DFIR Training

Digital Forensics & Incident Response
Menu
  • Home
  • Resources
    • Blogs
      • DFIR Training Blog
      • Blogger Feeds
      • Blogs list
      • Patreon Pages
    • Books
      • DFIR Book Share Challenge
      • Library
    • CTF & Forensic Test Images
    • Downloads
      • Forms, Templates, & Guides
      • Infographics & Cheat Sheets
      • Keyword Lists
      • Windows Registry
    • Jobs
    • References
      • DFIR Review
      • Threat Maps
      • White Papers
    • Social
      • Twitter lists
      • Social
    • Tool Comparisons
    • Videos
      • Podcasts & Live Streams
    • Wiki and Forums
      • Computer Forensics World
      • Forensic Focus
      • Forensic Wiki
  • Events
  • Tools
  • Artifacts
  • Social
  • About
  • Contact
Saturday, 21 April 2018 14:33

Know what you want to do before you push that button

Written by Brett Shavers

Last week, while tech editing/reviewing a chapter in a book that I believe is destined to be one of the most widely used books in digital forensics, I read a short but important point: "know what you want to do before you start" (paraphrased), along with an example that makes the point. Perhaps this simple suggestion is badly understated in forensic work.

SQLite Forensics book editors feedback: "Technically understandable and also educationally entertaining" Thanks @Brett_Shavers :) #DFIR

— Paul Sanderson (@sandersonforens) May 23, 2017

Years ago, when I started getting into "computer" forensics, information resources were slim, training was practically non-existent, and tools were few and far between, so there was little choice in what to use; looking for evidence was pretty much a fishing trip through the data. In the training courses I did attend at the beginning, the most common approach taught was to:

-Take a full image of everything

-Ingest the images into "name-your-tool", of which you had only a few choices

-Take all the data and process it, index it, sort it, extract it, view it, search it, filter it

-Find the evidence from what you processed by looking at virtually everything…

This method doesn't work today. There is too much data. The common hard drive was less than 50GB back then, but today you can rarely find a laptop with less than 500GB. Today's tools are certainly capable of processing this data far more efficiently than the tools (or the versions) of yesterday. But being able to process data faster only means you have more data to fish through in an attempt to find evidence. I don't remember the last case where I had less than 1TB of data that potentially held evidence.

Training has come a long way since then, and so have our processes. When given terabytes of data and asked to find the evidence, we no longer expect the data we examine to grow to four or ten times its size after we "process" it, because we do it better now. We are smarter than before. We ask better questions. We know more about where the evidence lives within the data. We have demanded that tool-makers develop tools that pinpoint exactly what we are looking for, quickly and efficiently. We now:

-Ask “Specifically, what is the problem?”

-Target the places where we know the evidence for that problem lives

-Use tools that are narrowly specific to what we want to do

-Follow the evidence we find (one thing points to another, etc…)

-And solve the problem (find the evidence, validate it)

I write this because I still hear requests to "find something on that computer to make this case", and each time I kindly point out that fishing for evidence on a hard drive is not only expensive in both time and money, but unproductive without first targeting the problem*.

*A problem could be finding a specific user-created document, a downloaded image, or an unauthorized access to a computer system.
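Here is what the five steps above look like when the problem is one from the footnote, a downloaded image. This is an added illustration in Python, not the author's code or any tool's: it assumes a Chromium-style browser History database whose `downloads` table stores `start_time` as a WebKit timestamp (microseconds since 1601-01-01 UTC); the table, the file paths and the three download records are constructed here as a simplified subset of that schema, so the script runs offline. The question is narrow ("was evidence.jpg downloaded, from where, when, and is the file on disk the completed download?"), the query opens the database read-only and touches only the one table that answers it, and the validation step checks the record against the file the browser claims to have written rather than trusting the row.

```python
"""Targeted triage instead of a fishing trip: one specific question, one
artifact that answers it, then validate what it says.

Added example, not the author's code. Assumes a Chromium-style History
database with a simplified `downloads` table (constructed below).
"""
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chromium History timestamps are microseconds since 1601-01-01 UTC, not Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """Convert a WebKit/Chromium timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_datetime; used here only to build the sample data."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_downloads(db_path: Path, filename: str) -> list:
    """Target step: open the evidence copy read-only and ask only the table
    that records downloads. LIKE narrows the rows; the basename check stops
    'notevidence.jpg' from matching 'evidence.jpg'."""
    conn = sqlite3.connect(db_path.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT target_path, tab_url, start_time, received_bytes, total_bytes "
            "FROM downloads WHERE target_path LIKE ? ORDER BY start_time",
            (f"%{filename}",),
        ).fetchall()
    finally:
        conn.close()
    return [
        {"target_path": Path(tp), "tab_url": url, "start_time": webkit_to_datetime(st),
         "received_bytes": rb, "total_bytes": tb}
        for tp, url, st, rb, tb in rows
        if Path(tp).name == filename
    ]


def validate_download(rec: dict) -> dict:
    """Validate step: the row is a claim, not proof. Does the file exist, did
    the transfer finish, does the size on disk agree, and what is its hash?"""
    p = rec["target_path"]
    result = {"exists": p.is_file(),
              "complete": rec["received_bytes"] == rec["total_bytes"],
              "size_matches": False, "sha256": None}
    if result["exists"]:
        result["size_matches"] = p.stat().st_size == rec["total_bytes"]
        result["sha256"] = sha256_file(p)
    return result


def answer_question(db_path: Path, filename: str) -> list:
    """Solve step: one question in, validated evidence out."""
    return [dict(rec, validation=validate_download(rec))
            for rec in find_downloads(db_path, filename)]


def build_constructed_case(workdir: Path) -> Path:
    """Constructed sample data (not a real case): one History database with
    three download rows, only one of which is the file we are asked about."""
    downloads = workdir / "Downloads"
    downloads.mkdir()
    evidence = downloads / "evidence.jpg"
    evidence.write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 1020)   # 1024-byte fake JPEG
    decoy = downloads / "notevidence.jpg"
    decoy.write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 508)       # 512-byte fake JPEG
    t0 = datetime(2018, 4, 21, 14, 33, tzinfo=timezone.utc)
    db_path = workdir / "History"
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, "
                 "tab_url TEXT, start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER)")
    conn.executemany("INSERT INTO downloads VALUES (?, ?, ?, ?, ?, ?)", [
        (1, str(decoy), "http://example.test/gallery", datetime_to_webkit(t0 - timedelta(hours=2)), 512, 512),
        (2, str(evidence), "http://example.test/share", datetime_to_webkit(t0), 1024, 1024),
        # interrupted download: the row exists, the file was never completed or written
        (3, str(downloads / "report.pdf"), "http://example.test/docs",
         datetime_to_webkit(t0 + timedelta(minutes=5)), 100, 4096),
    ])
    conn.commit()
    conn.close()
    return db_path


def run_constructed_case(filename: str = "evidence.jpg") -> list:
    """Build the constructed case in a scratch directory and answer one question."""
    with tempfile.TemporaryDirectory() as d:
        return answer_question(build_constructed_case(Path(d)), filename)


if __name__ == "__main__":
    for hit in run_constructed_case():
        print(hit["start_time"].isoformat(), hit["tab_url"], hit["target_path"], hit["validation"])
```

Run it and the one matching record prints with its UTC start time, source URL and hash. Ask the same script about report.pdf and the validation reports a download that never completed, which a keyword search over a fully indexed image would happily return as a "hit". Decoding the timestamp correctly matters as much as finding the row: read a WebKit value as Unix-epoch microseconds and the event lands 369 years in the future.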

The point of all this: before you push that button, hit enter on a command line, or even connect a write-blocker to a hard drive, first ask yourself, "What is it that I want to accomplish?" The next thing you do may either cost you weeks of work in vain or solve the problem before dinner time.


Last modified on Saturday, 21 April 2018 14:58
© 2019 Copyright | DFIR Training