dfir blog

All about dfir.

Clearing old cases

Some cases can’t be closed.  It does not matter that you can’t figure out whodidit or howtheydidit, you just can’t close the darn file until you get something.  I have quite a few of those.  I regularly pull them out when I have a break to see what I missed. Sometimes I realize I overlooked a small detail, like a grammatical error, but mostly, the cases sit there.  Some of the cases were here even before I got to this desk, leftovers from someone else who used to work here.

So, here’s what I’ve done over the years to cut down on the cases I really want to be off my stack.

  • Pawn them off on a new guy.
  • If I can’t pawn it off, I wait a few weeks.
  • Try to pawn them off on a new guy.

But seriously, I try to close every case, but there are some hard ones, especially in certain types of cases.  What I really do is go to training and read. I read a lot.  Then I read more.  I take training when I can get it.  I have taken so much training that I have taken the same course more than once because I forgot I had already taken that particular course.   I’ve done that twice by the way…same vendor too.  Duh.

As much as I don’t like watching YouTube videos on forensics, I do, just in case I can find a nugget of value in the ocean of poor quality videos and commercials.  Sometimes, I find a thing of value on YouTube.  I read blogs a lot.  You can tell by the fact that I put blogs up on the home page of dfir.training. I do that so I can find which of my favorite 180 DFIR blogs have been updated.  Takes me all of 2 minutes to check 180 blogs if I check every day.

And then I take more training.  Internal training and external when I can get to it.  Conferences on top of that.  I have been taking online courses for the past year or so with mixed results. Then again, most of the training I have taken is mixed.  Timing is important too.  I took NTI's (http://www.forensics-intl.com/whatsnew.html) 5-day course because of its reputation.  When I saw that the software was all DOS...on floppies...I knew I should have gone to Hawaii that week instead. That was right about the time they shut their doors.

I admit, going to Vegas to hang around poolside, drinking and eating as much as I can without pulling out a wallet is nice.  Sitting in a room full of 500 people listening to a speaker talk for an hour is OK, but only if you are close enough to feel you are in the same room (otherwise, may as well be on YouTube since I can see the screen better).

I have taken about a dozen online courses ranging from the big vendors (like the vendors that charge thousands for a dongle…) to the little guys (like the unknown people putting on courses at Udemy.com).  My opinion with online courses is that the instructor needs to know what they are talking about and if it is software based, the software better work.  I took a software course for a tool that is no longer sold, and the reason is that it didn’t even work in the class.  I won’t name the tool, but most likely, you have heard of it anyway.

I’ve taken courses from presenters that knew as much about forensics and incident response as I know about building a space shuttle.  When the instructor reads from a book or manual, go back to work at your office or start hitting your thumb with a hammer.  I won’t bash the vendors or instructors, but if I am right, you probably feel like you took the same training and tried to use the same software that I am talking about…

An online course I just finished is Brett Shavers’ Placing the Suspect Behind the Keyboard.  I mention this because I just re-opened two cases because of the course.  Two cases that really need to be worked and I not only booted the cases back up, but anticipate being able to close them.  The last training event I went to, I learned a few things that helped me the very next week, but those were little artifact things.  The things I tried this week are different and the bosses are happy with what I’ve done.  All because of a few things I learned over the weekend with an ONLINE course.  Who would have figured?  My faith in online training is still on the fence, because it depends on the topic and the presenter.  If either are bad or unknown, I'm out.  I will mention that any SANS course is worth its weight in gold, but unfortunately, one course costs about as much as two gold bars.

My point for this post is two-fold.

One, I’m bragging about cases that I won’t be able to brag about publicly, but I’m happy to brag anyway.  

Two, keep taking training.  Keep reading.  And learn something new.  It’s amazing how you can apply the simplest of ideas to solve the biggest of problems.

Clearing out old cases each day keeps the bosses away.

quick side note: my goal is to clear a lot of cases that are known to be return-to-file before I retire, which is coming up soon enough :)

What ever happened to “I saw it, here is a picture of what I saw, therefore it happened.” ?

I came across an article this week where a judge didn’t accept printouts and screen grabs of a Facebook page as evidence because the metadata wasn't captured AND the defense couldn’t click on the links that were captured via screenshot.  Really?

Since when is it not enough for a law enforcement officer to testify to what s/he saw, and also provide a printout of what was seen, to show that it probably happened?  The ramifications can extend to every aspect of cases with electronic media.  Can you imagine excluding evidence because RAM was not seized? Or because you didn't use a tool that the court liked (even though the community accepts it as forensically sound)? Or because you didn't capture links that were 3 or 4 levels deep?

Have we gone so far with capturing everything electronically that if we don’t capture everything, then nothing we capture will be admissible?  That is a bridge we should not cross.  Seriously, if a pdf of a website page, plus a screen grab of that page, plus testifying under penalty of perjury that what is presented is what was seen is not enough, we have a long road ahead with electronic evidence. Maybe this was just the work of a really really good defense attorney, but cases like this eventually start affecting your cases too.

On another note, I had planned on a peaceful weekend, but signed up for an online forensics course that I don’t think I can wait to finish (or start).  There goes the weekend….but I guess in a good way.  The course: Placing the Suspect Behind the Keyboard.  I have the book already, but the course topics look very relevant (plus I get another copy with the course that I will donate to a newbie).   I also sneaked in with a promo at half price.  The promotion includes an X-Ways Forensics online training course, but I did that one already...

I have also noticed that Magnet Forensics is putting on lots of webinars with cool topics too.   Their blog is a good one to follow to catch some of the webinars they are putting out: https://www.magnetforensics.com/uncategorized/new-webinars-android-recovery-griffeye-integration-coming-way/ 

Times have changed....

...for the better.  These past few weeks have been nothing but wildfire after wildfire (maybe your workplace was quiet?).   Between the news showing up at the gate, everyone sneaking in the back door, and phones ringing off the hook, I'm surprised the whole world wasn't burning down by 2pm on some days.

But that was just my office...Hawaii would have been nice in June.  I would have taken Alaska.  Anywhere actually.

On the 'times have changed' comment, I mean that in the way that there are some great things that have happened to the DFIR community over the past decade, at least as far as I have experienced.  The change is SHARING and CARING.  Maybe not so much in caring, but certainly in sharing.  We, as a community, seem to share a whole lot more than ever before.  The easiest measure is just looking at social media, whether it is Facebook or Twitter or Slack or whichever means you use, the amount of information sharing is quite incredible.  This includes sharing from those in government positions where you once avoided saying the word "sharing" as much as you avoided saying the "T" word, if you know what I mean.  I also don't mean sharing just between government agencies, but between govt and private sector.  Overall, I see the private sector as bashing the heck out of a problem as a group, making short work out of major incidents, and then...the govt can take advantage of the work :)

Ten years ago, heck, even 5 years ago, we were lucky to even talk to someone about our work or cases in fear of _____.  That's a blank because I don't know why we never talked about the generalities of our work problems and covered our cases with a protective blanket just to make sure we got no help at all.  I believe we are sharing now because we have learned how to share only that which is pertinent to share, that which does not compromise a case, and that which does not cause embarrassment to a person, place, or thing.  

We finally figured out how to share specific problems, with the result that all of us solve the same problem we have in our different cases and incidents.  Some have even learned to share anonymously to make sure info gets shared, not in the way of a whistleblower, but as a way to work out a problem that everyone is having, where you may have the answer, or part of the answer, for many others.

All in all, this is really good. Many hands make light work.  We all get smarter for it.  We all bask in the glory (haha...that hurt my stomach) of crushing serious problems that we could not have hoped to solve years ago.

Now on the dfir.training website side, I will finally be able to add about a hundred DFIR tools sent to me over the past month. Sorry to all, but I was busy and questioning myself every day why I didn't take my uncle's advice and be a firefighter.  I wonder if they have an age limit.......

Reality Winner wins the Captain Obvious contest

Some #DFIR cases are easy.  The Reality Winner case is one of those, at least for the purpose of obtaining Probable Cause to arrest and most likely, convict, without having to do much more work.  In police work, this is called “a case assigned on a silver platter.”

To be the case agent assigned to this is a joy simply because of criminals making mistakes out of ignorance, complacency, negligence, or pure stupidity.  This was not a world-wide manhunt for a highly trained mastermind spy who planned in advance and escaped to a foreign country.  The Reality Winner case is more like a high schooler snatching a teacher’s password from her desk and later “hacking” into the teacher's gradebook…and only changing her own grades…and then bragging about it on Twitter…

But!  Not to be one to take anything for granted, we can all learn from this case, even if we never hear of the innermost secret details of the work.  Some of the takeaways we can glean include:

  • Winner accessed and printed classified documents
  • She physically mailed the documents
  • She confessed when questioned
    • Easy enough
  • Case closed (for all practical purposes, the case is open and shut)

The forensic takeaways are:

  • Logging is important
    • File access
    • File printing
    • Work schedules, keycard access, and co-worker statements can place a person at the scene
  • Metadata is important
    • Can tie a sheet of paper to a printer
    • Verify date/time of printing
  • Physical evidence is important
    • Postmarked mail shows origin of sender (by city/area)
    • Potential witnesses/video and tracking of letter through USPS
  • Interviews are important
    • A confession or admission solidifies a case
  • Follow-up DFIR work
    • Past social media (Winner’s Twitter account indicates intention)
    • Social media and email show associations with others
    • The electronic devices seized from Winner will most likely confirm what is already known (prior Google searches already provided good evidence in this case)
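The "logging is important" and "place at the scene" takeaways above, worked through as an added example that is not part of the original post or of any case file.  Windows writes Event ID 307 ("Document was printed") to the Microsoft-Windows-PrintService/Operational log once per job when that log is enabled (it is off by default); its DocumentPrinted fields give the document name, printing user, client machine, printer and page count.  The script below parses constructed Event 307 records, loads a constructed badge-reader CSV, and for each print job reports whether the user's badge places them inside the printer's area at print time.  The printer-to-area mapping, the badge CSV layout and every record are constructed assumptions; only the event ID and its field layout are real.

```python
"""Place a user at the printer: correlate PrintService Event 307 ("Document was printed")
records with badge-reader logs. Added example, not from the original post or any case.
Event 307 fields: Param2 document, Param3 user, Param4 client, Param5 printer, Param8 pages.
The sample records, badge CSV and printer-to-area mapping below are constructed."""
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed Event 307 records (plus one non-307 event the parser must skip),
# wrapped in <Events> so the sample parses as one document.
SAMPLE_PRINT_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>307</EventID>
  <TimeCreated SystemTime="2017-05-09T14:02:11.4831200Z"/><Computer>PRINTSRV.corp.example</Computer></System>
 <UserData><DocumentPrinted xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
  <Param1>12</Param1><Param2>quarterly_report.pdf</Param2><Param3>jdoe</Param3><Param4>\\WS-17</Param4>
  <Param5>PRN-3F-EAST</Param5><Param6>IP_10.1.2.3</Param6><Param7>48213</Param7><Param8>5</Param8>
 </DocumentPrinted></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>307</EventID>
  <TimeCreated SystemTime="2017-05-09T14:20:37.0000000Z"/><Computer>PRINTSRV.corp.example</Computer></System>
 <UserData><DocumentPrinted xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
  <Param1>13</Param1><Param2>travel_form.docx</Param2><Param3>msmith</Param3><Param4>\\WS-22</Param4>
  <Param5>PRN-2F-WEST</Param5><Param6>IP_10.1.2.4</Param6><Param7>9120</Param7><Param8>1</Param8>
 </DocumentPrinted></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>801</EventID>
  <TimeCreated SystemTime="2017-05-09T15:29:58.1200000Z"/><Computer>PRINTSRV.corp.example</Computer></System>
 <UserData/></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>307</EventID>
  <TimeCreated SystemTime="2017-05-09T15:30:04.2210000Z"/><Computer>PRINTSRV.corp.example</Computer></System>
 <UserData><DocumentPrinted xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
  <Param1>14</Param1><Param2>memo_draft.pdf</Param2><Param3>jdoe</Param3><Param4>\\WS-17</Param4>
  <Param5>PRN-3F-EAST</Param5><Param6>IP_10.1.2.3</Param6><Param7>20110</Param7><Param8>2</Param8>
 </DocumentPrinted></UserData></Event>
</Events>"""

# Constructed badge-reader export (UTC) and printer-to-badge-area mapping.
SAMPLE_BADGE_CSV = """time,user,area,direction
2017-05-09T13:40:02Z,jdoe,3F-EAST,in
2017-05-09T15:10:45Z,jdoe,3F-EAST,out
2017-05-09T16:02:13Z,jdoe,3F-EAST,in
"""
PRINTER_AREA = {"PRN-3F-EAST": "3F-EAST", "PRN-2F-WEST": "2F-WEST"}

def parse_systemtime(value):
    """TimeCreated carries 100 ns precision and a trailing Z; trim to microseconds."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def parse_print_events(xml_text):
    """Return Event 307 records as dicts, oldest first; other event IDs are skipped."""
    records = []
    for ev in ET.fromstring(xml_text).iterfind(".//{*}Event"):
        doc = ev.find("{*}UserData/{*}DocumentPrinted")
        if ev.findtext("{*}System/{*}EventID") != "307" or doc is None:
            continue
        records.append({
            "time": parse_systemtime(ev.find("{*}System/{*}TimeCreated").get("SystemTime")),
            "document": doc.findtext("{*}Param2"), "user": doc.findtext("{*}Param3"),
            "client": doc.findtext("{*}Param4"), "printer": doc.findtext("{*}Param5"),
            "pages": int(doc.findtext("{*}Param8") or 0)})
    return sorted(records, key=lambda r: r["time"])

def load_badge_records(csv_text):
    rows = ({**r, "time": parse_systemtime(r["time"])} for r in csv.DictReader(io.StringIO(csv_text)))
    return sorted(rows, key=lambda r: r["time"])

def last_swipe(badges, user, area, when):
    """Most recent swipe by `user` at `area` at or before `when`, or None."""
    hits = [b for b in badges if b["user"] == user and b["area"] == area and b["time"] <= when]
    return hits[-1] if hits else None

def correlate(prints, badges, printer_area):
    """Tag each print job with what the badge log says about the user's presence."""
    findings = []
    for p in prints:
        area = printer_area.get(p["printer"])
        swipe = last_swipe(badges, p["user"], area, p["time"]) if area else None
        if swipe is None:
            status = "uncorroborated"  # no badge data: fall back to schedules, witnesses, CCTV
        elif swipe["direction"] == "in":
            status = "corroborated"    # badged in, no badge-out before the print
        else:
            status = "conflict"        # account printed while badge shows the user out of the area
        findings.append({**p, "area": area, "last_swipe": swipe["time"] if swipe else None, "status": status})
    return findings

if __name__ == "__main__":
    results = correlate(parse_print_events(SAMPLE_PRINT_EVENTS), load_badge_records(SAMPLE_BADGE_CSV), PRINTER_AREA)
    for f in results:
        print(f"{f['time']:%Y-%m-%d %H:%M:%SZ} {f['user']:<7} {f['printer']:<12} {f['pages']:>2}p {f['document']:<20} {f['status']}")
```

The "conflict" row is the one to chase: either the account was used by someone else while its owner was out of the area, or a badge was not swiped (tailgating).  Before calling it either, check clock drift between the print server and the badge system; a few minutes of skew is enough to flip a swipe from before a print to after it.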

The most glaring point of this case is Winner’s incompetence as a leaker. Given her security clearance level and years of experience, it is almost as if she didn’t care whether she was caught.  However, her obvious mistakes are a lesson for us that our work is effective, no matter how publicly known our methods of uncovering criminal activity are.  I mean, the printer dot metadata has been known for at least a decade….

Digital Immigrants.

I’m a digital immigrant.  For a long time, I used pagers at work and had a cell phone that was the size of a toaster with a battery that lasted 10 minutes if it wasn’t plugged in.  I grew up with BASIC, DOS, AOL, and 5-1/4 floppy drives.  Now…I make phone calls on a computer that I carry in my pocket, have video meetings on a tablet that is thinner than the newspapers I used to have delivered to my driveway, and can take a class in practically any subject in DFIR I want…online…

For the non-digital immigrants, the younger whipper-snappers have no idea of the changes involved in having to migrate into a technical world rather than being born into it.  That works for you and against you.  This also works for and against the digital immigrants.

Here are some of the changes, both good and bad, that I have seen in the transition of the world into the digital realm.

I have seen where the vast majority of ‘computer forensic’ people were mostly retired cops or retired special agents.   If you weren’t in those careers, you were “just” IT. Coming from that world, especially at that time, meant that the skills were not generally shared.  Many times, you learned on the job and figured it out yourself.  It wasn’t for lack of being able to share but more of coming from a world where secret skills were best kept a secret so the criminals wouldn’t find out.  Even the courses available at the time didn’t cover 10% of what is covered today.  Can anyone name a case where memory forensics played a role in the 90s?  Did anyone even capture memory in the 90s?  See what I mean..

I have seen the days when shopping for any forensic book meant being able to choose between the only three books in existence. 

Tools? I remember the days of Norton Disk Editor, Maresware, and NTI tools being “it”.

Conferences? Sure.  A few hacker Cons, but not much more than that. 

Communication with other forensic folks?  Not really.  Small group contacts, but not really more than that either.  It was a small world.

Fast forward to today.

There are more books to choose from than you have time to read.

There are more blogs, websites, forensic tools, and hardware than ever before.

Communication and information sharing is on full fire hydrant blast.  You want to learn something? The information is there to learn it.

Skills and techniques are developed all the time.  If some “thing” stores data, we can get it or find out how to get it off that “thing”.   The list of impossible has grown shorter every day. Plus, we find new places where data is stored constantly.

No longer are retired detectives the main source of employees.   We have colleges graduating students in many aspects of forensics from undergraduate to PhD degrees.  High schools are teaching forensics!  “Cyber” jobs are in such high demand with such a large pool of applicants that employers can cherry pick exactly who they want.

Anyone in the field can create a blog in minutes to post something they just found and share with the world.  The names in DFIR are now recognizable, where before, few even wanted their name in public.  The world of DFIR is different now, in a better way.  We are better in our skills and I credit sharing information as the main reason, if not the only reason. 

As for the bad…

All knowledge is available to everyone and anyone.  That includes the bad guys too.  The tools and skills to do good are just as well known as the skills and tools to do bad.  A crime that took months to plan in the past can be planned and committed in minutes without leaving behind any of the clues of traditional crimes such as a bank robbery using guns…now it is a keyboard behind proxies with dark money and virtually untraceable Internet use.

Getting into the DFIR field has always been difficult, but now it’s difficult for different reasons.  Where before, you just needed to have the skill to do the job, you now need certifications, degrees, diplomas, and experience because the pool of competing applicants is probably 100x what it was a few short years ago.  If you want in the field today, plan to spend years learning and prepping to compete against some very bright graduates.

I like being a digital immigrant, having been able to see the transition from analog to digital, privacy to publicity, and selfish to sharing.  I enjoy the conferences that started with a few people and have grown to thousands.   At this last Enfuse conference, I saw so many new faces and heard so many new names that I feel honored to be in such a growing community.  It is getting harder each year at conferences to find those who I met the prior year, only because of so many new faces.  This is pretty cool.

Trading Personal Information for Price Quotes. Why do we do it?

Whenever I have to buy a dongle (i.e., a license for software I don’t have or an additional license for software I do have), I go through periods of frustration lasting 2 or 3 days.   In short, I just want to know how much to pay.  That is all I ask.  How much does it cost?  Nothing more, nothing less.

The 2 or 3 days of frustration is having to wait for price quotes via email.  Yes, I can call and ask, but I have done that before and felt like I was talking to a telemarketer where it took 30 minutes to get an idea of the price before having to still wait for an emailed quote the next day. 

For businesses, the tactic of requiring a price request is effective.  The potential buyer must submit their name, company, telephone number, email address, and sometimes their position/title and maybe even their address.  So, rather than purchase an email list, a business simply requires the same information by withholding pricing until the information is provided.

Then comes the hard sell.  I have had phone calls, emails, and snail mail sent to me after submitting a single price request…for years after the fact…even when I ended up not purchasing a particular software. 

On one occasion, I sent two separate price requests to the same company for the same software with one of the requests coming from a fake name/company.  Result: different prices, not by much, but different.  The same request for the same software = different price. Huh?

On top of that, the price quotes are valid for a brief time period.  If you want that price, you have to buy before this date otherwise, we can’t promise you that the price won’t increase if you ask in a few weeks from today.  I personally find it difficult to accept that the price of a product from the manufacturer (or developer) will fluctuate so much within a month that fear is used to push a purchase to happen.  I have even seen (on a tweet) that the licensing for one DFIR software starts on the day of the quote and not on the day of the purchase or first use.  So...ask for a price and buy it at the end of the quote period and you lose a month of licensing.  Cool...right?  I guess that is a way to push you over the edge to buy it in a hurry.

I know that this is an industry standard for some forensic tools. Guidance Software and Magnet Forensics are two examples that require your personal information before you simply get a price of the product that you wish to purchase.  Other forensic tools put their price online for the world to see it.  It’s the same for everyone.  It takes 1 second to find how much you put on your card and you can order it on the spot within a minute. X-Ways Forensics and Paraben Forensics are examples of simply posting the price of a product.   Other tools take days to get a price and it’s nearly a week before you make a purchase.

I get it.  Potential customer information is valuable, especially when you have a direct telephone number, email address, job title, and have a good gauge of the revenue based on the company name.  I can imagine that a price quote request for a single license from the Boeing Company could be different than a price quote from Joe Blow’s Forensics Services.  Maybe it’s the same price for both, but there is no way to tell. I have seen small print on quotes to not distribute the quote to anyone else.  Seriously?

If you develop forensic software, listen up.  I do everything I can to avoid buying the software if I have to ask for a secret quote.  It’s not that I’m impatient, but yeah, I’m impatient because I have work to do.  When I need a tool, I just want to buy it and not go through 18 steps of emails, phone calls, and printing out quotes to figure out pricing. I also don't trust secret prices based on secret sauce and 'who you are' or 'who you work for'.  

The reason we trade personal information for price quotes is because if you want that specific software, you have to give it up.  Your name, phone, email, company, job title, and sometimes even more...just to get the price of something you may not even purchase.  This is worse than trying to buy a used car.

The 2 Easiest Ways to get into DFIR

One of the greatest questions in the field of DFIR has nothing to do with analysis, but rather, “How do I get started in DFIR?”

Using Google-fu, you can find plenty of answers reaching back a decade or more of blog posts and forum threads on how to get into DFIR.  To add to the Internet resources, here are some methods of getting in that you may or may not have found elsewhere.

The easiest 2 ways to get into DFIR

  1. Your current employer chooses you for the job and..
    • Sends you to training
    • Pays for college tuition
    • Pays for all the tools
    • Gives you time to learn and practice
  2. You get hired specifically for DFIR without any experience and your new employer…
    • Sends you to training
    • Pays for college tuition
    • Pays for all the tools
    • Gives you time to learn and practice

Both of these are generally going to be government jobs, including the military.   Either you currently have the job (such as a police detective) or are willing to join the military to get it.  Nothing wrong with either method, but it requires lots of prior work before even getting to that point of learning DFIR skills, like physical examinations, physical fitness tests, psychological examinations, academies or boot camps, and so on…  Going the military route pretty much takes care of everything.  You will be given everything you need with expectations already set out.  You essentially are putting your life at risk for the community or country.  Very respectable and honorable, but it is not for everyone.

The other route to DFIR, which is probably more common:

Research first

  1. Figure out if you want to do the DF or the IR or both.
    • Digital forensics is generally forensic analysis ‘after the fact’ of storage media, such as someone being arrested for a crime and a computer is seized as evidence.
    • Incident response is generally a forensic analysis ‘after the fact’ of networks, such as a breach in a network.
    • Within DF/IR, there are many sub-categories to choose from (based on operating systems, devices, networks, etc…). Find what you think you may want to specialize in.
  2. Decide on who you want to work for/with.
    • Government: Local, state, federal (or military as previously mentioned).
    • Private: Internal job in a corporation or company that provides DF/IR services (or start your own company).
    • Read the job requirements and plan to obtain those specific requirements (if a BS degree is required for the job you want, plan to get a BS degree).
  3. Plan your path of education and experience
    • Education: Will your current employer pay for training/education or will you be paying on your own?
    • Experience: Can you get experience in your current job or do you need to find experience on your own?

Put your plan into motion

  1. Self-learn from this second forward until you no longer work in the field
    • Scour the Internet for resources (white papers, forums/blogs) and read everything
    • Obtain software (open source or commercial) and start practicing with imaging and analysis based on what you read. Mirror what others have done that you find online, such as with practice images.
    • Check out, purchase, and borrow DF/IR books. Read them.  Read more of them.
  2. Get educated
    • If your employer will pay for education/training, sign up and go.
    • If you will be paying, accept that your vacation days will be used attending courses.
    • Take night classes at the local community college in DF/IR/IT.
    • Consider that the majority of your pleasure reading will be DFIR and not the latest James Patterson book.
  3. Get experience
    • If you can get experience at your current job, take advantage of it. Can you help out someone in your company with imaging? Do it.  Can you help with packaging electronic evidence? Do it.  Get hands-on experience every second you can.
    • Can you volunteer or be an intern at a DF/IR provider or organization? Spend your time volunteering if you can in order to get hands-on experience.
  4. Get recognized
    • Join local, national, and international DFIR associations.
    • Go to conferences and meetings
    • Write papers on that which you learned and mastered. You don’t need to know everything about everything in DFIR in order to masterfully write about a specific nuance in the field that you learned or tested.
    • Start a blog.
    • Share your work. Make your testing results public.

Keep moving forward

  1. Once hired, research to improve your skills.
    • Prove or disprove something in the field.
    • Find previously unidentified artifacts.
    • Find better ways of doing something.
    • ‘Break’ tools so that they can be improved.
    • Write better tools.
  2. Keep educating yourself.
    • Do NOT rely on anyone else to teach you.
    • Teach yourself from today and forever.
  3. Keep practicing.
    • Practice doing it right.
    • Practice doing it right.
  4. Go public with your work and share.
    • Do not be shy.
    • Do not be stingy.
  5. Keep reading.
    • Read what others publish online and in print.
    • Read the reports and affidavits your peers have written.
  6. Mentor others.
    • Encourage today’s youth.
    • Encourage career changers.
  7. Teach
    • You will learn by teaching.
    • You will help the field by teaching.
  8.  Do it. Write it. Publish it somewhere.
  9. Research more.

What not to do

  • Wait for your employer to pay for everything.
  • Refuse to read books unless you are required to read them.
  • Refuse to spend time self-learning.
  • Quit self-learning once you are getting a salary.
  • Keep to yourself and never share your research.
  • Believe you know enough.
  • Believe you know everything.
  • Believe that there is nothing else to learn.
  • Believe that your job is safe because you learned all you need to know.

The bottom line is that you need to work hard.  You need to self-learn.  You need to put yourself out there in the public eye.  You need to do everything because the DFIR field will eventually be so competitive that just doing the minimum will get you nowhere.

As one example, take a look at this student’s tweet:

I have no idea who she is, other than a Champlain College student.  But I know from experience that this type of project is not easy, cannot be done in a weekend, and the guts to put it online and post about it means she has the potential to be in front of a classroom teaching DFIR or writing a book about DFIR or discovering something new in DFIR at some point in her career.   In technical terms, we call that “employable”.

Bottom line. It takes hard work.   

My #DFIR Books of the Month

Before I get started talking about the #DFIR books I’ve read, don’t be too excited that I’ll have a ‘book of the month’ post more than once.  With forensic books, there just isn’t enough to do a book of the month review.   With that, I do want to post a bit about the books I have enjoyed and some that I have not.

These are only the books that I have personally read or skimmed.  Other books surely belong on the list, more are pre-ordered that I am waiting on, and some I will never read for one reason or another.  Books you see in the “Avoid if you can” column were promptly sold off at Half-Price Books.  I have had more books than this list, but I just can't remember what they were, which could be positive or negative about the books.

There are some books that I do not recommend.  Surely, the list is longer than what I have, but this list is mine.  If you can avoid buying these books, do so.  Each book has problems that just rubbed me the wrong way.  For example, one is so basic but claims to be advanced, however the authors write it assuming you don’t even know what a computer is.  Another book is so haphazardly organized and written by so many different authors with conflicting information that it reads like a book designed to frustrate most readers.  Any book written as a textbook is an automatic failure for me.  I do not want a book written to fit into a semester.  I do not want a book that requires an instructor edition to use, written at a 10th grade level, or with such a broad overview to meet the ‘majority’ of students' needs that it misses what I am looking for.

I want a book that I can put to use on the same day I start reading it.

Legend:

Green big thumbs up:  A Must-Have book.  You should already have it or read it or wrote it.

Green small thumbs up:  Helpful, especially if it fits what you are doing.

Red thumbs down:  If you buy this book, it's all on you.

Book | Helpful to have or must-have | Avoid if you can | Notes

*notes are at the end of this post.

[Table: the book titles and thumbs-up/thumbs-down rating icons were images that did not survive; only the notes column follows.]

  • The book that got me excited about forensics in the beginning.
  • I’m sorry if your instructor makes you buy this one.
  • Short and sweet. Good if you are thinking about getting into forensics to get a clue of what it is.
  • Good info.
  • A classic.
  • Looks advanced, but tries to take a big bite in such a broad topic.
  • Good tips in here.
  • I didn’t like it.
  • Getting started in “cyber”, maybe you’ll like this one. Not for me.
  • Nope. Didn’t like it.
  • Good info if you are new to the field and need to know the legal end of the work.
  • Nope.
  • Straight to Half Price Bookstore.
  • Bought it for my certification prep. Reads more like a basic forensic book than how to use EnCase.
  • Required reading. Not much to say, because I know you already have this book, as well you should.
  • If only for reading what constitutes Free and Open Source forensics tools, it’s worth it.
  • Do you do Windows forensics? Then get this book, every edition.
  • I’m not sure how to rate this one.  Just didn’t do it for me, but not so terrible.
  • Certainly worth it.
  • Good to know as much as you can about building out a lab.
  • I call it “basic” in that this book is a little old now, but still has good info in it.
  • “Mastering” needs to be removed from the title.
  • A few good points in the book to know. Worth it.
  • Better to spend time reading the FTK manual.
  • Required reading. You need this book.  Seriously.
  • Now this is a PACKT book that works!
  • Whether you do IR or not, this is good stuff to know.
  • Required reading. Don’t tell me that you don’t have this book yet.
  • Required reading. This one and every edition of the book.  They are already on your shelf, right?
  • Trying not to bash basic books, but this one didn’t do it for me.
  • If you use X-Ways, it is required reading. If you don't use X-Ways, don't get the book unless you are considering X-Ways.  It doesn't teach forensics.
  • If you do this type of work, this book is worth the time and money.
  • See above.
  • Again, not sure what I can say.
  • Basic. And it’s written as a textbook.
  • Take out “Mastering” and you have an ok basic book.
  • Personally, any book on operating systems is worth it unless it is really bad.
  • I’m into Android forensics, so yeah, I read every book on the subject I can.
  • Yeah, this too.  Even the older books have some bits of knowledge that make it worthwhile.
  • Required reading. One of the better investigative books, which is a skill sorely missing in many DFIRs.  Required reading because you need an investigation reference.
  • This book could have been so so much better.  Lots of research done, but really not much in substance.
  • Another subject I am ‘into’, therefore, worth the time to buy and read.
  • I’m not getting into the PACKT books at all.
  • Mid-way through, I forgot it was an Internet Forensics book.
  • No other books on this subject, and you’ll find something of value.
  • Should know these things about CD/DVDs even as we find fewer and fewer of them.
  • Run away from this book and don’t look back.  This is a straight-to-Half-Price-Books book.
  • Another book whose title implies it should be so so much better.
  • Neat topic, comes up in casework and worth the time and money.
  • Lots of good info and worth it.
  • Good grief.  Yet another book title that could have been so so much better.
  • Good info, worth the time and money.
  • Required reading. Should be required reading for everyone in DFIR. The title states what you should be doing every day.

If I offended anyone with my opinions of any book, I can't really apologize since either I liked the book or didn't (or it just didn't apply to what I was looking for in that topic).  The required readings are required readings for me and anyone I mentor or teach, again, based on my personal opinion.

**Book addition update: 6/5/2017**

My order of Digital Forensics Trial Graphics finally arrived.  I have been waiting for a year for this book to come out.  Two known authors on a topic that needed to be written.   I didn't bat an eye at the $50+ price tag.  However, when the mail came, the package that had the book was small and light, so small and light that I thought the book could not be in it.  But it was.

It's smaller than my iPad in overall length, width, and thickness.  I figured, "there must be dynamite in those few pages".  After less than a minute flipping through the book, I realized that I had been had.  The content is nothing more than putting together a PowerPoint.  The pages (all 96 of them) seem to be filler.  In fact, the last 6 pages of the book are blank pages.  After waiting a year for this book, it reads like it was written last weekend and printed on a laserjet on Monday to be shipped out on Tuesday. The cover was also different than originally marketed, but that is nothing if the content is worthwhile.   Few DFIR books have ever made it this low on my list.


Website Updates (more search warrants, affidavits, forms, etc..)


A few changes to the DFIR.training website.   First, several lists have been updated (bad links removed, more links added). 

The event calendar has been removed. 

Too many courses have been canceled or changed to keep up with as I have curated most of the courses myself with only a handful of providers updating their own training.  So, now there are direct links to the course provider calendar pages. http://www.dfir.training/index.php/education

I did add a few more colleges, but did not go overboard with searching for more.  Today, we are almost at the point that if you are wondering if a college has a DFIR program, it is the same as wondering if a college has an English or History program.  Meaning…most colleges are beginning to add some sort of DFIR program to their catalog.

More search warrants! 

On the search warrants and templates, if you see something you like, you may want to download it right away because they can disappear anytime.  I am not hosting the files and am simply linking to the affidavits and other forms.   I put up a wide variety of forms and warrants/affidavits to help anyone who (1) is a student and wants to see real warrants, or (2) currently writes affidavits and wants to see how other people write.  There is some good stuff in some of these affidavits to take a look at. http://www.dfir.training/index.php/lists/dfir-forms-and-examples

News feeds…

The RSS feeds were bogging down the site.  There are so many of them and I cannot trim any more since the remaining feeds are active and great blog resources.   However, I am working on configuring the feeds differently with cache settings and alternative methods (different Joomla extensions) to display the feeds.  You will see the News Feed page (http://www.dfir.training/index.php/news-feeds) work and not work over the next days until I can get the settings to a point where the website doesn’t crash or grind to a halt.

DFIR Tool Database

No changes.  This database rocks!  Approaching 1,000 DFIR tools.  There is no other database like this one.  Yes, some tools may not work as well as other tools, but every situation is different.  Sometimes Tool A works better than Tool B in one case, but in another case, Tool C works better than Tool A.  You can add a tool to the database by submitting it online (http://www.dfir.training/index.php/contact) or Tweeting it with @DFIR_tools in the tweet so I can see it.


3 Tips to Keep Your Name out of the News

A police officer called me about a private sector case referral that ended up being a hornet’s nest of problems.

The story goes:

Victim company fires an IT employee.  Rather than escorting him out at the same time as revoking all access to the company network, they gave him the afternoon to clean out his desk.  In that time frame of unsupervised “desk cleaning”, the employee did a number of things.   After the ex-employee left the property, this is what the newly promoted IT guy discovered:

  • Missing laptop (was there at the time and had been assigned to the fired employee)
  • Missing tech gear (enough to fill a hockey bag)
  • C-level staff receiving emails from clients asking if the C-level staff email accounts were hacked
  • Access failure on a server.  Everything deleted.
  • Physical backup tapes on that server missing.

Company calls 911 to report theft and "cybercrime"

Patrol Officer shows up.

Patrol Officer calls the ‘cyber unit’ (yes, they call it the “cyber unit”).

Cyber Unit Detective shows up and patrol officer departs.

After telling the detective everything they found up to that point, the detective classifies it as a civil matter since it was a fired employee and is “not a police issue”.   The detective then leaves.  Company calls a Sgt at the police department and the Sgt says, “If the detective says it’s a civil matter, then it’s a civil matter.”

The patrol officer calls me and has the company call me.  When I show up and hear the story (with in-house counsel), I agree to take the engagement.  It was easy enough to see the activity in a 4-hour window on the ex-employee's desktop (lots of file access…external drive connection…and accessing MS Exchange accounts…).  I called the detective and explained a half dozen felonies, but because it’s a civil matter….

I even asked the detective to have a theft report taken of the property.  No-go.  It’s a civil matter.  I called the local sheriff’s department, who referred me back to the local PD.  Nope. Not doing that again.

So then, I explain to the company and its attorney that the local PD refuses to do anything and that the county simply refers back to the local PD. They can keep going and ask a federal agency if they want, or I can get to work now and they can figure it out later.

End result:

Company called the police chief.  Police chief didn’t seem to understand the gravity of stolen IP (probably 500GB+ of CAD designs, images, plans, code, etc…). 

Company told me to get to work, damn the torpedoes, and cost is of no concern.

Company CEO is calling the media today……

Moral of the story is:

Don’t be the DFIR guy that doesn’t know what to do AND won’t admit it or ask someone for help.

Oh yeah, the 3 tips to keep your name out of the news...

1) If you don't know how to do something, just ask someone who knows how to help.

2) If you have a duty or responsibility to do something, best is to do it.

3) Refer back to #1

 

 

 

**Note**

I am not bagging on LE in the least bit (or byte).  I have seen this in the private sector too, but generally this type of person is fired whereas a govt employee is not.  I realize in the private sector, the individual has to soak up the majority of costs for training and education, whereas in govt, the govt entity picks up the tab for training.  When it comes to many govt employees, they do not expand their training beyond that which is provided by their employer. I believe that to be a loss in learning in this profession.


I only do 10%.


I’m on the second day of a conference for the second time this year and 90% of the time, I am hearing information that is more or less, a “refresher”.  Before you take that as a complaint, stop right there.  If anything, I am complimenting that there is 10% that is super great information, in effect, “refreshing” information.  My goal is to find that 10% so I don’t waste time on the 90% I don’t need right now.

Most likely, you are like me in that time is scarce to not only spend learning the latest and greatest things, but scarce in trying to keep up with the field.  To solve this problem, I have my 10% rule.  I focus only on 10% of what I need at the time I need it.   The trick is quickly figuring out the 90% to avoid wasting time on it.

I also know how I learn, which is probably the most important thing to know in any line of work.  If you learn by doing, but spend all your time trying to learn in classrooms, you won’t be effective in learning.  For me, I am a visual-hands-on learner. I watch and physically repeat what I saw (listening is important too, but primarily if I ‘see it’, I can ‘do it’).

For any task or skill, I immerse myself in it completely, ignoring everything else, with the goal of mastering 10% of the skill quickly and soundly.  From there, learning the remaining 90% will come through practice as I get to it.  But I have to master the 10% first.   As an example, take the Windows registry.  You don’t have to master the entire registry to be an expert for the most common artifacts of the registry.  Master the basics first.  Learn the advanced as it comes.

Little things I do to learn in the DFIR include;

-Taking copious notes.  I write down everything. I have notes in every DFIR book I own. I have highlighted my books in every color ever manufactured. I do this because I most always need to refresh what I learned or check back on a point I made to myself.  Don’t worry that the book you bought cost more than $50. Write in it! Highlight it!

-30 minutes a day dedicated to something in DFIR, every day.  I spend 30 minutes every single day, unless I am physically incapacitated with an illness, to consistently learn something specific.  This comes out to over 100 hours a year if you count the days that I simply can’t spend 30 minutes to study.   The level of skill you will achieve doing this will make you an expert in that subject within a year.  Don’t believe me? Try it for a year.  Get up 30 minutes earlier every day for a year, sit down and learn one thing for a year.  You..will..be..an..expert..in..that..subject.  I promise.

-I am super selective in who I learn from.  Because I have spent way more time than I wanted with poorly written books, incompetent instructors, travel, and high tuition for courses that I will never get any return on investment from, I have become extremely choosy.  I have cut my conferences down to only two per year, maximum, whether I am attending or presenting.  It’s not the cost of attending as much as it is the 90% that I don’t need.  And for each class I take, I prefer to take it from someone who I know knows what she or he is talking about.

-Repetition saves me.  If I can repeat what I see, I can learn it. If I can learn it, I can master it.  If I can see it more than once, it speeds my process of mastering it.   This is the biggest reason I am a fan of recorded courses, because I can rewind, watch, practice, rewind, watch, practice, master the skill. 

I have said on many occasions that I am not a fan of cheaply made videos (Udemy and YouTube come to mind) for several reasons (http://www.dfir.training/index.php/blog/free-dfir-training-is-great-except-when-it-s-not), which I won’t repeat in this post.  I like training videos.  Correction, I thrive on training videos, but only the good ones. Yes, even a cheaply made video can have great info, but I don't have the time to weed through a dozen hours of videos to find 10 minutes of gold nuggets.

Some tips on avoiding the 90% of material you don’t need:

  • Don’t read books cover to cover.
    1. Read the sections you need, when you need it.
    2. Read the rest of the book when you have nothing else to do.
    3. I read and write/highlight and move on.
  • Don’t take any course that you don’t need.
    1. Sure, “Conducting Memory Forensics Underwater” sounds cool, but is it necessary?
    2. You already took “Bootcamp 101”? Do you really need to take it again?
  • Check the conference agenda BEFORE registering.
    1. “Just because everyone attends” is not good enough reason.
    2. Go to the breakouts that matter. Skip everything else.
  • Staleness
    1. Is the thing you are looking at more than 2 years old? Is it still relevant?
    2. Some things never change, some things change weekly.
  • Choose what you want to learn and only what you want.
    1. Ignore the rest.
    2. Focus (master) what you want/need to learn.

As far as training vs education vs self-learning, I do all three.  But I only do 10% of it.

ps...If you teach anything in DFIR, be sure to teach the 10% and don't fill time with the 90%.  And if you find someone who teaches the 10%, stay with that trainer or organization for the biggest time saver you can have when mastering skills.

 


Forensic 4:cast Awards


Sadly, dfir.training didn’t make it as a nomination for Digital Forensics Organization of the Year Award, but still, I’ll be there for the award presentations (I have a ticket in hand, or rather, in my email).  I suggest that you vote in the awards to show appreciation for those in the field who do a lot for the rest of us in the field. 

The physical awards in and of themselves aren’t as important as the recognition the community gives in the form of voting.  Voting shows support and support is truly appreciated.  If you do nothing more in the advancement of the community than voting, you are doing something that makes a difference.

Everyone votes differently.  Some may vote for popularity while others may vote based on contributions made by a person/organization.  Whichever way you feel is irrelevant as long as you vote. 

One thing about the 4:cast award categories is that you may not have an opinion in one or more categories because you might not have used one of the tools listed, or read one of the books, or know what a person contributed.  That's ok.  But, a quick Google search can help guide you in the right decision to vote in what you feel fits your input.

In case you want to see how I would vote…take a look below.  This is by no means to influence you, but to show that I am certainly going to vote, hope that my choices win, and that I feel bad about some of the people that I couldn't vote for.  It is difficult to make a choice between great competitors, but alas, one vote is what you get for each category.

See you at the Summit!

And don't forget to push Submit!

by the way, did aboutdfir.com win the popular vote or the electoral college vote?....


We catch the smart criminals too.


I just finished reading “The Art of Invisibility” by Kevin Mitnick.  The book is full of tips on how to be anonymous on the Internet.  Nothing in the book was a surprise or new information to me and most likely won’t be new to anyone who works in DFIR/Infosec, which leaves the information on how to be anonymous out of the comprehension range of the average Internet user.  Unfortunately, the book doesn’t really help computer professionals (we already know what an IP address is) and it doesn’t help the average Internet users (they don’t care to know what an IP address is).

The biggest takeaway from the book was the reassurance that no matter what a criminal does with computer technology, if you look long enough and have patience, you can catch them.  Again, this is not new to those who investigate criminal cases or civil violations.  Police typically solve cases because the criminal makes a mistake, not because the police are supernaturally gifted.  Any person that wants to commit a crime through the Internet risks getting caught by a myriad of reasons, with the most likely reason being lazy and/or making a mistake.  By the way, this book is not about how to get away with crimes, nor is it how to catch criminals.  

In the DFIR/Infosec world, we live on capitalizing on the mistakes made by those using technology to commit crimes, regardless of whether it is an intrusion investigation or possession of child pornography.  We don’t only catch the dumb criminals.  The dumb criminals are easy to catch.  We can do that during a lunch break.  But we also catch the smart criminals because all humans make mistakes.  In every DFIR case I work, I am looking for the mistakes that the suspect made, because the one mistake you find can break open the entire case, regardless of whether it is a "little" oversight or a major error.  I once broke a case by finding a single USB entry in the Windows registry.  That one entry tied the computer to a known USB, which tied it to the known owner, which led to the discovery of multiple devices that had all the evidence needed for the case.  The suspect lazily plugged in a USB flash drive when he kept everything else separate. One registry entry = a decade in prison.

It is certainly true that criminals have to be lucky/good ALL the time.  You only have to be lucky once. That is the crux of the book.  One mistake and anonymity is broken.


The #1 Tip to Solve your DFIR Case Problem


Have someone else take a look at it.

That’s the best tip for any problem that you cannot solve: have another set of eyes take a look.  I personally know investigators (in LE, or DFIR, or LE DFIR) who refuse to ask for help because, as I am told, they can do it better than anyone else.

This reasoning is understandable, especially if you are highly skilled and have massive experience.  Why would any highly skilled DFIRer ask help from a junior examiner?  Seriously.  If the expert can’t figure it out, how can a lowly, low-skilled, less-experienced person figure it out?


The answer is that it is not the skill or experience level that can solve your problem. It is the simple act of looking at your problem from a different point of view.  I have seen complex criminal investigations, including a murder case, that were solved simply because someone looked at the case and asked a simple question that made everything come together.

Sometimes, we need help because we just forgot to look somewhere for some artifact that we overlooked.  Or maybe we see it, but don’t recognize it.  The answer may be right in front of your nose but it takes someone else to point it out.

Asking for another set of eyes does not mean you admit defeat, that you are incompetent, or that anyone else is ‘better’ than you. It means you are thorough. It means you are good.  Most likely, you do this anyway, but not by asking for someone else to look at the problem, but by stepping back for a time and coming back later to look at it.  Giving your eyes a break (physically and mentally) can solve 90% of anything you come across.  I am talking about that 10% of the time where no matter how much effort you expend, you are not going to find the solution.  You need to ask.

Don’t think this works? Then you have never tried it.  Cold cases are solved with this same concept.  When a case is given to someone else, many times it is closed quickly solely because a different perspective took a look at it.

Want to be the best?  Want to be known as someone who can work a case?  All you gotta do is to remember to ask for help and borrow someone’s eyes.   That’s the number 1 tip.


3 Animalistic Tips to Bust Open Your DFIR Job.


1. Be the Bloodhound.

The Bloodhound has the best nose to find anything.  A DFIR’er should be like the Bloodhound, in that if the evidence exists, you can find it.

Evidence: Where is it?

Tools: Where can I find the tools?

Training: Where is the training?

2. Think like the Squirrel.

Squirrels may look cute and innocent, but they are always thinking, planning, and being deceptive in what they do.  The better DFIR’ers are constantly thinking, planning, and being a step ahead of every obstacle that comes up.

Training: Which training do I need? Which training fits me best to learn?

Evidence: What constitutes evidence in a specific analysis?

Analysis: What does the data mean?  How do I interpret it? What are the connections?

Investigative:  What is the adversary thinking? What was the adversary’s plan?

Reporting: How do I accurately and concisely get the point across to someone else?

3. Work like the Honey Badger

The best DFIR’ers don’t give up.  They dig and dig and dig until they get what they need to solve a problem or solve a case.  The only time they might give up is when forcibly taken off a case and put onto another. Otherwise, once they have been given a mission, it is followed through until completion.

Tenacity: What will it take to overcome every obstacle in this field, this case, or this one problem?

 

Some lucky DFIR’ers instinctively have all of these traits.  Others have some or maybe only one of these traits.  All DFIR’ers can learn and employ all of the traits if effort is applied and time is carved out.

Do you want to know the secret to getting this?

The secret is that there is no secret.  The way the most famous or most competent DFIR person does it is no different than the high school student learning how to do it.  For example, read a book on the subject. Watch a video.  Take a class.  Practice on your personal device.  Search and experiment with different tools.  Really. That’s it.  No one has special access to special tools.  Everyone has access to the same thing, however, it is what you do with what you find that makes the difference.

Take a forensic artifact of your choice as an example.  It may not take extreme skill to find an artifact using any selection of a forensic tool.  But, it takes the 1,2, and 3 tips to use a forensic tool artistically, scientifically, and even experimentally to exploit the artifact to get what you need in a case. 

Never sit idle.

The day you think you know it all or know enough is the first day your competence will degrade.  Period.  As an example, if you did nothing to improve upon your job today, your skill and knowledge degraded.  BUT, if you did just one thing, such as watching David Cowen’s forensic lunch, you would have learned (if you didn’t already know):

And this knowledge takes less than an hour of time with virtually no physical effort other than focusing on the discussion and taking notes when you hear something to follow up on later.  Do something every day, whether it takes 5 minutes or an hour.

If you happen to be naturally inclined for DFIR work, congrats.  I’m a bit jealous, but certainly not in the least bit discouraged, because I am the Bloodhound, I think like the Squirrel, and I work like a mission-focused Honey Badger.  You can do the same, and maybe even better :)

 


3 Steps to be a DFIR Superhero


1) Know your job

2) Know your tools

3) Know what your client wants

If you can do steps 1-3, you can be a DFIR superhero.   It may look easy, and it is, sort of. 

  • Knowing your job is simply knowing what to do in a given situation. Clock in on time.  Fill out paperwork correctly.  Keep the ship afloat on a day-to-day basis.

There are days that DFIR work is mundane.  Actually, many days are mundane.  Whether you are looking at an image of an employee workstation or trying to keep the network safe from attacks, most days are routine and mundane.  The occasional emergency is something different and if your company is full of emergencies, that’s another story.  If you can show up to work, take a lunch break, and leave on time, then you are probably handling the job tasks fine.

  • Knowing your tools goes beyond using the tools you have always used. This also means keeping up with the new tools that come out that might be better than the tools you have been using.

Seriously.  If you have been with so-and-so DFIR tool since version .0001 when it was on a floppy disk, you may want to revisit the tools that have been developed since 1997…  There are now more tools that can do more things compared to the 1990s.  Know your tools!  Keep up with the new tools!

  • Knowing what your client wants is the hardest. Your client can be your boss or a third party that hires you.  You know what your clients need.  Your clients may not know what they need, but they certainly know what they want.  Knowing how to navigate between a client’s wants and needs takes skill.

When your client ‘wants’ you to image every single computer on their network for forensic analysis to find the employee stealing data but you know that the client actually needs a lot less, you will find yourself in the world of want vs need.  If you are really good, you can pull your client into the ‘need’ and out of the ‘want’ without any issues while receiving a job-well-done from your client.  If you have no tact, the outcome will be either your client being unhappy because you did what was ‘needed’ and not ‘wanted’, or you feeling like you did a poor job by doing what was ‘wanted’ but not what was ‘needed’.  Luck is when the wants and needs are the same.  I’m waiting for that day myself…


Dead-box forensics is not dead

Spirited debates can be draining

I use the acronym “DFIR” as loosely as everyone else does.  I know exactly what it refers to, both “digital forensics” and “incident response”, but that it also implicitly refers to “ethical hacking”, “infosec”, and other related disciplines.   I don’t see any way someone can misuse “DFIR” when speaking generically.  Of course, when you get down to the nitty gritty, specifics matter.  But I'm not talking about specifics here.  I'm talking about a near all-out-craz-out by an "IR" guy.

Not that I like debates, arguing, confrontations, or disagreements, but good grief…I sometimes find myself dodging arrows and darts.   As a recent example, right before leaving a conference (within the last two months…just to muddy the number of conferences to avoid guessing which one), in passing, I mentioned “digital forensics” to an “incident response” person that ended up with me being told that those in “digital forensics” are dinosaurs heading to the graveyard if they don’t do “incident response”.   The guy went down the path that ‘dead box forensics is dead’ and that no one should focus on dead box forensics and if you do, you'll be out of business in a year.

All I responded with was that someone has to do dead-box forensics, some cases are solely dead-box forensics, and even incident response deals with dead-box forensics.  If no one does dead-box forensics, then what?  I also agreed that anyone doing dead-box forensics needs to expand their repertoire a bit, not because dead-box forensics is useless, but that getting outside that box will lead to more evidence (via clues) inside the box.

I am giving the guy a break in that maybe he drank too much the night before, didn’t get any sleep, or maybe is getting audited by the IRS. Whatever the reason, the fever he had that having “DR” as part of the “DFIR” acronym is sacrilegious and that dead-box forensics folks are incompetent in the field just reminded me of how many Type A personalities we have in DFIR.  To the credit of Type A personalities, that is kind of what is needed in this field to begin with, but it’s a double-edged sword when two Type As work together or even sit together in a conference.

My points are;

There's nothing wrong with the term “DFIR”.  Dude, we work in the same field. It’s not combat against each other.

Dead-box forensics is not dead.  Many cases come down to a hard drive.  It’ll be around for a long time.  If you just do dead-boxes, be sure you can dive deep.

 

By the way, DFIR doesn't always mean "DFIR"...

Don’t be that DFIRer.

When you have a cup of coffee with your co-worker, peer, boss, subordinate, or opposing expert, don’t be the expert who didn’t read the latest and greatest finding posted yesterday or today by someone in your field.  Seriously.  I’ve seen this happen.  One person knows the newest discovery in forensics and the other guy doesn’t.  Don’t be that DFIRer. Keep up on the blogs!

DFIR.training has an extensive listing of RSS feeds for blogs and podcasts, separated by category.  This list does not include every single (or even the majority) of available blogs on the Internet.  There are several reasons RSS feeds are not listed on the front page:

#1 – No date on the blog posts.  Is the information from 1999 or 2017? Who knows??

#2 – Inactive.  If the most recent post is over a year old, is the information still relevant today?

#3 – Selling their product every other post? I don’t want to read that blog.

#4 – Hard to find RSS feed on the blog? If I can’t find it, and my reader can’t find it, I’m not reading it.

#5 – Difficult to read website? Lots of flashy colors and crazy fonts? Not for me.

#6 – Need an invite to view the blog?  Forget that.

I also do not put the “Paper Li” feeds on dfir.training.  The Paper.Li set up just doesn’t do it for me at all.

During my search for blogs and podcasts for the dfir.training website, I kept coming up with blogs so old that the information can’t be relevant today.  Surely, if a blog’s last post covered Windows XP, then not much will be of value today. Too much has been researched and written since 2007 (or 2015 for that matter).

Other blogs found by Google no longer exist, which is natural since no blog lasts forever.  But, some of my favorite blogs from long past are in that group. I miss those blogs….

This is what you get for blogs at dfir.training:

The front page lists the most recent posts in the categories DFIR, Podcasts, eDiscovery, Security, and Hacking.  If you are like me and check a dozen or more blogs from the most active DFIR bloggers and podcasters, you get frustrated when you don’t see anything new from the day before, because you spent time clicking and looking for dates and titles.  HOWEVER, on the front page of dfir.training, you’ll see posts listed by date, title, and blog name, in order of most recent update, from top to bottom.  You won’t find posts updated a month prior, because the intent is to keep only the very newest posts listed on the front page.  That is what we need: the most current information, listed right in front of our face.

You can see the list of RSS feeds on this site here: Blogs

Keep in mind that some of the listed feeds and blogs may not be getting updated by their respective authors.  Those are not going to show on the front page of the website.  The front page is where you go to make sure you don't miss something important.  In 2 minutes, you can check whether anything happened in the DFIR blogosphere that pertains to your job. To stay up to date, follow these three easy steps:

1) Boot your computer.

2) Run your browser.  

3) Make the homepage dfir.training

Tip: If you write a blog and I have it on the list, the more you write, the more you are on the front page.  Want to be top of the list? Post often.


‘Yes’ means ‘yes’. But ‘no’ could mean 'maybe' or 'maybe not', but 'no' never means 'never'.

A recent forensic course I attended gave me a little bit of high blood pressure, which was my own fault.  I try to only take courses where I know I don’t know the content, but should learn it.  Sometimes it turns out that I should have asked to teach the course rather than take it (or pay for it).

In the last course I took, the instructor presented on USB devices and finding artifacts of use.  Easy enough, good refresher, learned a thing or two on how to do something a little differently.  Fair enough.

The issue I had was when the instructor said if there is no record (artifact) of the USB device by name or serial number, then that USB has not been connected to the system.

Now…I come across this often.  The client, always an attorney, asks a simple question in many of my cases:

While holding a USB flash drive, the attorney asks me, “Can you tell me affirmatively if this USB has ever been plugged into that laptop?” while pointing to a laptop on the desk.  The answer will be:

Yes, or maybe, or maybe not.

I tried to relay to the instructor during a break that it is almost always impossible to prove a negative without some other information from outside the hard drive.  I gave about a half dozen examples from outside of forensics.  Simple things that can’t be proven.  Still, his point was that if a system has no record of a specific device being plugged in, then the answer is an affirmative ‘no’.  Reformatted drives, reinstalled OSs, swapped hard drives, data wiping, booting to a CD/USB, and registry cleaning did not change his mind.

I would have let it go had it not been for some new DFIRers in the room.  Teaching new DFIRers incorrect information will only come back to haunt them later.  Can you imagine defending your position on the stand, saying that without a doubt, no question about it, this USB device was never plugged into the defendant’s computer, based only on a forensic analysis of the hard drive?  You just can’t do it.

Of course, it is easy to say “yes” when you find the artifacts on the system.  If the registry shows that the same make, model, and serial number of the USB device exists on the machine, then of course it was connected at one time (at least once).  But to say that something never happened is a risky path to take.

The point being, and the point I made in the class, was that it is best to never say never, because you really don’t know what happened when there is a lack of data.  It’s like asking if we can prove a tidal wave ever washed across Kansas during the last million years.  Maybe it did.  Maybe it didn’t.

I admit that some negatives are possible to prove, but these are beyond the scope of what is reasonable when solely looking at data on a hard drive. 
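Here is the kind of tri-state check this argument implies, written as an added example that is not part of the original post: it returns 'yes' only when a USBSTOR entry positively records the queried serial number, and otherwise returns 'inconclusive' with the reasons (including an OS install date that post-dates the alleged period), never 'no'. The sample hive entries, serial numbers and dates are constructed.

```python
# Added example, not from the original post: a tri-state answer to "has this USB
# stick ever been plugged into this machine?" built from USBSTOR registry entries.
# Input is a constructed, parsed list; key layout: Enum\USBSTOR\Disk&Ven_<v>&Prod_<p>&Rev_<r>\<serial>&<inst>.
import re
from dataclasses import dataclass
from datetime import datetime

DEVICE_KEY_RE = re.compile(r"^Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$")

@dataclass
class UsbStorEntry:
    device_key: str   # e.g. "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00"
    instance_id: str  # e.g. "4C530001231203101234&0"

def parse_entry(entry):
    """Split a USBSTOR entry into vendor/product/rev/serial; None if malformed."""
    m = DEVICE_KEY_RE.match(entry.device_key)
    if not m:
        return None
    # A device that reports no serial gets a Windows-generated instance id whose
    # second character is '&'; such an id cannot identify one specific stick.
    unique = len(entry.instance_id) > 1 and entry.instance_id[1] != "&"
    return {"vendor": m["ven"], "product": m["prod"], "rev": m["rev"],
            "serial": entry.instance_id.split("&")[0], "unique": unique}

def assess_connection(entries, serial, os_install, alleged_start):
    """Return ("yes", reasons) if an artifact records the serial, else ("inconclusive", reasons)."""
    for e in entries:
        if (p := parse_entry(e)) and p["unique"] and p["serial"] == serial:
            return "yes", [f"USBSTOR records {p['vendor']} {p['product']} serial {serial}"]
    reasons = ["no USBSTOR entry with that serial in this SYSTEM hive"]
    if os_install > alleged_start:
        reasons.append("OS installed after the alleged period began; earlier "
                       "connections would not be recorded in this hive")
    reasons.append("artifacts can be removed (wiping, registry cleaning, swapped "
                   "drive, live boot), so absence does not prove 'never'")
    return "inconclusive", reasons

# Constructed sample hive contents and OS install date (not from a real case).
SAMPLE_ENTRIES = [
    UsbStorEntry("Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00", "4C530001231203101234&0"),
    UsbStorEntry("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&2a1b3c4d&0"),  # no serial
]
SAMPLE_OS_INSTALL = datetime(2016, 9, 1)

if __name__ == "__main__":
    for s in ("4C530001231203101234", "AA1122334455"):
        verdict, why = assess_connection(SAMPLE_ENTRIES, s, SAMPLE_OS_INSTALL, datetime(2015, 1, 1))
        print(s, verdict, *why, sep="\n  ")
```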

Points to drive home:

1)  If you can’t prove it in the AFFIRMATIVE, that does not necessarily make it a NEGATIVE.

2)  If a student in the class you are taking seems to have an answer that is different than the instructor, consider both answers and test to see which is right.  They can both be wrong, both be right, or one can be right.  TEST IT YOURSELF!

ps. Yes, before taking this course, I did due diligence to make sure I was spending my money and time wisely.  Unfortunately, I should have stayed in the hotel room and watched HBO.


So…who are you voting for?


I have submitted nominations and voted every year for the Forensic 4:cast awards.  Although it may seem like a popularity contest, it actually is a popularity contest.  The more ‘popular’ someone or something is, the more votes that person or thing gets.

For those who (1) do not really know what to vote for, or (2) want to do as little research/thinking as possible, but still want to vote, here are my top contenders in this year’s Forensic 4:cast awards.  I have nominated every category.  I am only listing two for each, but at least you have an idea of what to look for when you decide to vote.

What is your nomination for Open Source Forensic Software of the Year?

Bulk Extractor http://www.forensicswiki.org/wiki/Bulk_extractor

Rekall http://www.rekall-forensic.com

What is your nomination for Digital Forensic Blog of the Year?

This Week in 4n6 https://thisweekin4n6.com/

Malware Jake https://malwarejake.blogspot.com

What is your nomination for Phone Forensic Hardware of the Year?

UFED Touch.

There is no second in my opinion…

What is your nomination for Computer Forensic Software of the Year?

X-Ways Forensics.  http://www.x-ways.net

Carbon Virtual Forensics Suite https://sumuri.com/software/carbon/

What is your nomination for Digital Forensic Book of the Year?

Windows Registry Forensics (Harlan Carvey) https://www.amazon.com/Windows-Registry-Forensics-Second-Advanced/dp/012803291X/ref=pd_sbs_14_t_0?_encoding=UTF8&psc=1&refRID=0KDHTZXWWMH0FQ29M90P

Hiding Behind the Keyboard (Brett Shavers) https://www.amazon.com/Hiding-Behind-Keyboard-Uncovering-Communication/dp/0128033401

What is your nomination for Computer Forensic Hardware of the Year?

Velocity T1000 Workstation  http://www.tritechdf.com/velocity-t1000-df-workstations.html   

Forensic Duplicator https://www.digitalintelligence.com/products/forensic_duplicator/

What is your nomination for Phone Forensic Software of the Year?

UFED http://www.cellebrite.com/Mobile-Forensics/Solutions?gclid=CJCKhfnH5tECFUlNfgodhCoEMA

MobileEdit http://www.mobiledit.com/forensic-solutions/

What is your nomination for Digital Forensic Organization of the Year?

http://www.Dfir.training  (of course!)

http://www.Aboutdfir.com  

Who is your nomination for Digital Forensic Investigator of the Year?

David Cowen https://twitter.com/HECFBlog

Heather Mahalik https://twitter.com/HeatherMahalik

The main point of this is to get you to vote.  Fill in the online form, and hit SUBMIT.  Help get your favorite nominated in each category.  And seriously, it takes 3 minutes of your time.  Don't feel obligated to vote for either of the two I selected.  These are just starting points for you to consider before thinking about other choices. I will say that I have nominated one of the above in each category and believe any choice listed is well worthy of a nomination.  The order I typed them does not indicate the choice I made.  If I spent more time on this, I could easily have picked another 10 choices for each category, because some categories have many great choices out there.

Most importantly, if you are only going to vote in one category, make it……

What is your nomination for Digital Forensic Organization of the Year?

http://www.Dfir.training  (of course!)
