Today’s forensic processes are mired in practices carried over from a pre-networked world, with inexpensive and exotic storage, mobile devices, and cloud computing compounding the delays between incident notification and meaningful analysis. Practitioners and responders are faced with the unsatisfactory choice of either forensically preserving only a limited amount of evidence while accepting the risk of missing relevant information (triage), or delaying analysis while waiting for full forensic preservation. This seminar will examine the role of existing forensic imaging formats in creating such an environment, and examine how an improved forensic image format (the AFF4 forensic container format) enables practitioners to perform forensic analysis without the delays imposed by current approaches. Finally, the seminar will provide practical advice on adopting such a new approach, defending questions around forensic soundness, and optimising forensic workflow both in the field and in the lab.
Dr Schatz will be presenting a seminar focused on the current state of the art in the extraction and analysis of evidence from smartphones at the Breakpoint 2014 conference in Melbourne, Australia on 9 October 2014.
This seminar will examine the current state of play in regard to the lowest level of acquisition and analysis of Android and iOS smartphones. Focusing on the theory of operation underlying open source and commercial tools, rather than the tools themselves, attendees of this seminar will gain an understanding of the techniques currently employed for acquisition and analysis, and the corresponding limitations and opportunities in forensic practice.
On 13 May 2014, Dr Schatz was honoured to present at the AusCERT2014 Online Crime Symposium at the Gold Coast, Australia. In this seminar he addressed the challenges of responding to incidents involving ransomware, from the perspective of a private sector incident responder.
We’d like to thank the AusCERT program committee for inviting us to this forum and allowing us to share our perspectives.
The AusCERT Cybercrime Symposium is a closed, invitation-only event targeted at Government, law enforcement and private sector personnel involved in the development of policies or strategies for e-security or e-government, or who have responsibility for investigations either within their own organisations or for the broader community.
Over the period 31 March – 2 April 2014, Dr Schatz delivered a three-day training course titled “Android Forensic Analysis in Depth” alongside the Symposium on Security for Asia Network (SyScan) conference in Singapore.
The training covered forensic acquisition and analysis of Android-based mobile phones and tablet devices. In this course the participants worked their way through the various methods of gaining access to data in phones, including logical, via file and forensic acquisition applications, and physical, via rooting and JTAG. Students then moved on to learning a range of techniques for interpreting the content of such acquisitions, addressing issues such as locked phones and encryption. The culmination of the course was a half-day practical session solving a mock case.