The full agenda for Pre-Conference Tutorials is below.
Advanced Hi-Tech, Cyber Crime Investigation Training
31 classroom training hours, scheduled over 3 days, presented by sworn law enforcement officers, Ph.D. Computer Scientists and nationally recognized cybercrime textbook authors and instructors.
Charles Cohen, Cohen Training and Consulting, LLC, also holds the position of Commander, Cyber Crimes Investigative Technologies Section, Indiana State Police (6 classroom hours, Tuesday)
Mark Bentley, Communications Data Expert, National Cyber Crime Law Enforcement, UK Police (7 classroom hours, Wednesday and Thursday)
Todd G. Shipley CFE, CFCE, President and CEO of Vere Software, Co-Author of Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace and retired Reno, NV, Police Officer (6 classroom hours, Tuesday)
Stephen Arnold, Managing Partner, ArnoldIT and author of Beyond Search: What To Do When Enterprise Search System Doesn’t Work, Cyber OSINT: Next Generation Information Access and Searching The Dark Web (2 classroom hours, Tuesday and Thursday)
Christopher Westphal, Raytheon Visual Analytics and author of Data Mining for Intelligence, Fraud and Criminal Detection (3 classroom hours, Thursday)
Matthew Lucas (Ph.D., Computer Science), Vice President, TeleStrategies (4 classroom hours, Wednesday and Thursday)
Jerry Lucas (Ph.D., Physics), President, TeleStrategies (4 classroom hours, Tuesday)
Tuesday, September 29, 2015
Seminar #1
9:00-5:00 pm
Online Social Media and Internet Investigations
Presented by Charles Cohen, Cohen Training and Consulting, LLC
Charles Cohen also holds the position of Commander, Cyber Crimes Investigative Technologies Section, Indiana State Police, USA
9:00-10:00
The role of Online Social Media OSINT in Predicting and Interdicting Spree Killings: Case Studies and Analysis
This session is for criminal investigators and intelligence analysts who need to understand the impact of online social networking on how criminals communicate, train, interact with victims, and facilitate their criminality.
10:15-11:15
OSINT and Criminal Investigations
Now that the Internet is dominated by Online Social Media, OSINT is a critical component of criminal investigations. This session will demonstrate, through case studies, how OSINT can and should be integrated into traditional criminal investigations.
11:30-12:30 pm
Metadata Exploitation in Criminal Investigations
This session is for investigators who need to understand social network communities along with the tools, tricks, and techniques to prevent, track, and solve crimes.
1:30-2:30 pm
EXIF Tags and Geolocation of Devices for Investigations and Operational Security
Current and future undercover officers must now face a world in which facial recognition and Internet caching make it possible to locate an online image posted years or decades before. There are risks posed to undercover officers associated with online social media and online social networking investigations. This session presents guidelines for dealing with these risks.
2:45-3:45 pm
Case Studies in Metadata Vulnerability Exploitation and Facial Recognition
While there are over 300 social networking sites on the Internet, Facebook is by far the most populous, with over 800 million profiles. It has roughly the same population as the US and UK combined, making it the third largest country by population. There are over 250 million images and 170 million status updates loaded on Facebook every day. This session will cover topics including Facebook security and account settings, Facebook data retention and interaction with law enforcement, and common fraud schemes involving Facebook.
4:00-5:00 pm
What Investigators Need to Know about Emerging Technologies Used to Hide on the Internet
Criminal investigators and analysts need to understand how people conceal their identity on the Internet. Technology may be neutral, but the ability to hide one's identity and location on the Internet can be both a challenge and an opportunity. Various methods of hiding one's identity and location while engaged in activities on the Internet provide an opportunity for investigators to engage in covert online research while also providing a means for criminals to engage in surreptitious communication in furtherance of nefarious activities. As technologies, such as digital device fingerprinting, emerge as ways to attribute identity, this becomes a topic with which every investigator and analyst may become familiar.
Seminar #2
8:30-5:00 pm
Practitioners Guide to Internet Investigations
Presented by: Mark Bentley, Communications Data Expert, National Cyber Crime Law Enforcement, UK Police
The aim of this 1 day seminar is to take the attendees from the basics of understanding the internet, how to find data, through to a full understanding of best practice of an internet investigator, having awareness and knowledge of all the tools available to achieve this.
This seminar is for Law Enforcement only, as practical examples, covert and investigative methods will be given throughout the seminar.
9:00-10:00
The World Wide Web and the Internet
How it works. Why it works. How data traffic leaves a trace
What the internet is; what is an IP and what protocols are used (TCP/IP)
IPv4 and IPv6 – understanding the changes
Mirror servers: use and value
Tracking and evaluating data
10:15-11:15
Recognizing Traffic Data
A practitioner's guide to what data is available. How to harvest and analyze it.
Best practice to identify suspects and build profiles.
Data collection and interrogation
IP usage, exploitation and dynamics; IP plotting and analysis; how to look for suspect mistakes and exploit them (where they show their ID)
Dynamic approaches to identifying suspects through internet profiles
What investigators get from tech and service providers, and how to analyze it
What to ask for with current legislation to achieve best results
SPOC best practice.
ISP/CSP capabilities and opportunities.
11:30-12:30 pm
WIFI and Mobile Data
A practitioner's look at Wi-Fi, attribution, cell site data, GPRS location services and technology. How an investigator can track devices and attribute suspects' locations, devices and movement.
Dynamic live time tracing
Geo location services and uses
Surveillance without DSA and authority
1:30-2:30 pm
Emerging Technologies, Masking Tech and Tools
How suspects are using emerging and new technologies.
An introduction to where technology is going, and how Law enforcement can use this to our advantage.
Darknet (Deepweb) and IRC use
VOIP, Skype
Advanced data sniffing and profile building
TOR systems, applications and ways to coax offenders out of the system.
2:45-3:45 pm
Advanced Techniques in Tracing Suspects
Using innovative and dynamic methods to trace offenders.
Tricks used by suspects and how to combat them
Covert internet investigations
Proxy servers and hiding.
Managing collateral intrusion
Reverse and social engineering
Thinking outside the box
Possible missed opportunities
Profile building and manhunts
4:00-5:00 pm
Top 20 Open Source Tools (OSINT) Used in Cybercrime Investigations
Seminar #3
9:00-5:00 pm
A Real World Look at Investigations in the Dark Web
Presented by: Todd G. Shipley CFE, CFCE, President and CEO of Vere Software, Co-Author of Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace and retired Reno, NV, USA Police Investigator
The aim of this 1 day seminar is to take the attendees from the basics of understanding the Dark Web and how to access it through to finding information hidden within it. The attendees will learn the best practices for the internet investigator when working in the Deep Web and the tools available to assist their investigations into the Deep Web.
This seminar is for Law Enforcement only, as practical examples, covert and investigative methods will be given throughout the seminar.
9:00-10:00
The Dark Web, what it is and what it is not
In this block attendees will learn the background of what the “Dark Web” really is. The attendees will be able to identify the differences between the “Dark Web” and the “Deep Web”.
10:15-11:15
To Tor or not to Tor
This block will provide the attendees with an understanding of Tor, The Onion Router, and its use during law enforcement investigations. Also discussed will be management controls and investigative policy regarding its use in an undercover capacity.
11:30-12:30
Cryptocurrency and its use in the Dark Web
Attendees will be exposed to the concepts of cryptocurrency and their use in crimes. Also discussed will be the concepts of investigating cryptocurrency by law enforcement.
13:30-14:30
Going Undercover on the Dark Web
In this block will be discussed the practical concerns and methods to be considered when going undercover on the “Dark Web”. Also discussed will be the tools needed to be obtained for Internet investigations on the “Dark Web”, agency policy concerns and how to document those investigations.
14:45-15:45
Using web bugs and other technology to locate a suspect
Attendees will be exposed to techniques, using code and scripting inserted in various delivery methods, for revealing criminal Internet targets. The material covered will include tools available on the Internet and examples of scripting and techniques they can do themselves.
16:00-17:00
Advanced Dark Web Investigations, identifying the anonymous user
This block will cover advanced concepts in the identification of targets over the Internet. Particular focus will be on the tools available to law enforcement and the Intelligence community.
Seminar #4
1:30-5:00 pm
How Criminals and Terrorists Electronically Communicate Today and Available ISS Products for Interception and Surveillance
Presented by: Dr. Jerry Lucas, President, TeleStrategies
This half-day seminar covers how criminals and terrorists communicate over today’s public telecommunications wireline and wireless networks, over the top Internet services and social networks. This seminar is ideal for law enforcement, interior security, public safety and others who need to understand the ISS technologies and products used to lawfully intercept electronic communications and conduct mass network surveillance as discussed at ISS World Conference sessions and by exhibitors.
1:30-2:30 pm
Introduction to Telecom Infrastructure, Interception and Related ISS Products
Understanding ISS: Why Understanding Telecom Infrastructure is Important for Law Enforcement and Intelligence Analysts
Basic Telecom Building Blocks: Circuit vs. Soft IP Switching, Signaling (SS7, ISDN, DTMF, etc.), fiber optics (SDH and SONET), Broadband Access (DSL, Cable Modems, Wi-Fi etc.), IP Core Technologies (Routing, ATM, MPLS, etc.) and Network Elements for Intercept.
Telco Back Office Systems: Billing Systems, Mediation Services for Capturing Call Detail Records and LEA Intercept Request Processing.
Lawful Interception Architectures: Probes (active and passive), Optical Layer Intercept at 10, 40 and 100 GBPS, Mediation and Data Retention Architectures, CALEA Pen Register and Trap & Trace, LEA Monitoring Center Functions and ISS Products Deployed in Fixed Wire Network Infrastructure.
Typical US DEA Funded LI Systems: LIMS, T2S2, Warrant Processing, Data Logs, Capacity Requirement (e.g. Targets, Handoff Circuit Capacity, etc.), Central America Project Funding and Enterprise Hardware/Software Requirements.
Legal Intercept Options: What telecom operators must provide when served with a subpoena, Search Warrant, CALEA-Title III, National Security Letter and FISA Warrant.
2:45-3:45 pm
Understanding Mobile Wireless Infrastructure, Interception and Related ISS Products
Infrastructure basics, back office infrastructure, IM, data and where ISS products are deployed for monitoring and intercept.
Types of Wireless Network: Differences among Network Operators, MVNO's, WiFi, WiMAX, Microwave, Satellite, Femtocells and NFC Interfacing.
Mobile Network Infrastructure: Subsystems (cell sites, sector antennas, backhaul, processors at towers), MSO special features (HLR, VLR, etc.) and PSTN Interconnect.
Cellular Network Generations: Infrastructure Differences Among GSM, GPRS, EDGE, HSPA, North American CDMA, W-CDMA and LTE (CSFB vs. IMS Based) and Differences in Data Service Support.
Smartphones: Functional Differences between 3G/4G Smartphones and 2G Phones, SMS messaging vs. iPhone text messages regarding intercept and 3G vs. LTE data services capabilities.
Cell Phone CDR's: What records do cellular operators obtain when the phone is on, what's in a CDR when a phone call is initiated and other forensic data of value to LEA's.
Cell Phone Tracking Options: Cellular Operator Tracking Services available to LEA's, Target Pinging, Location technologies (GPS is National Based vs. RF Spectrum Mapping), GSM Surveillance, A-GSM intercept, WiFi Tracking, IMSI/IMEI Catchers, Spyware and more.
Smartphone Services to Avoid Tracking: WHATSAPP, TIGER Text, WICKR, VIBER, GroupMe and more.
ISS Intercept Product Options: Electronics Surveillance (audio, video and GPS), Location Based Mediation Products, Smartphone IT Intrusion and Cellular CDR data mining, Geocoded Photo Metadata, EXIF tags, Special Smartphone Services for Geolocation (Creepy, Instagram, Foursquare, VIBE and more).
4:00-5:00 pm
Understanding the Internet Over-the-Top (OTT) Interception and Related ISS Products
What Investigators Have To Know about IP call Identifying Information, Investigations Involving E-Mail, Facebook, Twitter, Skype, Instant Messaging, Chat Rooms, what can be done to address Internet intercept deploying ISS infrastructure and where ISS products are deployed for monitoring and intercept.
IP Basics: Why Understanding IP Layering Model, TCP/IP and UDP is important for LEA's and the IC Community, IP addresses (IPv4 vs. IPv6), static vs. dynamic addresses and more.
Internet Players: The managers (ICANN, IANA and IETF), NSPs vs. ISPs vs. CDNs, How the Internet Players exchange IP Traffic, Private vs. Public peering and IXPs.
ISP Infrastructure: RAS, RADIUS, DHCP and DNS and why these servers are important to understand.
VoIP Options: Types of VoIP Services, PSTN interconnect, Gateway Based (Vonage), P2P (Skype & VIBER), Softswitches, SIP and IMS.
E-mail Services: Client Based E-mail vs. Webmail. What's different about E-mail, SMS, WEB 2.0, HTTPS, HTTPS 2.0, Smartphone messaging and Social Network messages.
Social Network Metadata: From Tweets, Facebook, E-mail and Smartphones.
Deep Packet Inspection: What's DPI, Where do telecoms deploy DPI and Where does the Intelligence Community request DPI intercept.
Defeating Encryption: Encryption options, Public Key Encryption, TOR, Third Party Services Available (Wickr), Encryption Products and how to defeat encryption (Spyware, Remotely Loaded Programs, IT Intrusion and Man-In-The-Middle Attacks).
ISS Products for Intelligence Gathering: OSINT, Big Data Analytics, Speaker Recognition, Facial Recognition, IP Mediation Devices and Monitoring Centers.
Note: Seminar #4 above Repeated on Thursday 8:30-1:00PM
Wednesday, September 30, 2015
Seminar #5
9:00-10:00 pm
Understanding Bitcoin, Blockchain and Available Analytic Tools for Criminal Investigators
Presented by: Matthew Lucas (Ph.D., Computer Science), Vice President, TeleStrategies
This seminar presents the basics of Bitcoin, Blockchain and available tools for criminal investigators, beginning with how you get started with a Bitcoin Wallet and how transactions flow from wallet to Bitcoin miners, finding their way to the Blockchain Ledger. It covers why Bitcoin is becoming the currency of the Internet and why its use is championed by criminals and fund raising terrorists. More in-depth investigator material covers how to conduct Bitcoin Blockchain Investigations and what tools are available.
Bitcoin 101: What Investigators Need to Know about Bitcoin, TOR and Dark Web Commerce: Bitcoin basics, Miners, Blockchain and Cryptography Demystified and more.
Seminar #6
11:30-12:30 pm
The Computer Science View of Bitcoins and Dark Markets
The research community has devoted significant effort into understanding Bitcoin and the associated criminal activities, the results of which have promise to transform how law enforcement might handle Bitcoin investigations going forward. This speaker will present relevant Bitcoin/Dark Web investigation research including clustering to mass-deanonymize Bitcoin transactions, "tumblers" and Dark Markets; why recording transactions is critical for de-anonymization success; robust estimates on the scale of Dark Markets and the daily volume of currency exchanged to/from Bitcoin ($500,000/day); and experiments involving merging datasets with the Bitcoin blockchain, both of which reveal the MtGox accounts of multiple Silk Road drug dealers and were able to confirm that Shaun Bridges (the Secret Service agent who stole from Silk Road) transferred effectively all his Bitcoins through MtGox.
Presented by: Nicholas Weaver, Ph.D., a researcher at the International Computer Science Institute in Berkeley. His primary research is focused on network security, including worms, botnets, and other internet-scale attacks, network measurement, and network criminality including Bitcoin.
Thursday, October 1, 2015
Seminar #7
8:30-9:30
Understanding and Defeating TOR
Presented by: Matthew Lucas (Ph.D., Computer Science), Vice President, TeleStrategies
This session will explain how TOR anonymizes IP traffic, how TOR hidden services work, who uses TOR hidden services and the top five TOR investigation approaches. The session will start by illustrating standard IP based services and comparing them with anonymizing TOR software. Transactions will be examined both with a DPI tool and by looking at server logs. Next, the presenter will illustrate how TOR hidden services work, and present the latest research on TOR HSDIR usage and statistics. Finally, the presenter will look at TOR statistical analysis; identifying TOR traffic via IP lookups and protocol signatures; TOR protocol defeating research such as padding and signaling; malware compromises and inducing identity-related traffic outside the TOR stack.
Seminar #8
8:30-1:00 pm
Visualizing Fraud Patterns: Exposing The Hidden Threats
Presented by: Christopher Westphal, Raytheon Visual Analytics
Fraudulent activities account for billions of dollars lost in the insurance, banking, health care, retail, transportation, manufacturing, and communications industries each year. Likewise, fraud riddles our federal, state, and local governments; virtually every industry is vulnerable to fraud. Fraud is dynamic and constantly shifting, adapting, and morphing itself to take advantage of vulnerabilities and flaws within the oversight and control systems that are established to minimize its presence. Flexibility remains a critical aspect for quickly responding to changing fraud patterns; thus, it is vital to use methods and techniques to expose new patterns of fraud without having to re-program, re-train, or re-invent the underlying systems. Often, there is no clear-cut right or wrong answer; rather, it is an irregularity in the data, a variance in the values, or an inconsistency in the expected results that stands out as unusual. This presentation overviews a number of real-world fraud patterns and presents their common traits through the use of visual diagrams. See how many of these patterns are found through common sense (versus complex algorithms) and learn about how new methods, derived content, and external data help expose new fraud patterns.
Presentation topics will cover:
-Methods for exposing generalized fraud patterns
-Reviewing repeated claims and multiple filings
-Use of meta-data content for adding analytical value
-Performing consistency checks on the data
-Integrating multiple sources of disparate data
-Using visualization techniques for showing fraud patterns
-Performing look-backs on the data to see the big picture