For those in the DF/IR world who started in this business way back when (or maybe you were part of the crowd who actually started this business), you'll know exactly what I mean when I say...
"That which was impossible yesterday, is possible today."
What I mean is that the tools of yesterday were great at the time, but today, not so much, or actually not at all. I remember the first time that I carved out images (pictures) from an image (as in disk image) using DOS software. I was amazed. Then I was running around the entire City Hall finding any floppy disk laying around to practice magic. Word documents! Spreadsheets! I WAS ON TOP OF THE WORLD! Oh yeah, the stuff I found on those 'formatted' floppies was really neat too.....
There were a lot of impossibilities back then, or at least things that just weren't done. Volatile memory? Nope. Cell phones? Nope (tbh, the early phones wouldn't have anything on them anyway...). Encryption? Forget about it. How about the Windows registry? Nope. Not much work done in there either.
Today is different. Way different.
We have more forensic software and hardware than any one person could ever hope to use or see in a career. Not only that, but there are outstanding practitioners writing outstanding software. Any of these tools would have saved me so much time years ago, but that is how it works.
Commercial tools are no different. Exams that would take weeks just to process data now take only days or hours, and that is with datasets 10x the size! So, yesterday's impossibilities are possible today. I would love to go back in time to re-do some of my exams using today's tools, because I would find more relevant evidence, faster.
Don't get me started on hardware. One of the reviews/comparisons I will be doing will be on a new hardware device. Oh my. I can't wait.
Tomorrow is different.
Here is the flip side. What is possible today may not be possible tomorrow. I mean that there are things that we do today that we may not be able to do in the future. What are these 'things'? I don't know, but I know that as technology changes, some things in DF/IR become easier, and some things become harder if not outright impossible or impractical. Whether that is due to devices, operating systems, encryption, or something else is uncertain. One thing that is for sure is that as we have entered this world of practitioners building tools, we are on the cusp of keeping up with the tasks we need to do. From determining guilt to tracking criminals and defensive ops, we have gotten better and continue to do so.
The main point
When something doesn't work. When you realize that the 'old way' does not work anymore. When you want to complain about what is broken. The solution is not to complain. The solution is to state the obvious as a positive and move forward. We should have imaged RAM from the beginning, but we didn't know how or realize the importance. Now we do. We moved on. So the next thing you find that needs improvement...simply state:
"Hey, we've been doing it the best way that we knew how, but I think it is time to figure out how to do it better. I have some ideas to test."
And then we share. That's the main point.
Over the past year, many articles, blogs, and actual news stories have talked about the extreme shortage of “cyber” applicants. Yes, I said the word “cyber”, and I am using that term to encompass everything in information security (like the DF and the IR and the infosec).
Lately, many blogs have been talking about the shortage not actually existing, and that it is the fault of hiring departments not hiring the available pool of applicants.
That is the split in the road, and as far as I am concerned, I agree with the pool of qualified applicants being WWWAAAAYYYYY larger than the available jobs. This goes directly against all the talk that we have a shortage. Looking at it from both perspectives, each side (the HR side and the ‘looking for a job’ side) sees a shortage on the other side. In reality, I believe the shortage is manufactured for several reasons that can be fixed in 30 minutes, because that's how long it takes to type and upload revised job requirements.
Here is the most glaring and talked about issue:
Within this issue, there are many smaller, but just as important, issues. One is advertising a job with requirements that don’t actually match the job being advertised. Some that I have seen are so different that it would be like a café advertising for a barista but posting the requirements of a truck mechanic, and a repair shop posting the requirements of a barista. When this happens, the barista job doesn’t get filled, the truck mechanic doesn’t get a job, and the repair shop is short a mechanic.
That’s really what it’s all about for at least 95% of the hiring problems of not being able to find a suitable applicant.
But I want to get a little deeper into this issue. When a job requires the world (degree, competence, and experience), this appears to be either a clear attempt to thin the herd in order to cut down on the number of applications to review, or an unfortunate misunderstanding of reality. By the time someone has a degree specific to ‘cyber’, experience to back the degree, and competence gained by experience, then that someone is either running their own business or is at a place they will never leave. To narrow this even further, many of the most highly competent and most experienced cyber folks don’t even have a degree, or if they do, it is nothing related to cyber. Mainly it is because they practically invented the field, mold the field, and teach the field.
This leaves a very small number of folks that can meet this unworldly criteria of competence, experience, and education. I want to get a little deeper into each of these for a bit, and I’ll get into my opinion on what you can do to get hired and what you can do to find these great folks.
As I mentioned, many don’t have cyber degrees or any degrees, but are competent and experienced. When a degree is required, this means the ‘student’ is not going to have much in the way of experience or competence. Sure, there is some practice with a software tool in a class, and maybe exposure to case studies of some sort, but if you rely solely on a degree, expect that you are basically getting a paid intern for a year or two while they get experience on the way to gaining competence.
HR Tip: Consider a college degree in “cyber” as a bonus or a tie breaker when all else is equal. Making it a requirement means you will not have access to all the best applicants.
Getting hired tip: If the job requires a degree….get the degree. If you want a federal job, as an example, you will probably need a degree in practically anything. They don’t really care as long as you have a degree in something. Brett’s advice: be competent too. Don’t go in with just a degree, but really learn your stuff, because I want you to stand out like a sore thumb in handling business when you get hired.
This is a tough one if you are looking for easily validated experience. Easily as in getting an internship that can validate that you have experience. In this field, trying to get experience on your own can be risky. For example, “ethical hacking” can turn into criminal charges if you go outside the law, even accidentally. This is a tough one. Even if you wanted to volunteer for free, the legalities and non-disclosure agreements that companies have are problematic when considering that unpaid interns will see confidential data. The requirement to be experienced with specific software/hardware is also a deal-killer for many. The use of any DFIR tool is many times a personal choice or mandated through an employer.
HR Tip: If you have someone pounding on your door, with all the tell-tale signs of being one of the hardest workers on the planet, but they have no experience, open the door. Open the darn door to at least talk to the person. I promise that one of these folks will rock your company and be a star. On the tool requirement….you don’t want someone that can run a specific tool. You want someone who can run any tool.
Getting hired tip: Pound on doors. Keep pounding on the doors. You have to find that one HR person who will take a chance on you because of your tenacity, your positivity, and your promises of being ‘the one’. Brett’s advice: this sucks as a way to get hired because you will get 99% rejections. But if you can stick it out for that 1%, you just found exactly what you need. And so did that company.
Education helps. Experience helps. And self-learning helps. Each of these helps in a different way, and it depends on your learning style. Do not think that you need education to be competent, or that you need experience to be competent, or that you need to only self-learn to be competent. You should know by now the best way you learn. If you don’t, then sit down and think about it. What did you learn recently and how did you learn it? Did someone teach you? Did someone tell you to figure it out? Or did you bear down and figure it out yourself? Whichever works for you, do it. What works for me probably doesn’t work for you. Or maybe if you are lucky, you can learn with practically any method (which means you are lucky and I am a bit jealous…).
HR hiring tip: Competence is difficult, if not impossible, to judge on an application, so stop putting it in there because some of the things you want competence in are not required for the job you are advertising!
Getting hired tip: Get competent. Do it the way that you do it the best. If the hiring manager requires competence in something, whether or not the job needs it, you may just have to learn something that you won’t need to do, but need to get hired. Sucks, but until hiring managers figure it out, if you want that job, you’ll have to pound on the door to convince them otherwise, or you have to have what they want.
Ok, here’s a personal story on how messed up this was for me.
I was once ‘recruited’ to apply for a cyber job and given the job description. I applied and got an interview, but when I started the interview process, it took me about 15 minutes to realize that I was interviewing for a different job than what I had been recruited for.
But I went through it anyway. I was incompetent in some of the things needed, as in totally incompetent, because I had never done that work before! Then, as I started figuring out what the job actually was, it was a job that I didn’t even want to do.
End result was that the entire process was a cluster. I turned down the job before they had a chance to either offer it to me or turn me down. I was a bit disappointed because I actually wanted the job that I had been asked to interview for. I have heard of this happening to one other person, so I imagine this is not unique to me and one other person.
If you have been keeping up with online conversations about DFIR research being peer-reviewed outside the academic review process, then this post is for you because…
What is DFIR Review?
Short version: Your DFIR research can be peer-reviewed in less than a month, published as peer-reviewed by a committee, you get the credit for your effort, the community shares (and grows with) your work, and you are encouraged to further develop your research as you see fit.
Longer version: Back in June of last year, I posted an idea of peer-reviewing DFIR bloggers’ research. The idea evolved through several additional posts (and response posts from others) until finally reaching today’s jump-off of DFIR Review. There has been lots of effort, lots of online conversations, and lots of coordination to get this off the ground. Joshua James posted "DFIR already has Rapid Peer Review - we can do better" as part of this process.
Although Jessica Hyde has been instrumental in moving this effort forward, every person named on the list below has publicly put their name on this project to support it in one way or another. I certainly have not been the first to talk about this since the topic has been around for some time.
In my opinion, this idea is well past needed. The current peer review process is fine for its purpose, but I have always felt that the traditional method of writing up an idea or research in a blog or document to be uploaded to a website does not do its author or the community as much of a service as a peer review system that addresses these kinds of research.
Basically, uploading a PDF or writing a blog post on your great research only goes so far. But if you allow it to be stamped as “peer-reviewed”, you and the community gain so much more from your work. From my post on The Dearth of Documentation in DFIR, a visual that I made to show the value of social media posts (like Twitter) compared to a blog post illustrates the need for something that lasts longer on the Internet. Books and journals can be effective and easily found for 10 years or more, with blog posts lasting about 2 years… social media posts are measured in minutes.
DFIR Review takes your research that you want to share from lasting minutes to lasting years. The effect of this is that your work will spur, inspire, and support the research of others well beyond the work you initially did. This means you can affect the community more directly, substantially, and for some time to come.
Show me the money!
In short. There is none. None for you. None for the volunteers. None for anyone. At one point, I had been communicating with some about the commercial aspect of DFIR Review. My point is that there is no aspect of commercialization, and I posted more details about it in Getting Your Blog Post Officially DFIR Peer Reviewed – An Update. The peer reviewed papers are not going to be behind a paywall.
What you won’t get
I put out a bit about the benefits you can get with a peer review with The Rapid Peer Review, and in that post, I state the things you won’t get. This is what you won’t get:
* You won't get a certificate.
* You won't get more initials after your name.
* You won't get a coin.
The intention is simply to be a bridge between a blog post and a scientific journal.
Are you still against peer review?
I only ask because a few people in the heated private exchanges I had about adding yet another thing to DFIR documentation and research felt this is unnecessary. So I wrote a few points with If Peer Review is so Important, Why Doesn’t Everyone Do it? I wrote that we do research correctly, but we don’t follow through enough with the publication and immutability of our work. There are reasons for this, mostly due to the extra time involved to get formally published in a journal or book. DFIR Review bridges that gap.
I illustrated the time problem of formal publishing in the post Publish your #DFIR research! The example I gave compared a paper (a PDF….) that I wrote on virtualization forensics and a book written on the same topic by someone else. As soon as I finished writing the paper, it was online at www.forensicfocus.com in a matter of days, whereas the book took 2 years to be in print (the book even referenced my paper....). My point is that between the time my paper was put online and the time that the book came out, I am assuming some examiners were able to benefit from my paper during that time, when they weren’t able to benefit from a book to be published years later.
How difficult is this going to be for you?
It is not difficult at all. I expect some things to pop up that will slow the process down a little, but nothing that will not be solved in a day. For the researcher, all you have to do is submit your work. That’s it. You won’t even have time to forget that you submitted it before the peer review is done. Then, what you choose to do with your research is up to you.
As for me, I support you submitting it to a journal, or finessing it into a book, and researching more. Get your work in the hands of the community while at the same time getting credit for your work. This is not about ego, but about getting great research out in the public, with your name on it. That’s pretty cool.
As for the tweet that started all of this, at least for me.....
In host forensics more than any other evidence realm I struggle with the lack of solid authoritative sources. At least on the network side there are RFCs.— Chris Sanders (@chrissanders88) June 7, 2018
This is a place where the OS vendors should lead. The best information we have shouldn’t be scattered amongst blogs.
An interesting Twitter thread popped up on forensic imaging. Good points were made on whether or not to create full disk images, sparse images, or even to image at all.
There are so many factors to consider in such a decision, that I believe it unreasonable to have a simple catch-all solution. Civil vs criminal case. Legal authority. Resources and time available. Type of case. Type of system. Amount of data. Number of systems. And other unforeseen situations.
But I believe that quite simply, if legal authority exists, and resources are available, why not create full disk images? To clarify, "available resources" means that you have the time, the tools, the staff, the storage, the funding, and the capability to do it. You can obviously choose not to image or create full disk images even though you have available resources, but if you can, why not? It's better to grab as much (all) that you can and filter out the garbage later, than it is to hope you got what you needed on a sparse collection.
I understand that some cases may involve hundreds or even thousands of machines. I understand that some DF/IR organizations (public or private) may not have the physical resources to do such massive data collections. I also understand that some cases have priority over other cases.
However, I believe that my take on imaging is solid as it rests upon available time and resources. If a DF unit has the capability to image a thousand computer drives and do the analysis, then why wouldn’t they if they have legal cause and authority to do so? This is an extreme example, but the math works out. If you have the time and resources to do a complete job, then there is no reason to not do a complete job.
On to triage.
Triage is great for two big reasons:
#1 – is there evidence that I can find right now that justifies seizing this system, and/or
#2 – how important is this system in the grand scheme of priority examinations.
Triage is not a replacement for imaging. It is there to give you guidance on the priority of analysis and on whether you need to collect it at all. Even then, triage only gives you guidance to make a decision, since triage may not reach into an area of evidence that you needed to make a fully informed decision. It’s best-guess work, but it works pretty well in prioritizing cases.
In my experience, I have examined images from years prior to find evidence that was unknown at the time of seizure and was overlooked by prior examinations. Not due to skill level, but due to new information coming to light later in the cases. I think this holds true across the board. You don’t know what you don’t know, so if you can image it all, why not? Creating full disk images does not mean you must do a complete forensic exam, but you have the option if you need it. Incomplete images mean that you will never be able to do a complete forensic exam to find either inculpatory or exculpatory evidence. I have not heard of the defense yet, but I will not be surprised to hear about a case where the defendant swears that there was exculpatory evidence on the drive that was not completely imaged, and the original system no longer exists.
I would dread being asked in court, "You said you had the opportunity to create a full disk image. You had the resources. You had the time. Yet you didn't. Why didn't you image the complete drive?"
Back to the time and resources
Given that you have time, and you have the resources and legal authority to image everything, I personally believe that you should. You can still triage during the imaging process or even triage afterward. You don't need to do a complete exam on everything, but you can if you need to.
And I understand the reasons why not to image or to only take sparse data, simply because that is not the investigative model for the specific task at hand, like when you have 20,000 nodes and 100,000 virtual machines, and the “I have no idea how many physical machines we have” and “I just need pst files” sort of scenarios.
But I am talking about exploitation, missing persons, homicide, and some civil case matters. If you can seize it all, why not? I would compare this to serving a search warrant on a large house. You could “triage the house” by walking through it quickly while looking for evidence on the kitchen table and living room, but not by looking in the dresser drawers or under the bed. Or, you can go through everything. Or do both. Certainly, if the search warrant is a serious case, simply walking through the house isn’t going to cut it. You need to throw on some gloves and start digging through everything.
I am also aware of great research being done in the area of "sifting data", "sparse collections", "targeted collections" and so forth. Each of these is an "incomplete" collection no matter how you look at it, but each surely has its place. One paper that I read states:
"In general, only a small portion of the data on a disk has any relevance or impact on forensic analysis. The vast majority of sectors and files contain data irrelevant to most investigations; in fact, many sectors are either blank or contain data that is found verbatim on numerous other systems (e.g., operating system and application components). Fig. 1 depicts various categories of data present on a typical disk. For some investigations, executable files may be of interest. For others, browser artifacts are of primary interest. Blank space is virtually never of use. The rest of the data, beyond what is deemed relevant to a case, and which constitutes the vast majority of the collection, could actually be replaced by random noise without affecting the forensic analysis." - Rapid forensic imaging of large disks with sifting collectors
The problem with this theory of capturing the high value data is that you don't know which is the high value data. I've never returned to a house after a search warrant and asked, "May I search your home again? I neglected to check your basement the first time."
So….if you have the time, the resources, and the legal authority to create complete images, why not?
A few more points (thanks PM!): if you can seize the entire media, you can always go back to it later at some point if needed without creating an image at all (put it in evidence, pull it out when ready to image/examine). In civil litigation cases, you don’t usually have that luxury. Most times it is (1) arrive onsite, (2) collect data, and (3) leave without the original media. By the time there is a concern to go back to the original media, the media either no longer exists or has been modified to the extent of being irrelevant. Ironically, civil case matters many times only allow for targeted data collection.
My point is that “if” you can, you “should”. With the “if” being time and resources available and legal authority.
Patreon allows anyone to create a personal webpage, create and post content to the page, and charge visitors (patrons) to access the content. That’s all there is to it.
Patreon is one of the first of these types of platforms to take a foothold in this space, and is still working through growing pains. But, all in all, it works as advertised. The vast majority of content on Patreon is not computer related. Of that which is computer related, even less is DF/IR related. But it is there; I have seen more DFIR pages being created and expect more to be created. You could be next to create your own Patreon page!
Of course, I’m talking about Patreon because DFIR Training has its own Patreon page where I am creating content, giving access to courses, podcasting, and blogging exclusively for members. But just as important, I want to bring Patreon to your attention for several more reasons:
Here’s the thing on training, books, references, resources, and even how time works: nothing is truly free, and even those who give everything freely eventually cannot continue at some point. Platforms like Patreon help DFIR content creators and software developers further their efforts. Actually, they help creators develop faster, like spraying nitrous oxide into an engine. As an example, Github (or any platform providing free storage for free software) is a wonderful resource of open source tools, but you will find that so many tools are started but eventually abandoned. This is not because the tool failed, but because the time and effort needed to sustain development cannot continue without eating away at other aspects of life.
There's a neat story that I like to tell in order to make a point about supporting DFIR tool/content developers. A small piece of software was developed years ago and the developer was giving it away as freeware while asking for donations. I donated and emailed the developer that I thought his tool was really neat. I donated because I really liked the tool and hoped it would be developed further. Ten years later (probably a little less?), that small free tool evolved to become a major contender in the forensic software industry. I had maybe a .000001% impact on its development with my donation and verbal support, but I surely feel good that I helped it even a little.
I will say that there are a few free small forensics tools available today that, if the developers tweaked their goals just a little, could end up in the same boat of running neck and neck with the big-name forensic software companies in a few years. Unless they eventually give up development because the time required becomes too much to keep giving it away. This hurts the community and our forward momentum.
On the DFIR Training Patreon list, I selected several DFIR related Patreon accounts as potentially good DFIR references. You will recognize some of the accounts right away. Phill Moore, Eric Zimmerman, and other respected members of the DFIR field have created Patreon pages. Consider supporting those who you wish to continue in their efforts of supporting the field with what you can, when you can.
Another point on free DFIR stuff. Everyone can access the free stuff, but not everyone chooses or has the opportunity to access the non-free (especially the expensive!) stuff, like training and software. This is an unfortunate fact in any industry, in that ‘things’ cost money, and to access certain ‘things’, you have to pay for access and use, such as licensing fees. I see Patreon offering a sliver of hope of not going broke for some cool DFIR content, as much of it is still free on Patreon. Eric Zimmerman’s tools are a primary example of the awesomeness you can get for free, and support directly with what you can, when you can. Patrick Wardle is yet another with amazing tools that he gives away and at the same time, is supported on his Patreon page. Pretty cool.
As to the DFIR Training Patreon page, I plan on stuffing it with exclusive content for the members and ask that you check it out. You just might find some cool stuff :)
Here is something I do. I make it a point to write down something that I learned each month. No, I don’t sit and think about what I learned, then write a poem about it. When I learn something that impacts what I do in DFIR, I write it down as soon as I “learned” it. By learning, I mean either I figured it out through research, or watched it in a video, or a class, or a blog. This happens several times a month…but I want to have at least one thing that I learned per month.
At the end of a year, I can look at the major things I learned and put an importance on each newly learned thing by simply writing a few words about it. From this, I personally share with or teach others. I call these the “neat things”.
I know that you also learn something new every month (day?) too. We pretty much all do. But the suggestion I have for you is to jot a note down for the big ones that make you stop and think. There are a lot of fairly innocuous things we learn all the time, but sometimes, we learn something really neat that impacts what we do more than anything else.
By “impact”, I refer to those neat things that may save me time, or give me a new skill, or plainly teach me something so cool that I can’t wait to tell someone. Your “neat things” will be different from mine, and that is the way it is supposed to work. I admit that sometimes I come across something that is neat to me, and when I tell someone else, they already knew about it ☹. Still, new to me is a personal improvement that I can make.
I keep this in mind all the time I am at a digital device, and surely, you do too. You type, click, type, click, and during the typing and clicking, you learn something about an artifact or how a tool works or some way to do something a little more efficiently. We do this and improve individually, but what we don’t do is stop and realize just how much we are learning. Note-taking helps me reflect that (#1) I am constantly learning, and (#2) I should be sharing what I learned in case someone else doesn’t know. It is also personal proof that I am not stagnant in keeping my skills up to date.
Here is something to be aware of if you meet me somewhere. If something comes up that I know about (and am excited about), and you have not heard about it, I’m going to fill you in on it. If it is a software that I found to be awesome and you haven’t tried it yet, guess what we will be talking about for the next 10 minutes….
A lot of what I have learned is also probably the way you learned too: Through mistakes and errors.
But that’s okay too. Any of my mistakes are burned into my cranial cavity enough to remind me for a long time. Plus, I tend to talk about how I royally screwed something up only to come out of it a better person. Basically, I tell people, “Guess what? I touched a hot stove and it was hot.” That is not as embarrassing as saying that I keep touching a hot stove and haven’t learned from it. Bottom line is that making mistakes and recognizing the mistakes is good for growth and improvement. Hiding mistakes (or worse, denying ever making mistakes!) stunts growth.
The DFIR Training website
I'll also admit that I am learning and re-learning so many neat things with the DFIR Training website. It takes time to manage, but my personal benefit is entering 1,400 different software applications, reading dozens and dozens of white papers, and now going through one forensic artifact at a time. My motivation is both selfish (I want to learn!) and altruistic (I want you to learn too!). Here is where I am finding the biggest learning experience with DFIR Training: the forensic artifact database. Although it is new and has a lot more to go before being the go-to artifact database, it is incredible what you can learn by going over an artifact while curating white papers, tools, references, and videos about each artifact. So cool to do, and I hope it will be cool for you too.
I expect the forensic artifact database to easily reach over 1,000 artifacts in time. Given over 1,000 DFIR tools and soon enough over 1,000 forensic artifacts, all cross referenced tool-to-artifact and artifact-to-tool with citable references, this is a very cool undertaking that I can learn from by putting it together and anyone can learn from by simply searching or browsing for what is needed.
Spreading the news about the neat things
So over at the DFIR Training Patreon page, I’m going to keep talking about neat things. I have software on my desk that I will be comparing and reviewing, book reviews to write and make videos about, and all the little things that I have come across over the years that might make someone else’s day easier to talk about.
On my podcast, I am giving some war stories as examples of the topics I want to share. Probably every “war story” is an incident where I fell on my face, or boogered up something, or plainly just messed up something. I am not trying to sound like I am uncoordinated or unskilled or born to be a goof, but I have learned some things the hard way for whatever reason, and I can share how not to do that. If one story that I tell can save someone from hours of work or public embarrassment, or better yet, solve a good case, then it is worth it.
Here’s one war story from my former law enforcement work that shows why I want to share the things I know. As a use-of-force instructor, I was giving training on a specific threat* and a specific reaction to handle that threat over a period of years (I thought it an important enough topic to repeat often). One day, an officer in my agency was thrown into an officer-involved shooting, survived, and sought me out afterward. He gave me a hug and said that the only thing going through his mind were the words that I kept repeating in training. Of course, I was happy to be a part of the outcome of the shooting, but in all fairness, he was there and handled it, not me. The same goes for forensic work. I can give my opinions and suggestions to help, but it is the receiver who chooses to put the words to work. I am just glad to be part of it.
More importantly, you should too.
*Sorry, not going to talk about the specifics of the threat or how to handle it.
Everything you need for DFIR is ending up on www.DFIR.training. Software. Hardware. Artifacts. Resources. References. Citations. Forms. Templates. Affidavits. Keyword lists. Forensic Test Images. White papers. Books. Jobs. Videos. Podcasts. Infographics. Blogs. RSS feeds. Events. Research. And Community!
More tool listings!
Of course. More categories too since there are just so many tools to search through. If you don’t see a tool, let me know and I will add it. No tool too big or too small. Currently, there are 1,400 tool listings in 238 categories. Even cooler is that all tools are cross-referenced between the categories :)
The one field that I recently added for license type (commercial, free, multi-license) is still being populated, but when finished, you can search for tools with a filter by license type. I should have started this early on rather than when the tools hit 1,400 in number. But it will be done for all the tools. As of now, searching for a specific license will give incomplete results.
I started a forensic artifact database of sorts previously, but it was too complicated and time consuming to put together and manage. So, not only did I make it easier to manage, but also easier to find what you are looking for. As of today, the database is incomplete, but artifacts are being added and eventually, you will have a serious starting point for finding artifact resources.
Here is the basic template for the forensic artifact database:
The DFIR BookShare Challenge
So far, so good, except I’m running out of author-signed books! If you are a DFIR book author and want to join in, send me a note! I want your book! They are going out all over the world and are having a good impact on the community for those who are passing them around.
Book reviews will be published from January as well: editing what I wrote, finishing up others that I started. And learning that writing a review of a book takes more effort and time than reading the book itself!
The intention of the training listings is to have as many training providers post their training as possible. Trying to find DFIR training is not as easy as you would think, as you have to go to individual providers, or find incomplete listings. So, this endeavor hopes to capture them all to make it easier for everyone to find relevant training. You can help by suggesting to vendors to post their training at DFIR Training.
How about that Patreon Page?
Check out what is going on at the DFIR Training Patreon page for next year: https://www.patreon.com/posts/year-end-review-23648997. I created several tiers of membership, and as each tier sells out, that only leaves the next higher tier to join. But once you join at a tier, you can stay at that price for as long as you want.
Your membership on Patreon gives you access to lots of courses and freebies, so I suggest taking a look at the Year End Review post on Patreon. In just a few weeks, membership went from zero to 135, 10 books were shipped out to one tier membership level, and new courses are being added in January, February, March, and more!
As a side note, everything on www.dfir.training is still free, and the DFIR Training Patreon page simply goes way further with benefits, rewards, and exclusive content for members. Completion of the courses gives you printable proof of training that may make your employer happy with training hours and something you can prove on your CV/resume; something you can't get with YouTube videos.
2019 is the year that I start software comparisons and reviews. I will also be doing comparisons on the Patreon page in more detail, but generally, I will have the basic reviews available on dfir.training. If you are a developer and want to have your tool compared, send me a note! I have a few apps on the desk to get through first, but I’ll take as many as I can do.
Here’s the plan: I’m picking two or more tools that do the same thing (or one same specific thing) and comparing both of them. What I like, what I don’t like, the output, the ease of use, speed, etc… The more tools the better and I’ll simply just rank them as I compare them. Also, I am not averse to having some prep time with a developer to make sure that I do not miss a feature or misstate something about a tool. My goal is accuracy and honesty.
My goal for you
To build up DFIR Training to be your most valuable resource for all things DFIR. That’s it in a nutshell. Although I enjoy adding to the website, it does take time. But with the traffic and emails I receive about the site, it makes the effort much more worthwhile. I do intend to add more advertisers on the website to cover expenses and time, but those to be added are truly those companies doing great work in DFIR that you should know about anyway. But don’t worry. No popups. No spam email. Nothing that will get in the way of searching for something you need in DFIR and finding it quickly and easily.
About Advertising on DFIR Training
Send me an email and I’ll send over a Media Kit. Let me help you pick out what will be the best for what you are looking for. You won’t find a more targeted audience than the visitors to DFIR Training, especially in the numbers. The numbers... quite amazing.
Some visitor stats for those interested in just how many people use DFIR Training.
Alexa (Alexa makes it easy to compare traffic, so you can see how dfir.training compares to other related websites).
Patreon Ranking (continual upward trend!)
Raw stats (excluding bots)
First the bad news
I’m re-doing the database and starting from scratch.
Now the good news
It will be so much better than I originally planned.
The intention of the artifact database
The forensic artifact database is not intended to get into the weeds of forensics. Some aspects may be detailed, but generally, this database is not going to replicate that which has already been done elsewhere and everywhere else.
With that, the database is intended to point you in the right direction to what you are looking for, quickly and easily. As an example, each category will have topics that will give you a broad overview of the artifact, training resources, software, published resources (books and papers), videos, and other direct links to citations that you can use. It's like Google, but faster, and curated specifically for each artifact. And cross-referenced as needed with other artifacts, operating systems, and forensic software apps.
Another intention is to spark ideas for your analysis. By listing artifacts clearly, the listings may give you ideas on things you may have forgotten or didn’t know, simply by entering search terms for what you need, such as searching for “USB” or “network connections”.
When will it be done?
Good question. The best answer is that it will never be completely done as artifacts will be added as they are discovered and published. It’s a living database. But you probably want to know when it will be done enough to be useful…I suspect it may be a few months before there is enough content in the database to cover the basics of what you need.
If you see something wrong with the content, or have something to suggest to make it better, I am one big ear to listen. That’s my goal: make it easy for you to use and worthwhile.
How much is this going to cost you?
Nothing. Nada. Zip. I’m making it for the DFIR community to use. No strings attached.
I participated in an interesting thread on the Forensic Focus forum regarding software licensing recently.
There were good points made in response, such as suggestions to use open source tools and that the answer to the question is an unquestionable “NO”.
Countering the good suggestions were some terrible replies. Like, it’s okay to use cracked versions of software, and that playing around with hacked versions of commercial tools is fine as long as you don’t make money from it. And don’t forget the cover-all excuse of ‘everyone does it’. Holy smokes!
That’s it. Generally, there is a software licensing agreement for all software. Some are written explicitly and specifically by the developer (name your commercial tool as any example), and other software may be uploaded to repositories using one standard licensing agreement to cover everyone’s uploaded software.
In my experience, here is how I see EULAs related to digital forensic work: you may or may not be able to copy, modify, distribute, sell, use for profit, and/or share. Know what you can do with each tool that you use. If you violate one or more permissions, your professional credibility may be damaged and the results of an examination may be inadmissible.
In particular, I have seen some freeware EULAs specifically state no commercial use of the software. One personal example: an opposing ‘expert’ in a case in which I was hired to testify had used freeware in his analysis, and by chance, I knew the software he used prohibited commercial use. Of course, that was brought up in court. I would not imagine him doing the same thing ever again after that day.
EULAs cover a lot of ground in a lot of small print. Using common sense, you’ll probably never violate a EULA. Cracking the software is not common sense. Trying to break it is not common sense. When in doubt, read the EULA.
For those in the DFIR community, I urge you to not even lightheartedly suggest that using cracked or pirated software is fine, regardless of the circumstance, so as not to negatively impact those working to get into the field.
As for me, no one will ever be able to say, “Brett Shavers said it was okay to use cracked forensic software, and said that everyone else does it, so I did it too”. Never will happen . Ever. You should be in the same boat.
PS: Notice I didn’t get into any of the ‘moral’ reasons to pirate or crack software, because there are none. And besides, the ‘legal’ aspect outweighs any ‘moral’ belief every time in court. I also focused only on one aspect of EULAs, in that pirating or cracking software is generally not permitted by the EULA of nearly all proprietary code.
I'm putting together a list of guests for the DFIR Training podcasts for 2019. The podcasts will be different from the podcasts currently being done. Short and sweet. To the point, with a dash of humor.
The goal is to have something you can listen from start to finish in less than 15 minutes, in which you can get some nuggets to help you in your job or help get you through the next committee meeting, or while you watch a progress bar not move...you know what I mean ;)
I am open to practically any guest, and I do mean practically any guest, in addition to those I am personally seeking out. Be forewarned that I may be sending an email to you to come onto the podcast, but also, don't worry. It'll be less than 10 minutes of your time, which is less time than it takes to microwave a lunch.
The podcast will be available through https://www.patreon.com/DFIRtraining, which reminds me... have you signed up yet? The earlier you sign up, the better jump-in price you get. There is even a short-run holiday special offer going on right now through January 31 (limited to only 50!). The first tier level already sold out, and I expect the next tiers to sell out as well, only because you get a lot. Take a look at some of the benefits you get through DFIR Training's Patreon:
Every week, barring sudden illness or natural disasters
Access to everything above and everything else that is coming for as long as you are a member. The first tier level of $20 sold out. The Holiday Special at $25 is already starting to go. The next tier level is $30. Then $40. Then $50. Then...
So far, in my opinion... this DFIR Bookshare Challenge is awesome!
Sure, there is some work to it. Getting the books (and signed by the authors!), getting the word out, managing the hundreds of entries, making random drawings, getting confirmation from winners, then getting the addresses, then the mailing of each book (in and out of the USA). But even at that, this is totally awesome! Awesome because so far, the winners are welcoming the challenge to share after reading the books. That is so super cool. Even cooler is that you don't need to spend a dime in buying the book, shipping fees, or anything. Just the time to enter is all that is needed and I'll mail the book to you if you win.
To get one entry per drawing, be sure to create a free account here: https://www.social.dfir.training/groups/viewgroup/3-dfir-book-giveaways. I am only requiring creating an account so that I can export a CSV with email addresses in order to make the drawing. You can use any email address you want, but make it one that you will check to see if you won. If I don't hear from the winner in a few days, I'll be moving on to the next person. I prefer that #1 wins, but the book has got to be sent out for its new life to be passed around :)
Where have the books gone so far? Here is the current map, and remember, this will be happening every month until I run out of author signed books:
Oh yeah... the book reviews...
I have to admit that I am behind on the reviews. I probably bit off more than I can chew by giving away so many books in such a short time, which includes me reading each book in order to review them all. I plan to get through all the reviews over the holidays.
I’ve been working on Patreon for several reasons, all to benefit everyone looking to connect with the community and get some training (and ebooks). The goal is to build up the Patreon page in order to be able to commit more time to give more, such as more courses, more podcasting, more writing, more www.dfir.training content, and more sharing.
I encourage you to check it out: http://www.patreon.com/DFIRTraining. To gain access to the courses and posts, sign up at one of the tier levels of your choice. Tier levels at $20 or higher access everything, although the $20 tier level just sold out. There are spots at the $30 tier level, and when they sell out, the next level is $40, and so forth. Get in early and enjoy the lower tier prices. And once you join at a certain tier level, you can keep the subscription price for as long as you want without any increase. But when you leave, you will lose your early discount spot and would have to come in at a higher tier when you decide to come back. Basically, innovators and early adopters get the biggest benefits, so get in early!
Back to the DFIR Bookshare Challenge... as a benefit for the Patreon members, each member at tier levels of $20 or more is getting 21 entries to win a book, each time. Everyone else receives one entry. That doesn't mean that only patrons win, but they have more chances to win.
The next big thing on Patreon is the updated WinFE. If you haven’t heard, it will be a major update in what it can do. The current version built with WinBuilder is still valid, and will continue to be valid as the write protection method is the same. The new WinFE has a few more features that extend WinFE’s usage, which I will detail on Patreon through added videos in the WinFE course and through an ebook that you can download for free if you are a patron. I am excited for the new update to be released and I know that you will be too (the new WinFE is seen below running on ARM64!). Kudos to Colin Ramsen on his write protect app!
For those who are supporting through Patreon, you folks are, well, just plain awesome! (That’s the last time I use awesome in the post, I promise...)
The visitor stats are incredible, so I appreciate the suggestions and corrections that I am sent. Keep it up. Still averaging over 35,000 unique views a month and hit 70,000 in one month recently, typically a million hits a month, a bounce rate of 13.10% (if you know about bounce rates, you know this is incredible), 15 daily page views per visitor, and visitors spending an average of 25:15 minutes on the site daily.
A few sponsors are coming on board, so that is nice to help compensate for time to manage the site. There are lots of items on the site and more is coming. All is free to access for everyone.
I will be adding a few new features here and there, all the while as I update the content with tool listings, event listings, artifacts, and more.
If you see something that you don’t like, or like, or could/should be different, don’t be shy to let me know via the contact form or directly via email.
We each have our own preferences in what we want to see in forensic tools. Some live and die by the CLI, where any GUI is blasphemy to the cause. Others demand that a button exist for everything and don’t even give a sideways glance at anything that requires typing a command or right-clicking to get to a function.
By the way, there’s nothing wrong with anyone’s preferences, as long as you can do the job with the tool you use. But there is something to keep in mind when you stand fast in your software belief system, and it probably stems from your introduction to the tools. One thing that I have seen in introducing forensic tools is that the manner of introduction has a long-term effect on future users. If the introduction is poorly done, the odds are that unless the student makes an effort to correct the introduction, the use of that tool probably won’t happen.
Here’s one example.
While at FLETC during BCERT, we had a 3-day class from Accessdata on FTK. FLETC (at the time at least) gave Accessdata three days to teach FTK, gave four days to Guidance Software to teach EnCase, and so forth. X-Ways Forensics had been recently released and there was no training in X-Ways at FLETC/BCERT other than, “This is what X-Ways looks like. Next.”
But here’s the rub. The Accessdata instructor did such a terrible job that practically everyone in the class was bashing FTK the entire three days. It was that bad. It was the worst that I have ever seen in more ways than I can remember. Many in the course had never seen any forensic tool, let alone FTK, so the only impression was that Accessdata FTK must be terrible because the tool didn’t work and the instructor didn’t know how to use it. Luckily, I had Accessdata training prior, and had been using FTK for some time before my FLETC training. The end result is that this particular FLETC course pumped out a bunch of EnCase lovers and FTK haters. All because of three days of ineffective instruction. To Accessdata’s credit, they gave a training pass to everyone to repeat the course at any time, but I don’t know how many gave Accessdata a second chance.
The obvious intention of FLETC's BCERT was to introduce and give training in several tools so that we could choose that which will fit a case and fit our preferences, based on knowing the ins and outs of a box of software.
I don’t remember that instructor’s name who taught those three days at FLETC, but I can tell you that I used that credit to repeat the course after I left FLETC. For the repeat of this course, Dustin Hurlbut was the instructor. I remember Dustin’s name because his delivery of FTK was spot on. I subsequently had Dustin as an instructor with other Accessdata courses and every time, he did Accessdata very well. In every one of those courses, I am sure that he sent out motivated, new Accessdata users.
So, when I hear that someone doesn’t like a particular forensic tool, I ask specifically, ‘what is it that you don’t like about it?’. If I can’t get an answer that is specific, I assume that their initial exposure was negative, and they don’t really know why they don’t like it. I can work with that when I give training. Sometimes a proper re-introduction can do magic.
For me, I ‘prefer’ tools based on the situation at hand. At times, FTK can rock a specific scenario. EnCase is king in another. Magnet just kicks it in a different case. X-Ways fits the bill in another. Paraben covers a gap that no one can in a different situation. And so forth. When the results are virtually the same (output being only visually different), the tools generally do what you need done if you choose a tool that fits your needs. Preferences are valid when you can honestly compare tools against each other. It is much like complaining that a stick shift (meaning, you have to change gears manually... and use a clutch...) doesn't work because you don't know how to drive it; that isn't really a fair opinion of a stick shift compared against an automatic transmission. However, if you can drive both, then not only can you give your personal preference of what fits your needs, but you can pick the transmission type that fits your needs.
If someone else ‘loves’ a tool that you do not, take a step back and ask yourself ‘why?’. Why do they love it? Why do you not? You may discover that you have been missing out on a fantastic tool that could have saved you months of work and frustration as it actually fits your needs, and the only reason you didn't know is because your introduction to the tool was subpar. That’s not your fault way back then, but eventually it becomes your responsibility to find the tools that you need, regardless of any poor introductions made earlier.
Keep in mind, the more tools in your tool box, the more problems you can solve. Otherwise, when you only have a little tool bag, you are going to limit your effectiveness. As for me, I prefer to fill the toolbox, just in case.
Harlan Carvey posted an important question (http://windowsir.blogspot.com/2018/11/basic-skillz.html) asking for opinions on what should be the basic skills in DF, which moved people to quite a few comments and blog posts.
Following up on Harlan's post, I wrote this one (https://www.dfir.training/dfir-training-categories-k2/item/164-wax-on-wax-off) to talk about basic skills in DF/IR, as in, the skills needed to perform at a basic, but competent, level.
But I think breaking apart "basic" is the first step in this conversation. By breaking apart, I mean that we have basic skills and basic knowledge to discuss.
Basic skills are those competencies specific to a job or task.
Basic knowledge is that information or awareness (not competence!) of a topic or topics.
Determining basic skills is easy to define, since you can choose a job and then determine which skills are necessary to do that job (as in, bare minimum, basic skills).
Determining awareness/basic knowledge is a little more difficult, as I opine that the basic knowledge should be much broader, across all jobs in both DF and IR. Just as important, I believe that a basic knowledge/awareness should not imply or require competence in any of the DF/IR jobs. It is merely awareness. I blogged a couple of times about this in more detail.
In this post (https://brettshavers.com/entry/digital-forensics-is-really-easy), I wrote that basics should be very basic, and include only that knowledge that should be held by those in DF or IR (both should have the same knowledge in legal and technical).
In this post (https://www.dfir.training/dfir-training-categories-k2/item/165-a-proposal-of-basic-foundational-dfir-knowledge) I wrote in a little more detail about what I believe a basic foundation across both DF and IR should be.
When speaking about "the basics", we may want to consider more specifically which "basics" we refer to. Do we mean the skills required for a basic competence, or do we mean the basics as a "starting point" of the field that everyone in the field (both DF and IR) should know as a foundation?
Following up on the DFIR Basic Skillz conversation (http://windowsir.blogspot.com/2018/11/basic-skillz-pt-ii.html) and post (https://www.dfir.training/dfir-training-categories-k2/item/164-wax-on-wax-off), I want to drill down deeper to the basics. First, let me define basics as I refer to the term in this post.
Basics = foundation, fundamental, starting point
(SWGDE defines this topic as "awareness... designed to provide the student with a general knowledge of the major elements...")
To make this short and sweet, I believe that any attempt to create a basic core competence for a specific job in DFIR is way beyond problematic; it may be impractical. Far too many specific jobs have varying degrees of skill levels required in a basic sense, and different skills needed in some jobs but not another. To be accurate, every single job title would need to have its own basic foundation determined individually. Think about the varying degrees of responsibility and job titles in DF/IR and then think about how you could create core competency or basics for each job. Coupled with mechanical evolution (hardware, software, tools), this is a very difficult task.
Drilling down a little more, the basic skills in a specific job, such as forensic analyst, will change faster than we can keep up deciding what the basic skills should be. Don’t get me started on what would then constitute the intermediate and advanced skills! An entire team of folks could spend an entire career just writing up core competencies on different DFIR job titles. When you take into consideration operating systems, types of devices, objectives of each incident or case, and the specifics of each incident or case, the basics in one instance could very well be advanced in another.
I refer to the DFIR basics as the foundation of the overall DFIR field. I take into account those skills (more aptly described as 'awareness') which are:
In another post (https://brettshavers.com/entry/digital-forensics-is-really-easy), I touch on what a basic foundation could look like:
If you work in DF/IR long enough, you will see more than a few examples of where someone should have known better, and by not knowing better, either a case was mishandled or an incident made much worse. I have seen people fired on the spot, victims lose cases which could have been won, and professional embarrassment over the most basic of skills. In nearly every instance, it was a lack of knowledge, not intentional errors, that caused the problems.
As to how deep the waters should run to have a basic foundation, I truly see no need to go beyond a broad introduction of both the legal and technical aspects that run across both DF and IR. It is not competence building, or even much more than ensuring that those in both DF and IR understand the legal and technical functions of both sides of the field. It is to raise awareness and have a basic foundation across the board in DF and IR, broken down into two components:
---Criminal and civil procedures (legal processes, report writing, etc..)
---Evidence (identification, seizure, preservation)
---A+ and Net + (OSs, hardware, networking, etc..)
---Digital Forensics (high level and specific to forensic analysis)
---Incident Response (high level and specific to incident response)
No one really teaches this. Yes, there are some courses that are considered basic, but nothing that I have seen that fits this model. I believe the reason is that few people would want to spend the time or money in a program where they come out with the same lack of mechanical skills as when they went in. Basically, people want to know how to do the work right away. Principles and concepts? Nah. We want to grab the tools and get to work! This is a bad way to do it. Actually, it is the wrong way.
You make sure that you have the basic fundamentals, regardless of any formal training. It is your responsibility. It is not the responsibility of your employer, or your college, or your parents, or the government (yet). One time in court will be more than enough to either make you seek another career or rush to find training to teach what you should have known. Start now (if not covered already), whether you have never handled a hard drive in your life or have investigated nation-state hacking cases on a regular basis.
The community at large should support some level of basic fundamental knowledge. Hiring managers should require it or provide it after employment, or as a condition of employment. Universities and colleges should absolutely provide it as they are issuing degrees (in effect, certifying students!) in DF/IR.
I believe it is so easy, that anyone and everyone should take the time to cover the basics. A few weekends, books, online courses, college courses, or anything else that can cover what can be considered the basic fundamentals. Regardless if you are tip of the spear in the field, or just graduated from school, this is easy to complete, and solidifies your knowledge base. And depending on your experience, you most likely have one of the two components down already.
Just imagine how it would be if everyone working in DF or IR had a common understanding of computer systems, operating systems, networking, and legal procedures. You don’t need to be a cop to know enough legal to save the day if the need arises. And you don’t need to be a computer programmer to know enough to save the day if the need arises. You just need a common foundation of the basics to make sure you don’t screw up. Because DF/IR is really, really easy to screw up.