A Case Study in the Daisy-Chain Compromise of a Lawyer Mid-Atlantic Chapter Meeting with Mark Spencer [In-Person]

Wednesday, December 6, 2023 (9:00 AM - 12:00 PM) (EST)


A Case Study in the Daisy-Chain Compromise of a Lawyer

Arsenal has found the only known case of an attacker leveraging the compromised email account of a high-value target (a lawyer) to then compromise that same target's computer and deliver incriminating documents. The particular technique used by the attacker involved the abuse of IMAP functionality over a significant period of time. The attacker in this case was successful, and the consequences for the victim were (and continue to be) devastating. Due to the sensitive nature of this presentation, it is only available in-person and recording will not be allowed.

Disk Images are Gamblers and Virtualization is Vegas

While there are many obvious benefits to interacting with disk images running in virtual machines, there are less obvious (but no less important) benefits if you truly appreciate the incredible control you have over a disk image running in a virtual machine. Attendees of this presentation will be exposed to these less obvious benefits via a combination of lecture and demonstrations. While Arsenal Image Mounter will be used to demonstrate launching Windows domain controllers and workstations into virtual machines to unlock secrets on workstations without any credentials, bypassing the Windows Data Protection API, and more, some of the concepts discussed during this presentation will apply regardless of the particular tools being used.

Mark Spencer is President of Arsenal Consulting, where he leads engagements involving digital forensics for law firms, corporations, and government agencies. Mark is also President of Arsenal Recon, where he guides development of digital forensics tools. He has more than 20 years of law-enforcement and private-sector digital forensics experience. He has led the Arsenal team on many high-profile and high-stakes cases, from allegations of intellectual-property theft and evidence spoliation to support of terrorist organizations and military coup plotting. Mark has testified in cases which include United States v. Mehanna and United States v. Tsarnaev.

Directions to Mason
Johnson Center

Mason is located in the heart of Fairfax County on the corner of Ox Road (123) and Braddock Road (620).
From I 66
From I 66, get off at exit 60, Chain Bridge Road (Route 123) south. Continue south about 4 miles; Chain Bridge Road becomes Ox Road. When you get to Braddock Road, make a left. At the next light (Roanoke River Road), make a left. Proceed to Patriot Circle (passing the Eagle Bank Arena on your right) and turn right. Make a left onto Mason Pond Drive (you will pass the pond). Mason Pond Parking Deck will be on your right.
From I 495
From I 495, get off at exit 54, Braddock Road (Route 620) heading west. Continue about 7 miles. Mason will be on your right. You will pass the entrance to Mason that has a large marquee sign. This is Nottoway River Lane. Enter Mason from this entrance on your right. Go straight until you come to a T (Patriot Circle). Turn left. Make a right onto Mason Pond Drive (you will see the pond; if you passed the pond, you went too far). Mason Pond Parking Deck will be on your right.
Walk to the Johnson Center
After parking, walk out of the garage and head towards Wilkins Plaza. The Johnson Center will be on the right. If you see the pond (water), you walked the wrong way.
Once Inside the Johnson Center (JC)
Room D (3rd Floor)

George Mason University
Fairfax County corner of Ox Road (123) and Braddock Road (620) Johnson Center (JC) Room D, 3rd Floor
Fairfax, VA United States
Event Contact
Kristen Scott
(443) 504-5196
HTCIA Chapter Event