Tuesday, February 12, 2013
141 Catherine St.
Description:
Computer forensic practitioners (criminal and civil) dig through volumes of data to find data that is relevant to the case they are working on. This involves having to dig into the depths of software configuration files, registry files, unallocated space – anywhere and everywhere data can hide. We are pretty good at knowing where to look to find common artifacts. But how can you get the upper hand in the game of hide and seek when faced with a program you’ve never seen before and for which you can find no documentation?
A common practice is to hunt around the evidence as in a game of hide and seek, hoping you’ll find that elusive evidence. Some may be a bit more resourceful and install a copy of the program on a sandboxed system, run a series of scenarios, and compare results, with the goal of reaching conclusions with some degree of confidence as to where the data is hiding. Over the course of the session you’ll see how you can use ProcMon to map out artifact evidence left behind by an application, or even the OS, using a much more targeted approach that gives you the upper hand in this game of electronic hide and seek.
Biography
Sergeant Jacques Boucher is a 23-year veteran of the RCMP and has been involved in tech crime for the past 11 years. After over a decade doing front-line police work, he transferred into the field of tech crime. He has worked with the tech crime unit in Fredericton, NB, was a tech crime instructor at the Canadian Police College, worked with the tech crime unit in St. John’s, NL, and is now back in Ottawa, still in the field of tech crime. He started teaching peers how to use ProcMon to assist with computer forensics back in 2007, and delivered a session on it at the 2008 DOD Cybercrime Conference in St. Louis, Missouri. He still occasionally finds himself having to dust off his ProcMon skills when faced with trying to figure out where an application is hiding its user data and settings.
Agenda
5:30-6:15 PM Registration, Networking, Cash Bar and Grill
6:15-6:20 PM Introduction of Speaker
6:20-7:20 PM Presentation
7:20-7:35 PM Question Period
7:35-7:40 PM Closing remarks