About ISS World Pre-Conference Seminars and Tutorials

The full agenda for the pre-conference tutorials is below. For information on any other track, please click the links below.

Track 1: Lawful Interception and Criminal Investigations
Track 2: Big Data Analytics and Social Network Monitoring Training
Track 3: Threat Detection from Automated OSINT Collection and Analysis
Track 4: Encrypted Traffic Monitoring and IT Intrusion Product Training
Track 5: LEA, Defense and Intelligence Analyst Training and Product Demonstrations
Track 6: Social Network Monitoring and Big Data Analytics Training and Product Demonstrations
Track 7: Mobile Location, Surveillance and Signal Intercept Training and Product Demonstrations

Training Seminars by LEAs and Ph.D. Computer Scientists (Tuesday, 2 June 2015)

Seminar #1

Online Social Media and Internet Investigations 

Presented by Charles Cohen, Cohen Training and Consulting, LLC
Charles Cohen also holds the position of Commander, Cyber Crimes Investigative Technologies Section, Indiana State Police, USA

The role of Online Social Media OSINT in Predicting and Interdicting Spree Killings: Case Studies and Analysis
This session is for criminal investigators and intelligence analysts who need to understand the impact of online social networking on how criminals communicate, train, interact with victims, and facilitate their criminality.

OSINT and Criminal Investigations
Now that the Internet is dominated by Online Social Media, OSINT is a critical component of criminal investigations. This session will demonstrate, through case studies, how OSINT can and should be integrated into traditional criminal investigations.

Metadata Exploitation in Criminal Investigations
This session is for investigators who need to understand social network communities along with the tools, tricks, and techniques to prevent, track, and solve crimes.

EXIF Tags and Geolocation of Devices for Investigations and Operational Security
Current and future undercover officers must now face a world in which facial recognition and Internet caching make it possible to locate an online image posted years or decades before. There are risks posed for undercover officers associated with online social media and online social networking investigations. This session presents guidelines for dealing with these risks.

Case Studies in Metadata Vulnerability Exploitation and Facial Recognition
While there are over 300 social networking sites on the Internet, Facebook is by far the most populous, with over 800 million profiles. It has roughly the same population as the US and UK combined, making it the third largest country by population. There are over 250 million images and 170 million status updates loaded on Facebook every day. This session will cover topics including Facebook security and account settings, Facebook data retention and interaction with law enforcement, and common fraud schemes involving Facebook.

What Investigators Need to Know about Emerging Technologies Used to Hide on the Internet
Criminal investigators and analysts need to understand how people conceal their identity on the Internet. Technology may be neutral, but the ability to hide one's identity and location on the Internet can be both a challenge and an opportunity. Various methods of hiding one's identity and location while engaged in activities on the Internet provide an opportunity for investigators to engage in covert online research while also providing a means for criminals to engage in surreptitious communication in furtherance of nefarious activities. As technologies, such as digital device fingerprinting, emerge as ways to attribute identity, this becomes a topic with which every investigator and analyst may become familiar.

Seminar #2

A Real World Look at Investigations in the Dark Web

Presented by: Todd G. Shipley CFE, CFCE, President and CEO of Vere Software, Co-Author of Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace

The aim of this 1 day seminar is to take the attendees from the basics of understanding the Dark Web and how to access it, through to finding information hidden within it. The attendees will learn the best practices for the internet investigator when working in the Deep Web and the tools available to assist their investigations into the Deep Web.

This seminar is exclusively for Law Enforcement, as practical examples, covert and investigative methods will be given throughout the seminar.

The Dark Web, what it is and what it is not

To Tor or not to Tor

CryptoCurrency and its use in the Dark Web

Going Undercover on the Dark Web

Using web bugs and other technology to locate a suspect

Advanced Dark Web Investigations, identifying the anonymous user

Seminar #3

Practitioners Guide to Internet Investigations

Presented by: Mark Bentley, Communications Data Expert, National Cyber Crime Law Enforcement, UK Police

The aim of this 1 day seminar is to take the attendees from the basics of understanding the internet, how to find data, through to a full understanding of best practice of an internet investigator, having awareness and knowledge of all the tools available to achieve this.

This seminar is exclusively for Law Enforcement, as practical examples, covert and investigative methods will be given throughout the seminar.

The World Wide Web and the Internet

  • How it works. Why it works. How data traffic leaves a trace
  • What the internet is; what is an IP and what protocols are used (TCP/IP)
  • IPv4 and IPv6 – understanding the changes
  • Mirror servers: use and value
  • Tracking and evaluating data

Recognizing Traffic Data

  • A practitioner's guide to what data is available. How to harvest and analyze it.
  • Best practice to identify suspects and build profiles.
  • Data collection and interrogation
  • IP usage, exploitation and dynamics; IP plotting and analysis; how to look for suspect mistakes and exploit them (where they show their ID)
  • Dynamic approaches to identifying suspects through internet profiles
  • What investigators get from tech and service providers, and how to analyze it
  • What to ask for with current legislation to achieve best results
  • SPOC best practice.
  • ISP/CSP capabilities and opportunities.

WIFI and Mobile Data

  • A practitioner's look at Wi-Fi, attribution, cell site data, GPRS location services and technology. How an investigator can track devices and attribute suspects' locations, devices and movement.
  • Dynamic live time tracing
  • Geo location services and uses
  • Surveillance without DSA and authority

Emerging Technologies, Masking Tech and Tools

  • How suspects are using emerging and new technologies.
  • An introduction to where technology is going, and how law enforcement can use this to our advantage.
  • Darknet (Deepweb) and IRC use
  • VOIP, Skype
  • Advanced data sniffing and profile building
  • TOR systems, applications and ways to coax offenders out of the system.

Advanced Techniques in Tracing Suspects

  • Using innovative and dynamic methods to trace offenders.
  • Tricks used by suspects and how to combat them
  • Covert internet investigations
  • Proxy servers and hiding.
  • Managing collateral intrusion
  • Reverse and social engineering
  • Thinking outside the box
  • Possible missed opportunities
  • Profile building and manhunts

Open Source Intelligence Training (OSINT)

  • An in-depth look at what tools are available, how to use them, and practical applications.
  • Safety online when open sourcing
  • Open source training and awareness basics
  • Trace suspects using available tools
  • How to identify leads in investigations and data from ISP
  • Internet tools to assist in building online profiles on suspects
  • A run through of my website dedicated to online tracing tools and how best to use it (LEA ONLY)
  • Reverse engineering and social engineering

Seminar #4

Understanding ISS Technologies and Products Deployed in Telecommunications Networks and Monitoring Centers for Law Enforcement and Intelligence Analysts

Presented by: Dr. Jerry Lucas, President, TeleStrategies

This one day pre-conference seminar covers the spectrum of ISS Technologies and Products deployed in today's fixed wire, mobile wireless and Internet Service Provider networks and LEA Monitoring and Intelligence Gathering Centers. This all day seminar is ideal for those law enforcement, public safety and intelligence analysts who need an understanding of the ISS technologies to be discussed in the conference sessions and the ISS products displayed at the exhibit hall as well as an understanding of the buzz words and jargon used by telecom operator engineers and their vendors.

Introduction to Telecom Infrastructure, Interception and Related ISS Products

Understanding ISS:
Why Understanding Telecom Infrastructure is Important for Law Enforcement and Intelligence Analysts

Basic Telecom Building Blocks:
Circuit vs. Soft IP Switching, Signaling (SS7, ISDN, DTMF, etc.), fiber optics (SDH and SONET), Broadband Access (DSL, Cable Modems, Wi-Fi etc.), IP Core Technologies (Routing, ATM, MPLS, etc.) and Network Elements for Intercept.

Telco Back Office Systems:
Billing Systems, Mediation Services for Capturing Call Detail Records and LEA Intercept Request Processing.

Lawful Interception Architectures:
Probes (active and passive), Optical Layer Intercept at 10, 40 and 100 GBPS, Mediation and Data Retention Architectures, CALEA Pen Register and Trap & Trace, LEA Monitoring Center Functions and ISS Products Deployed in Fixed Wire Network Infrastructure.

Typical US DEA Funded LI Systems:
LIMS, T2S2, Warrant Processing, Data Logs, Capacity Requirement (e.g. Targets, Handoff Circuit Capacity, etc.), Central America Project Funding and Enterprise Hardware/Software Requirements.

Legal Intercept Options:
What telecom operators must provide when served with a Subpoena, Search Warrant, CALEA-Title III, National Security Letter and FISA Warrant.

Understanding Mobile Wireless Infrastructure, Interception and Related ISS Products
Infrastructure basics, back office infrastructure, IM, data and where are ISS products deployed for monitoring and intercept.

Types of Wireless Network:
Differences among Network Operators, MVNO's, WiFi, WiMAX, Microwave, Satellite, Femtocells and NFC Interfacing.

Mobile Network Infrastructure:
Subsystems (cell sites, sector antennas, backhaul, processors at towers), MSO special features (HLR, VLR, etc.) and PSTN Interconnect.

Cellular Network Generations:
Infrastructure Differences Among GSM, GPRS, EDGE, HSPA, North American CDMA, W-CDMA and LTE (CSFB vs. IMS Based) and Differences in Data Service Support.

Functional Differences between 3G/4G Smartphones and 2G Phones, SMS messaging vs. iPhone text messages regarding intercept and 3G vs. LTE data services capabilities.

Cell Phone CDR's:
What records do cellular operators obtain when the phone is on, what's in a CDR when phone call is initiated and other forensic data of value to LEA's.

Cell Phone Tracking Options:
Cellular Operator Tracking Services available to LEA's, Target Pinging, Location technologies (GPS is National Based vs. RF Spectrum Mapping, GSM Surveillance, A-GSM intercept, WiFi Tracking, IMSI/IMEI Catchers, Spyware and more.

Smartphone Services to Avoid Tracking:
WHATSAPP, TIGER Text, WICKR, VIBER, GroupMe and more.

ISS Intercept Product Options:
Electronic Surveillance (audio, video and GPS), Location Based Mediation Products, Smartphone IT Intrusion and Cellular CDR data mining, Geocoded Photo Metadata, EXIF tags, Special Smartphone Services for Geolocation (Creepy, Instagram, Foursquare, VIBE and more).

Understanding the Internet, Interception and Related ISS Products
What Investigators Have To Know about IP call Identifying Information, Investigations Involving E-Mail, Facebook, Twitter, Skype, Instant Messaging, Chat Rooms and what can be done to address Internet intercept deploying ISS infrastructure and where are ISS products deployed for monitoring and intercept.

IP Basics:
Why Understanding IP Layering Model, TCP/IP and UDP is important for LEA's and the IC Community, IP addresses (IPv4 vs. IPv6), static vs. dynamic addresses and more.

Internet Players:
The managers (ICANN, IANA and IETF), NSPs vs. ISPs vs. CDNs, How the Internet Players exchange IP Traffic, Private vs. Public peering and IXPs.

ISP Infrastructure:
RAS, RADIUS, DHCP and DNS and why these servers are important to understand.

VoIP Options:
Types of VoIP Services, PSTN interconnect, Gateway Based (Vonage), P2P (Skype & VIBER), Softswitches, SIP and IMS.

E-mail Services:
Client Based E-mail vs. Webmail. What's different about E-mail, SMS, WEB 2.0, HTTPS, HTTPS 2.0, Smartphone messaging and Social Network messages.

Social Network Metadata:
From Tweets, Facebook, E-mail and Smartphones.

Deep Packet Inspection:
What's DPI, Where do telecoms deploy DPI and Where does the Intelligence Community request DPI intercept.

Defeating Encryption:
Encryption options, Public Key Encryption, TOR, Third Party Services Available (Wickr), Encryption Products and how to defeat encryption (Spyware, Remotely Loaded Programs, IT Intrusion and Man-In-The-Middle Attacks)

ISS Products for Intelligence Gathering:
OSINT, Big Data Analytics, Speaker Recognition, Facial Recognition, IP Mediation Devices and Monitoring Centers.

Seminar #5

Bitcoin 101: Introduction to What Technical Investigators Need to Know about Bitcoin Transactions, Dark Web Commerce and Blockchain Analysis

Presented by: Matthew Lucas (Ph.D, Computer Science), Vice President, TeleStrategies

This 101 training seminar is an introduction to Bitcoin, how the system is used to support criminal activities (e.g. Dark Web) and why technical investigators need to understand the basic Bitcoin transaction mechanism (Blockchain) to successfully defeat 21st century criminals and terrorist actions.

Specifically this introduction to Bitcoin for technical investigators addresses:

  • Bitcoin Basics for Technical Investigators: What's a bitcoin, basics of peer-to-peer electronic cash, who orchestrates the financial process, who champions Bitcoin commerce, how do consumers get started using Bitcoin and who handles the settlements
  • Understanding Bitcoin Infrastructure, Blockchain and Bitcoin Mining: What's a Bitcoin Miner, what's needed to become one, why should law enforcement become Bitcoin miners, understanding Blockchain, transaction ledger records, how criminals do business anonymously using Bitcoins and how is all this orchestrated with no central authorities involved.
  • How Criminals and Terrorists Use TOR and Dark Web: What's TOR, how does it function for basic anonymous communications, what's different with TOR Hidden Service (e.g. Dark Web), what is .ONION and how do criminals get started with setting up a Dark Web Merchandise site.
  • Bitcoin Cryptography Demystified (For Non-Math Majors): The key to understanding why third party, financial institutions are not needed in Bitcoin transactions is understanding basic cryptography. This brief session explains how the system works starting with Bitcoin miners given an auto-generated "hash value" and challenged to add bits (nonce) to a block of Bitcoin transactions over the last 10 minutes along with how Bitcoin addresses (private and public encryption keys) are created. Webinar segment presentation time is less than five minutes for those not mathematically inclined.
  • Bitcoin 2.0 and the New Challenges Facing Law Enforcement: Where is the Bitcoin phenomenon headed, what new application should investigators expect and the case for why Bitcoin will become the currency of Internet Commerce.

Seminar #6

Bitcoin 201: Setting Up a Live, Classroom Bitcoin Mining Platform in Order to Demonstrate Online, the Underlying Mechanisms of the Bitcoin System for Technical Investigators

Presented by: Matthew Lucas (Ph.D, Computer Science), Vice President, TeleStrategies

Bitcoin 201 provides a hands-on demonstration of how to set up a Bitcoin mining platform to investigate Bitcoin transactions and gather intelligence on criminal and terrorist activities by monitoring the Bitcoin Blockchain's archived and real-time ledger record flow. Specifically, Technical Investigators will learn how to set up a Bitcoin Mining Platform.

  • Bitcoin Core Client Software: What hardware at a minimum is needed to monitor Bitcoin Blockchain not for profit (e.g. Winning New Bitcoin) but for intelligence gathering.
  • Bitcoin Hardware and Software: Hash per second processing, electrical power requirements, Internet access speed requirements, blockchain storage, security considerations and more.
  • Blockchain Analytics: Analysis tools available to search on Bitcoin Addresses. Big Data Analytics tools to connect the transaction slots and other basic programs technical investigators should be aware of.
  • Keys and Bitcoin Addresses: How to start the key generation process, from private (secret) key generator to public key and bitcoin Address generation. (Note, you don't have to be a math major to do this)
  • Bitcoin Investigator Platform Q&A

Seminar #7

Bitcoin 301: Classroom Demonstration of Submitting a Real Bitcoin Transaction to P2P Miners and viewing the recording in the Most Recent Blockchain and More Online Event Capturing Demonstrated

Presented by: Matthew Lucas (Ph.D, Computer Science), Vice President, TeleStrategies

With a running Bitcoin Miner Platform, how to go live as a Peer-to-Peer Bitcoin Miner will be demonstrated. Again, not to win new Bitcoins (virtually zero chance given the platform hash generation power) but to monitor live what's going on in the "Bitcoin Cloud".

  • Establishing our Demonstration Platform Operator as a peer in the Bitcoin peer-to-peer network.
  • Creating a Real, Valid Bitcoin transaction (Buyer to Seller), submitting it to the Bitcoin P2P network and watching it being made a part of the last 10 minute blockchain ledger.

  • Submitting a non-valid Bitcoin transaction (e.g. erroneous private key signature) and monitoring the P2P rejection.

  • Other Real Time bitcoin Network Monitoring Options for Technical Investigation.

  • Technical Investigator Q&A

Seminar #8

The Dark Web: What LE, Intel and Security Professionals Need to Know

Presented by: Stephen Arnold, Managing Partner, ArnoldIT

The Basics. What is available and how to access the Dark Web safely.

In this lecture, Stephen E. Arnold will present essential information about the Dark Web. The information presented is not designed for individuals not engaged in security, investigatory, and intelligence work.

The program will answer these questions with examples and case examples:

  • How can an investigator protect himself or herself when exploring the Dark Web?

  • What software is required to access the Dark Web?

  • What products and services are available on the Dark Web?

  • How does an investigator locate specific vendors selling products and services which may be illegal in some jurisdictions?

  • What are the vulnerable points in the Dark Web?

  • What role do modern cyber OSINT systems play in Dark Web investigations?

Each attendee will be provided with a link to the URLs cited in the lecture.

This program is designed to make clear the basic mechanisms, procedures, and software required to probe the "hidden" Internet.

A question and answer session will follow Mr. Arnold's formal remarks.

Services and bitcoin. The consumer services on the Dark Web and the basics of digital money for buying products and services

This second lecture focuses on the consumerization of the Dark Web and the role of Bitcoin (digital currency) in Dark Web transactions. Like the first lecture, the information in the presentation is intended solely for law enforcement, intelligence, and security professionals.

The lecture will answer these questions:

  • What communication services are available to a Dark Web visitor?

  • What tools are available to allow anyone to set up an eCommerce site in the Dark Web?

  • What is the procedure for sending and receiving email to a Dark Web vendor or "contact" in a forum?

  • What services are available to permit anonymous and encrypted financial transactions?

  • What services operate as "middlemen" or escrow services for Dark Web transactions?

  • What is the weak link in a Dark Web transaction for physical goods?

  • How does one launder or "hide" money from tax and other authorities?

  • What is the outlook for the Dark Web as an environment for terrorist funding?

A question and answer session will follow Mr. Arnold's formal remarks.

Seminar #9
Thursday, 4 June 2015

Bitcoin Trading Detection

Presented by: Vladimir Vesely, Researcher, FIT-BUT, Brno University of Technology

The presentation outlines the cryptocurrency ecosystem (namely Bitcoins), its peer-to-peer network architecture and the communication protocols used. Different methods are discussed for detecting running Bitcoin clients and miners in a local network.

Seminar #10
Wednesday, 3 June 2015

Decryption of TLS/SSL

Presented by: Jan Pluskal, Researcher, FIT-BUT, Brno University of Technology

The presentation introduces ways to decrypt a TLS/SSL connection. The focus is on a man-in-the-middle attack employing a TLS/SSL proxy, which is demonstrated on the interception of webmail communication.