Brett's Ramblings
Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in, literally puking . The inspiration for this post I listened to a well-done presentation not too long ago, and afterward, I went to the restroom. When I walked in, I heard someone puking their guts out . It turned o...
Lesley Carhart tweeted today that a journalist used one of her tweets in an article that would have been rephrased in a less playful manner had the journalist just asked. I find this tweet to be an extremely important tweet that affects many in forensics (see my side note on 'forensics'). Lesley's tweet was in an article about a nation...
I hate USB drives. My first experiences with the darn things was when I was a young patrol officer and the entire police department was ‘issued’ a USB flashdrive to temporarily store our reports. In theory, we would be able to write reports in our patrol car laptops (MDCs/MDTs), store the reports on the flashdrive, and then plug into the network to...
Here is something about the DFIR career field: it is one of the most exciting, eventful, and jam-packed jobs that anyone can have. Running and gunning, saving the world, hacking into remote systems, and stopping bombs from exploding seconds before the countdown timer expires! At least it looks that way from the outside. But seriously, DFIR work is ...
I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not mean that they took on more than what they could handle, but that they started down a path, committed themselves to it, and refused to adapt to the changing environment. Here is one example tha...
Swift on Security tweeted a great article. The article is not great as a well-written piece or containing earth shattering news piece, but more that the article brings up a few questions and assumptions to think about on any legal matter. {source} <blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">This should be a m...
I feel obligated to respond to one of Harlan Carvey’s points in his recent blog post, Book Writing Misconceptions ( https://windowsir.blogspot.com/2019/03/book-writing-misconceptions.html ). I agree with everything he points out about book writing, so no need to regurgitate any of what he wrote, except to say, ‘ ditto ’ on the book stuff. The...
During a recent workshop, one person in the class kept asking me for the magic bullet to work his case. By that, I mean that he kept asking me over and over again for the answer to one of his cases. A ton of ‘hypotheticals’ and another ton of ‘what ifs’ and a half ton of ‘that does not apply to my case’. One thing about these types of qu...
The bad cons are the criminals that victimize you. The good CONS are the conferences that you were glad to attend. CTIN is one of those good CONS. I’m partial to CTIN because it was the first organization that took me in when I was but a babe-in-arms as far as digital forensics goes. I am also partial because the people in it have ...
The #1 factor is not giving up . The #2 factor is talent . Actually, scratch #2. You can make it without talent if you don’t give up. Talent is overrated. <sounds of desks being pounded> Let me explain what I mean before going further. Not giving up has to be the most important, because if you give up, no matter how good you are, you will not...
Short version:
- Bring your A Game
- Don’t hold back
- Be prepared
- Know what you claim to know
- Fight complacency
This week, @taosecurity ( Richard Bejtlich ) wrote an important blog post on managing burnout ( Managing Burnout ). As he mentions in the first sentence, he is not talking only about information security, but burnout in any profession. I’m certainly no expert in preventing burnout, other than regularly bringing myself to the burnout line, because t...
Call me paranoid. It’s okay. I’ve been called worse. Nothing I am saying in this post will harm officer safety and actually should increase it. The public needs to tell cops to stop being online marketing tools. PIOs choose to be a public figure, but the everyday patrol officer is a law enforcement officer, not a marketing tool. Officer safety is r...
Stand by, here comes my opinion on forensic tools (software and hardware) I tend to prefer having the option to pick among a large selection of tools to be highly specific in solving problems. The fewer options I have, the more likely I will be doing an “OK” job instead of doing a “good” job. Worse still, when not having the right tools, I may not ...
The mechanics of digital forensics (and its related cousin, incident response) are fairly easy. A computer is a computer is a computer. Collecting data is collecting data. And an artifact is an artifact. As long as you follow the basic mechanical principles and concepts, you should be able to do the work without impossible obstacles. A most basic e...
For engagements where my clients ask for help in preparing for a ransomware attack, the most asked question is, “ Do you recommend we pay if it happens to us? ” The decision to pay (or not) is based on the specific and unique situation. Are there unaffected backups? Is the encrypted data valuable or can it be re-created? Is the entire network ...
I’m big on attribution in crimes. It is my personality and attitude, which you can probably tell from the things I write and say (and have done ). With that, I completely understand that the “IR” in “ DFIR ” is not primarily about attribution, if it ever is. The IR (Incident Response) is a different job than the DF (Digital Forensics), but st...
Some have found a Patreon page that I created for the DFIR Training website ( http://www.patreon.com/dfirtraining ). Here is a short description of what is going on with me, DFIR Training, and Patreon. First off, Patreon is just a way for you to support DFIR Training (and me!). You simply choose to subscribe at a level of support that you want. Rig...
The short version: Support DFIR Training on Patreon and get this X-Ways Cheats ebook for free! The longer story: One of the most useful things I made for the 101+ Tips & Tricks X-Ways Forensics course was the Ultimate DFIR Cheats! X-Ways Forensics ebook. This is a 118-page book that is a free ebook download in the course, or yo...
For those working in DFIR , there are some who don’t travel, some who travel a lot, and some who travel all the time. Depending on the person, any of these can be enjoyable or exhausting. Right to the point If you travel for business, try to carve out a little time for sanity and lifetime experiences. It may not cross your mind at the time, bu...
If you haven’t seen yet, I started a Patreon page for DFIR Training ( www.dfir.training ). I’ve done this for a few reasons to benefit those interested and me personally. I think if you see the why, you may want to jump over and support the page. If you support the Patreon page, you’ll get access to the training courses that i have created and...
Twitter had some great commented threads on the North Korean government hacker (PARK) who was criminally indicted by the United States. The main point in the threads that I read revolved around whether or not the NK hacker should have been indicted as he was ‘only following orders’. If we assume the attribution of PARK is correct, in that...
Let me get something out of the way: X-Ways Forensics (XWF) is not the only forensic suite I use . It just happens to be one that I use a lot, and I like it a lot. I also like plenty of other forensic suites, but XWF is my go-to, especially for deep dive forensics. To help me learn XWF, I wrote a QuickStart Guide , a book (with Eric Zimmerman...
So, you want to start a brand new, right-out-of-the-box, digital forensics lab in your police department? Want some tips? If you (1) work for a large-sized department, you probably already have a digital forensic lab staffed with full-time, commissioned examiners. But if you (2) work for a small to mid-sized agency, your departmen...
I had the pleasure of talking to a group of high schoolers about digital forensics recently. After showing some neat things to get interest, the fun really started with getting hands-on demonstrations. I decided to use X-Ways Forensics for the hands-on fun (t ip: be sure to register your dongles with X-Ways Forensics insurance feature ). Since the ...
I’ve read some really good material on the importance of taking notes over the years and a recent post written by @mattnotmax is no exception ( Contemporaneous Notes: a forensicator's best friend ). There are plenty of really good DFIR related blog posts on note-taking (like here: https://www.forensicnotes.com/digital-forensics-do...
Low Hanging Fruit: Evidence Based Solutions to the Digital Evidence Challenge When I first saw the title, I thought this was going to be something different (as in “low hanging fruit in digital forensics investigations”), but instead realized that it’s a think-tank report asking to approve a new yet-another-digital-forensics-federal-agency tasked t...
Posts List
Tag Cloud
Volume Shadow Copy
Windows Forensic Environment
Virtualization
Hiding Behind the Keyboard
Hacker
Placing the Suspect Behind the Keyboard
presentations
tor browser
imaging
Jimmy Weg
University of Washington
windows forensic environment
book
gmail
X-Ways Forensics Practitioner's Guide
winfe
phishing
training
North korea
surveillance
case studies
email
bitcoin
RegRipper
Bitcoin Forensics
Registry Forensics
privacy
investigation
X-Ways Forensics
dfir
investigations
windows fe
forensics
wiretap
writing
4cast
bitcoin forensics
Search Blog
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!
© 2019 Brett Shavers