2014 Spring Conference DIRECT FROM THE NATIONAL ACFE. Intro to Digital Forensics: Gathering and Preserving Electronic Evidence Presented by Cary Moore


The Lansing Chapter of the Association of Certified Fraud Examiners
2014 Spring Conference
DIRECT FROM THE NATIONAL ACFE
Intro to Digital Forensics: Gathering and Preserving Electronic Evidence
Presented by Cary Moore
Tuesday, April 29 & Wednesday, April 30, 2014
Lansing Community College West Campus
5708 Cornerstone Drive, Lansing, MI

CONFERENCE PARTICULARS
Registration Time: 7:30 am - 8:00 am (Continental Breakfast)
Conference: 8:00 am - 4:25 pm
Conference Fee: $200 members, $250 non-members
Meals (Included in fee): Continental Breakfast; Buffet Lunch
Registration Deadline: Monday, April 21, 2014
CPE Credit: 16 Hours
Dress: Business Casual

Lansing Chapter of the ACFE 2014 Spring Conference
Intro to Digital Forensics: Gathering and Preserving Electronic Evidence
Tuesday, April 29 & Wednesday, April 30, 2014

Tuesday, April 29, 2014
Time            Session
7:30 - 8:00     Registration and Continental Breakfast
8:00 - 9:20     Computer Forensics and Fraud Investigations
9:20 - 9:35     Break
9:35 - 10:55    Computer Forensics Examination Process
10:55 - 11:10   Break
11:10 - 12:30   Principles of Computer Forensics
12:30 - 1:30    Lunch
1:30 - 2:50     Digital Documents, Correspondence and Communication
2:50 - 3:05     Break
3:05 - 4:25     Evidence Seizure and Security

Wednesday, April 30, 2014
Time            Session
7:30 - 8:00     Registration and Continental Breakfast
8:00 - 9:20     Working with the Digital Forensic Examiner: Understanding What They Are Doing
9:20 - 9:35     Break
9:35 - 10:55    Working with the Digital Forensic Examiner: Understanding How They Are Doing It
10:55 - 11:10   Break
11:10 - 12:30   Asking the Right Questions To Get What You Need, Part 1
12:30 - 1:30    Lunch
1:30 - 2:50     Asking the Right Questions To Get What You Need, Part 2
2:50 - 3:05     Break
3:05 - 4:25     Putting It All Together: Preparing Your Case for the Next Step

Introduction to Digital Forensics: Gathering and Preserving Electronic Evidence

The proliferation of technology in the modern-day workplace presents a world of opportunity for fraudsters and a complex challenge for fraud investigators and examiners. Desktops, laptops, smartphones, digital cameras, even watches and GPS devices can all be used to abet a fraud. They also all leave behind a digital trail.

Gathering and preserving electronic evidence requires a special set of considerations. Without a thorough understanding of digital forensics, your next move could compromise evidence or cause your findings to be inadmissible in court.

This two-day instructor-led course will introduce you to the essential knowledge you need when your investigation turns up electronic evidence. Learn best practices for evidence collection, chain of custody, expert designation and analysis. You'll also take an in-depth look at the role of a digital forensics expert and how to effectively work with one.

You Will Learn How To:
- Properly handle digital evidence
- Apply methods and legal implications of seizing digital evidence
- Identify types of crimes involving digital media
- Categorize types and characteristics of digital storage devices
- Perform techniques used to seize, secure and analyze digital evidence
- Understand the forensic examiner's role and the dos and don'ts of handling digital evidence
- Recognize digital artifacts and the methodology for imaging digital evidence

Who Should Attend:
- Attorneys, legal professionals and law enforcement personnel
- Detectives and private investigators
- IT professionals
- Internal auditors, forensic accountants and bank examiners
- Certified Fraud Examiners and other anti-fraud professionals

Questions: member2@lansingacfe.com
Register online at OR

**************************************************************************

Please detach and remit with payment to:
Lansing Chapter of the ACFE, P.O. Box 4312, East Lansing, MI

Name:
Name on Badge:
Company:
Title:
Lansing ACFE Member? Yes / No
Address:
Phone:
Address:
City:
State:
Zip:

APPENDIX A
Course Outline
Introduction to Digital Forensics: Gathering and Preserving Electronic Evidence

Tuesday, April 29, 2014

8:00-9:20 Computer Forensics and Fraud Investigations
In this session, you will get an overview of how computer forensics has evolved to become a critical component of many fraud examinations. In addition, you will hear about some real-world, high-tech fraud investigations.

9:20-9:35 Break

9:35-10:55 Computer Forensic Examination Process
This section will discuss how the forensic examination is planned, the phases of the examination, and when and how to call in the experts. This section presents an overview of the entire process, including: pre-deployment, securing and preserving evidence, analysis, production, reporting and preparing for declarations/depositions.

10:55-11:10 Break

11:10-12:30 Principles of Computer Forensics
This section covers the basic elements you will need to be familiar with during your digital forensic investigation. Terminology and equipment are introduced, along with the fundamentals for gathering and reviewing evidence, and some essential considerations for reporting and producing exhibits.

12:30-1:30 Lunch

1:30-2:50 Digital Documents, Correspondence and Communication
Knowing, as specifically as you can, the type of documents for which you are searching is a key component to any digital forensics examination. What is expected to be found in those documents is also crucial. A hardcopy of a document or e-mail may not be as valuable as the original stored on the computer. In this session, learn about metadata and the other hidden attributes of computer documents, even those that may have been deleted. This session also begins the practical problem/case study that will run for the rest of the seminar.

2:50-3:05 Break

3:05-4:25 Evidence Seizure and Security
This section introduces digital search and seizure following Industry Best Practices. It includes corporate and law-enforcement considerations as well as overt vs. covert methods. This session will cover such topics as: evidence collection and storage, chain of custody considerations, seizing vs. imaging, tools traditionally used and why, media types (removable vs. installed), storing and handling digital evidence, and how to prevent or mitigate spoliation.

Wednesday, April 30, 2014

8:00-9:20 Working with the Digital Forensic Examiner: Understanding What They Are Doing
If the case requires a computer forensic expert, you, as the lead investigator, will need to know where to locate such an expert and how they will go about their work, what tools they might use, and how these tools will get you what you need.

9:20-9:35 Break

9:35-10:55 Working with the Digital Forensic Examiner: Understanding How They Are Doing It
This session will review how the digital forensic examiner identifies and secures all potential sources of electronic evidence and what tools and techniques they use in their work.

10:55-11:10 Break

11:10-12:30 Asking the Right Questions To Get What You Need, Part 1
As the lead investigator, you will need to know how to ask the computer forensic expert the right questions in the right way to optimize their work and enable them to be productive in the pursuit of your case. To do this, you need to know your case and where it might lead. You also need to be aware of, and prepared for, the unexpected. Computer forensics work may result in discovery of more than you bargained for, and the fraud examiner needs to know what to do and how to approach each new finding in both the fraud at hand and the unexpected findings of the examination.

12:30-1:30 Group Lunch

1:30-2:50 Asking the Right Questions To Get What You Need, Part 2
Building on the earlier block, this session continues to develop the expertise to work with the computer forensic expert, teaching you how to answer their questions as well as ask your own. Technical expertise is not a requirement, but knowledge of how these experts work and how to optimize your requests is key.

2:50-3:05 Break

3:05-4:25 Putting It All Together: Preparing Your Case for the Next Step
The outcome of your case can rest on the quality of the work done and who performed the work. Courts need assurance that evidence was obtained and handled in the most appropriate manner possible. This wrap-up session will bring your case to a close and prepare you for the next steps in your fraud examination.