Join us virtually at the 2020 National Cyber Crime Conference, July 13th-17th.  With NCCC becoming a premier annual cybercrime and digital evidence training event for law enforcement, prosecutors, and forensics examiners, this year’s event has expanded to 5-days.  Cellebrite is featuring a mixture of live sessions and on-demand training sessions to help expand your knowledge of digital tools when it comes to both mobile and computer forensics helping you to accelerate your digital investigations.

Below you will find our agenda:

2020 Virtual Mass Cyber Crime Agenda

Session One (On-Demand)
Examiner Track by Robert Pike
Title: Leveraging Virtualization for Android Application Research
Description: With budget restrictions become more of the norm during the COVID epidemic, leveraging virtualization can provide a more cost-effective method of conducting application research and analysis than purchasing separate devices.  Using this virtualized environment, the latest applications can be downloaded onto a new android install, run in the environment while populating test data and conduct an analysis of that data using Cellebrite’s Physical Analyzer.  Not only does the virtualized environment provide a clean system to conduct research, but it can also be configured to show spoofed GPS locations for a location-based application.  As a secondary benefit, it can also be used to conduct undercover chat investigations where the environment can be preserved for court. 


Session Two (Live – July 16th 12:30 PM – 1:30 PM and 2:00 PM – 3:00 PM)
Examiner Track by Chris Weber
Title: Using Python in Cellebrite Physical Analyzer to go beyond just Mobile
Description: Today’s investigations rely on evidence from various forms of digital evidence from computers, cloud, IoT, and various service providers, to name a few.  Cellebrite Physical Analyzer is known for its ability to parse artifacts from mobile devices, but it can be used for so much more with a little bit of help from Python. Learn how Physical Analyzer can be used to categorize and review data from various sources other than mobile devices using Cellebrite Physical Analyzer API and Python.


Session Three (July 14th 12:30 PM – 1:30 PM)
Examiner Track by Ed Michael
Title: Android Usage Stats and iOS KnowledgeC
Description: With the new advances in extractions including Cellebrite Premium, chkm8, and Graykey learn to interpret what the new available artifacts are telling us. Learn to understanding tool output from Cellebrite’ s Physical Analyzer and understand what generates these events and how to use them in your investigations. From solving traffic crashes to murder, these artifacts can and will fill in the data gaps you need for a win.


Session Four (July 15th 12:30 PM – 1:30 PM)
Examiner Track by Ed Michael
Title: Examination of Mobile Malware/Spyware – Incident Response/Forensics
Description: With the number of malicious apps increasing for Android and the iOS jailbreak exploits, getting bad software onto mobile devices has never been easier. Learn the way bad software makes its way onto mobile platforms and the mitigations you can do to prevent and discover bad on the device. Just running the files through a virus scanner or online tool isn’t enough, this lab will show you how to locate and identify malicious applications, which all the scanners and tools missed.


Session Five (July 16th 11:00 AM – 12:00 PM)
Examiner Track by Ed Michael
Title: Mobile Triage Analysis, because more devices aren’t always better
Description: With the days of one mobile device per case long gone, triage on mobile derives is now essential to save time and quickly locate relevant data. Know which one of those two, ten, or 30 devices to load into your mobile forensics tool first, to do that deep dive into your case. You’ll use an Android and iOS script to parse through multiple extractions in minutes and see where to start your true “forensic” work. Both scripts are free and available and will save hours of time in each case by previewing your evidence. Enjoy this practical where you will locate relevant evidence across 15 extractions in under ten minutes and be confident where to start!


Session Six (Live—July 13th at 11:00 AM EST – 12:00 PM EST)
Legal Track by Judge Mark McGinnis
Title: Satisfaction of The Warrant Requirement for Digital Data and Technology
Description: This presentation will provide the basic framework to satisfy the Warrant requirement.  We will discuss probable cause, the nexus, and the specificity and particularity requirements of a warrant.  The focus will be on the challenges and trends to draft and use warrants that comply with the warrant requirement, especially in the areas of emerging technology and digital data


Session Seven (Live—July 14th at 2:00 PM EST – 3:00 PM EST)
Legal Track by Judge Mark McGinnis
Title: Understanding the Differences and The Interplay Between Reasonable Expectation of Privacy and Consent
Description: This presentation will provide the important differences between consent to search/seize digital data and a person’s reasonable expectation of privacy in digital data.  We will provide examples of when there is interplay (and potentially even conflict) between these and the best practice to apply both concepts.


Session Eight (Live—July 16th at 2:00 PM EST – 3:00 PM EST)
Legal Track by Judge Mark McGinnis
Title: Admissibility of Digital Data as Evidence in Court
Description: This program will discuss the admissibility of technology, including digital data, in the courtroom.  We will discuss and understand authenticity, best evidence, foundation, relevance, hearsay, confrontation clause, and the potential need for expert testimony.


Session Nine (On-Demand)
Investigator Analyst Track by Dr. John McHenry
Title: Optimizing the Workflow When Lives Are at Stake
Description: Every day around the world, digital data is impacting child exploitation investigations with an ever-expanding need to make it both intelligent and actionable. Getting the most out of your data when lives are at stake requires a comprehensive investigative workflow. This session and hands-on lab will cover the challenges involved in most mobile forensic workflows, an end-to-end strategy and solution set addressed by current and future requirements, including:

  • Deploying a tiered investigative model to support a unified team and improve productivity and operational proficiency
  • Triaging evidence quickly and efficiently
  • Empowering the case investigator to address increasing data volume both in the lab and in the field
  • Addressing increasing data volume complexity within the scope of normal agency budget planning by empowering extraction and analysis in the field
  • Exploring the role of cloud and social media and how to leverage both public and private accounts to accelerate investigations

Session Ten (On-Demand)
Investigator & Legal Track by Dr. John McHenry
Title: Streamlining the Legal Review Process: Legalview and Relativity
Description: Legal professionals need access to all data sources pertinent to a case, including data from mobile devices (i.e. text messages, emails, contacts, photos, videos etc.). Keeping up with the latest technology enhancements of iOS and Android devices continually proves to be a major challenge. Once the digital data is extracted and decoded, it needs to be put into a format that is readable in a review platform. Until now, professionals have spent hours converting data into a format that can be entered a review platform. In this interactive webinar participants will learn the advantages of using Legalview for investigations that contain privileged data.


Session Eleven (On-Demand)
Examiner Track by Charlie Rubisoff
Title: Apple Diagnostic Logs – Phones and More
Description: This talk will introduce participants to Apple device diagnostic logs.  The function and purpose of the “sysdiagnose” logs will be discussed.  Participants will then learn how to create, collect, and analyze logs from various Apple mobile and IOT devices.  Artifacts of investigative value will be covered and methods for parsing these artifacts using open source, paid, and MacOS tools will be presented.


Session Twelve (On-Demand)
Examiner & Legal Track by Keith Leavitt & Brendan Morgan
Title: Using Physical Analyzer to Create Defense Discovery Reports in Child Exploitation Cases
Description: Per the Adam Walsh Act, law enforcement and prosecutors are prohibited from providing visual depictions of suspected child exploitation to defense attorneys and defense attorney experts. Producing reports that exclude the prohibited material but include non-prohibited material can be challenging for investigators, examiners, and prosecutors. For example, the defense may not be entitled to possess the image or video physically; however, the state would be required to provide the file name and file attributes related to the file. Generally, most forensic software, including Physical Analyzer, create reports that are intended to report all relevant “evidence” or information as set forth during the report generation. This would include thumbnail images and links that would display the entire image or video. Physical Analyzer has built-in functions to assist examiners in generating reports that omit these thumbnail images, links, and files; however, examiners should be diligent in ensuring these are not included in the report.


Session Thirteen (On-Demand)
Examiner Track by Ed Michael
Title: Virtual Byte Sized Learning
Description: The Cellebrite CCO/CCPA Familiarization Workshop (CFW) is a 1.5 hour live online instructor-led exposure of what course participants can expect to learn in Cellebrite’s Certified Operator / Cellebrite Certified Physical Analyst courses. Attendants will get a brief overview of the Virtual classroom technology, class content, and will observe a live advanced logical extraction of an Android smartphone and will then have the opportunity for hands-on participation using Physical Analyzer.


Session Fourteen (Live Q&A/Recorded – July 16th 2:00 PM – 3:00 PM
Examiner Track by Vico Marziale, Senior Research Developer, BlackBag
Title: Exploring the Windows 10 Activity Timeline
Description: When Microsoft released Windows 10 version 1803 in 2018, it had an interesting new feature. Users could click a button in the task bar and see a history of activities they had previously engaged in, for example editing a document with Word, or viewing a web page with Edge. Further it allowed a user to immediately resume any of these activities – sometimes even on a different machine than where the activity was started. Called the Activity Timeline, it was obviously a new tracking mechanism, one that recorded this wealth of forensically useful information. Though there is still much left to discover about this artifact, in this session we will explore its basic operation, learn analysis techniques, and see how to apply the information in your investigations. 


Session Fifteen (July 13th 2:00 PM – 3:00 PM)
Examiner Track by Bruce Hunter, Senior Forensic Engineer, BlackBag
Title: Avoiding the “Gotchas” while Triaging and Imaging a Mac
Description:  In this session, Bruce will take you through to dos, don’ts and gotchas when triaging and imaging Mac computers.  What can you touch, where can you get information on a live running Mac, how can you triage a Mac live to find specific data?  These are all questions that examiners are often presented with when confronted with a Mac computer. Then once you get past triaging the Mac, how do you image it? What about T2 encryption – how does that affect the data you can get and can’t get?
Bring your patience and your questions to this informative session.

Share this post