Want to improve in #DFIR? Study someone else’s case work.

Want to improve in #DFIR? Study someone else’s case work.

I recently did a case study for a class, using a real case from one of the students in class.  When I get to do this on a real case, it is quite the opportunity to both learn and teach.  I review cases often, both as a peer reviewer and for personal training exercises, but when I say, “real case”, I mean that is where I get to see the entire case and have access to the investigator/examiner.

Three Types of #DFIR Case Studies

The depth of any case study is limited only by the amount and veracity of the case information. Do not discount any of the following types as not being as good as another because as you will see, each type of source material can give you different types of real benefits.

1-Training/Educational/Commercial-Fictional cases, or real cases that are fictionalized.

These types of cases are generally used to teach DFIR in that the cases are carefully created as examples of real-life cases. Vendors of software/hardware also create these types of case studies.

Benefits: Learning ideal methods and processes to use for the most perfect resolutions. Striving for perfection is not a bad thing, even when knowing that perfection is impossible to attain.

2-Publicly Available– Real cases, posted online, publicly available

     2A-News articles

Quick and easy to learn about a DFIR case, but not much in the way of a case study.

Benefits: Helpful in further online searches of the cases mentioned in the articles to find charging documents (complaints, affidavits, etc.…) for study. The information in the news article may not accurately reflect the actual circumstances for several reasons, such as the details may not be newsworthy.  However, news articles are quick sources to experience the public’s view (CSI effect) of DFIR case work, which can be helpful when giving testimony.

     2B-Accessible online reports/complaints

Although online case documents can be sparse in both number of cases available and the amount of content, these are great sources for case studies. Complaints, affidavits for search warrants, and the limited information contained in some case reports generally give just enough information to get into the investigative and analytic mindset of the investigators and forensic analysts. 

Benefits: Complaints/affidavits for search warrants give just enough information to show probable cause but leave enough for your imagination on the details. For example, a statement of “deleted Internet history was recovered” in an affidavit leaves it up to your imagination as to how you think the investigator recovered the Internet history and how you would do it. The big benefit is stretching your creativity to find the ‘how’ something was done, which may require you to do a little research.

Side note: If you are creative in your analysis, you will have better results. It’s not just pushing buttons; it is conducting an orchestra of software and hardware to tie forensic artifacts and computer activity to specific persons . Rote analysis* only does so much in an examination.

3-Professional– Real cases, not publicly available

     3A-Third Party Peer Review

These are the cases where you are paid to review someone else’s case. Sometimes consultants are hired by a client to review their own expert’s work or the opposing expert’s work, both the reason of uncovering flaws and determining accuracy of processes and findings. Generally, the examiner is not going to be provided for more information as the report itself is the key evidence item being reviewed.

Benefits:  By looking for flaws, holes, poor choices in processing and methods, you can gain quite a bit of insight where a case may be weak. The benefit is learning how not to make the mistakes that you may find in a case that were made by someone else.  Peer reviews are sometimes the easiest to do when looking for errors because humans make errors, but they are also great for being prepared in your cases to not repeat the errors that you found in your peer reviews.

     3B-In-house

Working with others, especially when your co-workers are assigned their own cases, gives you an outstanding opportunity to ask questions of the person who did the exam.  Read the case, consider if you would have done anything differently (for better or worse), and ask questions!

Benefits: You can make assumptions of how the case was worked, consider if you could have done a better (or worse) job, and conclude with asking questions of the examiner/s. Ask for the thought processes. Ask the “why” a certain tool or process was chosen over another. If the case is incomplete, you will make it a better case and both you and your co-worker will benefit.

Something I just observed in teaching a case study

When I am fortunate enough to teach a closed class where someone volunteers to bring their case as a case study, it is an entirely different animal because I can talk to the examiner to get intimate insight to the thought processes and creativity of the examiner. That is what just recently happened.

Bravely, one student brought his entire case to class. The case is in-progress, and all students are from the same agency which made this possible. On this case study, which the class reviewed and consulted with each other for an entire afternoon, not a single person walked out at the end of the day without having learned more about how to work a forensic case than they expected. That included me as well.

The most glaring issue that I saw in this casework was rote analysis. For me, I look at evidence as a canvas, where the big picture tells a story. For everyone in this class, they looked at evidence piece by piece, and generally had a difficult time telling me the story of the pieces of evidence. I believe that this particular instance is due to culture differences, and that was the observation from the students.

Spending hours on what was completed in the case, and then giving unconventional suggestions made improvements as to what the student will do next in his analysis. Although I agree that processes should be as clean (repeatable) as possible, I also believe that when a relevant artifact is found, especially when time is of the essence, that the artifact be examined as a clue to other artifacts. In this example, the student was collecting artifacts just because that is what the tools allowed to do. The tools weren’t telling his brain how to think about the artifacts.

Rote analysis makes the examiner leave the artifact to move onto the next and onto the next, until there is a box of unconnected artifacts and no inferences as to where they fit with each other.  The picture is not painted.

Being creative means that you are not just throwing artifacts into a box, but rather mindfully placing them onto a canvas where they belong. You are allowing the artifacts to paint a picture to tell a story.  This doesn’t mean doing sloppy work; it means uncovering the story of what happened on the device and its relationship to persons. Paint the picture .

Prepare to spend time on a case study

You can spend five minutes reading a news article about “digital forensics” and get the gist of the story. But that is about it.  If you want to improve dramatically over yesterday’s self of you, commit time to case studies.  

The benefits, aka, “What’s in it for me?”

Avoiding mistakes

My number one reason for regularly reviewing cases of others (besides being hired to do so…) is to learn how to reduce the risk of potential errors in my work . In some cases that I have reviewed, I have seen investigative errors and forensic analysis steps leading into rabbit holes and inaccurate conclusions. This happens and can (does) happen to everyone and anyone. However, seeing the errors of others helps me reduce the odds that I will make the same errors. This alone should be enough for anyone to study cases!

Brain work

Reading through someone else’s case or affivadit should naturally trigger responses in your brain to ask questions about what the investigator/analyst did. Questions like, “Why didn’t he triage in the beginning to get intelligence?” or “Why didn’t she use a different software on that operating system?” or any other number of questions. Sometimes you may be able to assume the thought processes of the affiant/analyst and compare how you would have made the same or different decisions.

Discovery of ‘new’ methods

Yes. You will discover methods that are new to you but commonly known to the rest of the community. That is a major benefit because although you may be expected to know everything by a client or court, in reality, you can’t know everything. Case studies helps reduce the instances of not knowing something or some process that you should have known. Yet another good reason for case studies!

Decreased reaction time

Otherwise known as efficiency and effectiveness. When you have read dozens of cases with a critical eye, you are virtually doing those cases in your mind. Visualizing physical actions does improve physical actions and decision-making. Having read a case, or several cases, where a specific investigative technique was used will allow your brain to quickly call upon it when faced with a similar case.

Decreased reaction times means that your approaches to live machines will be better prepared. Also, recovering electronic evidence that is similar to the case studies that you have read should result in better (and faster) decision-making in how to follow the evidence.

* Rote analysis is the type of analysis where the examiner routinely runs the same processes in the same order, without deviation or concern of looking at the totality of the case at hand.

An example of a publicly available case that I studied is below. This type of case study falls under the 2B listed above.

 

Written by :Brett Shavers