beyond files forensic owade cloud based forensic
play

Beyond files forensic OWADE cloud based forensic Elie Bursztein - PowerPoint PPT Presentation

Mar 02, 2024 •118 likes •1.84k views

Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan Fontarensky Cassidian Matthieu Martin Stanford University Jean Michel Picod Cassidian Wednesday, August 3, 2011 The world is moving to the cloud E.

  1. Outline • File base forensics refresher • The Windows crypto eco-system • Wifi data and Geo-location • Recovering browser data • Recovering instant messaging data E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  2. Outline • File base forensics refresher • The Windows crypto eco-system • Wifi data and Geo-location • Recovering browser data • Recovering instant messaging data • Acquiring cloud data E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  3. Outline • File base forensics refresher • The Windows crypto eco-system • Wifi data and Geo-location • Recovering browser data • Recovering instant messaging data • Acquiring cloud data • Demo E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  4. File based forensic refresher E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  5. Not all files are born equal Type of file how to recover it Standard copy In the trash undelete utility Deleted file carving Wiped call the NSA :) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  6. Windows registry • .dat files • Hardware information • Softwares installed with their versions and serials • Windows credentials (encrypted) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  7. Some Registry Information Extracted E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  8. Windows crypto E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  9. Why do we care about Windows crypto ? E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  10. The Windows crypto eco-system Crypto API E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  11. The Windows crypto eco-system Crypto API SAM E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  12. The Windows crypto eco-system Crypto API DPAPI SAM E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  13. The Windows crypto eco-system Crypto API DPAPI Credential Manager SAM E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  14. Windows Crypto API • Basic cryptographic blocks Cipher: 3DES, AES • Hash functions: SHA-1 SHA256, HMAC • PKI: public keys and certificates (X.509) • E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  15. The Security Account Manager (SAM) • Store Windows user credentials • Located in the registry • Encrypted with the SYSKEY • Passwords are hashed E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  16. Windows Password Hashing functions • Two hash functions used LM hash function (NT, 2K, XP , VISTA) weak • NTLM (XP , Vista, 7) • • Passwords are not salted E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  17. LM hash weakness • Use only upper-case • Hash password in chunk of 7 characters mypassword LMHash(MYPASSW) + LMHash(ORD) Password key-space: 69^7 (at most) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  18. Rainbow Tables • Pre-compute all the possible passwords • Time-Memory trade-off • Rainbow tables of all the LM hash are available E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  19. How OWADE Works • Extract Usernames and password hashes • LM hashes available ? use John/Rainbow tables to get the pass in uppercase • use NTLM hashes to find the password cases • • Try to crack the NTLM using John/Rainbow table E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  20. Windows Password recovered E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  21. • What if we can’t crack the NTLM hash :( • (need a sad baby face here) If the password is too strong we can’t recover it E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  22. • Everything is not lost because of how DPAPI works • (smilling baby face) but we can still decrypt DPAPI secret (sometime) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  23. The Data Protection API • Ensure that encrypted data can’t be decrypted without knowing the user Windows password • Blackbox crypto API for developers: Encrypt data DPAPI blob • Decrypt DPAPI blob data • • Main point : tie the encryption to the user password E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  24. DPAPI derivation scheme SHA1(password) pre-key User E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  25. DPAPI derivation scheme SHA1(password) pre-key User master-key E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  26. DPAPI derivation scheme SHA1(password) pre-key User master-key blob key E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  27. DPAPI derivation scheme SHA1(password) pre-key User master-key blob key DPAPI blob E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  28. DPAPI derivation scheme SHA1(password) pre-key User master-key blob key blob key blob key DPAPI blob DPAPI blob DPAPI blob E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  29. DPAPI Blob structure struct wincrypt_datablob { � DWORD � cbProviders, � GUID �� pbProviders[cbProviders], � DWORD � cbMasterkeys, � GUID �� pbMasterkeys[cbMasterkeys], � DWORD � dwFlags, � DWORD � cbDescription, � BYTE �� pbDescription[cbDescription], � ALG_ID � algCipher, � DWORD � cbKey, � DWORD � cbData, � BYTE �� pbData[cbData], � DWORD � dwUnknown, � ALG_ID � algHash, � DWORD � dwHashSize, � DWORD � cbSalt, � BYTE �� pbSalt[cbSalt], � DWORD � cbCipher, � BYTE �� pbCipher[cbCipher], � DWORD � cbCrc, � BYTE �� pbCrc[cbCrc] } ; E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  30. DPAPI master-key structure Header Structure struct wincrypt_masterkey_masterkeybloc { � DWORD � dwRevision, � BYTE �� pbSalt[16], � DWORD � dwRounds, � ALG_ID � algMAC, � ALG_ID � algCipher, � BYTE �� pbEncrypted[] }; Footer Structure E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  31. DPAPI blob E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  32. Master-key GUID DPAPI blob E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  33. Master-key GUID DPAPI blob Master key pre-key E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  34. Master-key GUID DPAPI blob Master key SHA1(password) pre-key User E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  35. Master-key GUID DPAPI blob Master key SHA1(password) pre-key User Master key E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  36. Master-key GUID DPAPI blob Master key Cipher SHA1(password) + key pre-key User Master key E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  37. Master-key GUID DPAPI blob Master key Cipher SHA1(password) + key pre-key User Master key blob key E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  38. Master-key GUID DPAPI blob Master key Cipher SHA1(password) + key pre-key User I V + Master key S a l t blob key E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  39. Master-key GUID DPAPI blob Master key Cipher SHA1(password) + key pre-key User I V + Master key S a l t Additional entropy blob key Software E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  40. Bypassing the user password cracking • If we can’t crack the password we need its SHA1 • This SHA1 is stored in the hibernate file • OWADE uses Moonsols to recover it E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  41. DPAPI additional entropy • Software can supply an additional entropy Act as a “key” (needed for decryption) • Force us to understand how it is generated for each • software Can be used to tie data to a specific machine (i.e • Netbios name) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  42. Credential Manager • Built on top of DPAPI • Handle transparently the encryption and storage of sensitive data • Used by Windows, Live Messenger, Remote desktop... E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  43. Credstore type of credentials Type of Example of Encryption credential application DPAPI + Live messenger Generic password fixed string HTTP auth (IE) Domain password In clear Netbios Hash of Domain certificate Certificate certificate DPAPI + Remote access Domain visible password fixed string .NET passport E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  44. WiFi data E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  45. Wifi data • Info stored for each access point Mac address (BSSID) • Key (encrypted) • Last time of access • • Wifi data are stored in Registry (XP) • XML file and Registry (Vista/7) • E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  46. Decrypting WiFi password • Encrypted with DPAPI • Access point shared among users Encrypted with the • System account But the system account • has no password... What is my DPAPI key ??? E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  47. Decrypting WiFi password • Use a LSASecret as DPAPI key • Array of credentials HelpAssistant password • in clear DPAPI_SYSTEM • • “Encrypted” E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  48. Where are you ? • We’ve recovered access point keys but where are they ? E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  49. Where are you ? • We’ve recovered access There is an app point keys but where for that ! are they ? E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  50. HTML5 Geo-location protocol E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  51. HTML5 Geo-location protocol E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  52. HTML5 Geo-location protocol E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  53. Behind the curtain E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  54. Nothing is ever easy • Google started to restrict queries in June • So we started to look for other API E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  55. Entering Microsoft • Live service • “Documented” in the <GetLocationUsingFingerprint xmlns="http:// inference.location.live.com"> Windows mobile MSDN <RequestHeader> <Timestamp>2011-02-15T16:22:47.0000968-05:00 </Timestamp> <ApplicationId>e1e71f6b-2149-45f3-b298-a20XXXXX5017 • After sniffing the traffic: </ApplicationId> <TrackingId>21BF9AD6-CFD3-46B2-B042-EE90XXXXXX </TrackingId> Use a big SOAP request • <DeviceProfile ClientGuid="0fc571be-4622-4ce0-b04e- XXXXXXeb1a222" Platform="Windows7" DeviceType="PC" OSVersion="7600.16695.amd64fre.win7_gdr.101026-1503" LFVersion="9.0.8080.16413" ExtendedDeviceInfo="" /> Does not check any ID • <Authorization /> </RequestHeader> fields <BeaconFingerprint> <Detections> <Wifi7 BssId="00:BA:DC:0F:FE:00" rssi="-25" /> Allows to supply one • </Detections> </BeaconFingerprint> MAC </GetLocationUsingFingerprint> E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  56. Blog post and demo released ! E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  57. Just fixed • Fixed last weekend • No longer return location for a single address E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  58. Just fixed • Fixed last weekend • No longer return location for a single address There is a patch for that ! E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  59. Geo-location API restrictions Requires 2 MAC close from each other The MAC and IP location need to be “close” Requires multiples MAC addresses see http://elie.im/blog/ for more information E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

  60. WiFi Information Extracted By OWDE E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org Wednesday, August 3, 2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

946 views • 80 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
Catherine J. Duckett Forensic Science School of Physical &amp; Geographical Sciences Problem

Catherine J. Duckett Forensic Science School of Physical &amp; Geographical Sciences Problem

Problem Based Learning in Forensic Toxicology Keele Open Day 2007 Bringing Real Life Court Cases to the Forensic Classroom: Problem Based Learning Keele Teaching Innovation Symposium 15 th July 2010 Catherine J. Duckett Forensic

528 views • 23 slides
Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric Evidence in Forensic Automatic Speaker Recognition Dr. Andrzej Drygajlo Speech Processing and Biometrics Group Swiss Federal Institute of Technology

546 views • 44 slides
Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic Mental Health System Robert N. Baker, PhD Assistant Chief Office of Forensic Services, ODMH Objectives Provide an overview of the forensic

581 views • 40 slides
T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic Monitor.

834 views • 70 slides
Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence Involves generation

Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence Involves generation

Epigenetic age signatures in the forensically relevant body fluid of semen Hwan Yong Lee Department of Forensic Medicine Yonsei University College of Medicine Seoul, Korea Current Forensic DNA Typing o Forensic cases -- matching suspect with

533 views • 14 slides
10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI,

10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI,

10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI, the prevalence of containment in prison/forensic system is high: men 15%; women 31% For people exhibiting symptoms: 67 % greater likelihood of

366 views • 7 slides
GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays

GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays

GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays Entity Thursday, October 27, 2016 PRESENTER : COLLIN A. A. GREENLAND, Forensic Accountant, MBA, FJIM, CFE, CFSA, CFC. 1 To Sensitize /

1.12k views • 88 slides
Forensic and I nvestigative Speaker Recognition: Situation BKA Odyssey 2016 June 21-24, Bilbao,

Forensic and I nvestigative Speaker Recognition: Situation BKA Odyssey 2016 June 21-24, Bilbao,

Forensic and I nvestigative Speaker Recognition: Situation BKA Odyssey 2016 June 21-24, Bilbao, Spain Michael Jessen BKA, Forensic Science Institute: Forensic Speech &amp; Audio Department Guidelines Forensic Semiautomatic and Automatic

308 views • 13 slides
Cannabis Some Challenges with Determining Impairment - A Forensic Toxicologists

Cannabis Some Challenges with Determining Impairment - A Forensic Toxicologists

Cannabis Some Challenges with Determining Impairment - A Forensic Toxicologists Perspective. Dr. Michael R. Corbett Ph.D., LL.M., F-ABFT, FCSFS Forensic Toxicologist, Chemical Review Services Inc. Adjunct Professor, Forensic Science

688 views • 38 slides
Brendan Saltaformaggio, ZhongshuGu, Xiangyu Zhang, and Dongyan Xu Presented By Sharani Sankaran

Brendan Saltaformaggio, ZhongshuGu, Xiangyu Zhang, and Dongyan Xu Presented By Sharani Sankaran

Brendan Saltaformaggio, ZhongshuGu, Xiangyu Zhang, and Dongyan Xu Presented By Sharani Sankaran ! Digital investigation based on analysis of non-volatile storage . ! Loss of live evidence stored in system RAM ! Information stored in RAM:

502 views • 23 slides
Digital Investigation Full System Memory Dump Acquisition of volatile memory is an essential

Digital Investigation Full System Memory Dump Acquisition of volatile memory is an essential

When Hardware Meets Software: A Bulletproof Solution to Forensic Memory Acquisition 1 Universit` 2 Royal Holloway, a degli Studi di Milano University of London Alessandro Reina 1 Aristide Fattori 1 Fabio Pagani 1 Lorenzo Cavallaro 2 Danilo Mauro

352 views • 33 slides
Learning Disability Community Forensic Services - A Workforce Skills Framework Lisa Proctor,

Learning Disability Community Forensic Services - A Workforce Skills Framework Lisa Proctor,

Learning Disability Community Forensic Services - A Workforce Skills Framework Lisa Proctor, Regional Workforce Specialist Midlands &amp; East Health Education England Background NHSE - Building the Right Support 2015 A National Plan

296 views • 12 slides
Biometrics for Forensics: A few words with examples in Fingerprint, Face and Handwriting Prof.

Biometrics for Forensics: A few words with examples in Fingerprint, Face and Handwriting Prof.

15/01/2020 Biometrics for Forensics: A few words with examples in Fingerprint, Face and Handwriting Prof. Julian FIERREZ Universidad Autonoma de Madrid - SPAIN http://atvs.ii.uam.es/fierrez Julian Fierrez Winter School on Biometrics,

259 views • 9 slides
Counseling By: Sarah Blackburn, M.A., LMHCA &amp; Ismael Concepcion Poo, MA., LMHCA Introductions

Counseling By: Sarah Blackburn, M.A., LMHCA &amp; Ismael Concepcion Poo, MA., LMHCA Introductions

Forensic Mental Health Counseling By: Sarah Blackburn, M.A., LMHCA &amp; Ismael Concepcion Poo, MA., LMHCA Introductions Sarah Blackburn, M.A., Ismael Concepcion Poo, M.A., LMHCA LMHCA Title: CMHC2 Title: CMHUS Correctional Mental Health

406 views • 36 slides
A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning Hu University of Alabama Tuscaloosa, AL 35487 ACSAC Dec. 5-9, 2005 Insider threats Definition Menaces to computer security as a result of

131 views • 11 slides
Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and

Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and

Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and Zhiqiang Lin The University of Texas at Dallas March 9

680 views • 67 slides
START FROM THE BEGINNING Incorporating Narrative AND TELL ME EVERYTHING YOU Practice in

START FROM THE BEGINNING Incorporating Narrative AND TELL ME EVERYTHING YOU Practice in

3/28/18 START FROM THE BEGINNING Incorporating Narrative AND TELL ME EVERYTHING YOU Practice in Child Forensic REMEMBER Interviews WHERE ARE WE HEADED TODAY? Understanding Narrative Practice: What, Why, &amp; How Practice

437 views • 12 slides

More recommend