Black Hat Digital Self Defense USA 2004

Note: if the class is overfilled, then you will be wait-listed. You will be contacted should this occur.


Black Hat USA Training 2004
Caesars Palace Las Vegas • July 26-27

Course Length: 2 days

Cost: US $1800 on or before July 1, 2004, or US $2000 after July 1, 2004. All course materials, lunch and two coffee breaks will be provided.
NOTE: this is a two day course. A Black Hat Certificate of Completion will be offered. You must provide your own laptop.


Two Day Course
July 26-27

Intermediate Digital Forensics: Civil Litigation Matters

eForensics LLC

What to bring:
Your Engaged Mind – a Notebook with CD & Diskette Drive and Microsoft XP installed and working.

A CD containing notes, certain toolsets, datasets and evidence files is provided.

Introduction to Digital Forensics and Civil Litigation Matters:
This course is delivered as an intermediate-level skills development practice course. Students should have mastery of the Windows GUI and be comfortable with file structures and meta-data concepts. The expectation is that students will be positively engaged in a crawl-walk-run methodology to build skills, professional tradecraft and confidence in dealing with increasingly difficult, non-trivial digital forensics challenges.

The material and current knowledge is intended to support and checkpoint each individual’s level of skills and practice as a professional digital forensics examiner. Little attention will be paid to abstract theory or “hypothetical” abstractions not central to present-day digital forensics challenges.

Note that the proximate intent of the pedagogy is a practical means to both develop and verify your professional level of forensics tradecraft. The entire course materials, toolsets and cases are new; the course is both intense in depth and fast-paced in materials. This particular intensive two-day course is only offered at Black Hat, Las Vegas 2004.

Overarching Purpose:
Preparing the forensics examiner with the appropriate knowledge, skills and experience to deal with conducting, reporting and defending a forensics investigation and report in a civil litigation setting. The following are summary descriptions of the course modules over the two full work-days (16 contact hours over two days).

  • Introduction to Digital Forensics and Civil Matters: This is a summary introduction to and review of the field of computer forensics and the basis for gathering digital artifacts in civil litigation matters. The setting is the US. Students are introduced to the prevailing laws, customs and practices they will encounter while investigating civil matters involving digital devices. We will review XP, Windows CE and email messaging as part of the hands-on case.
  • Data and Media Storage Concepts: Digital systems have a systematic way of managing binary data. Representation and media hard drive storage are reviewed. Some attention is made to smaller types of emerging media devices. File management allocation and de-allocation are covered in this lesson.
  • Forensic Acquisition and Examination: A selected set of differing techniques and protocols utilized by civil computer forensic examiners are discussed. A detailed protocol for standard civil forensics examination is critiqued. A proprietary alternative is presented for student critique.
  • Advanced Examination: Time lines, meta-data and graphics analysis will be reviewed and practiced. Some information hiding and evidentiary analysis is presented. Cryptographic and compression technology in forensics context is reviewed.
  • Reporting and Presentation of Digital Evidence: The necessary components of both consulting and testifying forensics expert reports are described. Students are introduced to necessary and critical aspects of presenting digital evidence in civil litigation environments. Student reports are evaluated.

Review of US Civil Laws and Procedure:
Students are introduced to the prevailing civil laws, customs and procedures that they will encounter as a computer forensic expert in civil litigation matters. We will review an exemplary client platform and a small server.

Advanced Labs and Case materials:
Two distinct cases are presented and two evidence files are used to support in-class practical labs. To maximize the lab experience all students should bring a functioning XP notebook with a floppy and CD device. There will be pre-class materials which students are expected to read before the class meeting. Mastery of these pre-class readings and concepts will be verified in our “grand-rounds clinical questioning” format.

To ensure your knowledge and practice are validated there is a competency-based examination in this course. The exam is two-part: (1) written questions and (2) a practical examination portion. This examination is optional. Those student forensics examiners who attain a score of 75% for both parts will be awarded a Certificate of Completion which attests to the mastery of the instructional material.

Course Structure:
This "crawl-walk-run" methodology runs for two days during which the student will progress, step-by-step, through two increasingly difficult types of forensics examinations.

What You Will Learn:
This course will teach you, by means of cases (forensics examples, clinical practice, tradecraft and hands-on exercises), how to conduct a proper civil forensic investigation involving a computer system. At the end of the course each student will receive a set of CDs which contain a set of supporting documents, certain trial versions of software, evidence files and a set of supporting checklists. A special binder is offered at extra cost.

Who Should Attend:
Information security officers, system and network administrators, security consultants, government agencies and private investigators will all benefit from the valuable insights provided by this class.

eForensics Portal:
Students who successfully complete the examinations will be provided one-year access to a special internet listserv that contains a digital forensics discussion board, checklists and certain course materials. You should note that this is a restricted-access professional forensics examiner information portal that is intended to offer:

  • “High-signal to low-noise” forensics communications.
  • Vendor-agnostic forensics tool assessments.
  • A non-law-enforcement-centric commentary.
  • A set of professional forensics examiner communication threads.
  • The Listserv content is intended to develop a community of practice and currency of professional communications among qualified, expert digital forensics professionals.
  • The expectation is that the exchanges of communication in this setting should support development of skills, critical tools, more robust processes and verifiable metrics to support forensics examiner development.
  • Increasing levels of forensics professional tradecraft.
  • The Listserv is only available for certain qualified examiners who have attended training and have passed the combined examinations. Access is limited to one year.



Larry Leibrock Ph.D. is the founder and chief technology officer for eForensics®. His primary research and practitioner competencies focus on enterprise forensics dealing with a wide range of client devices, networks, and servers which interplay in electronic discovery investigations. He has conducted over 100 digital forensics examinations, testified in over 20 hearings/trials and taught basic to advanced digital forensics tutorials in 8 countries. These digital forensics investigations range from: administrative disputes, possession of contraband pornography, malicious network intrusions to capitol espionage cases. As a digital forensics expert, Larry has served in consulting and testifying capacities in civil defendant–plaintiff and criminal prosecution–defendant disputes. In addition, he has served as court appointed special master in forensics intellectual property disputes.

Larry is also a member of the Department of Defense Software Engineering Institute and a participant in the Air Force Software Technology Conference. He has experience in enterprise systems, offensive/defensive systems security measures, systems audits, and IT deployment projects in global systems, governmental and corporate settings. He holds industry certifications in forensics, systems performance, computer security, security engineering, steganography/watermarking detection, IT project solutions deployments and IT cost/value assessments.

He has formerly served as a senior lecturer, Associate Dean, and the Chief Technology Officer for the University of Texas Graduate School of Business and College of Business Administration. He has taught courses in Forensics, Digital Evidence, Computer Security and IT systems at the undergraduate, graduate and Law School level. Larry is a member of American College of Forensics Examiners, IEEE, ACM, Internet Society, and USENIX/SAGE.

Mollie C. Nichols, J.D., L.L.M, is the Associate Director for Research and Professional Education for the Courtroom 21 Project at William & Mary School of Law. She was formerly the Director of Litigation Training for the Office of the Attorney General, State of Texas and has nearly two decades of experience in both civil and criminal litigation working for the federal and state government and in private practice.

As an Assistant United States Attorney for the Department of Justice, Nichols was responsible for one of the early cases dealing with electronic evidence and alleged violations of the Electronic Communications Privacy Act of 1986, including the Federal Wiretap Act and the Stored Communications Act, a landmark case where computers which contained unopened email were seized by the Secret Service. She also ran the Civil and Appellate Divisions of the Department of Justice's Attorney General's Advocacy Institute, the trial training program for Assistant United States Attorneys nationwide. Nichols has gained national acclaim within the courtroom technology industry through her nationwide efforts training litigators, publishing articles, and speaking on the use of technology in the courtroom and electronic evidence issues.

(c) 1996-2007 Black Hat