run by my company, I got the opportunity to attend the Enfuse conference held in Las Vegas!


This year's 2018 Enfuse conference runs from May 21 to May 24, and apart from the fixed schedule there are no fewer than 11 session slots that each attendee can choose for themselves.



Monday, May 21          Tuesday, May 22    Wednesday, May 23   Thursday, May 24
First Timer Session     Session#1 (9)      Session#6 (10)      Session#10 (8)
Welcome Reception       Session#2 (10)     Session#7 (9)       Session#11 (8)
(no sessions attended)  Session#3 (10)     Session#8 (11)
                        Session#4 (10)     Session#9 (10)
                        Session#5 (8)

(The number in parentheses is how many talks run concurrently in that slot.)


The downside is that in each slot anywhere from 8 to as many as 11 sessions run at the same time, so when topics I want to hear overlap, I end up missing some of them.


For sessions I'm interested in but can't attend, I'll have to check whether the course materials can be obtained separately.

 - Exploring the Forensic Richness of WhatsApp Event Logs

 - Brain Dump and Forensic Scavenger Hunt Pt. 1, 2

 - Dissecting KRACK (and Doing Forensics to It)

 - Hammering Threats with THOR Pt. 1, 2

 

Getting back on track, I picked my sessions with a focus on three criteria.


1) Awareness of the diversity of forensic targets

2) Strengthening technical forensic insight

3) Checking current and future trends


Using the three criteria above, I selected 11 sessions.


Session#1  - Digital Evidence from Social Networking Sites & Smartphone Apps
Session#2  - Internet of Things Forensics
Session#3  - Threat Hunting and Triage in IR/SOC Operations
Session#4  - EnCase Mobile Investigator: Finding Your Evidence
Session#5  - Windows Triage and Live Response using AChoir
Session#6  - EnCE Prep
Session#7  - Sponsor Session: Apple File System and Forensics
Session#8  - The Bits Behind the Coin: Following the Trail of a Cryptocurrency Investigation Pt. 1
Session#9  - The Bits Behind the Coin: Following the Trail of a Cryptocurrency Investigation Pt. 2
Session#10 - Damaged Device Forensics
Session#11 - Memory Forensics - Hunting Malware



           

Session name / Purpose / Content

Session#1 - Digital Evidence from Social Networking Sites & Smartphone Apps

Purpose: The session objectives are to learn what digital evidence can be found on the cloud and on smartphones in a digital evidence investigation. We will focus on mainstream social media sites and smartphones.

Content: According to Statista.com in 2017, 71 percent of Internet users worldwide were social network users and these figures are expected to grow. In 2016, more than 81 percent of the United States population had a social media profile. As of the second quarter of 2016, U.S. users spend more than 215 weekly minutes on social media via smartphone, 61 weekly minutes via PC, and 47 minutes per week on social networks via tablet devices. Many technology thought leaders believe social networking will displace traditional email as the leading communication medium. This track will provide a practical walkthrough of preservation of top social media sites and how to effectively utilize tools for evidentiary collection across the Web, PCs/desktops and smart devices. We will look at social media apps on smartphones and what digital evidence exists compared to what can be found on the cloud.

Session#2 - Internet of Things Forensics

Purpose:
1) What is IoT - a brief overview.
2) Discuss a typical case - employment dispute regarding a wrongful termination.
3) Present the IoT devices that could be examined and how they helped the case.
4) Discuss a criminal case - drugs or violent crime.
5) Present the IoT devices that could be examined and how.

Content: With over 20 billion Internet of Things devices expected to be used by consumers by 2020, there are so many new digital eye witnesses that can be found at our incidents and crime scenes. Learn how to use software and hardware methods to extract data from some of the most popular Internet of Things devices, including camera systems, fitness trackers and security/monitoring systems. Rajewski will not only present how to extract the probative information, but how to analyze it for critical pieces of information that could serve as a digital evidence gold mine for your case.

Session#3 - Threat Hunting and Triage in IR/SOC Operations

Purpose: Endpoint Security & Threat Hunting. Share real-world workflows and automation to improve security operations center and incident response efficiency. Enfuse attendees will gain an understanding of how to apply automation to be more effective, including takeaway scripts.

Content: Bring your own laptop to follow along and take away Python scripts. In our industry, ‘automation’ is a mantra. Experts preach that if you’re not automating your processes, you’re doing it wrong. This is especially true with the continued shortages of skilled cybersecurity professionals. Unfortunately, a lot of organizations have no idea what steps they should be, or can be, taking to implement automation in their security operations center (SOC) or incident response. This session covers common workflows that analysts and responders leverage regularly to hunt for threats and triage events in their environments. After establishing the workflows, we will cover methods to automate them to make an analyst / responder more efficient. Whether that is hunting down a suspicious domain or researching an unknown file, the end goal is to make the machines do what they are best at, so the analyst / responder can focus on doing actual work.

Session#4 - EnCase Mobile Investigator: Finding Your Evidence

Purpose: The session will detail navigation through Mobile Investigator as well as EnCase while examining mobile evidence. Students will learn vital artifacts for both iOS and Android as well as the locations of these artifacts. Students will perform an examination of SQLite databases as well as developing SQL queries and applying EnScripts. A comparison between a logical acquisition and a physical acquisition will be explored, as well as the content derived from each type. Reporting features within Mobile Investigator will be showcased based on an iOS logical acquisition.

Content: Working with and demonstrating the EnCase solution for mobile examinations. Providing a hands-on walkthrough of Mobile Investigator using both iOS and Android evidence files.

Session#5 - Windows Triage and Live Response using AChoir

Purpose: Attendees will learn about the AChoir Live Response tool. They will learn how to create scripts for automating artifact extraction both locally and remotely, as well as extraction of artifacts from an imaged Windows drive. Finally they will learn to use AChoir as an interactive Live Response Shell.

Content: AChoir is an open source Windows triage tool and scripting language designed primarily for Live Response. AChoir is a flexible tool, designed to be used in the myriad of different situations and environments where an Incident Responder needs to extract digital artifacts from a live (or an imaged) Windows system. AChoir can be run on a live system either locally or remotely. In this talk, David will cover why he designed a shell and scripting language specifically targeted at gathering artifacts from Windows systems. David will also show how to use AChoir both locally and remotely, and for both Live Response and dead-box artifact extraction. Finally David will cover some of the built-in AChoir features designed specifically for Incident Responders. Lastly, David will show how Responders can create their own scripts for their own unique needs, and how to use AChoir as an interactive DFIR shell for extracting artifacts on local or remote systems.

Session#6 - EnCE Prep

Purpose: After completing this session users will have a better understanding of the topics covered on the EnCase Certified Examiner test, as well as know what is expected to pass the second portion of the test, known as the practical examination.

Content: For those taking the EnCE exam onsite. Join us for a short, high-level review to help you be on top of your game for your exam. Please note, this course is not meant to replace comprehensive study prior to the conference. PLEASE NOTE: You MUST send in an application no later than MAY 11, 2018 in order to take the EnCE test on-site at Enfuse. Applications can be found on the Guidance Software website at https://www.guidancesoftware.com/training/certifications?cmpid=nav_r // When submitting your application, please note: 1) Applications must be submitted by May 11, 2018 and approved by May 17, 2018 – NO WALK-INS WILL BE ACCEPTED. 2) Please make sure the “I will be taking the Phase I test at Enfuse” box is checked, or the application may not be reviewed in time. 3) To ensure the application is given priority, please put “Enfuse 2018 Certification Application” in the email subject line.

Session#7 - Sponsor Session: Apple File System and Forensics

Purpose:
1. Overview of the Apple File System
2. Methodologies for acquiring an image of an APFS-based system
3. Insights in analyzing the APFS-based evidence

Content: Apple’s newest file system – Apple File System (APFS) – presents the forensic examiner with a few hurdles. Learn about the file system, released in September 2017, and discuss issues involved in APFS image acquisition and analysis.

Session#8 - The Bits Behind the Coin: Following the Trail of a Cryptocurrency Investigation Pt. 1

Purpose: During this session the objective is to familiarize attendees with the tools and processes to investigate and analyze blockchain and cryptocurrency activity.

Content: PLEASE NOTE: This is PART 1 of a 2-Part Class: Bitcoin and other altcoins have been in the news almost daily lately. You may or may not be aware of what blockchain and/or cryptocurrencies are, but with news of the rapid increase in value, wild price fluctuations, major investment options, ransomware crypto payments and dark web activity, it will be difficult to ignore cryptocurrencies and blockchain-based transactions as relevant in digital investigations. Cryptocurrency (or crypto currency) is a digital asset designed to work as a medium of exchange that uses cryptography to secure its transactions, to control the creation of additional units, and to verify the transfer of assets. Cryptocurrencies are classified as a subset of digital currencies and are also classified as a subset of alternative currencies and virtual currencies.


Session#9 - The Bits Behind the Coin: Following the Trail of a Cryptocurrency Investigation Pt. 2

Purpose: During this session the objective is to familiarize attendees with the tools and processes to investigate and analyze blockchain and cryptocurrency activity.

Content: PLEASE NOTE: This is PART 2 of a 2-Part Class: Bitcoin and other altcoins have been in the news almost daily lately. You may or may not be aware of what blockchain and/or cryptocurrencies are, but with news of the rapid increase in value, wild price fluctuations, major investment options, ransomware crypto payments and dark web activity, it will be difficult to ignore cryptocurrencies and blockchain-based transactions as relevant in digital investigations. Cryptocurrency (or crypto currency) is a digital asset designed to work as a medium of exchange that uses cryptography to secure its transactions, to control the creation of additional units, and to verify the transfer of assets. Cryptocurrencies are classified as a subset of digital currencies and are also classified as a subset of alternative currencies and virtual currencies.

Session#10 - Damaged Device Forensics

Purpose: Session participants will gain a greater understanding of: 1. The types of damage which can occur to mobile and embedded devices. 2. Techniques that are useful in stabilizing devices after damage, before data acquisition. 3. The true level of catastrophic damage at which data is no longer accessible.

Content: After his 2015 presentation on Water Damaged Devices, Steve Watson returns to present current research and cases related to Damaged Device Forensics. This project, funded by the United States Department of Homeland Security, is identifying and defining the forensics best practices for the retrieval of data from damaged electronic devices. This research-based presentation will identify recent cases affecting law enforcement and investigators and examine the four areas of damage research, including liquid, thermal, impact and ballistics damage. This presentation will follow the Spring highlight project that includes a video and photos of the fire-damaged car and the electronic devices inside it.

Session#11 - Memory Forensics - Hunting Malware

Purpose: Attendees will learn how to set up memory analysis tools, how to locate artifacts within memory for tracing malware patterns, and how to utilize memory forensics in cases where the on-disk artifacts are missing.

Content: Memory forensics and analysis is a goldmine of data for case studies of malware, malicious intent, and system activities that people try to hide. How do you find out what the malware has done on a system with no active artifacts? How do you uncover the pathogen of an infection? How do you locate the command and control hosts the malware used to drop the files on your systems? What persistence mechanisms were put in place so it stays infected? What did the malware do on the system from initial infection through p0wnage? All these questions can be answered with memory analysis. Come see how to track malware through memory 4n6.







Tuesday


Session#1


1. "In English Please": Deposition and Trial Preparation for the Forensic Examiner


The computer forensic examiner follows many procedures during an investigation, but the culmination of all the work is usually expected to be a trial. This session will engage the audience to prepare for a deposition and direct and cross examination in a courtroom. Methods and techniques, tips and tricks will all be shared that will help an examiner successfully present and defend the work they have performed during an examination. Expect to leave this session confident and prepared for your next deposition or trial. // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**



2. Digital Evidence from Social Networking Sites & Smartphone Apps


According to Statista.com in 2017, 71 percent of Internet users worldwide were social network users and these figures are expected to grow. In 2016, more than 81 percent of the United States population had a social media profile. As of the second quarter of 2016, U.S. users spend more than 215 weekly minutes on social media via smartphone, 61 weekly minutes via PC, and 47 minutes per week on social networks via tablet devices. Many technology thought leaders believe social networking will displace traditional email as the leading communication medium. This track will provide a practical walkthrough of preservation of top social media sites and how to effectively utilize tools for evidentiary collection across the Web, PCs/desktops and smart devices. We will look at social media apps on smartphones and what digital evidence exists compared to what can be found on the cloud.


3. Digital Transformation in Financial Services and Insurance


Digital Transformation is accelerating in many Industries and is happening in Financial Services and Insurance now too. What do you do now? See how OpenText clients are successfully meeting the challenges of Digital Transformation. Compare your strategy to others to prepare for the future, which is here now.

4. Indexed Searching For Those In A Hurry!

Whilst EnCase provides both raw and indexed search functionality, searching data in a time-limited scenario can prove difficult. Compressed document-types such as Word *.docx files and Adobe *.pdf files cannot be searched using regular EnCase keywords; index search-terms must be used instead. This necessitates prior indexing of evidence in the case, which is time-consuming and requires substantial disk space. Also, index searches do not support GREP. This session will demonstrate an EnScript-based hybrid-search methodology, one allowing the investigator to use a single set of regular EnCase keywords to search either raw or transcript file-data in a single pass, without prior indexing.

5. Investigative Forensics – Solving your Case with EnCase

What do you need to solve the case? Can you identify digital evidence artifacts to search for based on a case brief? Learn how to navigate through a real case scenario using digital forensic analysis techniques that you can apply to almost any case. File system, operating system, encryption, structured and unstructured data artifacts will be some of the items covered in this hands on session. Move with confidence through any case with knowledge of how the sought after data is stored, where it should be, and what it means. Know how EnCase effectively handles these analysis techniques to accurately recover the evidentiary data you seek and to help you to solve the case.

6. Office Depot Europe is Ready for GDPR, Are You?

The European General Data Protection Regulation (GDPR) will become applicable as of May 25th, 2018. Companies processing or controlling data from natural persons within the European Union should know exactly where their (sensitive) personal data is located and how it is being processed. Alex Reijnierse from Office Depot Europe, an office supply retailer, will take you along the journey of how his company prepared for GDPR compliance. The presentation will focus on the following topics: * What is GDPR and how to comply? * Office Depot GDPR project organisation * Information we own & Subject Access Requests * Where is the (unstructured) data? * Outcome to date. At the end of the presentation the speaker will pose some challenging questions on the practicality of how to comply with GDPR.

7. Predictive Coding and AI: Leveraging Advanced Technologies in eDiscovery and Beyond

For several years now, courts have understood the efficacy and defensibility of advanced technologies and artificial intelligence within eDiscovery. As a result, courts now expect parties to understand and utilize these cost-saving tools as much as possible. Led by the eDiscovery experts who worked with the DOJ on the Department's first use of predictive coding in a Second Request response, this session will explore the concepts and technologies every company involved in litigation and government investigations should know. The presenters will cover the fundamentals of predictive coding in document review for those new to the topic and the evolution of process and technologies used to understand terabytes of data in a matter of days. The presenters will also discuss how these same technologies can be used beyond litigation to assist in incident response cases and internal investigations.

8. Recover Quickly & Safely from Ransomware

Ransomware, malware, and malicious insiders constantly jeopardize data integrity for any organization regardless of size or industry. These attacks can have consequences that not only impact the data, but can be costly for operations and brand reputation. Stemming from discussions that began with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and their Destructive Malware Task Force, we learned that developing a methodology to recover from these events can be difficult for most organizations. This session will discuss how industry experts and technology collaborators worked with the National Cybersecurity Center of Excellence (NCCoE) to develop practical cybersecurity guidance on recovering from destructive malware and ransomware. This session will highlight the recently released NIST Special Publication 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events.

9. Threat Hunting for APT and Ransomware Attacks, Pt. 1

PLEASE NOTE: This is PART 1 of a 2-Part Class: In this lab session, IoCs for an APT and Ransomware attack will be introduced and tools used for threat hunting will be leveraged to examine memory and a local partition. The practical exercises will teach you how different IoCs can be professionally digested by threat hunting teams, and the various tools that are used when threat hunting. This simulated APT and Ransomware attack will give you an insight into how a threat hunting team investigates current cyber adversaries through the use of practical examples.


Session#2



1. Digital Forensic Child Exploitation Investigations



Child exploitation cases require thorough investigations which may lead to the rescue of victimized children, incarceration of responsible suspect(s), or the discovery of additional pertinent evidence. Learn how to move beyond just locating the evidence. This session will detail searching techniques using EnCase to identify the source of the evidence, methods to investigate distribution of the media, reveal intentions of the suspect, and many other examination tactics. Learn the seriousness of offenders, the manners in which they operate, and how you can use digital forensics to help protect children whether you are in law enforcement, government, or corporate.


2. Digital Transformation: New Dimensions to Government Service



The mandates for simplified, integrated service delivery are resulting in a variety of approaches. Efforts to create citizen-centric services range from centralized access portals to proactive service offerings. Hear what Canada, Singapore, Barcelona, Wellington, and Washington are doing to provide services to their staffs and to their citizens. Gain insights into the "Art of the Possible" from the stories of your colleagues. Understanding what other public institutions are doing may assist you in developing your strategy to address service initiatives, with the ultimate goals of increased productivity and better service. These ideas may enable you to make a more informed and effective digital transformation. The session will speak to emerging topics, such as legacy system replacement, citizen-centric services, agile platform-based solutions, AI/machine learning, IoT, and Smart Cities.



3. Discovery Dilemmas: Staying Clear of the Ethical Inferno!


Litigation discovery touches on numerous ethical issues. This fully interactive CLE, in the form of a game, will test your knowledge of ethical rules and opinions that intersect with e-discovery. Model Rules of Professional Conduct 1.1, 1.4, 1.6, 3.4, 5.1, 5.3, and 5.5, the Federal Rules of Civil Procedure, and some recent ethics opinions serve as touchstones for a number of ethical quandaries you will be asked to resolve in the context of a hypothetical case. For every correct answer, you will climb closer to 'ethical paradise', but beware - many of those ethics rules can trip you up and slide you down toward the dreaded 'ethical inferno!'. This program has also been approved for an ethics CLE credit in many states and should qualify everywhere. // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**


4. Dissecting KRACK (and Doing Forensics to It)



The Key Reinstallation Attack (KRACK) is a recent attack that exploits a vulnerability in the WPA2 protocol where an attacker within range of a victim can exploit these weaknesses using key reinstallation attacks to read, inject and manipulate data from a victim. I will explain how this attack works, why the WPA2 protocol is vulnerable and I will show how to detect vulnerable WPA2 implementations. Finally, I will discuss what are the key things about this attack that a forensic examiner must have in mind when analyzing it and possible complications.



5. EnCEP Review


For those taking the EnCEP® exam onsite, join us for a short, high-level review to help you be on top of your game for your exam. Please note: this course is not meant to replace comprehensive study prior to the conference. PLEASE NOTE: You MUST send in an application no later than MAY 11, 2018 in order to take the EnCEP test on-site at Enfuse. Applications can be found on the Guidance Software website at https://www.guidancesoftware.com/training/certifications?cmpid=nav_r // When submitting your application, please note: 1) Applications must be submitted by May 11, 2018 and approved by May 17, 2018 – NO WALK-INS WILL BE ACCEPTED. 2) Please make sure the “I will be taking the Phase I test at Enfuse” box is checked, or the application may not be reviewed in time. 3) To ensure the application is given priority, please put “Enfuse 2018 Certification Application” in the email subject line.


6. Internet of Things Forensics


With over 20 billion Internet of Things devices expected to be used by consumers by 2020, there are so many new digital eye witnesses that can be found at our incidents and crime scenes. Learn how to use software and hardware methods to extract data from some of the most popular Internet of Things devices, including camera systems, fitness trackers and security/monitoring systems. Rajewski will not only present how to extract the probative information, but how to analyze it for critical pieces of information that could serve as a digital evidence gold mine for your case.


7. The Changing World of Digital Forensics: Can AI Help?


The amount of data and data sources has exponentially increased in the last 10 years. With such a high demand for skilled forensic investigators, how will the industry and talent market be affected? What are AI and Machine Learning? Will AI and ML be a way to bridge the gap? Do the forensics vendors need to evolve their products? What should the forensics investigator and technology look like in the future?


8. Threat Hunting for APT and Ransomware Attacks, Pt. 2


PLEASE NOTE: This is PART 2 of a 2-Part Class: In this lab session, IoCs for an APT and Ransomware attack will be introduced and tools used for threat hunting will be leveraged to examine memory and a local partition. The practical exercises will teach you how different IoCs can be professionally digested by threat hunting teams, and the various tools that are used when threat hunting. This simulated APT and Ransomware attack will give you an insight into how a threat hunting team investigates current cyber adversaries through the use of practical examples.

9. Tips and Tricks


**NOTE: This class will repeat on Wednesday, May 23rd at 3:30 pm** This is a presentation of the latest stuff in Digital Forensics, Investigations and E-Discovery. This entertaining and informative presentation is constantly updated. Presented by the Menz Brothers and Kip Loving, this has been the most successful presentation at the HTCIA international conference for 15 years. The latest forensics tricks and innovations are shown along with new investigative techniques being used, and clever E-Discovery methods are given. Everyone will receive a copy of the PowerPoint and usually free samples of tools or devices shown.


10. Verizon Data Breach Digest


Incident response activities are incredibly complex and involve various stakeholders with slightly different interests and perspectives. The 2018 “Verizon Data Breach Digest” presentation will help you understand the critical pivot points in an investigation and the kinds of decisions you might be faced with after a data breach.


Session#3


1. CFSR Review


The CFSR is one of the only certifications in the industry which requires you to assess your knowledge through a written exam and to demonstrate your skill at examining actual evidence of a possible intrusion scenario. Come join our preparation sessions, which will clearly instruct you on the requirements and expectations of this testing process. Learn the pertinent subject matter and analysis skills necessary to be a Certified Forensic Security Responder. This assessment is well-rounded. It challenges both your forensic and your incident response/host intrusion analysis skills. PLEASE NOTE: You MUST send in an application no later than MAY 11, 2018 in order to take the CFSR test on-site at Enfuse. Applications can be found on the Guidance Software website at https://www.guidancesoftware.com/training/certifications?cmpid=nav_r // When submitting your application, please note: 1) Applications must be submitted by May 11, 2018 and approved by May 17, 2018 – NO WALK-INS WILL BE ACCEPTED. 2) Please make sure the “I will be taking the CFSR test at Enfuse” box is checked, or the application may not be reviewed in time. 3) To ensure the application is given priority, please put “Enfuse 2018 Certification Application” in the email subject line.


2. Cybersecurity Challenges in the Healthcare and Life Sciences


Healthcare and Life Sciences organizations are among the most targeted entities for cyberattacks. Healthcare organizations are targeted for the personal information they possess, for cyber-facilitated fraud, and for disruptive and destructive attacks. Pharmaceutical and medical device manufacturers are heavily targeted for theft of their intellectual property, recruitment of their employees, and attacks on their operations. While the specific reasons for concern differ among these two industries, attacks have been increasing in frequency and in diversity of attack vectors all along the healthcare value chain. In this breakout session, you will learn about the evolving threat landscape in which these types of organizations operate, and how they combat these threats both before and after particular cyber incidents materialize. // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**


3. Don't Take the Bait! Real World Attacks Being Used Against Enterprise Organizations


This presentation will discuss the real world campaigns leveraged against an enterprise size organization. It will also discuss the measures taken to detect, investigate, and mitigate these campaigns. Teaching end users how to inspect emails for authenticity and legitimacy is one key to cultivating a hardened email security stack. End users will always be the weakest link but by teaching them the current trends of today's phishing campaigns we hope to improve the strength of that link.


4. EnCase Endpoint Investigator: Investigate Across Your Network


This educational session was designed especially for new users of EnCase Endpoint Investigator. If you want to shorten your learning curve, are new to EnCase, or just need a comprehensive overview, this session is for you. In this session we will discuss: * EnCase Endpoint Investigator System Overview; * Encryption Implementation of EnCase Endpoint Investigator; * SAFE Configuration and Servlet Installation; * Network, Roles and Users; * Preview and Acquisition; * System Snapshot.


5. It's Not If But When - How To Build Your Cyber Incident Response Plan


A strong incident response plan is key to any organization's cyber defense. Many organizations, however, have an ineffective cyber response plan or no plan at all. We only need to look at the news to see the impact that an ineffective cyber response can have on an organization's bottom line. A strong plan can help you identify and respond quickly to a cyber incident, as well as mitigate the financial and reputational costs. Cyber security experts Michael Quinn and Lucie Hayward will talk through the key components of a successful incident response plan. As experienced cyber professionals they have worked with organizations across all industries to develop and improve their cyber incident response. This session will guide you through incident response planning best practices, including definitions, roles & responsibilities, and the incident response process itself.


6. Smartphones: The Nexus of Evidentiary Data from Social Media to IoT


There is no doubt about the value of data from smartphones. They rule our lives with a digital fist, but how do you capitalize on the evidentiary data that they can offer? Knowing how to sift through the many layers of data from the manufacturers to find the valuable user data can be difficult. Learn the tricks and tips to find valuable data.


7. Tactical Applications of GDPR Compliance in Investigation and Litigation


The EU General Data Protection Regulation (GDPR) is one of the most talked about regulations in recent history. GDPR was approved by the EU Parliament on 14 April 2016 and will become effective on 25 May 2018. Join EY as we discuss the impact GDPR will have on investigation and litigation, along with relevant applications from the newly released Sedona Conference International Litigation Principles on Discovery, Disclosure & Data Protection in Civil Litigation. We will discuss topics including rights of the data subjects, responsibilities of controllers and processors, differences between GDPR and prior regulation, and expected changes in enforcement. We will also explore multiple scenarios and practical considerations for compliance, including sampling, technology-aided review, and anonymization and pseudonymization.


8. The Future of EnCase


This session will inform attendees about the vision for the EnCase (and Tableau) product portfolio in the context of the broad business and technology trends influencing it. The near-to-mid term roadmap as well as the longer-term vision for Security, Forensics and eDiscovery products will be presented.


9. Threat Hunting and Triage in IR/SOC Operations


Bring your own laptop to follow along and take away Python scripts. In our industry, 'automation' is a mantra. Experts preach that if you're not automating your processes, you're doing it wrong. This is especially true with the continued shortage of skilled cybersecurity professionals. Unfortunately, a lot of organizations have no idea what steps they should, or could, be taking to implement automation in their security operations center (SOC) or incident response. This session covers common workflows that analysts and responders leverage regularly to hunt for threats and triage events in their environments. After establishing the workflows, we will cover methods to automate them to make an analyst or responder more efficient. Whether that is hunting down a suspicious domain or researching an unknown file, the end goal is to make the machines do what they are best at, so the analyst or responder can focus on doing actual work.


10. Using Full Automation eDiscovery to Effectively Manage High Volume/Large Data


Whether you are working for a small business or a large corporation, managing data can be a time-consuming task. Learn how a Fortune One company uses full automation to help streamline large datasets and high-volume demands. This session will provide an in-depth overview of saving time and money while providing faster results and delivering data in a repeatable and defensible manner. Attendees will have the opportunity to work a basic eDiscovery case from start to finish in a lab environment.




Session#4


1. A Look Ahead: How IoT, AI and Blockchain Will Impact Supply Chains


Digital disruption impacts all industries, including their supply chains. How will IoT, AI and Blockchain impact supply chains? Will they help or hinder them? Supply chains and the information regarding their transactions can be a weak link. Government support and regulation varies from country to country. OpenText is powering the future intelligent business network to strengthen supply chains with innovations in IoT, supply chain analytics and AI, Blockchain and more. Attend this session to learn how a supply chain can be enhanced by new technologies delivered by OpenText.


2. Axcelerate Basic Certification Pt. 1


PLEASE NOTE: This is PART 1 of a 2-Part Class: Discover how Axcelerate Smart Filters and Analytics can help you evaluate project data. This is an introduction to the basics of Axcelerate analytics. You will learn data investigation techniques to uncover key documents and facts. Completion of the course and passing of a short exam will earn you a certificate.


3. Brain Dump and Forensic Scavenger Hunt Pt. 1


**PLEASE NOTE: This is PART 1 of a 2-Part Session**: This class is a complete brain dump of everything we find important. It will cover: Mac collections and important forensic locations; SSD drives, to find where the deleted data went; Microsoft Office points, to find exactly what happened; metadata hidden items; Outlook Cached Exchange mode and what it means for collections; all about the Windows Recycle Bin; Volume Shadow Copy (VSS); Backup and Offline Files. The class will end with three scavenger hunts built from cases that caught us off guard. These cases will mostly revolve around Office documents and will stump you. This will be live data to load into EnCase and race against the other examiners.


4. EnCase Mobile Investigator: Finding Your Evidence


Working with and demonstrating the EnCase solution for mobile examinations. Providing a hands-on walkthrough of Mobile Investigator using both iOS and Android based evidence files.


5. Exploring the Forensic Richness of WhatsApp Event Logs


The forensic investigation of smartphone chat apps mostly concentrates on their contacts and chat history. This is nowadays an essential element of any police investigation. One of these apps, WhatsApp, has in the past five years become hugely popular around much of the globe. In forensic terms WhatsApp differs from similar apps in that it has an extensive event logging system. In it are stored details about all user interaction with the app, even when no message was sent or received, information about connectivity status, locking and unlocking of the device, and much more. In my presentation I will explore the rich content of these event logs on both Android and iOS systems, and I will provide new scripting solutions for EnCase and UFED to disclose their contents in a meaningful way.


6. Full Lifecycle eDiscovery Process Enablement Using Encase and Recommind/Opentext


Utilizing an active client example, a case study will be presented that highlights the power of integrating two tools from the OpenText suite (EnCase and Recommind) to provide full life cycle EDRM capabilities. The discussion will focus on Business Process Integration and how the tools can be leveraged to support each phase of the life cycle. The Business Process Integration view of the solution provides participants with a roadmap to integrate systems and information for the organization. Successful examples of how to create an integrated model will be shared with the session participants.


7. IoT and the Bot Wars to Come


In this presentation we will look at what IoT is and how these devices can be used for malicious intent. We will talk about how IoT devices are formed into botnets and how they are controlled. We will discuss the current botnet wars and how researchers see the future of this technology. Understanding the IoT threat landscape is imperative to being able to fight against it. We will show you tips on how to secure your IoT devices and not get caught up in a botnet.


8. Separated By A Common Language: Compliance, Security and The Business


Traditionally, the war between compliance and security has left both sides battered, bruised and (possibly) broken. Conflicting priorities and competing budgets turn what should be a collaborative discussion into a cage match, with the business having to act as referee. It doesn't have to be that way. Drawing on real-world experience, we'll walk through the causes of the conflicting views and the solution to finding common ground between these disciplines. Using real-world regulations, we'll give you an understanding of how the same words can mean very different things, depending on where you sit. We'll explore differences in missions, requirements, responsibilities and corporate alignment and show you how to resolve the disconnect, build bridges and focus on the core business. There is no doubt that there are lots of opinions in the world of risk; managing to piece them all together in an effective program is key to success in today's world.


9. Top Applications of AI, Machine Learning, & Analytics for Law Enforcement, Government and Enterprise


Data and analytics have been revolutionizing Law Enforcement, Government, and Enterprises over the past generation, and now AI & Machine Learning are poised to do the same for the next. But what are the specific applications and use cases that we can take back to our own departments? And how might it work, and what does it look like? In this session, we'll share leading use cases of AI/Machine Learning & Analytics, as well as walk through very tangible examples and demos, so that attendees leave unafraid and well equipped to go back and share how they too might tangibly apply it to better solve challenges. Finally, we'll wrap up the session with a Q&A as well as an open forum for attendees to share their own top uses and/or any other related experiences helpful to knowledge sharing among the audience of colleagues.


10. Verizon DBIR Report


Based on forensic evidence collected from 65 partner organizations as well as the Verizon caseload, the Verizon Data Breach Investigations Report (DBIR) presents a rare and comprehensive view into the world of corporate cybercrime. Now in its eleventh year of publication, this research has been used by thousands of organizations to evaluate and improve their security programs. The presentation will discuss the evolution of results over the years, and delve into the people, methods and motives that drive attackers today, to better inform your own security program.


Session#5


1. Axcelerate Basic Certification Pt. 2


Milano I-II

PLEASE NOTE: This is PART 2 of a 2-Part Class: Discover how Axcelerate Smart Filters and Analytics can help you evaluate project data. This is an introduction to the basics of Axcelerate analytics. You will learn data investigation techniques to uncover key documents and facts. Completion of the course and passing of a short exam will earn you a certificate.


2. Brain Dump and Forensic Scavenger Hunt Pt. 2


Milano III-IV


**PLEASE NOTE: This is PART 2 of a 2-Part Session**: This class is a complete brain dump of everything we find important. It will cover: Mac collections and important forensic locations; SSD drives, to find where the deleted data went; Microsoft Office points, to find exactly what happened; metadata hidden items; Outlook Cached Exchange mode and what it means for collections; all about the Windows Recycle Bin; Volume Shadow Copy (VSS); Backup and Offline Files. The class will end with three scavenger hunts built from cases that caught us off guard. These cases will mostly revolve around Office documents and will stump you. This will be live data to load into EnCase and race against the other examiners.


3. EnCase Platform Administration and Enhancements


Milano VII-VIII

Probably the only session NOT covering case work: we will review and have an open discussion on the files used by, and the proper administration of, all of the EnCase applications. This session will cover the files created and used, and the organization and storage of all items associated with all EnCase offerings, from Forensics and Endpoint Investigator to eDiscovery and Endpoint Security (Bonus: CodeMeter, SAFE, Portable, etc.). Then, proper administration of each of the applications, such as installation concepts, licensing, key management, as well as system alterations to enhance the efficiency and speed of all the things you do within EnCase (i.e., SAFE Administration, Examiner Services, upgrade vs. migration, etc.). Bring your questions!


4. Judicial Perspectives on Current E-Discovery Issues


In this perennial attendee favorite, hear from leading judges regarding evolving electronic discovery issues, including recent trends and cases, impacts from the FRCP changes, information governance, and privacy and data breach issues. // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**


5. The Art & Science of Incident Response


You've identified a possible network compromise. Now what? Is your team ready to respond quickly? Do you know what steps to take in order to mitigate damage and begin remediation? What decisions need to be made? Do you have the right people at the table? Do you disclose to the public? Are you adequately prepared to handle an insider threat? In this session, incident response experts will take you through a real-world scenario and help you identify critical decision points and key next steps, both business and technical.



6. Threat Hunting Primer: Moving From a Reactive to a Proactive Mindset


In this presentation we discuss why security operations need to move from a reactive to a proactive mindset. Detection can only take you so far. As attackers get more sophisticated, defenders need to up their game and proactively look for those targeting them. But how do we get there? We present an overview of the threat hunting concept and how it differs from traditional approaches such as incident response and forensics.




7. Why Is Information Governance Top of the 2018 Agenda?


Milano VI

Information Governance is set to top the agenda in 2018. As the industry continues to reel from last year's serious data breaches and record fines, the challenges around GDPR and the associated shift in consumer perception are all pushing Information Governance up the agenda and into the C-Suite. Our annual report sheds light on the current state of Information Governance in organizations, both large and small, around the world. Insights include:
• Defining the many facets of Information Governance
• How Information Governance is gaining traction, with just 2% of companies not having an IG project underway
• How Information Governance is evolving, and a new, more proactive approach is emerging
• What is required to drive Information Governance forward
• The potential value to be mined in the data held within organizations
// **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**


8. Windows Triage and Live Response using AChoir


AChoir is an open source Windows triage tool and scripting language designed primarily for Live Response. AChoir is a flexible tool, designed to be used in the myriad different situations and environments where an Incident Responder needs to extract digital artifacts from a live (or an imaged) Windows system. AChoir can be run on a live system either locally or remotely. In this talk, David will cover why he designed a shell and scripting language specifically targeted at gathering artifacts from Windows systems. David will also show how to use AChoir both locally and remotely, and for both Live Response and Dead-Box artifact extraction. David will then cover some of the built-in AChoir features designed specifically for Incident Responders. Lastly, David will show how Responders can create their own scripts for their own unique needs, and how to use AChoir as an interactive DFIR shell for extracting artifacts on local or remote systems.



Wednesday


Session#6


1. EnCE Prep


For those taking the EnCE exam onsite. Join us for a short high-level review to help you be on the top of your game for your exam. Please note, this course is not meant to replace comprehensive study prior to the conference. PLEASE NOTE: You MUST send in an application no later than MAY 11, 2018 in order to take the EnCE test on-site at Enfuse. Applications can be found on the Guidance Software website at https://www.guidancesoftware.com/training/certifications?cmpid=nav_r // When submitting your application, please note: 1) Applications must be submitted by May 11, 2018 and approved by May 17, 2018 – NO WALK-INS WILL BE ACCEPTED. 2) Please make sure the "I will be taking the Phase I test at Enfuse" box is checked, or the application may not be reviewed in time. 3) To ensure the application is given priority, please put "Enfuse 2018 Certification Application" in the email subject line.


2. Artificial Intelligence and Social Media Analytics in Criminal Investigation


Milano VII-VIII

How Artificial Intelligence is becoming a crucial tool for next generation law enforcement. In this session, a few real criminal investigation cases will be shared where AI and machine learning have played an important role, and lessons learned from real experiences that have changed data modeling strategies. By identifying trends, patterns and associations of suspicious activity, social media and network analytics can make significant contributions to criminal investigations. Implementing predictive models can provide intelligence about prospective criminal behaviors and the probability of crime in an area, and can determine how law enforcement or social media surveillance can be planned to respond to or prevent crime. Examples are provided from a variety of criminal cases, showing how investigation cases such as a murder mystery, a terrorist attack or financial fraud can be solved using such analytic tools and approaches. // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**


3. GDPR: Implications for Financial Services Organizations


By May 25, 2018, all companies collecting, storing, and processing personal data of EU residents are expected to be fully compliant with the General Data Protection Regulation, or GDPR. While the Regulation will have a significant impact on organizations in all industry sectors, it will present unique compliance challenges for global Financial Services organizations, as well as opportunities to achieve competitive advantage. OpenText will present an overview of the GDPR and potential issues for Financial Services, and discuss 10 steps organizations can take now to address priority areas while unleashing real value from their information.


4. Getting A Bit Wise with Python


Milano I-II

This advanced hands-on lab will introduce attendees to the art of manipulating data at the binary level utilizing Python's bitwise operators. There are many methods by which data can be encoded. By reducing the encoded data to its binary level, attendees will analyze patterns to understand the mechanism used to store crucial information. Attendees will learn how to apply logic tables (AND and OR) as well as left and right bit shift operators to create Python scripts that automatically parse encoded data. The lessons here can be applied to data that has been encoded using schemes such as GSM 7-bit and Reverse 7-bit, as well as to decoding variable-length integers (VarInts) found within SQLite databases.


5. Held Hostage: A Ransomware Primer


Held Hostage: A Ransomware Primer is an introduction to ransomware - what it is, how it works, where it comes from. This session will define what ransomware is, describe infection methods used by ransomware authors, explore real-world engagements involving ransomware, and show a live demo of how ransomware can silently infect a system.


6. Identifying PowerShell Artifacts After a Network Intrusion


Microsoft Windows PowerShell is seventeen years old and is ubiquitous among system administrators. However, because it is a built-in component of every modern Windows operating system, it is being used more and more by attackers. This session is designed to inform those seeking to protect a network or investigate a compromise about the artifacts that malicious PowerShell use leaves behind. Even some file-less PowerShell exploits leave evidence on the hard drive if you know where to look.


7. Practical Usage of Digital Forensics & eDiscovery During International Investigations in Russia & CIS


Milano VI

Using a real-life example of an international anti-corruption investigation of legal entities in Russia, Kazakhstan and Ukraine, this session will describe the strategy and tactics of working with electronic information, the analysis approach and the legal aspects.
- Legal framework for working with digital evidence. Dealing with sensitive and personal information. Cross-border data transfer.
- Collection and processing of information. Specific data sources.
- Data analysis and E-Review. Combined approach to navigate to valuable findings. Search terms preparation: matter details, the areas most at risk of corruption/bribery to consider, corporate/business intelligence.
- Law enforcement and applicability of investigation results.


8. Sponsor Session: Traces from the Cloud: Forensic Analysis of Cloud Storage


Cloud storage continues to grow in ease of use and popularity. Businesses use the cloud to store important collaborative documents; individuals use the cloud to store sentimental pictures. The convenience and accessibility from computers and phones make cloud storage ideal for many uses. What happens when cloud storage is used for nefarious purposes? What traces can a forensic examiner see on a system that has been either synced or used with cloud storage? This session will cover the forensic artifacts left behind. Using EnCase, attendees will be able to determine what cloud storage was used on the computer, how it was used, and what might still remain to aid in their investigations.


9. The New Apple File System (APFS) – Taking the Red Pill


Milano III-IV

The new file system recently introduced by Apple, APFS, is the first mainstream file system to have been introduced in several years. APFS is significantly different in its approach to disk space management and partitioning than other mainstream file systems (FAT, exFAT, NTFS, HFS+, etc.). It's important that anyone examining data from APFS disks and disk images understands these differences, which may both benefit and hinder digital investigations. This session will explain the reason for the file system's introduction, provide an overview of its features, and take the attendees down the "rabbit hole" of APFS on-disk data. Attendees will use an EnScript program to locate and view APFS data in its raw format. This will facilitate a better understanding of how APFS file system data is maintained, how it is displayed by the latest version of EnCase, and how it is likely to affect digital investigations. // *NOTE: This session is also being offered on Wednesday 5/23 at 1:30 pm*


10. Uncommon Sense on Forensics/Cybersecurity Career Advancement



Session#7


1. Achieving Digital Maturity in Healthcare and Life Sciences


Milano VI

While many industries have seen new digital technologies disrupting their traditional business models, healthcare and life sciences have been slower to leverage this transformation. However, artificial intelligence, IoT, 3D printing and robotics hold great promise in bringing innovative and safer products to the market faster. Attendees will learn how the healthcare and life sciences industries can achieve digital maturity within the next 10 years.


2. An Introduction to Compliant Archiving and its Role in Today’s Digital Enterprise


In today's digital enterprise, many organizations are retaining legacy applications and systems to ensure a measure of compliance. But the escalating costs and risks associated with their management are a burden, especially for enterprises attempting to:
• Adapt to increasingly stringent data protection regulations
• Embark on IT rationalization
• Initiate cloud adoption projects
How are organizations effectively addressing these issues? Join OpenText product experts as we provide a general introduction to compliant archiving of all business application types, ensuring compliance while reducing complexity and overhead. Whether this is an introduction or a refresher for you, you'll leave with a comprehensive understanding of the scope and capabilities offered by a new generation of compliant archiving solutions!


3. Axcelerate in Action: Email Investigation Methods with Hillary Clinton's FOIA Release


Join us for a live, mock email investigation using OpenText Axcelerate and 20,000 publicly released FOIA emails from the Hillary Clinton investigation. We’ll use interactive visualizations to find emails sent to personal domains, concept groups to organize the content, and redact sensitive information on the fly. We'll talk about the technological building blocks of investigations from basic metadata filtering and keyword search to phrase analysis and machine learning with an eDiscovery attorney and a fun, fresh dataset. // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**


4. CFSR Review


The CFSR is one of the only certifications in the industry which requires you to assess your knowledge through a written exam and to demonstrate your skill at examining actual evidence of a possible intrusion scenario. Come join our preparation sessions, which will clearly instruct you in the requirements and expectations of this testing process. Learn the pertinent subject matter and analysis skills that are necessary to be a Certified Forensic Security Responder. This assessment is well-rounded. It challenges both your forensic and your incident response/host intrusion analysis skills. PLEASE NOTE: You MUST send in an application no later than MAY 11, 2018 in order to take the CFSR test on-site at Enfuse. Applications can be found on the Guidance Software website at https://www.guidancesoftware.com/training/certifications?cmpid=nav_r // When submitting your application, please note: 1) Applications must be submitted by May 11, 2018 and approved by May 17, 2018 – NO WALK-INS WILL BE ACCEPTED. 2) Please make sure the "I will be taking the CFSR test at Enfuse" box is checked, or the application may not be reviewed in time. 3) To ensure the application is given priority, please put "Enfuse 2018 Certification Application" in the email subject line.


5. Customized Reports with EnCase


Milano I-II

Next to the imaging of media, the final report of examination is the most important component of the analysis of media. The reporting function of EnCase was once thought to have limited customization; now, with enhanced customization, some examiners consider it to be more difficult and time-consuming. To improve understanding of the reporting process, this presentation will provide additional clarity on processing and finalizing techniques to better produce a report of examination for presentation to supervisory personnel and attorneys. These techniques, to be discussed and performed in this presentation, will include, but are not limited to, adding crime scene photographs or other photographic images, documenting the validation of evidence files, including metadata and reference bookmarks serving as pointers to files, folder locations and contents, and a summary of data supporting the findings of the investigation. At the conclusion of the presentation, participants will receive templates organized for the most current version of EnCase.


6. GDPR: Implications for Public Sector Organizations


By May 25, 2018, all companies collecting, storing, and processing personal data of EU residents are expected to be fully compliant with the General Data Protection Regulation, or GDPR. While the Regulation will have a significant impact on organizations in all industry sectors, it will present unique compliance challenges for Public Sector organizations all over the world. OpenText will present an overview of the GDPR, and discuss potential issues specifically for the Public Sector and Government agencies. We will also discuss 10 steps organizations can take now to address priority areas while unleashing real value from their information.


7. Sponsor Session: Apple File System and Forensics


Apple's newest file system, Apple File System (APFS), presents the forensic examiner with a few hurdles. Learn about the file system, released in September 2017, and discuss issues involved in APFS image acquisition and analysis.


8. The State of Incident Response 2017 & Lessons from the Field


This session will shed light on the state of Incident Response in 2017 straight from the analysts' point of view. We will go through the latest research from an independent, third-party survey to highlight challenges faced by IR teams, how they are being addressed, and where the shortfalls lie. Based on findings, we will provide best practices and lessons from the field to combat these challenges.


9. The Use of Data Science Tools in Threat Detection


In today's world, threats come from many sources and in many forms. This challenge is especially vexing in the digital ecosystem of the modern enterprise. Detecting and mitigating threats involves proper analysis of structured and unstructured data, both at rest and in real-time streaming environments. In this session, you will be given a high-level overview of technologies that are brought together in a cohesive, robust threat detection and mitigation system. Find out how to combine cutting-edge tools, including machine learning, anomaly detection, clustering, statistics and graph-database theory, among others, in order to orchestrate a powerful threat- and risk-mitigation enterprise infrastructure. While this infrastructure approach is cutting edge, it is a common configuration used by progressive companies to protect their valuable assets and to limit risk in an efficient way. // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**



Session#8



1. An Introduction to Content Management and Content Services in Today’s Digital Enterprise


In today's digital enterprise, content is being created and used by an ever-increasing variety of processes and people on both sides of the firewall. The opportunities to access, share, and collaborate on it have never been greater, but they also bring challenges in governance, control, and security. How are organizations dealing with this new reality? Join OpenText product experts as we provide a general introduction to the strategy and practice of content management in 2018. We'll review the goals of content management, its reach and impact across organizations, and how a new breed of "content services" is rewriting the rules for future productivity, accessibility, and control. Whether this is an introduction or a refresher for you, you'll leave with a comprehensive understanding of the scope and capabilities offered by a new generation of content management applications!


2. Artificial Intelligence and Advanced Analytics for Investigations, Litigation, M&A, and Beyond



This session will introduce how AI and related practices are used by clients and practitioners today, as well as how practices will evolve in the near term. AI impacts practitioners in two critical ways: what technologies and techniques practitioners (investigators and attorneys) are using - and how clients are already using those technologies in their current practices. We will cover the basics and delve, where appropriate, into the specifics, addressing audience questions and encouraging participation along the way. We will focus on the main uses of these technologies and their impacts in investigations, litigation, and M&A. We will also address the overall question: "what is the difference between 'can' and 'may' when it comes to the uses of these technologies?"


3. Creating an Incident Response Program that Actually Works When You Need It


Recent cyber security incidents highlight the fact that organizations can’t just have an incident response plan; they need one that works. Typical IR plans can lead to poor information flow, frustration, and costly delays, wasting critical time during phases of IR and investigations. The methods presented can be readily adapted to various frameworks (e.g., NIST 800-61) and compliance standards (e.g., ISO 27001) in use today. Using case studies and observations from years of IR experience, this presentation will cover:

• Two existing models for IR plans and a new model for creating or growing your incident response program
• A method to include input from various stakeholders, including risk, legal, operations, information security, and corporate communications
• The key characteristics of a good incident response plan - brief, clear, resilient, and living
• Methods for building tabletop programs to support compliance requirements and drive improvements for IR teams


4. EnCase Endpoint Security: Identifying the Threat Pt. 1


Milano VII-VIII

PLEASE NOTE: This is PART 1 of a 2-Part Class: EnCase Endpoint Security helps you implement both a risk-assessment plan and a rapid-response process that complement and extend your current security technologies in order to quickly identify, mitigate and respond to a threat on your network. On a normal day, a corporate network can experience over one million attempted cyber-attacks. Response times are growing along with costs, frequency of events, and the number of alerting tools your team must manage. Now you can combat the rising threat and costs of cyber-attacks with the real-time incident response solution used by the U.S. Department of the Treasury, Bank of the West, Polo Ralph Lauren Corporation, and many other leading companies, law-enforcement and government agencies.


5. Jurisdiction in Cyberspace: A Question of Conflict of Laws? Pt. 1


Milano VI

PLEASE NOTE: This is PART 1 of a 2-PART CLASS: One of the most difficult tasks in applying the law in cyberspace is determining in what jurisdiction the legal process should take place. There are numerous cases where disparate jurisdictions have vied for venue, but should venue be based upon geography? Stephenson defines cyberspace as a complex global information infrastructure that facilitates communication between technology such as computers, networks and other digital systems, both independently and on behalf of the people using it. Cyberspace is distinct from physical space and the constraints imposed by it, such as geographic boundaries. This session suggests an alternative to geographic venue: suitable choice of law across affected geographies. While this is simply a first step toward developing a more complete cyber jurisprudence, it seeks to answer the most prickly question in applying the law to events in cyberspace: Whose law governs? // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**


6. Legal Qualifications of A Testifying, Digital Forensics Expert Witness in State & Federal Courts


Legal qualifications of a digital forensics investigator/expert to testify as an expert witness in state or Federal courts have evolved since the landmark 1923 Frye case, as well as the more sweeping 1993 Daubert case, and continue to evolve. Although Rule 702 of the Federal Rules of Evidence has codified and standardized landmark Supreme Court cases (the Daubert trilogy) for admissibility of scientific expert testimony in the federal courtroom (and in 42 states by statute), this session emphasizes Daubert standards but still covers standards for admissibility of scientific expert testimony in the state courtrooms still under Frye. // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**


7. Sponsor: Power of Context: Leveraging User Behavior to Protect Digital Assets from Insider Threats


If some of your organization’s most sensitive data lives inside your content management stack, what measures are you taking to protect it? Not having the insight or visibility to what’s happening (especially with how your users are interacting with your organization’s digital assets) can leave you vulnerable to insider threats - intentional or accidental. Join us as we step through some real-world examples and how you can leverage the power of user behavior insight to prevent incidents while harnessing the contextual data as part of your incident response plan.


8. Steak Dinner Forensics on a PBJ budget: Stretching Your Forensic Budget in Government


Milano III-IV

The Missouri State Highway Patrol has used a number of methods to stretch a limited budget in an effort to offer forensic services to a wide range of law enforcement customers. Using creative solutions with software and hardware, partnerships, policy innovation and other methods, keeping the focus on getting customers what they need can be achieved at lower investments in time and money.


9. The Bits Behind the Coin: Following the Trail of a Cryptocurrency Investigation Pt. 1


PLEASE NOTE: This is PART 1 of a 2-Part Class: Bitcoin and other altcoins have been in the news almost daily lately. You may or may not be aware of what blockchain and/or cryptocurrencies are, but with news of rapid increases in value, wild price fluctuations, major investment options, ransomware crypto payments and dark web activity, it will be difficult to ignore cryptocurrencies and blockchain-based transactions as relevant in digital investigations. Cryptocurrency (or crypto currency) is a digital asset designed to work as a medium of exchange that uses cryptography to secure its transactions, to control the creation of additional units, and to verify the transfer of assets. Cryptocurrencies are classified as a subset of digital currencies and are also classified as a subset of alternative currencies and virtual currencies.


10. The New Apple File System (APFS) – Taking the Red Pill


Milano I-II

The new file system recently introduced by Apple, APFS, is the first mainstream file-system to have been introduced in several years. APFS is significantly different in its approach to disk-space-management and partitioning than other mainstream file-systems (FAT, exFAT, NTFS, HFS+, etc.) It’s important that anyone examining data from APFS disks and disk-images understands these differences, which may both benefit and hinder digital investigations. This session will explain the reason for the file-system’s introduction, provide an overview of its features, and take the attendees down the “rabbit hole” of APFS on-disk data. Attendees will use an EnScript program to locate and view APFS data in its raw format. This will facilitate a better understanding of how APFS file-system data is maintained, how it is displayed by the latest version of EnCase, and how it is likely to affect digital investigations. // *NOTE: This session is also being offered on Wednesday 5/23 at 8:00 am.*


11. The Yellow Brick Road Paved by the 2015 Rules Amendments


The 2015 Amendments to the Federal Rules of Civil Procedure paved the path to proportional discovery and preservation and allow parties to tailor their preservation approaches to avoid the costs, risks, pains, and burdens associated with over-preservation. Join and participate in this interactive session to learn what post-Amendment best practice guidance, case law, and company benchmarking exists that describe whether and how parties are taking steps down the path of proportional preservation as new legal holds are implemented and existing holds are right-sized. // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**



Session#9


1. EnCase Endpoint Security: Identifying the Threat Pt. 2


Milano VII-VIII

PLEASE NOTE: This is PART 2 of a 2-Part Class: EnCase Endpoint Security helps you implement both a risk-assessment plan and a rapid-response process that complement and extend your current security technologies in order to quickly identify, mitigate and respond to a threat on your network. On a normal day, a corporate network can experience over one million attempted cyber-attacks. Response times are growing along with costs, frequency of events, and the number of alerting tools your team must manage. Now you can combat the rising threat and costs of cyber-attacks with the real-time incident response solution used by the U.S. Department of the Treasury, Bank of the West, Polo Ralph Lauren Corporation, and many other leading companies, law-enforcement and government agencies.


2. EnScript for Examiners


Milano I-II

EnScript is a powerful scripting language that can be used to customize, enhance and automate the operation of EnCase Forensic and EnCase Endpoint Investigator. It is ideally suited to implementing custom workflows, decoding newly-encountered data-types, and adding functionality to the EnCase GUI. This session is aimed at EnCase users who are interested in leveraging the power of EnScript to further their investigations. The session will cover basic functionality applicable to most investigations. This will include finding relevant items in the case, bookmarking, and file input/output. No programming experience is needed to attend this session. Attendees will use a menu-driven system to write scripts in sections. This will allow them to concentrate on the code being written rather than waste time debugging syntax errors, which often leads to frustration and confusion. Some minor code-changes will still be made to facilitate learning and demonstrate the benefits of code-reuse.


3. Jurisdiction in Cyberspace: A Question of Conflict of Laws? Pt. 2


Milano VI

PLEASE NOTE: This is PART 2 of a 2-PART CLASS: One of the most difficult tasks in applying the law in cyberspace is determining in what jurisdiction the legal process should take place. There are numerous cases where disparate jurisdictions have vied for venue, but should venue be based upon geography? Stephenson defines cyberspace as a complex global information infrastructure that facilitates communication between technology such as computers, networks and other digital systems, both independently and on behalf of the people using it. Cyberspace is distinct from physical space and the constraints imposed by it, such as geographic boundaries. This session suggests an alternative to geographic venue: suitable choice of law across affected geographies. While this is simply a first step toward developing a more complete cyber jurisprudence, it seeks to answer the most prickly question in applying the law to events in cyberspace: Whose law governs? // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**


4. Oh! You Were On My List Of People To Meet! Getting Noticed in the Digital Forensics Community


OpenText/Guidance Software, Cellebrite, Sumuri. What do these names have in common? They’re all forensic companies, they all make valuable products, and you’ve heard of them. If branding is important to these companies, shouldn’t it be important to forensics professionals as well? You may not know where to start in building your brand; some people don’t like public speaking or approaching strangers. This session will cover the benefits of creating a personal brand in the Digital Forensics and Incident Response (DFIR) field, and why you should consider taking the leap into the limelight to reap the rewards and improve the community. We will discuss both my personal journey into digital forensics fame and fortune (fortune yet to be obtained) as well as my observations and a variety of ways that you can get noticed in DFIR in a way that is right for you.


5. Order in Chaos: How Not to Lose Your Head When Your Hair is on Fire


There is mounting evidence that we need a holistic approach to security incidents. Having good technical incident response (IR) capabilities is no longer enough - the way a company handles an incident is often more important than the incident itself. Security leaders who own the responsibility for their enterprise's incident response must work closely with other relevant parts of the organization to ensure incident management goes smoothly, even when everything is on fire. We will break down enterprise incident management into outcomes and core functions, then give you the program and leadership tools to plan, build, and run your incident management program. This talk will present a model for defining enterprise incident management that sets realistic and measurable goals, and is backed by thousands of hours of research and industry contributors spanning all market segments and maturities.


6. Sponsor Session: APFS and Mac Imaging Simplified


Forensic imaging of a Mac has become more difficult with the release of Apple File System (APFS) and new Mac hardware. Adding Apple Core Storage to the mix along with Fusion Drives and FileVault hasn't made it any easier. With a proper understanding of these technologies it is possible to create the proper images which can be used in any forensic tool. Please join SUMURI's CEO, Steve Whalen, as he explains each of these technologies, how to interpret Mac's physical and logical disk structures, proper imaging techniques and how to create a decrypted FileVault image.


7. Sponsor Session: Forensic Systems Hardware-What You Need To Know for Optimized Software Performance


Forensic software performance is in part dependent upon optimizing the hardware that it will run on. But bigger and more expensive isn't always better in the world of forensic computer systems. Whether your software application of choice is EnCase, FTK, or NUIX -- this session will help you understand which system components have the greatest potential to positively impact forensic software performance.


8. The Bits Behind the Coin: Following the Trail of a Cryptocurrency Investigation Pt. 2


PLEASE NOTE: This is PART 2 of a 2-Part Class: Bitcoin and other altcoins have been in the news almost daily lately. You may or may not be aware of what blockchain and/or cryptocurrencies are, but with news of rapid increases in value, wild price fluctuations, major investment options, ransomware crypto payments and dark web activity, it will be difficult to ignore cryptocurrencies and blockchain-based transactions as relevant in digital investigations. Cryptocurrency (or crypto currency) is a digital asset designed to work as a medium of exchange that uses cryptography to secure its transactions, to control the creation of additional units, and to verify the transfer of assets. Cryptocurrencies are classified as a subset of digital currencies and are also classified as a subset of alternative currencies and virtual currencies.


9. The State of the Industry: eDiscovery and Cybersecurity


This presentation will discuss industry hiring trends and strategies for career success in e-discovery and cybersecurity. It will cover a variety of topics, supported by market data and research to quantify observations, and provide recommendations for employee and employer success. Topics will include:

* A history of e-discovery staffing 2000-2018 and how things got to be where they are today
* Statistical hiring trends 2012-2018 in e-discovery and cybersecurity
* Strategies for sales hiring success and transition into e-discovery sales
* Geographic and compensation hiring trends
* Competitive analysis on opportunity verticals (law firm/vendor/corporate)
* How to stay current and reinvent yourself professionally


10. Tips and Tricks


**NOTE: This class is also being offered on Tuesday, May 22nd at 11:00 am.** This is a presentation of the latest stuff in Digital Forensics, Investigations and E-Discovery. This entertaining and informative presentation is constantly updated. Presented by the Menz Brothers and Kip Loving, this has been the most successful presentation at the HTCIA international conference for 15 years. The latest Forensics tricks and innovations are shown along with new Investigative techniques being used, and clever E-Discovery methods are given. Everyone will receive a copy of the power point and usually free samples of tools or devices shown.



Thursday



Session#10


1. Damaged Device Forensics


After his 2015 presentation on Water Damaged Devices, Steve Watson returns to present current research and cases related to Damaged Device Forensics. This project, funded by the United States Department of Homeland Security, is identifying and defining the forensics best practices for the retrieval of data from damaged electronic devices. This research based presentation will identify recent cases affecting law enforcement and investigators and examine the four areas of damage research including liquid, thermal, impact and ballistics damage. This presentation will follow the Spring highlight project that includes a video and photos of the fire damaged car and the electronic devices included inside.


2. Data at Risk: Regulatory and Privacy Concerns in a Data Breach


It is no longer surprising to see high-profile data breaches on the 5pm news broadcast. Privacy is now in the spotlight. Staying safe from making headline news requires an in-depth knowledge of information and privacy laws, best practices, frameworks, and self-regulatory models in both the U.S. and abroad. This includes information on consumer disclosures, data collection, use, and sharing, data protection, data retention, data security, and data breach rules, among others. During this presentation we will take a close detailed look at data protection, data retention, data security, and data breach rules. We will examine the best approach to addressing these risks with a thorough legal review of data retention and management practices. With the rise of "ransomware" attacks and other emerging threats, cyber security is becoming cyber-warfare. Is your company prepared to protect your most valuable sensitive data?


3. EnCase Tips and Tricks


What would happen if Guidance Software (now OpenText) Technical Services took their entire knowledge base of solutions and stuck it in a blender? Would it include the hottest tips for Endpoint Security? Would it make your processing jobs faster? Would it fix all of your Exchange headaches? Would it get your Linux Agents in order? Yes, it would. Would it be as good as this presentation? Probably not. If you’re new to EnCase or have been using our products for years, this session is guaranteed to provide you with quick, practical solutions so that you can focus on getting results delivered.


4. Hammering Threats with THOR Pt. 1


Milano VII-VIII

PLEASE NOTE: This is PART 1 of a 2-PART CLASS: This class will primarily leverage EITT and several integrated open-source tools to perform an initial triage of a compromised machine. Attendees will learn how to leverage EITT to collect artifacts and parse the collected data to answer a series of questions related to the lab. This class will contain a hands-on element simulating a real-world incident that will allow attendees to leverage EITT to respond to a compromised machine.


5. How Encase Solves the Crime: The Truth Behind Federal Forensic Investigations


During this panel discussion we will present several federal forensic cases in which EnCase was an essential part of identifying suspects and prosecuting cases. These investigations include digital forensic examinations that led to a suspect in a murder investigation, as well as numerous cases regarding the core violations of the U.S. Secret Service. These violations include not only manufacturing counterfeit currency, credit card fraud and other financial crimes, but also larger, higher-profile data breaches of large companies and our compromised personal information. The panel will present case summaries of federal forensic investigations, which will lead into a discussion of ways to protect your personal information and what federal investigators are looking for when you are the victim of a data breach.


6. Introduction to Building Machine Learning Apps in Spark & MLLib Pt. 1


Milano VI


7. The Wait Is Over for Logical Imaging with Tableau TX1


Modern Forensic Duplicators do a lot more than duplicate physical media. Attend this session to learn how the Tableau TX1 Forensic Imager can save you time using logical imaging, preview and triage, and high-performance network operations.


8. Using iHub and EnCase Endpoint Security 6 for Proactive Threat Hunting




Session#11



1. A Million Words: Demystifying Video Carving from CCTV Systems


The importance of video evidence is increasing exponentially for solving and prosecuting cases. Recovering video footage from a DVR is complex. Investigators may be faced with many problems: non-functional DVRs, password protection, deleted video files, corrupt or formatted hard drives, etc. Most current DVR forensic tools can recover neither video from formatted or corrupt drives or file systems, nor video files exported to external media. We will show a method for analyzing DVR video and reverse engineering the video chunk structure. We will discuss how to determine definitively whether video frames exist on the device, and how to carve them for viewing without relying on the file system, but on the frame structure of the video files. We will demonstrate powerful EnCase and Python tools for automating scanning for every possible fragment of video, creating reports which include channel ID, timestamps and offsets; the ability to filter by date and time; demultiplexing; and carving.


2. Hammering Threats with THOR Pt. 2


Milano VII-VIII

PLEASE NOTE: This is PART 2 of a 2-PART CLASS: This class will primarily leverage EITT and several integrated open-source tools to perform an initial triage of a compromised machine. Attendees will learn how to leverage EITT to collect artifacts and parse the collected data to answer a series of questions related to the lab. This class will contain a hands-on element simulating a real-world incident that will allow attendees to leverage EITT to respond to a compromised machine.


3. Indexing In EnCase


Endpoint Investigator 8.06 introduced an industry-leading, optimized indexing engine that delivers the fast, accurate results that forensic investigators depend on every day to jumpstart their cases. Searches just got easier with improved indexing. This hands-on and interactive session will explore queries and expressions for all experience levels.


4. Intelligent Security Orchestration



5. Introduction to Building Machine Learning Apps in Spark & MLLib Pt. 2


Milano VI


6. Macintosh Examinations


Milano I-II

This session will document notable artifacts and examination techniques that are likely to add value to any Macintosh examination. These will include the recovery of deleted property-list files, the examination of extended file-system attributes, the recovery of deleted SQLite data (using the macOS Previous Versions chunk storage database as an example), and the examination of the latest version of the Safari web cache.


7. Memory Forensics - Hunting Malware


Memory forensics and analysis is a goldmine of data for case studies of malware, malicious intent, and system activities that people try to hide. How do you find out what the malware has done on a system with no active artifacts? How do you uncover the pathogen of an infection? How do you locate the command-and-control hosts the malware used to drop the files on your systems? What persistence mechanisms were put in place so it stays infected? What did the malware do on the system from initial infection through p0wnage? All these questions can be answered with memory analysis. Come see how to track malware through memory 4n6.


8. Storytelling With Digital Evidence: Getting Your Audience to Listen, Learn, and Understand


For thousands of years, humans have learned through storytelling. As kids we are read stories to teach us lessons and morals - and those stories stick with us for years. In recent years, there has been an explosion in books and presentations teaching lawyers how to tell a story. The reason is simple - the side that tells the best (factual) story often wins. Digital evidence, by its very nature, is often devoid of story. This talk will focus on how examiners can tell a compelling story that gets lawyers, judges, and juries to listen and understand. You’ll learn techniques to make your testimony compelling and interesting, while still following the rules of the court. // **This session is eligible for CLE Credits. You must manually sign in and out of the session in order to receive CLE accreditation. There will be sign-in/out sheets available just outside the session room.**