dfir blog

All about dfir.

The hand-off

Thanks to all of those who have offered to take on dfir.training. I have a taker for the website and Twitter account and will be transferring the domain and creds over soon.

The future of what the site may become is something that I hope will happen with the new DFIR Guy, who has stated some changes that I would like to see included in the online resource. My replacement was chosen for the main reason of not integrating or merging dfir.training with other sites or services, as I would like to see it stand on its own.

I am humbled by the support and the number of emails offering to continue the website, and I hope that the site will continue to be a useful resource. I have also made a personal promise not to interfere in how the site may change and hopefully improve in the future. Whatever happens to the site will happen to the site, as my hands will be off as soon as it is transferred.

It is my goal to fully retire by next summer, so I may appear as DFIR Batman occasionally, but it is my intention to quietly close my career and enjoy living on a wonderful piece of land in a beautiful state by late spring of next year. I am sure to miss the field of DFIR, to which I have grown so fondly attached. As soon as the website domain and webhost have been transferred, the new DFIR Guy will take charge of the site and Twitter account.
DFIR Guy, aka, soon to be ex-DFIR Guy

Experts do it for free, but why?

I'm a training monster.  I eat it up.  I get it wherever and whenever I can.  I support anyone in the DFIR field to get as much as they can too.  If you are in government, you get more than your share without spending a dime out of pocket (sorry for the private sector folks, but you guys get to pay for the public sector expenses for training).  I love conferences too.  I've been to more than I can remember.  I can look at a map and point to dozens of places nationwide where I attended a course or conference in just as many different states and cities.  

I have presented a lot too.  Some in public, some in unmarked buildings.  For the unmarked buildings, I get paid because I am technically working (it's this thing called a salary).  For the public presentations, I did it for free on several occasions, for giant corporations that paid me in free bagels and coffee for breakfast.  Oh yeah, I got "free" tuition in the conferences too.  Everything else was out of my pocket.

<hopping on soap box>

I stopped presenting for free.  I recommend that you stop presenting for free.  For every free presentation I did, my out-of-pocket included door-to-door transportation to the event (taxi, airfare), hotel, meals, incidentals, hours of preparation, and days of burnt vacation hours.  After seeing a thousand attendees who paid $2K to attend conferences, where everyone was paid except for me (caterers were paid, live band was paid, open bar was paid, and I am sure the dancing bears were paid too), I had an epiphany: I should be paid too!

My point is that for the huge corporate events where the gross revenue is hundreds of thousands of dollars (or over a million), I am certain that the organization can float a little to the presenters, especially since the attendees pay $2000+ to listen to the presenters. Really, the presenters are the glue and fabric of any conference, yet the vast majority are not paid. They volunteer so much for a line on their CV, which the organizer takes advantage of.

Here is a secret: I still present at conferences. I present at the same conferences where I volunteered to present for free. The difference is that now I get paid. The next time you are recruited to present for free, I mean, in exchange for a bagel and coffee, offer to send an engagement letter with your fees. Either they pay or they won't. If they really want you, they will pay. I promise you, they will pay. They will pay for door-to-door travel, airfare, hotel, meals, and for your time. If they don't pay, it is not because they do not have money, it is because they can find a sucker to do it for free, I mean, someone who wants to write a line on their CV for presenting. Also, don't be shy about what to charge. Business class is not that much more expensive than coach. Hotels are fairly inexpensive no matter where you go, and meals are meals. The point is that when you spend $2,000 to teach for free plus burnt vacation time, you lose. That's an expensive line to add to your CV.

Another little secret: if you are presenting for free, there are other presenters at the same conference getting paid. Their travel, lodging, meals, and time are paid. Yours are not. Theirs are. You may even be better known than the paid presenters, but there is one huge difference: the other presenters required payment for services rendered and you didn't.

Exceptions: You know those not-for-profit DFIR associations and groups? You had better present and volunteer your time for free. That's where the real networking is. That's where you can meet those who are digging into every crack and crevice to learn and meet people. You'll find the DFIRrs that work in buildings without windows as well as those who work for big name brands. These groups aren't making money. They are making great events. Don't diss them and charge for your time. Help them grow. Now, in regards to an organization whose gross QUARTERLY revenue is $30 million: they should pay.


The Phill Moore Effect

I’m fortunate to have seen the DFIR field change well beyond anything I could have expected. I started in “computer” forensics when Encase was on floppies, SafeBack was the imaging tool of choice, Norton Disk Editor was part of the toolkit, and we would literally seize entire computer systems as evidence in case we were told to rebuild everything in court (never happened). And we called forensic images “mirror images”. And we pulled the plug...every single time. Times have changed (for the better!).

Also, the answers on how to do forensics were not on the Internet.  There were a handful of books written on the subject.  Every day was a new day in figuring out something.  No one really shared anything.  Most of what we did was guesswork and trial and error. 

Then came a few things to change it all. We communicated more.  We shared more.  Conferences popped up to share methods.  Software finally was starting to do what we needed.  Books were being written on forensics. Everyone was writing white papers (aka: PDFs) on every aspect of forensics for everyone to read and learn from.  We began to realize that we didn’t know as much as we thought when we started, but were catching up.  This was the height of learning how to do the job, finding a new book-of-the-week on some topic being released, and blogs galore on everything.  And we moved away from “computer” forensics to the more appropriate “digital” forensics and incident response.  When colleges start making degree programs out of thin air, you know the DFIR field has come a long way.

But something happened lately.  The number of DFIR books declined.  Prolific bloggers either retired or grew tired of blogging. Conferences increased their tuition tenfold with software licenses keeping pace with the price of conferences.  I still miss some of my favorite websites.  I admit that Twitter has filled much of this gap, as long as the timeline is not full of politics.   It seemed like the field became quieter, at least in the manner of being online to share information.   Did we learn everything already? I don't think so.

As to books, the field has pretty much been inundated with every sub-topic under the sun, but I can’t help but think that the lack of new books is somehow related to over-saturation and maybe a lack of effort put into writing (that means me too). I have found that many of today’s DFIR blogs are becoming vendor websites with a blog that indirectly or directly markets a product they are selling. I’m not too much of a fan of those blogs, but of course, we are lacking elsewhere.

Then comes along the Phill Moore effect.

The DFIR Door Kickers

I have seen a spike in the number of blogs that have gone from inactive to active, the start of new blogs, the start of new podcasts, and the talk of new books being written on topics that I never thought of before. I partly credit (or blame) Phill for this. If you write about DFIR, don’t worry, as Phill will catch it and note it in his blog. If you don’t write anymore, or you don’t write enough, don’t worry. You won't be in his blog. Don't be that person. Get on his blog by joining the conversation to share and communicate what you do. This is the Phill Moore Effect.

This post may sound like a love letter to Phill, but my point is that in this field, there is a constant. That constant is the number of people you can put on a short-list that have a dramatic effect on the community as a whole. These folks put themselves out front and risk public embarrassment and failure if they screw up or say something incorrect. It takes a lot to do that. These folks are the DFIR Door Kickers. Usually, the first through the door gets shot or attacked or trips and falls. They have only the hope of performing well in front of everyone else. The rest of us just follow the door kickers as they clear the way for us. Less risk for us. All the risk for the door kickers.

Understandably, some in the DFIR community simply cannot go public due to their type of employment or employer. For everyone else, it is a conscious decision to remain quiet and benefit from the short-list of DFIR Door Kickers. That is the way it is and always will be. Harlan Carvey has commented a million times on the lack of sharing, which I tend to agree with in terms of the total number of us, but disagree with overall, because there have always been a few who share and communicate. Harlan has been the door kicker of door kickers. There are a select few others who will take an email question, give a presentation at the drop of a hat, write up something to post online that they worked on or discovered, and even admit when they are wrong.

If I were to make a list of those who have jumped on stage to share their research, their thoughts, or offer mentorship, I am willing to bet that your list of names would match mine. There are simply only a few steady diehards who are first through the door with the rest following behind. Consider your DFIR book authors, instructors, and software developers as those first in the door where we all follow behind. When I have the opportunity to meet these folks, I always, without fail, give them credit for their work and a thank-you for sharing. We are human, and if we don't give credit where it is due, the effort it takes to keep sharing will eventually dwindle when appreciation is not felt from the community. Do you want to know the most effective way of saying 'thanks' to the DFIR Door Kickers? Point out something you learned from them that directly impacted a case you worked. That is what makes the difference. An informative talk is nice, but when you can apply it to a case, that is what makes it worthwhile.

One thing you may notice with the DFIR Door Kickers is that they don't toot their own horn. I've not met an arrogant DFIR Door Kicker, but every single one of them that I have met has told me that they learn as much as the rest of us every day, even when they are teaching, researching, or writing about DFIR.

Having already mentioned Harlan Carvey as one of the earlier DFIR Door Kickers, I’d like to add Phill Moore to that list too, because his blog influences every other DFIR blog out there. How do I know this? Because I wrote this post because of it.

Damn you Phill Moore………you’re making me write more… 😊


For the new kids on the block

During an all day intern interview selection, the biggest thing I always see is that many of the new kids wanting to get into "DFIR" are on the wrong track.

No offense to anyone getting into the field when I say "new kids".  I just mean those who are new to the field.  And by "DFIR", I mean the field as a whole, which I'll get into shortly.

There are many roads leading to the wrong destinations, and DFIR is no exception when it comes to getting on the wrong road. Here is what I mean. Hollywood shows one version of DFIR work with special agents hacking into foreign governments as they shoot their way past terrorists. The news shows another version of the same job. And so forth. From what I have seen, unless someone has been involved with computers for some time, it is easy to think you are working toward what you (1) want and (2) are capable of doing, but actually are on the wrong path to the wrong destination. Thank goodness for internships!

One thing I have not yet seen is an aptitude test for DFIR work.  That would help a lot of students figure out which direction may be best for them.  As to the overly general term of DFIR, we have many subsets of jobs in DFIR like infosec, forensics, ediscovery, 'cyber-this', and 'cyber-that'.  I broadly place these DFIR jobs in three categories when talking about it to someone interested in the field.  

The categories are the

(#1) Police Officer & Fire Fighter,

(#2) Detective and Arson Investigator, and

(#3) Caretaker and Custodian.

Or more commonly known as 

(#1) Incident Response

(#2) Digital Forensics

(#3) Electronic Discovery

When I watch interns run around on fire, I can instantly put them into the right box. 

(#1) The "police officers/firefighters" love to rush in and fix things that are on fire.  This is great for IR work.   

(#2) The "detectives/arson investigators" don't seem to like fire drills, but they really like to go deep in data to figure things out.  This is great for DF work.   

(#3) The "caretakers/custodians" prefer a different pace than either of the prior tasks, mostly collecting data and making it understandable for someone else to figure out (for the lawyers). This is great for..."ED" (?) work. I'm not sure on that "ED" acronym...

Of course, ability comes into play with each of these. Some have it. Some don't. Some will. Some won't. That is pretty much what I give for career advice to the interns who ask. Find what you want to do and match it with what you are good at. You will then make money. And if you don't like the job you are doing, but you are good at it (which is actually most important), you will still make money.

As for money, generally speaking, all three categories make enough to make you happy if you love your job. Each has its own pros and cons. And sometimes (many times?), you can move between each category with a minimal amount of education and training because of job overlap. So, if you love getting calls at 0200 telling you to be at the airport 2 hours ago, go for #1. If you would rather spend time and deep focus on finding the source of the problem for prosecution or actionable intelligence, go for #2. Or if you like the legal adversary system, go for #3.

That's how I give my feedback on the new kids running around the office. If we need a firefighter, I look for the interns that thrive on uncertainty, unrealistic expectations, and the ability to play whack-a-mole without breaking a sweat. If we need a detective, I'm looking for the person that is super curious and wants to put someone in jail or send in ST6, even if the odds are slim to none in doing so. I want bulldog tenacity.

Oh yeah. For the intern expecting to jump out of a plane into enemy territory in a mission to steal an encrypted thumb drive from inside a secure building, all the while running-n-gunning and calling in airstrikes....you are going to be disappointed...


One thing leads to another, aka, how I learned not to hate on DFIR tools

Occasionally, I jest about forensic tools.  I believe that most of us have experienced a wide spectrum of emotions when having to rely upon a hardware or software tool to get a job done.  When it works, we are happy.  When it does not work, we are not happy.   But sometimes we are wrong in blaming the tool.  In short, we need to ensure that…

  1. ...the tool must be capable of handling the job (and thereby suited for the job), AND
  2. …the user must be capable of using the tool

When either of these two factors doesn’t exist, we fail at our job, or at a specific task in our job. We can blame #1, #2, or both. To be honest, I have at times used tools with which I was not as capable as I should have been. There have been occasions where I bought an insanely expensive piece of software with the expectation of having it do magic, and when it didn’t, I blamed it on the software (those were my early days in forensic work…now I just blame myself when it doesn’t work).

I have also used tools that were defective or incapable of handling the tasks that even the manual said they could handle. When we can identify faults with #1 and #2, we can handle any problem by being able to find a tool that works and learning how to use the tool that is fit for the task. When a DFIR person reaches this level, this is the person you want to hire. They can make anything work without blaming anyone or anything. They just get the job done.

So, when I poke fun at a tool, I do it because either I failed at using it or the tool just doesn’t do what I need it to do.  It might work for someone else on a task that is different from mine, but at a certain point, I move on to a tool that works for me.

Side note: Joking around about Encase has been going on for years.

I got sucked in by a troll....

In one of my few jests about Encase, I modified a viral Internet meme into a DFIR funny and tweeted it.  One person commented that they didn’t get it.  I imagine that he didn’t get the joke because he doesn’t use Encase….oh well. (that is also a joke by the way). 

However, one of the comments on my jest called me “sexist”, “crass”, and "creepy". Note: this was from a non-following and non-followed account. He sort of just jumped into my Twitter thread like a stranger would have jumped into the backseat of your car when you were stopped at a red light...and then started insulting you from the backseat. I'll skip the details of the drama of being trolled online. Lesson learned: ignore the Internet trolls.

But here is the good news (and the point of this post)! 

The trolled tweets gave me the inspiration to talk about the DFIR tools and users of the tools in a positive manner that is helpful to everyone.

I believe it is an important concept for newcomers to the field to grasp, and something that we older folks can reflect back upon, in being able to find the solution to problems. This concept works in practically anything, such as sports, martial arts, driving, and so forth.

Sometimes it is the tool. Sometimes it is the user. Sometimes it’s a combination of both. Figure out which it is and then fix it.

The competent DFIR person knows the difference and can fix it when something doesn't work as expected.  If you can do that, consider yourself competent.  That is also the type of person you want to hire.  Even a newbie who can tell the difference and figure out the problem (AND SOLVE IT) is the person you want to hire.


A DIY Cyber Security Degree

If I have seen any trend over the past years, it has been the question of how to get into the field (digital forensics, incident response, or any sub-field of any sub-field in the realm of “cyber” security).

The first range of responses generally recommended applying to law enforcement and hoping to get a rare chance to compete as a digital investigator, as this was typically the method that the vast majority of those in the field took, although not by design, but by happenstance.

*  Law enforcement is a common route with a small chance of eventually competing for a forensic slot after a decade or so, unless that is something you wanted to do anyway and would be happy if you never got the coveted forensic position.

*  College is one way. But plan to spend a lot of money and a lot of time and take a lot of courses that have absolutely nothing to do with computers (like “Zombies in popular media”), and if you choose a less-than-capable school, never get any hands-on work or be taught by someone who actually does the job. College depends on where you want to go. Want a federal job in the field? You probably need a 4-year degree (BA or BS) in practically any major. The feds don’t generally care what your degree is in, other than that you have a degree.

*  The military is another way. But plan to go to basic training, potentially go to combat, and potentially not get the job you were promised. That is also fine if it is something you want to do anyway.

Another method that I have seen lately and becoming more common is the DIY degree.  I happen to feel this is probably the best method for more than a few reasons.  First off, here is my interpretation of getting into the field by Doing It Yourself.

*  Work somewhere doing something with computers.  It doesn’t matter what you are doing with computers, but work at a job doing something with them. Fixing them. Maintaining them. Building them. Configuring them. Managing them. Something with hands-on work with computer systems.  If you spend a year working on/with computers, that is a year of being paid to learn and gain experience.  Volunteer at a non-profit and maintain their website or computer work.  It adds up.

*  Networking, and I don’t mean computer networking.   Get involved in the community in which you desire to enter.  Say hello to those in the community. Tweet them. Ask for advice from them.  Be respectful but not shy.   Join the associations, clubs, and meeting groups.  Start a blog.  Join in conversations in forums.  Be involved or be left behind.

*  Training is everywhere. Figure out what you need and take it. Focus on only what you need for the skills you need for the job you want. Don’t take training for the sake of taking training, because in the DIY method, money is time and time is money and both are limited. Don’t waste either. To find good courses, research names. Who is presenting at conferences? Who has written books? Who has contributed to research and development? Who has done anything amazing for the field? Who contributes? When you find those names, seek out their training.

This part also includes practice, research, and self-learning. Master what you learn. Uncover what someone else missed. Publish your findings (at least put them on the Internet!).

In the DIY Cyber Degree, the college portion is really only necessary if the job you want specifically requires it.  And even then, there is sometimes a chance to bypass it with Direct Hire Authority.  The DIY Cyber Degree might fit that direct hire authority.

Without getting too deep in the weeds on the DIY Cyber Security Degree, take a look through the article “A Do-It-Yourself MBA? This Guy Did It – and So Can You”.
I find that the DIY Cyber Security Degree has been used since the inception of the field.  Cops, many without degrees, simply worked to solve electronic crimes, gaining experience and researching.  But now, you can map out your DIY degree much easier than the earlier forensic folks did because you have so many choices.

I want to go back to the college requirement. If you can afford the time and the money, be admitted into a good school, and formal education fits your learning style, I say this is a good route. If you are unsure, take a look at this article on cybersecurity master's degrees.

The other thing I want to mention is tuition. One school listed in the article (Carnegie Mellon University) will cost you over $23,000...per semester. That reaches close to $100,000 for 2 years. Be careful, because like any degree, a job is not a sure thing upon graduation, but any student loans are certainly guaranteed with your signature.

If you choose a lower price school because it is lower priced, be prepared that the degree won’t have as much weight if the program is known to be poorly delivered.  The end result is no job, cruddy degree, and student loans anyway.

Now comes the DIY Cyber Security Degree

  • Get the experience with computers.
  • Get involved with the community.
  • Take intensive training.

Document all of this in a manner that will look glaringly more impressive than a degree. The benefits are:

  1. Less money to spend up front
  2. Less money to repay on the backend
  3. Earning potential continues while working
  4. Solid member in the community
  5. Solid leads and contacts to get the job you want
  6. Enough certs and training courses to choke a horse

Personally, I have been going to training courses for years and continue to do so. Lately, I’ve been focusing on online courses, mostly because of time. I’ve grown weary of flying and tend to fly only when sent somewhere for work. A few conferences I attend, a few I teach, and the rest I catch the slide decks for when they are posted online. The biggest benefit of an online course is that within the first 30 minutes (sometimes less), I can tell whether the course is going to be helpful or a waste of time. I can stop watching right then and move to another. In a classroom, walking out of a bad class and rescheduling a flight home is more effort than it is worth. Pick courses that are relevant to what you need for the job you want. Want to work in IR? Don't take useless courses outside of IR unless they can apply to IR work.

I once volunteered to be on a board for interviews with new hires. It took all of one interview session for me to realize who to hire. I have had highly qualified people interview for a job, but the interview simply revealed that ‘highly qualified’ was just checked boxes on education. Great looking on paper, but that was about it. No self-study, no extra effort to get into the community. And dear college graduates, most of the hiring managers or decision-makers have been to college. We know what it is like. We know how many hours a week of classes are typical. We know how much free time you have. Therefore, we have an expectation of what we want to see you did with your free time.

I have hired a few workhorses who spent a few years before the interview self-learning, researching, reading, training, and working ‘on computers’ without having any formal education. I know what it takes to work in this field as far as personality and perseverance. I give extra credit to those who worked their way into the field and seem to know everything that is going on TODAY, not historically 10 years ago. I really like it when they can talk about a piece of software, show me how they use it, and then talk about how to use it in a manner it wasn't designed for to do really neat stuff.

When I see that, I know those persons will be hired on their next job interview, so I want to hire them first. 

Before you think I am anti-college degree, I am not.  I believe in them, for those who can benefit from them personally or professionally.  I just don't believe that a college degree is the sole determining factor in getting into the field, and in fact, believe it is not a factor of competence or potential of competence compared to the DIY method that others choose to do or have no choice but to do.  Besides, once hired, you can go degree crazy in your free time and get a PhD if you want.


Clearing old cases

Some cases can’t be closed. It does not matter that you can’t figure out whodidit or howtheydidit, you just can’t close the darn file until you get something. I have quite a few of those. I regularly pull them out when I have a break to see what I missed. Sometimes I realize I overlooked a small detail, like a grammatical error, but mostly, the cases sit there. Some of the cases were here even before I got to this desk, leftovers from someone else who used to work here.

So, here’s what I’ve done over the years to cut down on the cases I really want to be off my stack.

  • Pawn them off on a new guy.
  • If I can’t pawn it off, I wait a few weeks.
  • Try to pawn them off on a new guy.

But seriously, I try to close every case, but there are some hard ones, especially difficult for certain types of case. What I really do is go to training and read. I read a lot. Then I read more. I take training when I can get it. I have taken so much training that I have taken the same course more than once because I forgot I had already taken that particular course. I’ve done that twice by the way…same vendor too. Duh.

As much as I don’t like watching YouTube videos on forensics, I do, just in case I can find a nugget of value in the ocean of poor quality videos and commercials.  Sometimes, I find a thing of value on YouTube.  I read blogs a lot.  You can tell by the fact that I put blogs up on the home page of dfir.training. I do that so I can find which of my favorite 180 DFIR blogs have been updated.  Takes me all of 2 minutes to check 180 blogs if I check every day.

And then I take more training. Internal training, and external when I can get to it. Conferences and more conferences on top of that. I have been taking online courses for the past year or so with mixed results. Then again, most of the training I have taken is mixed. Timing is important too. I took NTI's (http://www.forensics-intl.com/whatsnew.html) 5-day course because of its reputation. When I saw that the software was all DOS...on floppies...I knew I should have gone to Hawaii that week instead. That was right about the time they shut their doors.

I admit, going to Vegas to hang around poolside, drinking and eating as much as I can without pulling out a wallet, is nice. Sitting in a room full of 500 people listening to a speaker talk for an hour is OK, but only if you are close enough to feel you are in the same room (otherwise, it may as well be on YouTube, since I can see the screen better).

I have taken about a dozen online courses, ranging from the big vendors (like the vendors that charge thousands for a dongle…) to the little guys (like the unknown people putting on courses at Udemy.com). My opinion with online courses is that the instructor needs to know what they are talking about, and if it is software based, the software had better work. I took a software course for a tool that is no longer sold, and the reason is because it didn’t even work in the class. I won't name the tool, but most likely you have heard of it anyway.

I’ve taken courses from presenters who knew as much about forensics and incident response as I know about building a space shuttle. When the instructor reads from a book or manual, go back to work at your office or start hitting your thumb with a hammer. I won’t bash the vendors or instructors, but if I am right, you probably feel like you took the same training and tried to use the same software that I am talking about…

An online course I just finished is Brett Shavers’ Placing the Suspect Behind the Keyboard. I mention this because I just re-opened two cases because of the course. Two cases that really need to be worked, and I not only booted the cases back up, but anticipate being able to close them. At the last training event I went to, I learned a few things that helped me the very next week, but those were little artifact things. The things I tried this week are different, and the bosses are happy with what I’ve done. All because of a few things I learned over the weekend with an ONLINE course. Who would have figured? My faith in online training is still on the fence, because it depends on the topic and the presenter. If either is bad or unknown, I'm out. I will mention that any SANS course is worth its weight in gold, but unfortunately, one course costs about as much as two gold bars.

My point for this post is two-fold.

One, I’m bragging about cases that I won’t be able to brag about publicly, but I’m happy to brag anyway.  

Two, keep taking training.  Keep reading.  And learn something new.  It’s amazing how you can apply the simplest of ideas to solve the biggest of problems.


Clearing out old cases each day keeps the bosses away.


quick side note: my goal is to clear a lot of cases that are known to be return-to-file before I retire, which is coming up soon enough :)

Whatever happened to “I saw it, here is a picture of what I saw, therefore it happened”?


I came across an article this week where a judge didn’t accept printouts and screen grabs of a Facebook page as evidence because the metadata wasn't captured AND the defense couldn’t click on the links that were captured via screenshot.  Really?

Since when is it not enough for a law enforcement officer to not only testify to what s/he saw, but also provide a printout of what was seen, to show that it probably happened?  The ramifications can extend to every aspect of cases with electronic media.  Can you imagine excluding evidence because RAM was not seized? Or because you didn't use a tool that the court liked (even though the community accepts it as forensically sound)? Or because you didn't capture links that were 3 or 4 levels deep?

Have we gone so far with capturing everything electronically that if we don’t capture everything, then nothing we capture will be admissible?  That is a bridge we should not cross.  Seriously, if a pdf of a website page, plus a screen grab of that page, plus testifying under penalty of perjury that what is presented is what was seen is not enough, we have a long road ahead with electronic evidence. Maybe this was just the work of a really really good defense attorney, but cases like this eventually start affecting your cases too.

On another note, I had planned on a peaceful weekend, but signed up for an online forensics course that I don’t think I can wait to finish (or start).  There goes the weekend….but I guess in a good way.  The course: Placing the Suspect Behind the Keyboard.  I have the book already, but the course topics look very relevant (plus I get another copy with the course that I will donate to a newbie).   I also sneaked in with a promo at half price.  The promotion includes an X-Ways Forensics online training course, but I did that one already...

I have also noticed that Magnet Forensics is putting on lots of webinars with cool topics too.   Their blog is a good one to follow to catch some of the webinars they are putting out: https://www.magnetforensics.com/uncategorized/new-webinars-android-recovery-griffeye-integration-coming-way/ 

Times have changed....


...for the better.  These past few weeks have been nothing but wildfire after wildfire (maybe your workplace was quiet?).   If not for the news showing up at the gate and everyone sneaking in the back door, phones ringing off the hook, I'm surprised the whole world wasn't burning down by 2pm on some days.

But that was just my office...Hawaii would have been nice in June.  I would have taken Alaska.  Anywhere actually.

On the 'times have changed' comment, I mean that in the way that there are some great things that have happened to the DFIR community over the past decade, at least as far as I have experienced.  The change is SHARING and CARING.  Maybe not so much in caring, but certainly in sharing.  We, as a community, seem to share a whole lot more than ever before.  The easiest measure is just looking at social media: whether it is Facebook or Twitter or Slack or whichever means you use, the amount of information sharing is quite incredible.  This includes sharing from those in government positions where you once avoided saying the word "sharing" as much as you avoided saying the "T" word, if you know what I mean.  I also don't mean sharing just between government agencies, but between govt and private sector.  Overall, I see the private sector as bashing the heck out of a problem as a group, making short work out of major incidents, and then...the govt can take advantage of the work :)

Ten years ago, heck, even 5 years ago, we were lucky to even talk to someone about our work or cases in fear of _____.  That's a blank because I don't know why we never talked about the generalities of our work problems and covered our cases with a protective blanket just to make sure we got no help at all.  I believe we are sharing now because we have learned how to share only that which is pertinent to share, that which does not compromise a case, and that which does not cause embarrassment to a person, place, or thing.  

We finally figured out how to share the issue of specific problems with the result of all of us solving the same problem that we have in our different cases and incidents.  Some have even learned to share anonymously to make sure info gets shared, not in the way of a whistleblower, but in a way to figure out a problem that everyone is having and that you may have the answer or part of the answer for many others.

All in all, this is really good. Many hands make light work.  We all get smarter for it.  We all bask in the glory (haha...that hurt my stomach) of crushing serious problems that we could not have hoped to solve years ago.

Now on the dfir.training website side, I will finally be able to add about a hundred DFIR tools sent to me over the past month. Sorry to all, but I was busy and questioning myself every day why I didn't take my uncle's advice and be a firefighter.  I wonder if they have an age limit.......

Reality Winner wins the Captain Obvious contest


Some #DFIR cases are easy.  The Reality Winner case is one of those, at least for the purpose of obtaining Probable Cause to arrest and most likely, convict, without having to do much more work.  In police work, this is called “a case assigned on a silver platter.”

To be the case agent assigned to this is a joy simply because of criminals making mistakes out of ignorance, complacency, negligence, or pure stupidity.  This was not a world-wide manhunt for a highly trained mastermind spy who planned in advance and escaped to a foreign country.  The Reality Winner case is more of a high schooler snatching a teacher’s password from her desk and later “hacking” into the teacher's gradebook…and only changing her own grades…and then bragging about doing it on Twitter…

But!  Not to be one to take anything for granted, we can all learn from this case, even if we never hear of the innermost secret details of the work.  Some of the takeaways we can glean include:

  • Winner accessed and printed classified documents
  • She physically mailed the documents
  • She confessed when questioned
    • Easy enough
  • Case closed (for all practical purposes, the case is open and shut)

The forensic takeaways are:

  • Logging is important
    • File access
    • File printing
    • Work schedules, keycard access, and co-worker statements can place the suspect at the scene
  • Metadata is important
    • Can tie a sheet of paper to a printer
    • Verify date/time of printing
  • Physical evidence is important
    • Postmarked mail shows origin of sender (by city/area)
    • Potential witnesses/video and tracking of letter through USPS
  • Interviews are important
    • A confession or admission solidifies a case
  • Follow-up DFIR work
    • Past social media (Winner’s Twitter account indicates intention)
    • Social media and email show associations with others
    • The electronic devices seized from Winner will most likely confirm what is already known (prior Google searches already provided good evidence in this case)
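The "logging is important" takeaway above (file printing plus keycard access placing someone at the scene) is really a timeline-correlation exercise. Here is an added example of that correlation, written for this post and not taken from it or from any case file: the print audit records and badge-reader records are constructed sample data, and the user names, printer id and document names are placeholders. It joins each print job under an account to the badge-in/badge-out windows of that account's owner, so an investigator can see which jobs the physical-access records support and which ones need more work (incomplete badge data, or someone else printing under the account).

```python
"""Correlate print-job audit records with badge-reader records.

Added example for the "logging is important" takeaway. All records below are
constructed sample data (users, printer id and document names are placeholders).
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def parse(ts):
    """Parse a timestamp string in the constructed logs' format."""
    return datetime.strptime(ts, FMT)


# Constructed badge-reader records: (timestamp, user, event)
BADGE_LOG = [
    ("2017-05-09 08:02:13", "analyst1", "IN"),
    ("2017-05-09 08:15:40", "analyst2", "IN"),
    ("2017-05-09 12:10:05", "analyst1", "OUT"),
    ("2017-05-09 13:01:22", "analyst1", "IN"),
    ("2017-05-09 16:45:00", "analyst1", "OUT"),
    ("2017-05-09 17:50:31", "analyst2", "OUT"),
]

# Constructed print audit records: (timestamp, user, printer, document)
PRINT_LOG = [
    ("2017-05-09 08:41:10", "analyst1", "PRN-3FL-02", "briefing.pdf"),
    ("2017-05-09 11:02:55", "analyst2", "PRN-3FL-02", "travel_form.docx"),
    ("2017-05-09 17:30:01", "analyst1", "PRN-3FL-02", "notes.txt"),
]


def presence_windows(badge_log):
    """Build {user: [(in_time, out_time), ...]} from IN/OUT badge events.

    An IN with no later OUT is kept as an open window (out_time is None) so a
    missing badge-out does not silently erase presence. An OUT with no
    preceding IN is ignored rather than guessed at.
    """
    windows = {}
    open_in = {}
    for ts, user, event in sorted(badge_log, key=lambda r: r[0]):
        t = parse(ts)
        if event == "IN":
            open_in[user] = t
        elif event == "OUT" and user in open_in:
            windows.setdefault(user, []).append((open_in.pop(user), t))
    for user, t in open_in.items():
        windows.setdefault(user, []).append((t, None))
    return windows


def was_present(windows, user, t):
    """True if t falls inside any badge window for user."""
    for start, end in windows.get(user, []):
        if start <= t and (end is None or t <= end):
            return True
    return False


def attribute_print_jobs(print_log, badge_log):
    """For every print job, record whether the account owner was badged in."""
    windows = presence_windows(badge_log)
    results = []
    for ts, user, printer, doc in print_log:
        results.append({
            "time": ts, "user": user, "printer": printer, "document": doc,
            "badged_in": was_present(windows, user, parse(ts)),
        })
    return results


def flag_inconsistent(print_log, badge_log):
    """Print jobs whose account owner was NOT badged in at the time.

    These are the leads: either the badge data is incomplete, or the
    credentials were used by someone other than their owner.
    """
    return [r for r in attribute_print_jobs(print_log, badge_log)
            if not r["badged_in"]]


if __name__ == "__main__":
    for r in attribute_print_jobs(PRINT_LOG, BADGE_LOG):
        status = "badged in" if r["badged_in"] else "NOT badged in"
        print(f"{r['time']} {r['user']:9} {r['document']:17} {status}")
```

With the constructed data, the first two jobs fall inside their owners' badge windows, while the 17:30 job under analyst1 falls after that account's last badge-out, so it is the one flagged for follow-up. The same join works against any pair of logs that share a user identifier and a comparable clock; the clocks being comparable (same time zone, drift known) is the first thing to verify before trusting the result.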

The most glaring point of this case is Winner’s incompetence as a leaker. Given her security clearance level and years of experience, it is almost as if she didn’t care whether she was caught.  However, her obvious mistakes are lessons for us that our work is effective, regardless of how much our methods are publicly known to uncover criminal activity.  I mean, the printer dot metadata has been known for at least a decade….


Digital Immigrants.


I’m a digital immigrant.  For a long time, I used pagers at work and had a cell phone that was the size of a toaster with a battery that lasted 10 minutes if it wasn’t plugged in.  I grew up with BASIC, DOS, AOL, and 5-1/4 floppy drives.  Now…I make phone calls on a computer that I carry in my pocket, have video meetings on a tablet that is thinner than the newspapers I used to have delivered to my driveway, and can take a class in practically any subject in DFIR I want…online…

For the non-digital immigrants, the younger whipper-snappers have no idea of the changes of having to migrate into a technical world rather than being born into it.  That works for you and against you.  This also works for and against the digital immigrants.

Here are some of the changes, both good and bad, that I have seen in the transition of the world into the digital realm.

I have seen where the vast majority of ‘computer forensic’ people were mostly retired cops or retired special agents.   If you weren’t in those careers, you were “just” IT. Coming from that world, especially at that time, meant that the skills were not generally shared.  Many times, you learned on the job and figured it out yourself.  It wasn’t for lack of being able to share but more of coming from a world where secret skills were best kept a secret so the criminals wouldn’t find out.  Even the courses available at the time didn’t cover 10% of what is covered today.  Can anyone name a case where memory forensics played a role in the 90s?  Did anyone even capture memory in the 90s?  See what I mean..

I have seen the days when shopping for any forensic book meant being able to choose between the only three books in existence. 

Tools? I remember the days of Norton Disk Editor, Maresware, and NTI tools being “it”.

Conferences? Sure.  A few hacker Cons, but not much more than that. 

Communication with other forensic folks?  Not really.  Small group contacts, but not really more than that either.  It was a small world.

Fast forward to today.

There are more books to choose from than you have time to read.

There are more blogs, websites, forensic tools, and hardware than ever before.

Communication and information sharing is on full fire hydrant blast.  You want to learn something? The information is there to learn it.

Skills and techniques are developed all the time.  If some “thing” stores data, we can get it or find out how to get it off that “thing”.   The list of impossible has grown shorter every day. Plus, we find new places where data is stored constantly.

No longer are retired detectives the main source of employees.   We have colleges graduating students in many aspects of forensics from undergraduate to PhD degrees.  High schools are teaching forensics!  “Cyber” jobs are in such high demand, with such a large pool of applicants, that employers can cherry pick exactly who they want.

Anyone in the field can create a blog in minutes to post something they just found and share with the world.  The names in DFIR are now recognizable, where before, few even wanted their name in public.  The world of DFIR is different now, in a better way.  We are better in our skills and I credit sharing information as the main reason, if not the only reason. 


As for the bad…

All knowledge is available to everyone and anyone.  That includes the bad guys too.  The tools and skills to do good are just as well known as the skills and tools to do bad.  A crime that took months to plan in the past can be planned and committed in minutes without leaving behind any of the clues of traditional crimes such as a bank robbery using guns…now it is a keyboard behind proxies with dark money and virtually untraceable Internet use.

Getting into the DFIR field has always been difficult, but now it’s difficult for different reasons.  Where before, you just needed to have the skill to do the job, you now need certifications, degrees, diplomas, and experience because the pool of competing applicants is probably 100x what it was a few short years ago.  If you want in the field today, plan to spend years learning and prepping to compete against some very bright graduates.

I like being a digital immigrant, having been able to see the transition from analog to digital, privacy to publicity, and selfish to sharing.  I enjoy the conferences that started with a few people and have grown to thousands.   At this last Enfuse conference, I saw so many new faces and heard so many new names that I feel honored to be in such a growing community.  It is getting harder each year at conferences to find those who I met the prior year, only because of so many new faces.  This is pretty cool.  


Trading Personal Information for Price Quotes. Why do we do it?


Whenever I have to buy a dongle (i.e., a license for a software I don’t have or an additional license to a software I do have), I go through periods of frustration lasting 2 or 3 days.   In short, I just want to know how much to pay.  That is all I ask.  How much does it cost?  Nothing more, nothing less.

The 2 or 3 days of frustration is having to wait for price quotes via email.  Yes, I can call and ask, but I have done that before and felt like I was talking to a telemarketer where it took 30 minutes to get an idea of the price before having to still wait for an emailed quote the next day. 

For businesses, the tactic of requiring the act of requesting a price is effective.  The potential buyer must submit their name, company, telephone number, email address, and sometimes their position/title and maybe even their address.  So, rather than purchase an email list, a business simply requires the same information by withholding pricing until the information is provided.

Then comes the hard sell.  I have had phone calls, emails, and snail mail sent to me after submitting a single price request…for years after the fact…even when I ended up not purchasing a particular software. 

On one occasion, I sent two separate price requests to the same company for the same software with one of the requests coming from a fake name/company.  Result: different prices, not by much, but different.  The same request for the same software = different price. Huh?

On top of that, the price quotes are valid for a brief time period.  If you want that price, you have to buy before this date otherwise, we can’t promise you that the price won’t increase if you ask in a few weeks from today.  I personally find it difficult to accept that the price of a product from the manufacturer (or developer) will fluctuate so much within a month that fear is used to push a purchase to happen.  I have even seen (on a tweet) that the licensing for one DFIR software starts on the day of the quote and not on the day of the purchase or first use.  So...ask for a price and buy it at the end of the quote period and you lose a month of licensing.  Cool...right?  I guess that is a way to push you over the edge to buy it in a hurry.

I know that this is an industry standard for some forensic tools. Guidance Software and Magnet Forensics are two examples that require your personal information before you simply get a price of their product that you wish to purchase.  Other forensic tools put their price online for the world to see it.  It’s the same for everyone.  It takes 1 second to find how much you put on your card and you can order it on the spot within a minute. X-Ways Forensics and Paraben Forensics are examples of simply posting the price of a product.   Other tools take days to get a price and it’s nearly a week before you make a purchase.

I get it.  Potential customer information is valuable, especially when you have a direct telephone number, email address, job title, and have a good gauge of the revenue based on the company name.  I can imagine that a price quote request for a single license from the Boeing Company could be different than a price quote from Joe Blow’s Forensics Services.  Maybe it’s the same price for both, but there is no way to tell. I have seen small print on quotes to not distribute the quote to anyone else.  Seriously?

If you develop forensic software, listen up.  I do everything I can to avoid buying the software if I have to ask for a secret quote.  It’s not that I’m impatient, but yeah, I’m impatient because I have work to do.  When I need a tool, I just want to buy it and not go through 18 steps of emails, phone calls, and printing out quotes to figure out pricing. I also don't trust secret prices based on secret sauce and 'who you are' or 'who you work for'.  

The reason we trade personal information for price quotes is because if you want that specific software, you have to give it up.  Your name, phone, email, company, job title, and sometimes even more...just to get the price of something you may not even purchase.  This is worse than trying to buy a used car.


The 2 Easiest Ways to get into DFIR


One of the greatest questions in the field of DFIR has nothing to do with analysis, but rather, “How do I get started in DFIR?”

Using Google-fu, you can find plenty of answers reaching back a decade or more of blog posts and forum threads on how to get into DFIR.  To add to the Internet resources, here are some methods of getting in that you may or may not have found elsewhere.

The easiest 2 ways to get into DFIR

  1. Your current employer chooses you for the job and…
    • Sends you to training
    • Pays for college tuition
    • Pays for all the tools
    • Gives you time to learn and practice
  2. You get hired specifically for DFIR without any experience and your new employer…
    • Sends you to training
    • Pays for college tuition
    • Pays for all the tools
    • Gives you time to learn and practice

Both of these are generally going to be government jobs, including the military.   Either you currently have the job (such as a police detective) or you are willing to join the military to get it.  Nothing wrong with either method, but it requires lots of prior work before even getting to that point of learning DFIR skills, like physical examinations, physical fitness tests, psychological examinations, academies or boot camps, and so on…  Going the military route pretty much takes care of everything.  You will be given everything you need with expectations already set out.  You essentially are putting your life at risk for the community or country.  Very respectable and honorable, but it is not for everyone.

The other route to DFIR, which is probably more common:

Research first

  1. Figure out if you want to do the DF or the IR or both.
    • Digital forensics is generally forensic analysis ‘after the fact’ of storage media, such as someone being arrested for a crime and a computer is seized as evidence.
    • Incident response is generally a forensic analysis ‘after the fact’ of networks, such as a breach in a network.
    • Within DF/IR, there are many sub-categories to choose from (based on operating systems, devices, networks, etc…). Find what you think you may want to specialize in.
  2. Decide on who you want to work for/with.
    • Government: Local, state, federal (or military as previously mentioned).
    • Private: Internal job in a corporation or company that provides DF/IR services (or start your own company).
    • Read the job requirements and plan to obtain those specific requirements (if a BS degree is required for the job you want, plan to get a BS degree).
  3. Plan your path of education and experience
    • Education: Will your current employer pay for training/education or will you be paying on your own?
    • Experience: Can you get experience in your current job or do you need to find experience on your own?

Put your plan into motion

  1. Self-learn from this second forward until you no longer work in the field
    • Scour the Internet for resources (white papers, forums/blogs) and read everything
    • Obtain software (open source or commercial) and start practicing with imaging and analysis based on what you read. Mirror what others have done that you find online, such as with practice images.
    • Check out, purchase, and borrow DF/IR books. Read them.  Read more of them.
  2. Get educated
    • If your employer will pay for education/training, sign up and go.
    • If you will be paying, accept that your vacation days will be used attending courses.
    • Take night classes at the local community college in DF/IR/IT.
    • Consider that the majority of your pleasure reading will be DFIR and not the latest James Patterson book.
  3. Get experience
    • If you can get experience at your current job, take advantage of it. Can you help out someone in your company with imaging? Do it.  Can you help with packaging electronic evidence? Do it.  Get hands-on experience every second you can.
    • Can you volunteer or be an intern at a DF/IR provider or organization? Spend your time volunteering if you can in order to get hands-on experience.
  4. Get recognized
    • Join local, national, and international DFIR associations.
    • Go to conferences and meetings
    • Write papers on that which you learned and mastered. You don’t need to know everything about everything in DFIR in order to masterfully write about a specific nuance in the field that you learned or tested.
    • Start a blog.
    • Share your work. Make your testing results public.

Keep moving forward

  1. Once hired, research to improve your skills.
    • Prove or disprove something in the field.
    • Find previously unidentified artifacts.
    • Find better ways of doing something.
    • ‘Break’ tools so that they can be improved.
    • Write better tools.
  2. Keep educating yourself.
    • Do NOT rely on anyone else to teach you.
    • Teach yourself from today and forever.
  3. Keep practicing.
    • Practice doing it right.
    • Practice doing it right.
  4. Go public with your work and share.
    • Do not be shy.
    • Do not be stingy.
  5. Keep reading.
    • Read what others publish online and in print.
    • Read the reports and affidavits your peers have written.
  6. Mentor others.
    • Encourage today’s youth.
    • Encourage career changers.
  7. Teach
    • You will learn by teaching.
    • You will help the field by teaching.
  8. Do it. Write it. Publish it somewhere.
  9. Research more.

What not to do

  • Wait for your employer to pay for everything.
  • Refuse to read books unless you are required to read them.
  • Refuse to spend time self-learning.
  • Quit self-learning once you are getting a salary.
  • Keeping to yourself and never sharing your research.
  • Believing you know enough.
  • Believing you know everything.
  • Believing that there is nothing else to learn.
  • Believing that your job is safe because you learned all you need to know.


The bottom line is that you need to work hard.  You need to self-learn.  You need to put yourself out there in the public eye.  You need to do everything because the DFIR field will eventually be so competitive that just doing the minimum will get you nowhere.

As one example, take a look at this student’s tweet:



I have no idea who she is, other than a Champlain College student.  But I know from experience that this type of project is not easy, cannot be done in a weekend, and the guts to put it online and post about it means she has the potential to be in front of a classroom teaching DFIR or writing a book about DFIR or discovering something new in DFIR at some point in her career.   In technical terms, we call that “employable”.

Bottom line. It takes hard work.   

My #DFIR Books of the Month

Before I get started talking about the #DFIR books I’ve read, don’t be too excited that I’ll have a ‘book of the month’ post more than once.  With forensic books, there just isn’t enough to do a book of the month review.   With that, I do want to post a bit about the books I have enjoyed and some that I have not.

These are only the books that I have personally read or skimmed.  Other books surely belong on the list, more are pre-ordered that I am waiting on, and some I will never read for one reason or another.  Books you see in the “Avoid if you can” column were promptly sold off at Half-Price Books.  I have had more books than this list, but I just can't remember what they were, which could be positive or negative about the books.

There are some books that I do not recommend.  Surely, the list is longer than what I have, but this list is mine.  If you can avoid buying these books, do so.  Each book has problems that just rubbed me the wrong way.  For example, one is so basic but claims to be advanced, however the authors write it assuming you don’t even know what a computer is.  Another book is so haphazardly organized and written by so many different authors with conflicting information that it reads like a book designed to frustrate most readers.  Any book written as a textbook is an automatic failure for me.  I do not want a book written to fit into a semester.  I do not want a book that requires an instructor edition to use, written at a 10th grade level, or with such a broad overview to meet the ‘majority’ of students' needs that it misses what I am looking for.

I want a book that I can put to use on the same day I start reading it.


Green big thumbs up:  A Must-Have book.  You should already have it or read it or wrote it.

Green small thumbs up:  Helpful, especially if it fits what you are doing.

Red thumbs down:  If you buy this book, it's all on you. 




Helpful to have or must-have

Avoid if you can

*notes are at the end of this post.

[The book covers and titles in this list did not survive extraction; only the one-line notes remain, in their original order.]

  • The book that got me excited about forensics in the beginning.
  • I’m sorry if your instructor makes you buy this one.
  • Short and sweet. Good if you are thinking about getting into forensics to get a clue of what it is.
  • Good info.
  • A classic.
  • Looks advanced, but tries to take a big bite in such a broad topic.
  • Good tips in here.
  • I didn’t like it.
  • Getting started in “cyber”, maybe you’ll like this one. Not for me.
  • Nope. Didn’t like it.
  • Good info if you are new to the field and need to know the legal end of the work.
  • Straight to Half Price Bookstore.
  • Bought it for my certification prep. Reads more like a basic forensic book than a guide to using EnCase.
  • Required reading.
  • Not much to say, because I know you already have this book, as well you should.
  • If only for reading what constitutes Free and Open Source forensics tools, it’s worth it.
  • Do you do Windows forensics? Then get this book, every edition.
  • I’m not sure how to rate this one.  Just didn’t do it for me, but not so terrible.
  • Certainly worth it.
  • Good to know as much as you can about building out a lab.
  • I call it “basic” in that this book is a little old now, but still has good info in it.
  • “Mastering” needs to be removed from the title.
  • A few good points in the book to know. Worth it.
  • Better to spend time reading the FTK manual.
  • Required reading.
  • You need this book.  Seriously.
  • Now this is a PACKT book that works!
  • Whether you do IR or not, this is good stuff to know.
  • Required reading.
  • Don’t tell me that you don’t have this book yet..
  • Required reading.
  • This one and every edition of the book.  They are already on your shelf, right?
  • Trying not to bash basic books, but this one didn’t do it for me.
  • If you use X-Ways, it is required reading.
  • If you don't use X-Ways, don't get the book unless you are considering X-Ways.  It doesn't teach forensics.
  • If you use X-Ways, it is required reading.
  • If you do this type of work, this book is worth the time and money.
  • See above.
  • Again, not sure what I can say.
  • Basic. And it’s written as a textbook.
  • Take out “Mastering” and you have an ok basic book.
  • Personally, any book on operating systems is worth it unless it is really bad.
  • I’m into Android forensics, so yeah, I read every book on the subject I can.
  • Yeah, this too.  Even the older books have some bits of knowledge that make it worthwhile.
  • Required reading.
  • One of the better investigative books, which is a skill sorely missing in many DFIRs.
  • Required reading because you need an investigation reference.
  • This book could have been so so much better.  Lots of research done, but really not much in substance.
  • Another subject I am ‘into’, therefore, worth the time to buy and read.
  • I’m not getting into the PACKT books at all.
  • Mid-way through, I forgot it was an Internet Forensics book.
  • No other books on this subject, and you’ll find something of value.
  • Should know these things about CD/DVDs even as we find fewer and fewer of them.
  • Run away from this book and don’t look back.  This is a straight-to-Half-Price-Books book.
  • Another book that the title implies should be so so much better.
  • Neat topic, comes up in casework and worth the time and money.
  • Lots of good info and worth it.
  • Good grief.  Yet another book title that could have been so so much better.
  • Good info, worth the time and money.
  • Required reading.
  • Should be required reading for everyone in DFIR. The title states what you should be doing every day.



If I offended anyone with my opinions of any book, I can't really apologize since either I liked the book or didn't (or it just didn't apply to what I was looking for in that topic).  The required readings are required readings for me and anyone I mentor or teach, again, based on my personal opinion.

**Book addition update: 6/5/2017**

My order of Digital Forensics Trial Graphics finally arrived.  I have been waiting for a year for this book to come out.  Two known authors on a topic that needed to be written.   I didn't bat an eye at the $50+ price tag.  However, when the mail came, the package that had the book was small and light, so small and light that I thought that it could not be the book in it.  But it was.

It's smaller than my iPad in overall length and width and thickness.  I figured, "there must be dynamite in those few pages".  After less than a minute flipping through the book, I realized that I had been had.  The content is nothing more than putting together a powerpoint.  The pages (all 96 of them) seem to be filler.  In fact, the last 6 pages of the book are blank pages.  For the time to wait a year for this book, it reads like it was written last weekend and printed on a laserjet on Monday to be shipped out on Tuesday. The cover was also different than originally marketed, but that is nothing if the content is worthwhile.   Few DFIR books have ever made it to this low on my list.

Website Updates (more search warrants, affidavits, forms, etc..)

A few changes to the DFIR.training website.   First, several lists have been updated (bad links removed, more links added). 

The event calendar has been removed. 

Too many courses have been canceled or changed to keep up with as I have curated most of the courses myself with only a handful of providers updating their own training.  So, now there are direct links to the course provider calendar pages. http://www.dfir.training/index.php/education

I did add a few more colleges, but did not go overboard with searching for more.  Today, we are almost at the point that if you are wondering if a college has a DFIR program, it is the same as wondering if a college has an English or History program.  Meaning…most colleges are beginning to add some sort of DFIR program to their catalog.

More search warrants! 

On the search warrants and templates, if you see something you like, you may want to download it right away because they can disappear anytime.  I am not hosting the files and simply linking to the affidavits and other forms.   I put up a wide variety of forms and warrants/affidavits to help anyone who (1) is a student and wants to see real warrants, or (2) currently writes affidavits and wants to see how other people write.  There is some good stuff in some of these affidavits to take a look at. http://www.dfir.training/index.php/lists/dfir-forms-and-examples

News feeds…

The RSS feeds were bogging down the site.  There are so many of them and I cannot trim any more since the remaining feeds are active and great blog resources.   However, I am working on configuring the feeds differently with cache settings and alternative methods (different Joomla extensions) to display the feeds.  You will see the News Feed page (http://www.dfir.training/index.php/news-feeds) work and not work over the next days until I can get the settings to a point where the website doesn’t crash or grind to a halt.

DFIR Tool Database

No changes.  This database rocks!  Approaching 1,000 DFIR tools.  There is no other database like this one.  Yes, some tools may not work as well as other tools, but every situation is different.  Sometimes Tool A works better than Tool B in one case, but in another case, Tool C works better than Tool A.  You can add a tool to the database by submitting it online (http://www.dfir.training/index.php/contact) or Tweeting it with @DFIR_tools in the tweet so I can see it.


3 Tips to Keep Your Name out of the News

A police officer called me about a private sector case referral that ended up being a hornet’s nest of problems.

The story goes:

Victim company fires an IT employee.  Rather than escorting him out at the same time as revoking all access to the company network, they gave him the afternoon to clean out his desk.  In that time frame of unsupervised “desk cleaning”, the employee did a number of things.   After the ex-employee left the property, this is what the newly promoted IT guy discovered:

  • Missing laptop (was there at the time and had been assigned to the fired employee)
  • Missing tech gear (enough to fill a hockey bag)
  • C-level staff receiving emails from clients asking if the C-level staff email accounts were hacked
  • Access failure on a server.  Everything deleted.
  • Physical backup tapes on that server missing.

Company calls 911 to report theft and "cybercrime"

Patrol Officer shows up.

Patrol Officer calls the ‘cyber unit’ (yes, they call it the “cyber unit”).

Cyber Unit Detective shows up and patrol officer departs.

After telling the detective everything they found up to that point, the detective classifies it as a civil matter since it was a fired employee and is “not a police issue”.   The detective then leaves.  Company calls a Sgt at the police department and the Sgt says, “If the detective says it’s a civil matter, then it’s a civil matter.”

The patrol officer calls me and has the company call me.  When I show up and hear the story (with in-house counsel), I agree to take the engagement.  It was easy enough to see the activity in a 4-hour window on the ex-employee's desktop (lots of file access…external drive connection…and accessing MS Exchange accounts…).  I called the detective and explained a half dozen felonies, but because it’s a civil matter….

I even asked the detective to have a theft report taken of the property.  No-go.  It’s a civil matter.  I called the local sheriff’s department, who referred me back to the local PD.  Nope. Not doing that again.

So then, I explain to the company and its attorney that the local PD refuses to do anything and that the county simply refers back to the local PD. They can keep going and ask a federal agency if they want, or I can get to work now and they can figure it out later.

End result:

Company called the police chief.  Police chief didn’t seem to understand the gravity of stolen IP (probably 500GB+ of CAD designs, images, plans, code, etc…). 

Company told me to get to work, damn the torpedoes, and cost is of no concern.

Company CEO is calling the media today…

Moral of the story is:

Don’t be the DFIR guy that doesn’t know what to do AND won’t admit it or ask someone for help.

Oh yeah, the 3 tips to keep your name out of the news...

1) If you don't know how to do something, just ask someone who knows how to help.

2) If you have a duty or responsibility to do something, best is to do it.

3) Refer back to #1
I am not bagging on LE in the least bit (or byte).  I have seen this in the private sector too, but generally this type of person is fired, whereas a govt employee is not.  I realize that in the private sector, the individual has to soak up the majority of costs for training and education, whereas in govt, the govt entity picks up the tab for training.  When it comes to many govt employees, they do not expand their training beyond that which is provided by their employer. I believe that to be a loss in learning in this profession.


I only do 10%.

I’m on the second day of a conference for the second time this year and 90% of the time, I am hearing information that is more or less, a “refresher”.  Before you take that as a complaint, stop right there.  If anything, I am complimenting that there is 10% that is super great information, in effect, “refreshing” information.  My goal is to find that 10% so I don’t waste time on the 90% I don’t need right now.

Most likely, you are like me in that time is scarce to not only spend learning the latest and greatest things, but scarce in trying to keep up with the field.  To solve this problem, I have my 10% rule.  I focus only on 10% of what I need at the time I need it.   The trick is quickly figuring out the 90% to avoid wasting time on it.

I also know how I learn, which is probably the most important thing to know in any line of work.  If you learn by doing, but spend all your time trying to learn in classrooms, you won’t be effective in learning.  For me, I am a visual-hands-on learner. I watch and physically repeat what I saw (listening is important too, but primarily if I ‘see it’, I can ‘do it’).

For any task or skill, I immerse myself in it completely, ignoring everything else, with the goal of mastering 10% of the skill quickly and soundly.  From there, learning the remaining 90% will come through practice as I get to it.  But I have to master the 10% first.   As an example, take the Windows registry.  You don’t have to master the entire registry to be an expert for the most common artifacts of the registry.  Master the basics first.  Learn the advanced as it comes.

Little things I do to learn in DFIR include:

-Taking copious notes.  I write down everything. I have notes in every DFIR book I own. I have highlighted my books in every color ever manufactured. I do this because I almost always need to refresh what I learned or check back on a point I made to myself.  Don’t worry that the book you bought cost more than $50. Write in it! Highlight it!

-30 minutes a day dedicated to something in DFIR, every day.  I spend 30 minutes every single day, unless I am physically incapacitated with an illness, to consistently learn something specific.  This comes out to over 100 hours a year if you count the days that I simply can’t spend 30 minutes to study.   The level of skill you will achieve doing this will make you an expert in that subject within a year.  Don’t believe me? Try it for a year.  Get up 30 minutes earlier every day for a year, sit down and learn one thing for a year.  You..will..be..an..expert..in..that..subject.  I promise.

-I am super selective in who I learn from.  Because I have spent way more time than I wanted with poorly written books, incompetent instructors, travel, and high tuition for courses on which I will never get any return on investment, I have become extremely choosy.  I have cut my conferences down to only two per year, maximum, whether I am attending or presenting.  It’s not the cost of attending as much as it is the 90% that I don’t need.  And for each class I take, I prefer to take it from someone who I know knows what she or he is talking about. 

-Repetition saves me.  If I can repeat what I see, I can learn it. If I can learn it, I can master it.  If I can see it more than once, it speeds my process of mastering it.   This is the biggest reason I am a fan of recorded courses, because I can rewind, watch, practice, rewind, watch, practice, master the skill. 

I have said on many occasions that I am not a fan of cheaply made videos (Udemy and YouTube come to mind) for several reasons (http://www.dfir.training/index.php/blog/free-dfir-training-is-great-except-when-it-s-not), which I won’t repeat in this post.  I like training videos.  Correction, I thrive on training videos, but only the good ones. Yes, even a cheaply made video can have great info, but I don't have the time to weed through a dozen hours of videos to find 10 minutes of gold nuggets.

Some tips on avoiding the 90% of material you don’t need:

  • Don’t read books cover to cover.
    1. Read the sections you need, when you need it.
    2. Read the rest of the book when you have nothing else to do.
    3. I read and write/highlight and move on.
  • Don’t take any course that you don’t need.
    1. Sure, “Conducting Memory Forensics Underwater” sounds cool, but is it necessary?
    2. You already took “Bootcamp 101”? Do you really need to take it again?
  • Check the conference agenda BEFORE registering.
    1. “Just because everyone attends” is not a good enough reason.
    2. Go to the breakouts that matter. Skip everything else.
  • Staleness
    1. Is the thing you are looking at more than 2 years old? Is it still relevant?
    2. Some things never change, some things change weekly.
  • Choose what you want to learn and only what you want.
    1. Ignore the rest.
    2. Focus (master) what you want/need to learn.

As far as training vs education vs self-learning, I do all three.  But I only do 10% of it.

ps...If you teach anything in DFIR, be sure to teach the 10% and don't fill time with the 90%.  And if you find someone who teaches the 10%, stay with that trainer or organization for the biggest time saver you can have when mastering skills.


Forensic 4:cast Awards

Sadly, dfir.training didn’t make it as a nomination for Digital Forensics Organization of the Year Award, but still, I’ll be there for the award presentations (I have a ticket in hand, or rather, in my email).  I suggest that you vote in the awards to show appreciation for those in the field who do a lot for the rest of us in the field. 

The physical awards in and of themselves aren’t as important as the recognition the community gives in the form of voting.  Voting shows support and support is truly appreciated.  If you do nothing more in the advancement of the community than voting, you are doing something that makes a difference.

Everyone votes differently.  Some may vote for popularity while others may vote based on contributions made by a person/organization.  Whichever way you feel is irrelevant as long as you vote. 

One thing about the 4:cast award categories is that you may not have an opinion in one or more categories because you might not have used one of the tools listed, or read one of the books, or know what a person contributed.  That's ok.  But, a quick Google search can help guide you in the right decision to vote in what you feel fits your input.

In case you want to see how I would vote…take a look below 😊.  This is by no means to influence you, but to show that I am certainly going to vote, hope that my choices win, and that I feel bad about some of the people that I couldn't vote for.  It is difficult to make a choice between great competitors, but alas, one vote is what you get for each category.

See you at the Summit!

And don't forget to push Submit! 
by the way, did aboutdfir.com win the popular vote or the electoral college vote?....


We catch the smart criminals too.

I just finished reading “The Art of Invisibility” by Kevin Mitnick.  The book is full of tips on how to be anonymous on the Internet.  Nothing in the book was a surprise or new information to me and most likely won’t be new to anyone who works in DFIR/Infosec, which leaves the information on how to be anonymous out of the comprehension range of the average Internet user.  Unfortunately, the book doesn’t really help computer professionals (we already know what an IP address is) and it doesn’t help the average Internet users (they don’t care to know what an IP address is).

The biggest takeaway from the book was the reassurance that no matter what a criminal does with computer technology, if you look long enough and have patience, you can catch them.  Again, this is not new to those who investigate criminal cases or civil violations.  Police typically solve cases because the criminal makes a mistake, not because the police are supernaturally gifted.  Any person that wants to commit a crime through the Internet risks getting caught by a myriad of reasons, with the most likely reason being lazy and/or making a mistake.  By the way, this book is not about how to get away with crimes, nor is it how to catch criminals.  

In the DFIR/Infosec world, we live on capitalizing on the mistakes made by those using technology to commit crimes, regardless of whether it is an intrusion investigation or possession of child pornography.  We don’t only catch the dumb criminals.  The dumb criminals are easy to catch.  We can do that during a lunch break.  But we also catch the smart criminals because all humans make mistakes.  In every DFIR case I work, I am looking for the mistakes that the suspect made, because the one mistake you find can break open the entire case, regardless of whether it is a "little" oversight or a major error.  I once broke a case by finding a single USB entry in the Windows registry.  That one entry tied the computer to a known USB, which tied it to the known owner, which led to the discovery of multiple devices that had all the evidence needed for the case.  The suspect lazily plugged in a USB flash drive when he kept everything else separate. One registry entry = a decade in prison.
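The registry artifact behind that anecdote is the USBSTOR key, where Windows records every USB mass-storage device ever attached. As an added illustration (not code from the post), here is a small Python parser that reads a `reg export` style text dump of that key, pulls vendor, product and instance ID for each device, flags instance IDs that Windows generated itself (second character `&`, meaning the device reported no unique serial), and looks up a known serial taken from a seized drive. The export text and the serial values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of a `reg export` of the USBSTOR key.
# Key names and serials are made up; a real export carries many more values.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
"DeviceDesc"="@disk.inf,%disk_devdesc%;Disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

# Key path: ...\Enum\USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\\]]+\\Enum\\USBSTOR\\"
    r"Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)\\"
    r"(?P<instance>[^\]]+)\]\s*$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"\s*$')


@dataclass
class UsbStorEntry:
    vendor: str
    product: str
    revision: str
    instance_id: str
    friendly_name: str = ""

    @property
    def has_device_serial(self) -> bool:
        # Windows builds the instance ID itself when the device reports no
        # unique serial number; those IDs carry '&' as the second character.
        return len(self.instance_id) > 1 and self.instance_id[1] != "&"

    @property
    def serial(self) -> Optional[str]:
        # Instance IDs look like "<serial>&<port>"; only real serials are useful.
        return self.instance_id.split("&")[0] if self.has_device_serial else None


def parse_usbstor(export_text: str) -> List[UsbStorEntry]:
    """Walk the export line by line, collecting one entry per USBSTOR device key."""
    entries: List[UsbStorEntry] = []
    current: Optional[UsbStorEntry] = None
    for line in export_text.splitlines():
        if line.startswith("["):            # a new key starts; values follow it
            m = KEY_RE.match(line)
            current = UsbStorEntry(m["vendor"], m["product"], m["rev"], m["instance"]) if m else None
            if current:
                entries.append(current)
        elif current is not None:
            v = VALUE_RE.match(line)
            if v and v["name"] == "FriendlyName":
                current.friendly_name = v["value"]
    return entries


def find_by_serial(entries: List[UsbStorEntry], known_serial: str) -> List[UsbStorEntry]:
    """Return entries whose device serial matches one read from a seized drive."""
    return [e for e in entries if e.serial == known_serial]
```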

It is certainly true that criminals have to be lucky/good ALL the time.  You only have to be lucky once. That is the crux of the book.  One mistake and anonymity is broken.


The #1 Tip to Solve your DFIR Case Problem

Have someone else take a look at it.

That’s the best thing you can do for any problem that you cannot solve: have another set of eyes take a look.  I personally know investigators (in LE, or DFIR, or LE DFIR) who refuse to ask for help because, as I am told, they can do it better than anyone else.

This reasoning is understandable, especially if you are highly skilled and have massive experience.  Why would any highly skilled DFIRer ask for help from a junior examiner?  Seriously.  If the expert can’t figure it out, how can a lowly, low-skilled, less-experienced person figure it out?

The answer is that it is not the skill or experience level that can solve your problem. It is the simple act of looking at your problem from a different point of view.  I have seen complex criminal investigations, including a murder case, that were solved simply because someone looked at the case and asked a simple question that made everything come together.

Sometimes, we need help because we just forgot to look somewhere for some artifact that we overlooked.  Or maybe we see it, but don’t recognize it.  The answer may be right in front of your nose but it takes someone else to point it out.

Asking for another set of eyes does not mean you admit defeat, that you are incompetent, or that anyone else is ‘better’ than you. It means you are thorough. It means you are good.  Most likely, you do this anyway, but not by asking for someone else to look at the problem, but by stepping back for a time and coming back later to look at it.  Giving your eyes a break (physically and mentally) can solve 90% of anything you come across.  I am talking about that 10% of the time where no matter how much effort you expend, you are not going to find the solution.  You need to ask.

Don’t think this works? Then you have never tried it.  Cold cases are solved with this same concept.  When a case is given to someone else, many times it is closed quickly solely because a different perspective took a look at it.

Want to be the best?  Want to be known as someone who can work a case?  All you gotta do is to remember to ask for help and borrow someone’s eyes.   That’s the number 1 tip.
