There comes a time in DFIR work when any of us, or all of us, will be tempted to judge the whole world by the cases that cross our desks. Be prepared for this to happen to you, and don’t let it.
No profession is immune to having its practitioners’ perceptions bleed into their outlook on the world. For example, law enforcement officers who work a particular type of crime, such as the digital forensics end of child exploitation cases, may begin to see the world stained by that crime. Narcotics detectives go through the same thing. Practically everyone a narcotics investigator contacts (outside of law enforcement) is somehow related to the drug trade, which tends to color their world as one contaminated with drug traffickers.
In the DFIR world, working any type of case or incident will eventually lead you to believe any number of things that may or may not be accurate. If you are hired to respond to security breaches, then you will only see breaches in your line of work and may start assuming that everyone is doing it wrong. But you are only seeing the sliver of those doing defense wrong, because someone doing it right probably won’t call you…
This is because you are looking at your line of work as if you were watching a football game from behind a fence, between two slats of wood. You only see a sliver of the game and are missing out on everything else.
Do not believe that this cannot affect you, even if you “just” work civil cases. I say that not to dismiss civil cases, but to stress that everyone is susceptible to seeing a sliver of the whole and making uninformed decisions. The danger is that when you begin to believe that every case (civil, criminal, or internal) you have involves some sort of wrongdoing, you start down the path of preconceived notions that can affect your analysis and your conclusions.
The day that you pick up a hard drive, an image, or a file and automatically assume that “bad stuff” must be on it (otherwise, why would you have it?), is the day you have to sit down and reflect on the big picture, not the sliver of the whole, and get your mind back to where it belongs. Don't be a hired gun, but be a neutral, disinterested party, focused on the truth of the matter based on the evidence you found through the clues that led you there.
Easier said than done.
Here are a few things that I do to keep me focused on the facts of the case, and outright remove preconceived beliefs or notions that can creep into any case:
Assume that others have preconceived beliefs and expectations about what “should” be found in the data, and do not be affected by them.
* Plaintiffs and defendants need evidence to support their arguments, and typically believe it to be in the data that you have. You don’t need the data to do anything except to tell the story as it sits, as if encased in amber, unchanging and unmistakably clear. The data tells the story, not you.
* Listen to your client’s story, but search for the truth. Trying to prove their story may guide your work to fit their story, and the facts you find may not fit it; worse, you may subconsciously overlook facts that don’t fit the client’s story.
* Know from the beginning that you may have to give bad news to the end client (prosecutor, defense attorney, etc.), because the data may paint a completely different picture than they expected. I tell clients this upfront: whatever I find is written up as I found it, regardless of whether it is helpful or harmful to the case.
Assume that you may find no worthwhile data at all
* If you can’t find the evidence, and you looked everywhere using everything you have, it’s probably not there.
* If you didn’t find it, then that’s all you can do. Maybe you missed it, maybe it’s not there, maybe it never was. You may never know. But you know that you didn’t find it.
* Accept this from the beginning, before starting any work. You may have a ‘nothing hard drive’ as far as evidence goes. If you assumed that something must be on it, you could look for years and start finding things that aren’t evidence at all, then try to write them up as related in order to prove to yourself that something must be on the media. Either it is or it isn’t, and you won’t know until you look. Don’t assume one way or the other before you even start.
Remind yourself of the big picture
* If you live and breathe your work, your life will become your work, and everything you see will be judged by it. Look at the big picture. Not every company does bad security. Not every person is a pedophile. Not every computer has bad stuff on it. It is just that those are most of the cases that you work. The world is bigger than that.
* We tend to think that we (as in “me” or “you”) are the only people who do this stuff right. Anyone else we meet, well, they don’t know what they are doing. We believe this because when we meet others, it is usually during times of disaster, to fix things that are broken or to find the bad things that a bad person did. When you do this a lot, it feels like everyone must be incompetent or bad, when in fact most everyone is doing a good job, knows what they are doing, and is a good person. We just see the storms, not the daily grind that everyone does in their job to keep things working.
Expecting the worst, every time
* When called for a case (or whatever it is you get called to do), do you cringe because you know it is going to be bad? This is a sign of preconceived notions. Even a 1am call with a panicked person on the phone only means that there is a panicked person on the phone. You have to figure out whether there is reason for panic, and not expect the story to be exactly as it was told to you in the beginning. You are the detective (or the firefighter) who figures out the story, not someone who relies upon someone else’s version of it.
* Any call to do anything is just the first step in figuring out what happened. Regardless of what someone tells you when you don’t yet have the facts, assume nothing until you get your hands on the data. Your final product will be cleaner and more accurate that way.
Build your reputation as one who is calm with the world, with decisions based on the facts that you find
* Screaming fire when there is no fire is not the sign of a professional. Declaring that bad things happened on a computer when there are no facts to support it is just as unprofessional. Speak to the facts, and give your opinion when asked. Remember that your opinion is based on the facts and your personal experience, training, and education. Opinions based on emotion are personal beliefs without basis in fact, which means that you are going to be wrong.
* Focus on being the person who, if given electronic storage media, (1) will do your best to find the facts, (2) give the facts as they exist in the data, and (3) keep your opinions to those facts. This directly affects attribution claims, user-activity allegations, and any conclusions you draw from the facts at hand. You can’t testify to something you have no firsthand knowledge of, so keep it to what you personally know.
Remember, when the world is on fire, people want answers to fit their beliefs. Don’t fall for that.
* It is so easy to be pressured to do a quick job and find just the facts that fit the allegations (whether to prove or disprove them, depending on who hired you). Time may be short. People may be yelling. The world may feel like it is on fire, but remember, the fire drill will end, and that is when everyone who had been yelling at you to hurry will ask why you rushed and didn’t do a perfect job.
* Unless you are getting shot at or bombed, take the time necessary to do the best job that you can, knowing that the same people demanding that you do a rush job will be the same people complaining later that you did a rush job. Re-read that part again.
The point of this is a friendly reminder that if you work in a field in which serious decisions are made based solely, primarily, or even partially on your work, do a good job. Someone’s business, safety, livelihood, or liberty is at stake and you need to get it right.
Remember that you are looking at the field through a slit in a fence and not seeing the whole picture. Pull out the canvas and brush. Paint the picture using facts, and let the facts of what you found tell the story as it happened, so everyone can see it for themselves and it cannot be disputed, because the data is what the data is. Don’t make it otherwise.
This is totally an opinion piece on my part. To be honest, I think every person presenting in DFIR (or presenting on anything to anyone at any place) has different fears, or more or fewer fears, and there might be one person without any fear of presenting in front of others. I say ‘one person’ because I have not yet met that one person, and I even question the existence of such a human.
For those who haven’t presented much, or at all, or wonder what other presenters are afraid of when they are speaking, this is for you.
Everyone knows more than you
This is true. Everyone does know more than you. But you most certainly know your topic better than anyone else in the room. That is how this presenting-a-topic thing works. They are there to learn from you and the work you did to get onto that stage.
You study, research, prepare, practice, and present. Usually that means you really get to know the topic that you will be speaking on much better than anyone else in the room. So, don’t worry about this one.
Everyone will go to a more popular speaker in my time slot
It is stressful to see your name in the same time slot as someone else who you feel is going to be more popular. I feel this way all the time, even to the point that sometimes I wish I could attend the competing speaker’s talk….
In reality, your talk is most likely to be as popular as the next. We all have different needs, different expectations, and want to learn different things. Don’t worry about it.
By the way, kudos for the inspiration of this post go to:
For a speaker the presentation is the payoff after an endless drill. The interaction with the audience & the energy in the room _is the fun part_.— Hynek Schlawack @ #PyCon2019 (@hynek) May 3, 2019
I spoke to a spread-out, 1/3 full room in 2015 & it crushed me so hard I almost ended my speaking career right there. #PyCon2019 https://t.co/SNx3abod0Y
But what if you get a smaller showing? Then everyone in the room gets a more personal presentation. Engage the audience. Talk directly to each person. You can get down to brass tacks with questions and more demonstrations with a few people than you can with a big room. Give it your all as if you had 1000 in the room and you will have no regrets. I can also promise that if you give your all to a few, as you would have given to many, the few will be more than satisfied. Be the presenter that gives all, all the time, regardless of the audience or venue.
In this same vein, I was once asked to present to a small audience and came prepared for 40 people to be in the room. When I arrived, there were 500 chairs, and my first plan was to tell the 40 people to please move up front, since I expected everyone (as usually happens) to sit in the back. Surprisingly, it ended up being standing room only. Every seat was taken and people were standing in the back.
My point being:
1-plan on one person
2-prepare for a thousand
3-give it your all regardless of how many actually show up
I will do terribly and embarrass myself
I am not sure if this is my top fear, but it is a constant fear. I want to do a good job (actually, I want to always do a great job!) to make the time spent in preparing a talk worthwhile to those spending the time to hear me talk.
The little things of embarrassment, like malfunctioning equipment, or dropping a microphone, or tripping on stage are the things that you can’t control. It happens and by the way, no one cares. My feet grow two sizes larger as soon as I step on stage. I know this to be true because it feels like I am wearing clown shoes when I walk…<is this just me?>
The real thing that I worry about is getting my information correct. I want to be 100% certain that everything I say is correct. That is my worry: getting something wrong. So I prepare like a madman. One hour of presentation takes more hours of preparation than I care to admit openly. An entire workshop… that is a whole lot of preparation time to make sure everything is good to go, without having to spot-check during the presentation whether I did something right or not.
My background is not like yours. Yours is not like someone else’s. The recommendations that I have may or may not fit your needs, but I believe there are some things you can do to make every presentation you give in the future the best that you can do.
1-Take a course on presentations, teaching, or instructing
2-Double check everything you will be talking about one time more than you think you need
3-Go over your presentation one time more than you think you need
Of these, I found that being taught how to teach has been the most effective in giving presentations. It is one thing to know the material, but it is quite another to deliver it effectively. Let me date myself…..
In 1988, I attended a Marine Corps instructor course, and on the first day, the instructor (a Gunny) said, “In every presentation, watch me in how I teach you how to teach others.” That course blew me away in how to give instruction, and every rule, every tip, and every method applies to every presentation that I have given since. I took another USMC instructor course after that as well. Same goodness in the second course.
Years later, I attended an Army instructor course. Not bad. Reinforced what I previously knew, but gained a few new tips. Worth the time.
Years later, I took more than two dozen law enforcement instructor courses. Some were specific to a topic (like firearms instructor, etc..) and some were simply instructor courses, on how to teach.
Out of all of these, the most helpful training courses have been the purely simple courses of the “How to teach” or “How to present” or “How to instruct” type. There are so many nuances in effective instruction that make an extreme difference in a presentation that you can improve upon every presentation you do without much effort at all.
So if you have a dozen fears, taking a course on how to present will reduce that dozen to three. These are the three that I just can’t get rid of, mostly because if I have no fear whatsoever, that means that I am not going to improve and not going to give my best. I need these three fears to stick around.
There is this one thing about speaking in public, but it's a small thing you shouldn't worry about...puking in dfir...
I cannot overstate the benefit that everyone, and I mean everyone, receives with DFIR Review. That includes YOU, whether you submit research to DFIR Review, or if you read research published on DFIR Review, or if you need to cite research on DFIR Review.
Refresher on DFIR Review
This is a merge of the traditional “academic peer review system” and “blogging your research”. In short, we have taken the benefits of academic peer review and the benefits of DFIR blogging to create a simple and fast way to have your work peer reviewed.
Academic peer review is important and should be considered for most research, as the work is reviewed by academics. But it takes a long time and is typically used for longer research projects.
DFIR blogging is also important and should be considered for most research, as it is quick to publish and instantly available for others to use. But it is not formally peer-reviewed and not immutable, as it may change or disappear after you have cited it or used the information.
DFIR Review merges both the speed of blogging and the credibility of peer review. Here are the benefits, depending on which position you are taking.
Researcher (aka DFIR blogger)
You are doing the research and writing about it. You spend time and money to figure something out, write about it, edit the writing, re-write your work, and publish it on your blog for all to use and learn from. That is very cool of you to share!
Your benefit in DFIR Review is that all your work gets validated by a team of DFIR reviewers. The team is not there to knock down your work, but to help get it validated and pushed out to the world with a stamp of community approval. As a personal benefit, you get your name stamped indelibly on your work.
Furthermore, as a researcher, you can jump off from someone else’s DFIR Review’s validation and expand the research using other peer-reviewed work.
Practitioners (aka, those doing the work)
You typically, if not always, come across undocumented or poorly documented research on an artifact or topic. Relying upon unvalidated, non-peer-reviewed, or otherwise poorly documented research means that you simply must start from scratch. Without re-doing the research completely, simply citing a blog post in a legal document (affidavit, complaint, statement) is not going to hold much weight.
Your benefit is that when you see "DFIR REVIEW-DFRWS" on a peer-reviewed blog post that you wish to reference or cite, you are 100x ahead of the game. By citing peer-reviewed research to bolster your own findings as valid, your work’s credibility carries more weight.
Authors (of the DFIR books)
Oh so much better to reference peer-reviewed research than a blog post. Personally, the number one reason (other than the research being validated via peer-review), is that the “blog post” is now permanent! Too many books reference URLs that disappear in the night, which can totally ruin an entire paragraph or chapter when the author moves the page, or the website disappears. Not with DFIR Review! The point is to preserve that which has been peer-reviewed.
Your benefit is that your sources of validated references have increased with up-to-the-minute, latest research, beyond the years-old research of traditional peer-reviewed papers.
Students (aka, those learning in school but not yet practiced)
Your benefit is that before you even hit the streets to grab real-world data, your innovative research can be peer-reviewed before you graduate. There are few better ways to bolster a resume or CV than to graduate from a college program having already created peer-reviewed DFIR research that is being used in the real world.
Is it worth the time?
In short, yes. No question.
Longer answer; you are doing the research already. You are sharing your work already. People are citing your efforts (sometimes even stealing credit…) already. You stand to gain everything by simply submitting that which you already wrote to DFIR Review that you believe should be peer reviewed. It’s free. It encapsulates your work with your name on it. And you get the cred that you deserve.
Your next steps
Take a look at what has already been put out with DFIR Review. Have you blogged your research in the past? Consider submitting it! Do you see someone else’s research that should be submitted to DFIR Review? Let them know, or let the DFIR Review board know and someone will contact the researcher.
Especially if you are using someone else’s research (blog posts) and you wish to cite with full references in your work (legal or academic), wouldn’t it be nice if those references were given some street cred by being peer reviewed by DFIR Practitioners and DFIR Academics? You can easily help by nudging some cool research you find in a blog toward DFIR Review. That’s pretty cool.
Every now and then (actually, more often than not), I come across a short statement or question on Twitter that packs more punch on second glance than you would first think about.
Justin Boncaldo tweeted yesterday, “What is your favourite way to start an analysis? Mine is with the registry!”
What is your favourite way to start an analysis? Mine is with the registry!— Justin Boncaldo (@BoncaldoJ) April 4, 2019
This is an important question to ask, because if you start down the wrong path of an analysis, the best result is that you realize the wrong start, re-start, and accomplish the analysis objective. The worst result is never finding out, and not coming to a reasonable conclusion, or any conclusion, or coming to a wrong conclusion.
Everyone has their own way of doing things, even in the DFIR world. As long as the commonly accepted methods and processes are followed, we are each free to choose the path that best suits our personalities and skill levels if the path solves our case objectives. Usually, when starting out in a new field, we tend to want to know exactly what to do, step-by-step, because we don’t have the experience to make slight deviations from one task to the next. Normal and expected, and I mean expected in that it should be this way rather than 'winging it' without having any experience to back it up.
Experience* typically gives us the ability to make quicker and better decisions. This applies to any job. A new police detective goes through the same process of learning as does a new forensic analyst. When I first became a detective, I typed a series of lists and steps of how to work a case, from start to finish. Things like: Who to call. The order of the reports in a case jacket. Who gets a copy of the case. Which judges to call for a search warrant. And so forth.
Everything was in a list because I didn’t have the experience to do it any other way. My cases were really small-time in the beginning and took a long time to wrap up each one of them. Experience allowed me to really work the cases by being able to deviate from ‘lists’ as dictated by what happened dynamically in the investigations. Eventually I could work a case at any level, from buying a quarter gram of crack at the local crack house to ordering a shipping container of drugs from an international crime ring.
The key that I learned in working criminal cases, whether it was a stolen bike report or a homicide, is that before starting the case work, ask questions.
In the DFIR world, this is really important because the amount of data that is generally in front of you can be a career maker (or career killer) in that you could spend an entire career looking at it and never reach your goal, or you may be able to solve it in mere minutes.
Simply, the questions that I ask in every forensic endeavor are the same, and I need the answers before I can make a reasonable start on a plan.
Here are the questions, and my reasons for asking them:
What is the OS?
This is the first question because the rest of the questions hinge on the type of OS. Windows is different from Linux. An encrypted volume is different from an unencrypted one. An iPad is different from a laptop. Knowing what the OS (and device) is automatically puts my mind in the mode of thinking about where data is stored on the device, how it is stored, and the kind of data that is stored. As an example, I like the Windows registry a lot because of the goldmine of evidence in it, but if the evidence container is a Linux box, the registry is out of my mind and I can think about Linux-related artifacts.
The OS/device also blends right into the tools that I start planning on using. Yes, I have a favorite tool or two, but my favorite tool for a Windows box is different than my favorite tool for a Mac.
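As an added example (code written for this edit, not from the original post or any tool it mentions), here is a small triage helper that answers the “What is the OS?” question from a mounted image’s root directory by checking for well-known marker files (the Windows SYSTEM and SOFTWARE hives, the macOS SystemVersion.plist, Linux etc/os-release and etc/fstab) and, for Linux, pulling the PRETTY_NAME string. It assumes the image has already been mounted or extracted read-only at some path; the sample image trees it builds in a temporary directory are constructed for the demonstration and are not real evidence.

```python
import tempfile
from pathlib import Path

# Marker paths, relative to the mounted image root, that identify the OS that
# wrote the filesystem. Checked in order; the first hit wins, so the specific
# Windows and macOS markers come before the generic Linux ones.
OS_MARKERS = [
    ("Windows", ["Windows/System32/config/SYSTEM",
                 "Windows/System32/config/SOFTWARE"]),
    ("macOS", ["System/Library/CoreServices/SystemVersion.plist"]),
    ("Linux", ["etc/os-release", "etc/fstab"]),
]


def _match(root):
    """Return (os_name, marker_path) for the first marker found, else ('unknown', '')."""
    root = Path(root)
    for name, markers in OS_MARKERS:
        for m in markers:
            if (root / m).exists():
                return name, m
    return "unknown", ""


def detect_os(root):
    """Return 'Windows', 'macOS', 'Linux' or 'unknown' for a mounted image root."""
    return _match(root)[0]


def os_details(root):
    """Return (os_name, detail).

    For Linux the detail is PRETTY_NAME from etc/os-release, which is cheap to
    read as text. For Windows and macOS the detail is the marker path that was
    found; version extraction from the SYSTEM hive or the plist is left to the
    forensic tool chosen once the OS is known.
    """
    kind, marker = _match(root)
    if kind == "Linux":
        rel = Path(root) / "etc/os-release"
        if rel.exists():
            for line in rel.read_text(errors="replace").splitlines():
                if line.startswith("PRETTY_NAME="):
                    return kind, line.split("=", 1)[1].strip().strip('"')
        return kind, "unknown distribution"
    return kind, marker


def make_sample_image(base, kind):
    """Build a constructed, minimal directory tree that looks like an image root."""
    base = Path(base)
    if kind == "Windows":
        p = base / "Windows/System32/config"
        p.mkdir(parents=True)
        (p / "SYSTEM").write_bytes(b"regf")  # hive signature only; constructed
    elif kind == "Linux":
        p = base / "etc"
        p.mkdir(parents=True)
        (p / "os-release").write_text('NAME="Ubuntu"\nPRETTY_NAME="Ubuntu 22.04.3 LTS"\n')
    elif kind == "macOS":
        p = base / "System/Library/CoreServices"
        p.mkdir(parents=True)
        (p / "SystemVersion.plist").write_text("<plist/>")  # placeholder; constructed
    return base


def triage_samples():
    """Create one constructed sample image per OS plus an empty one and classify each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for kind in ("Windows", "Linux", "macOS", "empty"):
            root = Path(tmp) / kind
            root.mkdir()
            if kind != "empty":
                make_sample_image(root, kind)
            results[kind] = os_details(root)
    return results


if __name__ == "__main__":
    for kind, (detected, detail) in triage_samples().items():
        print(f"{kind:8s} -> {detected:8s} {detail}")
```

On a real case, call os_details("/mnt/evidence") with your own (hypothetical here) read-only mount point. First-match ordering matters: a macOS volume can carry Unix-style files under etc/, so its marker is checked before the Linux ones, and a dual-boot disk should be triaged per partition rather than per disk. An “unknown” result is itself an answer worth writing down, since it usually means encryption, an unusual device, or an image that was not mounted where you think it was.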
What is the case?
I have been handed machines and been asked to ‘find the evidence’ without knowing what the case was, or at least the details of the case. I need to know the details, otherwise I promise that I will miss evidence, so I ask and hope that I get answers to the questions that I ask.
By knowing the case details, I can start some assumptions on what may have happened on the device, and the types of artifacts related to this specific type of case, which blends into the types of tools that I may need to get started.
What is the case objective?
This is a big question, because my case objective may or may not be the same as the end client’s. The end client can be a prosecutor in a criminal case, an attorney in a civil case, or a manager in an internal case. The client, which is the person you are to provide answers to, has an objective to meet. I need to know the objective in order to meet it. So I ask, “What do you need out of this analysis?” This is not the same as asking “Do you need me to make sure this person is innocent or guilty?”, but rather, “What exactly do you need to solve this case?”
There are times when I feel that the client may have the wrong objectives, but that doesn’t mean that I go rogue and do what I feel is needed. It does mean that I give my opinion and still let the client decide, because the client probably knows best what is needed for their case. I am not saying that the client determines how you do an analysis, but that the client knows what they need in order to answer the questions they have been asked. I try to be on the same page with the client so that the best work is presented to the end audience. Communication is important!
What is the time (and money) allotted?
Like it or not, time and money affect every analysis, whether you are in the public or private sector. Time and money depend upon how important the analysis is to your client. A “small” case where maybe $100 was stolen may be important enough to spend all resources on if the $100 was stolen from an ultra-secure facility responsible for national security. The ‘how did this happen’ may be the most important objective, not the actual $100. Importance is determined by your client (again, the client is whoever is asking you to do the analysis).
Knowing a ballpark figure of how much time I have to work a case determines how deep I go with an analysis, and how fast the analysis goes as well. This also blends right into the types of tools, the specific processes and methods to choose, and which areas to focus on while bypassing others for lack of time. Lack of time can be due to a lack of resources (money, for one) or to time sensitivity (like a missing child).
In most cases, I ask these questions more than once during the analysis because of what I find (or don’t find) in the analysis. Sometimes the objective can be found early in the analysis and other times it may take longer. Some evidence that I find may even change the objective, such as identifying a more serious allegation/crime.
Your questions will be different from mine and that is okay. But you can use mine if you like.
*I inserted "typically" because sometimes, some people refuse to learn from experience, which is defined as both learning from mistakes and learning from doing things right.
For those in the DF/IR world who started in this business way back when (or maybe you were part of the crowd who actually started this business), you'll know exactly what I mean when I say...
"That which was impossible yesterday, is possible today."
What I mean is that the tools of yesterday were great at the time, but today, not so much, or actually not at all. I remember the first time that I carved out images (pictures) from an image (as in disk image) using DOS software. I was amazed. Then I was running around the entire City Hall finding any floppy disk lying around to practice magic. Word documents! Spreadsheets! I WAS ON TOP OF THE WORLD! Oh yeah, the stuff I found on those 'formatted' floppies was really neat too.....
There were a lot of impossibilities back then, or at least things that just weren't done. Volatile memory? Nope. Cell phones? Nope (tbh, the early phones wouldn't have anything on them anyway...). Encryption? Forget about it. How about the Windows registry? Nope. Not much work done in there either.
Today is different. Way different.
We have more forensic software and hardware than any one person could ever hope to use or see in a career. Not only that, but there are outstanding practitioners writing outstanding software. Any of these tools would have saved me so much time years ago, but that is how it works.
Commercial tools are no different. Exams that took weeks just to process data now take only days or hours, and that is with datasets 10x the size! So, yesterday's impossibilities are possible today. I would love to go back in time to re-do some of my exams using today's tools, because I would find more relevant evidence, faster.
Don't get me started on hardware. One of the reviews/comparisons I will be doing will be on a new hardware device. Oh my. I can't wait.
Tomorrow is different.
Here is the flip side. What is possible today may not be possible tomorrow. I mean that there are things that we do today that we may not be able to do in the future. What are these 'things'? I don't know, but I know that as technology changes, some things in DF/IR become easier, and some things become harder, if not outright impossible or impractical. Whether that will be due to devices, operating systems, encryption, or something else is unknown. One thing that is for sure is that as we have entered this world of practitioners building tools, we are on the cusp of keeping up with the tasks we need to do. From determining guilt to tracking criminals to defensive ops, we have gotten better and continue to do so.
The main point
When something doesn't work. When you realize that the 'old way' does not work anymore. When you want to complain about what is broken. The solution is not to complain. The solution is to state the obvious as a positive and move forward. We should have imaged RAM from the beginning, but we didn't know how or realize the importance. Now we do. We moved on. So the next time you find something that needs improvement, simply state:
"Hey, we've been doing it the best way that we knew how, but I think it is time to figure out how to do it better. I have some ideas to test."
And then we share. That's the main point.
Over the past year, many articles, blogs, and actual news stories have talked about the extreme shortage of “cyber” applicants. Yes, I said the word “cyber”, and I am using that term to encompass everything in information security (the DF and the IR and the infosec).
Lately, many blogs have been talking about the shortage not actually existing, and that it is the fault of hiring departments not hiring the available pool of applicants.
There is the split in the road, and as far as I am concerned, I agree that the pool of qualified applicants is WWWAAAAYYYYY larger than the available jobs. This goes directly against all the talk that we have a shortage. Looking at it from both perspectives, each side (the HR side and the ‘looking for a job’ side) sees a shortage on the other side. In reality, I believe the shortage is manufactured, for several reasons that can be fixed in 30 minutes, because that's how long it takes to type and upload revised job requirements.
Here is the most glaring and talked about issue:
Within this issue, there are many smaller, but just as important, issues. One is advertising a job with requirements that don’t actually match the job being advertised. Some that I have seen are so mismatched that it would be like a café advertising for a barista but posting the requirements of a truck mechanic, and a repair shop posting the requirements of a barista. When this happens, the barista job doesn’t get filled, the truck mechanic doesn’t get a job, and the repair shop is short a mechanic.
That’s really what it’s all about, for at least 95% of hiring problems in not being able to find a suitable applicant.
But I want to get a little deeper into this issue. When a job requires the world (degree, competence, and experience), this appears to be either a clear attempt to thin the herd in order to cut down on the number of applications to review, or an unfortunate misunderstanding of reality. By the time someone has a degree specific to ‘cyber’, experience to back the degree, and competence gained by experience, that someone is either running their own business or is at a place they will never leave. To narrow this even further, many of the most highly competent and most experienced cyber folks don’t even have a degree, or if they do, it is nothing related to cyber. Mainly it is because they practically invented the field, mold the field, and teach the field.
This leaves a very small number of folks who can meet this unworldly criteria of competence, experience, and education. I want to get a little deeper into each of these for a bit, and I’ll get into my opinion on what you can do to get hired and what you can do to find these great folks.
As I mentioned, many don’t have cyber degrees, or any degrees, but are competent and experienced. When a degree is required, this means the ‘student’ is not going to have much in the way of experience or competence. Sure, there is some practice with a software tool in a class, and maybe exposure to case studies of some sort, but if you rely solely on a degree, expect that you are basically getting a paid intern for a year or two while they get the experience on the way to gaining competence.
HR Tip: Consider a college degree in “cyber” as a bonus or a tie breaker when all else is equal. Making it a requirement means you will not have access to all the best applicants.
Getting hired tip: If the job requires a degree….get the degree. If you want a federal job as an example, you will probably need a degree in practically anything. They don’t really care as long as you have a degree in something. Brett’s advice: be competent too. Don’t go in with just a degree, but really learn your stuff because I want you to stand out like a sore thumb of handling business when you get hired.
This is a tough one if you are looking for easily validated experience. Easily as in, getting an internship that can validate that you have experience. In this field, trying to get experience on your own can be risky. For example, “ethical hacking” can turn into criminal charges if you go outside the law, even accidentally. This is a tough one. Even if you wanted to volunteer for free, the legalities and non-disclosure agreements that companies have are problematic when considering that unpaid interns will see confidential data. The requirement to be experienced with specific software/hardware is also a deal-killer for many. The use of any DFIR tool is many times a personal choice or mandated through an employer.
HR Tip: If you have someone pounding on your door, with all the tell-tale signs of being one of the hardest workers on the planet, but they have no experience, open the door. Open the darn door to at least talk to the person. I promise that one of these folks will rock your company and be a star. On the tool requirement….you don’t want someone that can run a specific tool. You want someone who can run any tool.
Getting hired tip: Pound on doors. Keep pounding on the doors. You have to find that one HR person who will take a chance on you because of your tenacity, your positivity, and your promises of being ‘the one’. Brett’s advice: this sucks as a way to get hired because you will get 99% rejections. But if you can stick it out for that 1%, you just found exactly what you need. And so did that company.
Education helps. Experience helps. And self-learning helps. Each of these helps in a different way, and it depends on your learning style. Do not think that you need education to be competent, or that you need experience to be competent, or that you need to only self-learn to be competent. You should know by now the best way you learn. If you don’t, then sit down and think about it. What did you learn recently and how did you learn it? Did someone teach you? Did someone tell you to figure it out? Or did you bear down and figure it out yourself? Whichever works for you, do it. What works for me probably doesn’t work for you. Or maybe if you are lucky, you can learn with practically any method (which means you are lucky and I am a bit jealous…).
HR hiring tip: Competence is difficult, if not impossible, to judge on an application, so stop putting it in there because some of the things you want competence in are not required for the job you are advertising!
Getting hired tip: Get competent. Do it the way that you do it the best. If the hiring manager requires competence in something, whether or not the job needs it, you may just have to learn something that you won’t need to do, but need to get hired. Sucks, but until hiring managers figure it out, if you want that job, you’ll have to pound on the door to convince otherwise, or you have to have what they want.
Ok, here’s a personal story on how messed up this was for me.
I was once ‘recruited’ to apply for a cyber job and given the job description. I applied and got an interview, but when I started the interview process, it took me about 15 minutes to realize that I was interviewing for a different job than what I had been recruited for.
But I went through it anyway. I was incompetent in some of the things needed, as in totally incompetent because I had never done that work before! Then, as I started figuring out what the job actually was, it was a job that I didn’t even want to do.
End result was that the entire process was a cluster. I turned down the job before they had a chance to either offer it to me or turn me down. I was a bit disappointed because I actually wanted the job that I had been asked to interview for. I have heard of this happening to one other person, so I imagine this is not unique to me and one other person.
If you have been keeping up with online conversations about DFIR research being peer-reviewed outside the academic review process, then this post is for you because…
What is DFIR Review?
Short version: Your DFIR research can be peer-reviewed in less than a month, published as peer-reviewed by a committee, you get the credit for your effort, the community shares (and grows with) your work, and you are encouraged to further develop your research as you see fit.
Longer version: Back in June of last year, I posted an idea of peer-reviewing DFIR bloggers’ research. The idea evolved through several additional posts (and response posts from others) until finally reaching today’s jump-off of DFIR Review. There has been lots of effort, lots of online conversations, and lots of coordination to get this off the ground. Joshua James posted "DFIR already has Rapid Peer Review - we can do better" as part of this process.
Although Jessica Hyde has been instrumental in moving this effort forward, every person named on the list below has publicly put their name on this project to support it in one way or another. I certainly have not been the first to talk about this since the topic has been around for some time.
In my opinion, this idea is well past needed. The current peer review process is fine for its purpose, but I have always felt that the traditional method of writing up an idea or research in a blog or document to be uploaded to a website does not serve its author or the community as well as a peer review system that addresses these kinds of research.
Basically, uploading a PDF or writing a blog post on your great research only goes so far. But if you allow it to be stamped as “peer-reviewed”, you and the community gain so much more from your work. From my post on The Dearth of Documentation in DFIR, a visual that I made to show the value of social media posts (like Twitter) compared to a blog post illustrates the need for something that lasts longer on the Internet. Books and journals can be effective and easily found for 10 years or more, with blog posts lasting about 2 years… social media posts are measured in minutes.
DFIR Review takes your research that you want to share from lasting minutes to lasting years. The effect of this is that your work will spur, inspire, and support the research of others well beyond the work you initially did. This means you can affect the community more directly, substantially, and for some time to come.
Show me the money!
In short. There is none. None for you. None for the volunteers. None for anyone. At one point, I had been communicating with some about the commercial aspect of DFIR Review. My point is that there is no aspect of commercialization, and I posted more details about it in Getting Your Blog Post Officially DFIR Peer Reviewed – An Update. The peer reviewed papers are not going to be behind a paywall.
What you won’t get
I put out a bit about the benefits you can get with a peer review with The Rapid Peer Review, and in that post, I state the things you won’t get. This is what you won’t get:
* You won't get a certificate.
* You won't get more initials after your name.
* You won't get a coin.
The intention is simply to be a bridge between a blog post and a scientific journal.
Are you still against peer review?
I only ask because a few people, in heated private exchanges I had, felt that adding yet-another-thing to DFIR documentation and research is unnecessary. So I wrote a few points with If Peer Review is so Important, Why Doesn’t Everyone Do it? I wrote that we do research correctly, but we don’t follow through enough with the publication and immutability of our work. There are reasons for this, mostly due to the extra time involved to get formally published in a journal or book. DFIR Review bridges that gap.
I illustrated the time problem of formal publishing in the post Publish your #DFIR research! The example I gave compared a paper (a PDF….) that I wrote on virtualization forensics and a book written on the same topic by someone else. As soon as I finished writing the paper, it was online at www.forensicfocus.com in a matter of days, whereas the book took 2 years to be in print (the book even referenced my paper....). My point is that between the time my paper was put online and the time that the book came out, I am assuming some examiners were able to benefit from my paper during that time, when they weren’t able to benefit from a book to be published years later.
How difficult is this going to be for you?
It is not difficult at all. I expect some things to pop up that will slow the process down a little, but nothing that will not be solved in a day. For the researcher, all you have to do is submit your work. That’s it. You won’t even have time to forget that you submitted it before the peer review is done. Then, what you choose to do with your research is up to you.
As for me, I support you submitting it to a journal, or finessing it into a book, and researching more. Get your work in the hands of the community while at the same time getting credit for your work. This is not about ego, but about getting great research out in the public, with your name on it. That’s pretty cool.
As for the tweet that started all of this, at least for me.....
In host forensics more than any other evidence realm I struggle with the lack of solid authoritative sources. At least on the network side there are RFCs.— Chris Sanders (@chrissanders88) June 7, 2018
This is a place where the OS vendors should lead. The best information we have shouldn’t be scattered amongst blogs.
An interesting Twitter thread popped up on forensic imaging. Good points were made on whether or not to create full disk images, sparse images, or even to image at all.
There are so many factors to consider in such a decision, that I believe it unreasonable to have a simple catch-all solution. Civil vs criminal case. Legal authority. Resources and time available. Type of case. Type of system. Amount of data. Number of systems. And other unforeseen situations.
But I believe that quite simply, if legal authority exists, and resources are available, why not create full disk images? To clarify, "available resources" means that you have the time, the tools, the staff, the storage, the funding, and the capability to do it. You can obviously choose not to image or create full disk images even though you have available resources, but if you can, why not? It's better to grab as much (all) that you can and filter out the garbage later, than it is to hope you got what you needed on a sparse collection.
I understand that some cases may involve hundreds or even thousands of machines. I understand that some DF/IR organizations (public or private) may not have the physical resources to do such massive data collections. I also understand that some cases have priority over other cases.
However, I believe that my take on imaging is solid as it rests upon available time and resources. If a DF unit has the capability to image a thousand computer drives and do the analysis, then why wouldn’t they if they have legal cause and authority to do so? This is an extreme example, but the math works out. If you have the time and resources to do a complete job, then there is no reason to not do a complete job.
On to triage.
Triage is great for two big reasons:
#1 – is there evidence that I can find right now that justifies seizing this system, and/or
#2 – how important is this system in the grand scheme of priority examinations.
Triage is not a replacement for imaging. It is to give you guidance on priority of analysis and whether you need to collect at all. Even then, triage only gives you guidance to make a decision, since triage may not reach into an area of evidence that you needed to make a fully informed decision. It’s a best guess, but it works pretty well in prioritizing cases.
In my experience, I have examined images from years prior to find evidence that was unknown at the time of seizure, and was overlooked by prior examinations. Not due to skill level, but due to new information coming to light later in the cases. I think this holds true across the board. You don’t know what you don’t know, so if you can image it all, why not? Creating full disk images does not mean you must do a complete forensic exam, but you have the option if you need it. Incomplete images mean that you will never be able to do a complete forensic exam to find either inculpatory or exculpatory evidence. I have not heard of the defense yet, but I will not be surprised to hear about a case where the defendant swears that there was exculpatory evidence on the drive that was not completely imaged, and the original system no longer exists.
I would dread being asked in court, "You said you had the opportunity to create a full disk image. You had the resources. You had the time. Yet you didn't. Why didn't you image the complete drive?"
Back to the time and resources
Given that you have time , and you have the resources and legal authority to image everything, I personally believe that you should. You can still triage during the imaging process or even triage afterward. You don't need to do a complete exam on everything, but you can if you need.
And I understand reasons why not to image or only take sparse data, simply because that is not the investigative model for the specific task at hand, like when you have 20,000 nodes and 100,000 virtual machines, and ‘I have no idea how many physical machines we have’ and ‘I just need pst files’ sorts of scenarios.
But I am talking about exploitation, missing persons, homicide, and some civil case matters. If you can seize it all, why not? I would compare this to serving a search warrant on a large house. You could “triage the house” by walking through it quickly while looking for evidence on the kitchen table and living room, but not by looking in the dresser drawers or under the bed. Or, you can go through everything. Or do both. Certainly, if the search warrant is a serious case, simply walking through the house isn’t going to cut it. You need to throw on some gloves and start digging through everything.
I am also aware of great research being done in the area of "sifting data", "sparse collections", "targeted collections" and so forth. Each of these is an "incomplete" collection no matter how you look at it, but each surely has its place. One paper that I read states:
"In general, only a small portion of the data on a disk has any relevance or impact on forensic analysis. The vast majority of sectors and files contain data irrelevant to most investigations; in fact, many sectors are either blank or contain data that is found verbatim on numerous other systems (e.g., operating system and application components). Fig. 1 depicts various categories of data present on a typical disk. For some investigations, executable files may be of interest. For others, browser artifacts are of primary interest. Blank space is virtually never of use. The rest of the data, beyond what is deemed relevant to a case, and which constitutes the vast majority of the collection, could actually be replaced by random noise without affecting the forensic analysis." - Rapid forensic imaging of large disks with sifting collectors
The problem with this theory of capturing the high value data is that you don't know which is the high value data. I've never returned to a house after a search warrant and asked, "May I search your home again? I neglected to check your basement the first time."
So….if you have the time, the resources, and the legal authority to create complete images, why not?
A few more points (thanks PM!): if you can seize the entire media, you can always go back to it later at some point if needed without creating an image at all (put it in evidence, pull it out when ready to image/examine). In civil litigation cases, you don’t usually have that luxury. Most times it is (1) arrive onsite, (2) collect data, and (3) leave without the original media. By the time there is a concern to go back to the original media, the media either no longer exists or has been modified to the extent of being irrelevant. Ironically, civil case matters many times only allow for targeted data collection.
My point is that “if” you can, you “should”. With the “if” being time & resources available and legal authority.
Patreon allows anyone to create a personal webpage, create and post content to the page, and charge visitors (patrons) to access the content. That’s all there is to it.
Patreon is one of the first of these types of platforms to take a foothold in this space, and is still working through growing pains. But, all in all, it works as advertised. The vast majority of content on Patreon is not computer related. Of that which is computer related, even less is DF/IR related. But it is there; I have seen more DFIR pages being created and expect more to be created. You could be next to create your own Patreon page!
Of course, I’m talking about Patreon because DFIR Training has its own Patreon page where I am creating content, giving access to courses, podcasting, and blogging exclusively for members. But just as important, I want to bring Patreon to your attention for several more reasons:
Here’s the thing on training, books, references, resources, and even how time works: nothing is truly free, and even those who give everything freely eventually cannot continue at some point. Platforms like Patreon help DFIR content creators and software developers further their efforts. Actually, they help creators develop faster, like spraying nitrous oxide into an engine. As an example, Github (or any platform providing free storage for free software) is a wonderful resource of open source tools, but you will find that so many tools are started but eventually abandoned. This is not because the tool failed, but because the time and effort needed to sustain development cannot continue without eating away at other aspects of life.
There's a neat story that I like to tell in order to make a point about supporting DFIR tool/content developers. A small software tool was developed years ago and the developer was giving it away as freeware while asking for donations. I donated and emailed the developer that I thought his tool was really neat. I donated because I really liked the tool and hoped it would be developed further. Ten years later (probably a little less?), that small free tool evolved to become a major contender in the forensic software industry. I had maybe a .000001% impact on its development with my donation and verbal support, but I surely feel good that I helped it even a little.
I will say that there are a few free small forensics tools available today that, if the developers tweaked their goals just a little, could end up in the same boat of running neck and neck with the big-name forensic software companies in a few years. Unless they eventually give up development because the time required becomes too much to keep giving it away. This hurts the community and our forward momentum.
On the DFIR Training Patreon list, I selected several DFIR related Patreon accounts as potentially good DFIR references. You will recognize some of the accounts right away. Phill Moore, Eric Zimmerman, and other respected members of the DFIR field have created Patreon pages. Consider supporting those who you wish to continue in their efforts of supporting the field with what you can, when you can.
Another point on free DFIR stuff. Everyone can access the free stuff, but not everyone chooses or has the opportunity to access the non-free (especially the expensive!) stuff, like training and software. This is an unfortunate fact in any industry, in that ‘things’ cost money, and to access certain ‘things’, you have to pay for access and use, such as licensing fees. I see Patreon offering a sliver of hope of not going broke for some cool DFIR content, as much of it is still free on Patreon. Eric Zimmerman’s tools are a primary example of the awesomeness you can get for free, and support directly with what you can, when you can. Patrick Wardle is yet another with amazing tools that he gives away and at the same time, is supported on his Patreon page. Pretty cool.
As to the DFIR Training Patreon page, I plan on stuffing it with exclusive content for the members and ask that you check it out. You just might find some cool stuff :)
Here is something I do. I make it a point to write down something that I learned each month. No, I don’t sit and think about what I learned, then write a poem about it. When I learn something that impacts what I do in DFIR, I write it down as soon as I “learned” it. By learning, I mean either I figured it out through research, or watched it in a video, or a class, or a blog. This happens several times a month…but I want to have at least one thing that I learned per month.
At the end of a year, I can look at the major things I learned and put an importance on each newly learned thing by simply writing a few words about it. From this, I personally share with or teach others. I call these the “neat things”.
I know that you also learn something new every month (day?) too. We pretty much all do. But the suggestion I have for you is to jot a note down for the big ones that make you stop and think. There are a lot of fairly innocuous things we learn all the time, but sometimes, we learn something really neat that impacts what we do more than anything else.
By “impact”, I refer to those neat things that may save me time, or give me a new skill, or plainly teach me something so cool that I can’t wait to tell someone. Your “neat things” will be different from mine, and that is the way it is supposed to work. I admit that sometimes I come across something that is neat to me, and when I tell someone else, they already knew about it ☹. Still, new to me is a personal improvement that I can make.
I keep this in mind all the time I am at a digital device, and surely, you do too. You type, click, type, click, and during the typing and clicking, you learn something about an artifact or how a tool works or some way to do something a little more efficiently. We do this and improve individually, but what we don’t do is stop and realize just how much we are learning. Note-taking helps me reflect that (#1) I am constantly learning, and (#2) I should be sharing what I learned in case someone else doesn’t know. It is also personal proof that I am not stagnant in keeping my skills up to date.
Here is something to be aware of if you meet me somewhere. If something comes up that I know about (and am excited about), and you have not heard about it, I’m going to fill you in on it. If it is a piece of software that I found to be awesome and you haven’t tried it yet, guess what we will be talking about for the next 10 minutes….
A lot of what I have learned is also probably the way you learned too: Through mistakes and errors.
But that’s okay too. Any of my mistakes are burned into my cranial cavity enough to remind me for a long time. Plus, I tend to talk about how I royally screwed something up only to come out of it a better person. Basically, I tell people, “Guess what? I touched a hot stove and it was hot.” That is not as embarrassing as saying that I keep touching a hot stove and haven’t learned from it. Bottom line is that making mistakes and recognizing the mistakes is good for growth and improvement. Hiding mistakes (or worse, denying ever making mistakes!) stunts growth.
The DFIR Training website
I'll also admit that I am learning and re-learning so many neat things with the DFIR Training website. It takes time to manage, but my personal benefit is entering 1,400 different software applications, reading dozens and dozens of white papers, and now going through one forensic artifact at a time. My motivation is both selfish (I want to learn!) and altruistic (I want you to learn too!). Here is where I am finding the biggest learning experience with DFIR Training: the forensic artifact database. Although it is new and has a lot more to go before being the go-to artifact database, it is incredible what you can learn by going over an artifact while curating white papers, tools, references, and videos about each artifact. So cool to do, and I hope it is cool to you too.
I suspect the forensic artifact database will easily reach over 1,000 artifacts in time. Given over 1,000 DFIR tools and soon enough over 1,000 forensic artifacts, all cross referenced by tool-to-artifact, artifact-to-tool, and citable references, this is a very cool undertaking that I can learn from by putting it together and anyone can learn from by simply searching or browsing for what is needed.
Spreading the news about the neat things
So over at the DFIR Training Patreon page, I’m going to keep talking about neat things. I have software on my desk that I will be comparing and reviewing, book reviews to write and make videos about, and I will talk about all the little things that I have come across over the years that might make someone else’s day easier.
On my podcast , I am giving some war-stories as examples to the topics I want to share. Probably every “war-story” is an incident where I fell on my face, or boogered up something, or plainly just messed up something. I am not trying to sound like I am uncoordinated or unskilled or born to be a goof, but that I have learned some things the hard way for whatever reason, and that I can share how not to do that. If one story that I tell can save someone from hours of work or public embarrassment or better yet, solve a good case, then it is worth it.
Here’s one war-story from my former law enforcement work that shows why I want to share the things I know. As a use-of-force instructor, I was giving training on a specific threat* and a specific reaction to handle that threat over a period of years (I thought it an important enough topic to repeat often). One day, an officer in my agency was thrown into an officer-involved shooting, survived, and sought me out afterward. He gave me a hug and said that the only thing going through his mind were the words that I kept repeating in training. Of course, I was happy to be a part of the outcome of the shooting, but in all fairness, he was there and handled it, not me. The same goes for forensic work. I can give my opinions and suggestions to help, but it is the receiver who chooses to put the words to work. I am just glad to be part of it.
More importantly, you should too.
*sorry, not going to talk about the specifics of the threat or how to handle it..
Everything you need for DFIR is ending up on www.DFIR.training. Software. Hardware. Artifacts. Resources. References. Citations. Forms. Templates. Affidavits. Keyword lists. Forensic Test Images. White papers. Books. Jobs. Videos. Podcasts. Infographics. Blogs. RSS feeds. Events. Research. And Community!
More tool listings!
Of course. More categories too since there are just so many tools to search through. If you don’t see a tool, let me know and I will add it. No tool too big or too small. Currently, there are 1,400 tool listings in 238 categories. Even cooler is that all tools are cross-referenced between the categories :)
The one field that I recently added for license type (commercial, free, multi-license) is still being populated, but when finished, you can search for tools with a filter by license type. I should have started this early on rather than when the tools hit 1,400 in number. But it will be done for all the tools. As of now, searching for a specific license will give incomplete results.
I started a forensic artifact database of sorts previously, but it was too complicated and time consuming to put together and manage. So, not only did I now make it easier to manage, but easier to find what you are looking for. As of today, the database is incomplete, but artifacts are being added and eventually, you will have a serious start for looking for artifact resources.
Here is the basic template for the forensic artifact database:
The DFIR BookShare Challenge
So far, so good, except I’m running out of author-signed books! If you are a DFIR book author and want to join in, send me a note! I want your book! They are going out all over the world and are having a good impact on the community for those who are passing them around.
Book reviews will be published from January as well. Editing what I wrote, finishing up others that I started. And learning that writing a review of a book takes more effort and time than reading the book itself!
The intention of the training listings is to have as many training providers post their training as possible. Trying to find DFIR training is not as easy as you would think, as you have to go to individual providers, or find incomplete listings. So, this endeavor hopes to capture them all to make it easier for everyone to find relevant training. You can help by suggesting to vendors to post their training at DFIR Training.
How about that Patreon Page?
Check out what is going on at the DFIR Training Patreon page for next year: https://www.patreon.com/posts/year-end-review-23648997 . I created several tiers of membership, and as each tier sells out, that only leaves the next higher tier to join. But once you join at a tier, you can stay at that price for as long as you want.
Your membership on Patreon gives you access to lots of courses and freebies, and I suggest taking a look at the Year End Review post on Patreon. In just a few weeks, membership went from zero to 135, 10 books were shipped out to one tier membership level, and new courses are being added in January, February, March, and more!
As a side note, everything on www.dfir.training is still free and the DFIR Training Patreon page is simply going way further with benefits , rewards , and exclusive content for members. Completion of the courses gives you printable proof of training that may make your employer happy with training hours and something you can prove on your CV/resume; something you can't get with Youtube videos.
2019 is the year that I start software comparisons and reviews. I will also be doing comparisons on the Patreon page in more detail, but generally, I will have the basic reviews available on dfir.training. If you are a developer and want to have your tool compared, send me a note! I have a few apps on the desk to get through first, but I’ll take as many as I can do.
Here’s the plan: I’m picking two or more tools that do the same thing (or one same specific thing) and comparing both of them. What I like, what I don’t like, the output, the ease of use, speed, etc… The more tools the better and I’ll simply just rank them as I compare them. Also, I am not averse to having some prep time with a developer to make sure that I do not miss a feature or misstate something about a tool. My goal is accuracy and honesty.
My goal for you
To build up DFIR Training to be your most valuable resource for all things DFIR. That’s it in a nutshell. Although I enjoy adding to the website, it does take time. But with the traffic and emails I receive about the site, it makes the effort much more worthwhile. I do intend to add more advertisers on the website to cover expenses and time, but those to be added are truly those companies doing great work in DFIR that you should know about anyway. But don’t worry. No popups. No spam email. Nothing that will get in the way of searching for something you need in DFIR and finding it quickly and easily.
About Advertising on DFIR Training
Send me an email and I’ll send over a Media Kit. Let me help you pick out what will be the best fit for what you are looking for. You won’t find a more targeted audience than the visitors to DFIR Training, especially in these numbers. The numbers are quite amazing.
Some visitor stats for those interested in just how many people use DFIR Training.
Alexa (Alexa makes it easy to compare traffic, so you can see how dfir.training compares to other related websites).
Patreon Ranking (continual upward trend!)
Raw stats (excluding bots)
First the bad news
I’m re-doing the database and starting from scratch.
Now the good news
It will be so much better than I originally planned.
The intention of the artifact database
The forensic artifact database is not intended to get into the weeds of forensics. Some aspects may be detailed, but generally, this database is not going to replicate work that has already been done elsewhere.
With that, the database is intended to point you in the right direction to what you are looking for, quickly and easily. As an example, each category will have topics that will give you a broad overview of the artifact, training resources, software, published resources (books and papers), videos, and other direct links to citations that you can use. It's like Google, but faster, and curated specifically for each artifact. And cross-referenced as needed with other artifacts, operating systems, and forensic software apps.
Another intention is to spark ideas for your analysis. By listing artifacts clearly, the listings may give you ideas on things you may have forgotten or didn’t know, simply by entering search terms for what you need, such as searching for “USB” or “network connections”.
When will it be done?
Good question. The best answer is that it will never be completely done as artifacts will be added as they are discovered and published. It’s a living database. But you probably want to know when it will be done enough to be useful…I suspect it may be a few months before there is enough content in the database to cover the basics of what you need.
If you see something wrong with the content, or have something to suggest to make it better, I am one big ear to listen. That’s my goal: make it easy for you to use and worthwhile.
How much is this going to cost you?
Nothing. Nada. Zip. I’m making it for the DFIR community to use. No strings attached.
I participated in an interesting thread on the Forensic Focus forum regarding software licensing recently.
There were good points made in response, such as suggestions to use open source tools, and that the answer to the question of using cracked forensic software is an unquestionable “NO”.
Countering the good suggestions were some terrible replies. Like, it’s okay to use cracked versions of software, and that playing around with hacked versions of commercial tools is fine as long as you don’t make money from it. And don’t forget the cover-all excuse of ‘everyone does it’. Holy smokes!
That’s it. Generally, there is a software licensing agreement for all software. Some are written explicitly and specifically by the developer (name your commercial tool as any example), and other software may be uploaded to repositories under one standard licensing agreement that covers everyone’s uploaded software.
In my experience, here is how I see EULAs as they relate to digital forensics work: you may or may not be able to copy, modify, distribute, sell, use for profit, and/or share. Know what you can do with each tool that you use. If you violate one or more of those permissions, your professional credibility may be damaged and the results of an examination may be inadmissible.
In particular, I have seen some freeware EULAs specifically state no commercial use of the software. One personal example: an opposing ‘expert’ in a case in which I was hired to testify had used freeware in his analysis and, by chance, I knew the software he used prohibited commercial use. Of course, that was brought up in court. I would not imagine him doing the same thing ever again after that day.
EULAs cover a lot of ground in a lot of small print. Using common sense, you’ll probably never violate a EULA. Cracking the software is not common sense. Trying to break it is not common sense. When in doubt, read the EULA.
For those in the DFIR community, I urge you to not even lightheartedly suggest that using cracked or pirated software is fine, regardless of the circumstance, so as not to negatively impact those working to get into the field.
As for me, no one will ever be able to say, “Brett Shavers said it was okay to use cracked forensic software, and said that everyone else does it, so I did it too”. Never will happen. Ever. You should be in the same boat.
PS: Notice I didn’t get into any of the ‘moral’ reasons to pirate or crack software, because there are none. And besides, the ‘legal’ aspect outweighs any ‘moral’ belief every time in court. I also focused on only one aspect of EULAs: that pirating or cracking software is generally not permitted by the EULA of nearly all proprietary code.
I'm putting together a list of guests for the DFIR Training podcasts for 2019. The podcasts will be different from the podcasts currently being done. Short and sweet. To the point with a dash of humor.
The goal is to have something you can listen to from start to finish in less than 15 minutes, in which you can get some nuggets to help you in your job, help get you through the next committee meeting, or pass the time while you watch a progress bar not move...you know what I mean ;)
I am open to practically any guest, in addition to those I am personally seeking out. Be forewarned that I may be sending an email to you to come onto the podcast, but also, don't worry. It'll be less than 10 minutes of your time, which is less time than it takes to microwave a lunch.
The podcast will be available through https://www.patreon.com/DFIRtraining , which reminds me... have you signed up yet? The earlier you sign up, the better jump-in price you get. There is even a short-run holiday special offer going on right now through January 31 (limited to only 50!). The first tier level already sold out, and I expect the next tiers to sell out as well, only because you get a lot. Take a look at some of the benefits you get through DFIR Training's Patreon:
Every week, barring sudden illness or natural disasters
Access to everything above and everything else that is coming for as long as you are a member. The first tier level of $20 sold out. The Holiday Special at $25 is already starting to go. The next tier level is $30. Then $40. Then $50. Then...