Brett Shavers | Ramblings

APR 25

COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.

Posted by Brett Shavers
in  Digital Forensics

The meat and potatoes

A bit is still a bit and a byte is still a byte. COVID-19 cannot change that, which means that the technical aspects of the work have not changed. But what about the investigative aspect? Oh yes. That part of DFIR has certainly changed. The key change is geolocation, and it is more important than you may realize at first glance.

The full meal

Every investigation involving an electronic device has been affected by COVID-19 and its consequence of stay-at-home/work-at-home. As far as investigations are concerned, device geolocation is perhaps the biggest impact. There are also other, subtler aspects of the quarantine to take advantage of in your investigations, whether you are involved in civil or criminal investigations or corporate matters. The benefits are there to be had. Individual privacy is yet another issue, but let us start with investigations.

For the most part, the impact of COVID-19 is positive for investigators. Actually, it is practically only positive. I will break down the pros and cons using the four broad categories below. These are "broad" because overlap exists and it is near impossible to make a clean break between every aspect of DFIR. Every person fits in one or more of these boxes, including the privacy category.

  • Digital Forensics (DF) & Incident Response (IR)
      • Criminal & national security investigations
      • Breaches, ransomware
  • Electronic Discovery (ED)
      • Civil litigation
      • Corporate/internal matters
  • Open Source Intelligence (OSINT)
      • Related to any/all investigations and privacy
      • Not related to any/all of these items
  • Privacy & Surveillance
      • A separate, but just as important, consideration
      • Includes government, corporate, and personal

 

Digital Forensics (DF) & Incident Response (IR)

How does COVID-19 affect DFIR investigations?

For criminal investigations, the geolocation impact is most dramatic. Compare the “before” and the “current” geolocation investigative aspects of COVID-19 (specifically criminals using mobile devices and Internet access points).

 

#1  Before COVID-19: Devices traveled 24/7.
    Current COVID-19: Devices are at home.

#2  Before COVID-19: Multiple devices of one criminal shared the same (multiple) geolocations with other criminals who also carry multiple devices.
    Current COVID-19: The criminal’s devices share one geolocation, mostly (or only) with family or with no one else.

#3  Before COVID-19: “Burner” devices may never have been turned on or used at “home”.
    Current COVID-19: Burner devices need to be on at home to be used.

#4  Before COVID-19: Burner devices might not have been used at the same geolocation as non-burner devices.
    Current COVID-19: Both burner and personal devices share the same geolocation (home).

#5  Before COVID-19: Public wireless access points were used for communication and online criminal activity.
    Current COVID-19: Personal or nearby accessible access points are being used.

#6  Before COVID-19: Face-to-face meetings to conspire were common.
    Current COVID-19: Electronic communications are now more necessary.
 

In the above comparison, “home” is where a person lays their head. Investigators who pursue criminals focus heavily on the “home” of a criminal, which tends to be the location where the criminal spends most of their time, stores and creates physical evidence, and is most vulnerable to arrest. One of the most basic goals of law enforcement surveillance is to follow criminals and ‘put them to bed’, which simply means follow them to their home. COVID-19 makes this much easier since everyone, including criminals, must be home, or at least be at home more than usual.

Side note: An investigative truism for the vast majority of crimes is that criminals must communicate to plan, conspire, and commit crimes. The most convenient and commonly used investigative method to capture communication is to focus on communication devices. Quarantine makes this easier.

COVID-19 Benefits Investigations

--Mobile devices

---Easier to find the home of the owner (suspect) since the device will be home more.

---Easier to identify other devices of the suspect since personal devices are also home with the suspect.

---Cell tower dumps near a crime scene will have fewer devices connected, lowering the list of possible suspects.

---“Burners” are now burned. They travel less and are quarantined with their owners. A burner can now be easily tied to a ‘home’ and to its owner at that home.

---“Burners” will now always be near their owner’s other devices, tying them together.

---Subsequent forensic analysis post-seizure will have fewer GPS points to investigate, which means fewer potential false alibis to run down.

---Higher usage of all devices (burners and personal) results in more data and more evidence, since face-to-face communication is reduced by quarantine/stay-at-home.

--IP Addresses

---Personal Internet accounts are used more.

---Neighbors’ Internet access is borrowed more.

---Higher chance of protective measures (VPNs, Tor, etc.) being inadvertently misconfigured or neglected for one or many communications.

With criminals being home more than usual, identifying their devices, tying the devices to them, and identifying the “homes” of criminals has never been easier. As long as you have either the device information (e.g. the phone number) or the home address, tying the two together is simpler than pre-COVID-19. Consider that a mobile device, including the ‘burners’, will be living at its owner’s home for more hours per day than before, because the owner is at home for long hours. Cautious criminals who would not turn on a burner at their home do not have much choice now.

  • A home address can be assumed and later confirmed by mobile device geolocation, such as GPS coordinates obtained from service providers.
  • Given the home address, device information can be obtained through means such as cell tower dumps, or other technical means of capturing mobile device signal connections.
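The co-location logic described above can be worked through as a small script. This is an added illustration, not code from the post or from any tool the author describes: it takes constructed location records (device, local timestamp, latitude, longitude), treats 22:00 to 06:00 as the overnight window, snaps fixes to a roughly 100 m grid, picks each device's most frequent overnight cell as its 'home', and reports which devices sleep in the same cell. The records, the window, and the grid size are all assumptions made for the example.

```python
"""Tie devices together by where they 'sleep': infer each device's overnight
home cell from location records, then group devices that share that cell.

Added illustration, not the author's tooling. The records, the 22:00-06:00
overnight window and the ~100 m grid are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample records: (device, ISO-8601 local timestamp, lat, lon).
# Made up for illustration; not real carrier or handset data.
RECORDS = [
    # Personal phone: home every night, elsewhere during the day.
    ("personal-A", "2020-04-20T23:10:00", 47.6101, -122.3321),
    ("personal-A", "2020-04-21T02:40:00", 47.6102, -122.3320),
    ("personal-A", "2020-04-21T13:00:00", 47.6205, -122.3493),
    ("personal-A", "2020-04-21T23:30:00", 47.6101, -122.3322),
    # Burner that, under stay-at-home, is now switched on overnight at home.
    ("burner-B", "2020-04-20T23:15:00", 47.6102, -122.3321),
    ("burner-B", "2020-04-21T01:05:00", 47.6103, -122.3320),
    ("burner-B", "2020-04-21T22:50:00", 47.6101, -122.3321),
    # Pre-COVID burner: only ever on away from home, in daytime.
    ("burner-D", "2020-02-10T14:00:00", 47.6062, -122.3321),
    ("burner-D", "2020-02-11T16:30:00", 47.6205, -122.3493),
    # Unrelated device across town.
    ("other-C", "2020-04-20T23:00:00", 47.6740, -122.1216),
    ("other-C", "2020-04-21T23:45:00", 47.6741, -122.1217),
]

NIGHT_START = time(22, 0)   # assumed "put to bed" window
NIGHT_END = time(6, 0)


def is_overnight(ts: datetime) -> bool:
    """True if the timestamp falls in the overnight window (wraps midnight)."""
    t = ts.time()
    return t >= NIGHT_START or t < NIGHT_END


def cell(lat: float, lon: float, precision: int = 3) -> tuple:
    """Snap a fix to a grid cell (3 decimals ~ 100 m) so GPS jitter collapses."""
    return (round(lat, precision), round(lon, precision))


def infer_homes(records) -> dict:
    """Return {device: home_cell}; devices with no overnight fixes get no home."""
    overnight = defaultdict(Counter)
    for device, ts, lat, lon in records:
        when = datetime.fromisoformat(ts)
        if is_overnight(when):
            overnight[device][cell(lat, lon)] += 1
    homes = {}
    for device, counts in overnight.items():
        (home_cell, _n), = counts.most_common(1)
        homes[device] = home_cell
    return homes


def colocated(homes: dict) -> dict:
    """Return {home_cell: {devices}} for cells shared by two or more devices."""
    by_cell = defaultdict(set)
    for device, home_cell in homes.items():
        by_cell[home_cell].add(device)
    return {c: devs for c, devs in by_cell.items() if len(devs) > 1}


if __name__ == "__main__":
    homes = infer_homes(RECORDS)
    for device, home_cell in sorted(homes.items()):
        print(f"{device:12s} sleeps at {home_cell}")
    for home_cell, devs in colocated(homes).items():
        print(f"shared home {home_cell}: {sorted(devs)}")
    print("no overnight fixes:",
          sorted(set(d for d, *_ in RECORDS) - set(homes)))
```

Run as a script, the personal phone and the quarantined burner fall into one home cell, while the pre-COVID burner, never on overnight, gets no home at all. With real provider data you would want a much longer observation period and an ambiguity check: a device whose top two overnight cells have near-equal counts should be flagged for review rather than assigned a single home.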

Another side benefit of COVID-19 for investigations is that of increased usage of electronic devices to communicate. Criminals must still leave their homes to commit traditional, non-computer crimes, but the use of mobile device communications still increases. More calls to more phones help build a more thorough link analysis of criminals and their co-conspirators. Traditional policing is also made easier with fewer cars on the road and fewer places for criminals to blend in with the public (such as at a crowded restaurant or park).

Cell tower dumps in the area of a crime, which pre-COVID-19 could return hundreds of devices per tower, might now return only a few devices, which greatly narrows the list of potential suspects.

Successful criminal hackers take great pains to hide their true identity and location. Whether using VPNs or Tor, one of the basic premises is to never connect to the wire with anything that ties to your home or work. For the most part, the quarantine forces the use of a home Internet connection or a nearby neighbor’s connection. One error made in complacency or technical failure can expose everything. Investigators should take advantage of the increased possibility of tracking a criminal hacker to their home, as compared to tracking to any one of thousands of public WiFi spots found at libraries, coffee shops, and throughout entire cities with public WiFi.

One negative with COVID-19's quarantine is not being able to physically place the co-conspirators together by way of geolocation, such as having two devices being at the same place at the same time. In cases that I have had, each time that I could identify the date and place that a group of conspirators would meet to talk, such as at dinner or a parking lot, being able to identify every device in the area was a good operation. This was really beneficial as not every person in an organization will call every person in that organization, so tying devices together requires more labor. Conversely, in the quarantined world, everyone in the organization will need to call more of those in the organization to communicate.

As far as when the quarantine is lifted and we reach the new normal, the historical geolocation data available will still benefit future cases, both with device forensic analysis and with third-party service providers holding the geolocation data.

Electronic Discovery (ED)

Compared with criminal and civil investigations, COVID-19 poses more risk to businesses. Companies that are allowing remote work from their employees’ homes without appropriate precautions are creating a situation of intermingled personal and business data.

Employees who now have open access to their employer’s systems from personal devices might be the biggest risk to employers in the past decade. Data mingling can cause a substantial legal issue in litigation, where company data might be intentionally or inadvertently saved onto personal computers. Additionally, personal computers with outdated anti-virus or unsupported operating systems increase the chances of a company being compromised through an employee’s personal system.

Companies that had been supporting remote work by way of providing systems that are maintained by internal IT staff and using protected connections (not simply directly connecting to the network…), have no concerns that they did not have before COVID-19. For the rest, I can foresee some problems.

Open Source Intelligence (OSINT)

OSINT is fun for the curious. It is also an effective investigative method, as well as an effective victimization tool. The impact of COVID-19’s quarantine is that those who want to remain semi-private about their homes, yet still remain socially available online, are more at risk of exposure.

Being at home more means most photos posted to social media will be taken at home: more family photos, more photos of a home’s interior and exterior. All of which raises safety concerns for some.

For investigators, applying OSINT to cases where suspects are using social media simply means gathering more relevant, home-based geolocation data.

Privacy & Surveillance

Being anti-crime does not mean that you must be anti-privacy, but most governments will try to convince you otherwise. All of the above-mentioned benefits of COVID-19 for investigations to solve crimes carry a corresponding potential loss of personal privacy. The key questions are who is being watched, for what reason, and with what justification.

Right behind any government are the many tech companies with the ability to collect personal data from their users, privacy be damned. The stated intention is the public good, yet the data is primarily, if not solely, a revenue source (your data is sold and sold and sold again). Now we are online more because we are home more (practically 24/7), which creates more data to be collected: the websites we visit, the online shows we watch, the videos, and the online purchases.

A government’s view of “data hoarding” is for the public’s benefit.

A corporate’s view of “data hoarding” is for corporate benefit.

Now comes COVID-19, and the two merge. Corporate tech giants (small tech too!) are partnering for both the public good of tracking people via mobile devices and, certainly, the sale of the data. The most effective way to convince anyone to give up a bit of privacy is to promise a chunk of security in exchange. In times of panic or worry, not only is this easy to accomplish, but the exchange tends to be a large piece of privacy for a false hope of security.

https://www.apple.com/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/

Post COVID-19

I expect to see the mobile apps being developed today, which track infected persons and their interactions with the non-infected, become more commonly used. The Apple-Google effort of using Bluetooth technology to track people in the name of public safety can easily be applied to many other things, much as dating apps and other friendly location-sharing apps already do.

For the investigator, these data sources have always been treasure troves used to place a suspect at a scene. They will now jump into hyperdrive, collecting more data through willing user consent, default app configurations, and covert monitoring.

Summary

Forensic analysis is the same. Investigations have (temporarily) changed. Good investigators continually look for breaks in a case, are always open to a break, ready to exploit one, and creative in trying to find one. Don't let COVID-19 be anything other than a potential way to solve a case. For business owners and managers, it is not too late to update computer use policies to govern how employees connect to the company's data.

Committing crimes today is not as easy as yesterday. Neither is keeping your privacy.

APR 05

Mini-WinFE 10 and WinFE 10 Updated

Posted by Brett Shavers
in  Digital Forensics

The short story on the newest Mini-WinFE 10 (aka, the download link):

Mini-WinFE has been updated and upgraded.  I update WinFE developments (including the downloads for Mini-WinFE) at https://www.patreon.com/posts/34814255.  The Mini-WinFE builder is a free download.


Are forensic bootable OSs still useful today?

Depending on who you ask, forensic bootable OSs are either extremely valuable or of no practical use. The answer depends on your job, which is why WinFE works great for some and not at all for others. For traditional forensics on dead-box machines, WinFE has a place. In ediscovery matters, WinFE certainly has a place for data collection from custodian machines. For devices that can’t be imaged or accessed other than by booting the machine, WinFE has a solid place in the DFIR toolbox. If your job does not involve imaging machines in a forensically sound manner, then WinFE may not be useful to you. The value of WinFE is solely dependent on whether you can use it in your job.

What is (Mini) WinFE?

WinFE (Windows Forensic Environment) is a forensically sound, bootable Windows operating system created by Troy Larson and built using a string of command lines. Forensically sound here means the environment boots without automatically mounting, and therefore without writing to, the disks attached to the machine. In short, Troy turned WinPE into a WinFE.

Mini-WinFE is an easier method of building a WinFE that also gives a fuller WinPE. I selected WinBuilder, a project in use for years for customizing WinPEs, as the WinFE building project. A smaller, lighter, quicker build (Mini-WinFE) became the de facto WinFE build because of ease of build and ease of use. Mini-WinFE has now moved to PE Bakery, with Misty updating the Mini-WinFE project and Colin Ramsden updating the Write Protect Tool.

Mini-WinFE 10

WinFE 10 is the most substantial improvement to WinFE since its inception by Troy Larson. Colin Ramsden did an amazing job of completely updating the WinFE Write Protect tool in his build project and adding WinFE acquisition of ARM devices. The next phase of WinFE 10 was to implement Colin Ramsden’s upgraded write protect app in the WinBuilder build of Mini-WinFE. In this most recent improvement of Mini-WinFE, PE Bakery was chosen as an improved replacement for WinBuilder. Both Colin and Misty have now updated Mini-WinFE with Colin’s latest Write Protect tool.

The primary difference between Mini-WinFE and WinFE 10 is that the Mini-WinFE build, unfortunately, does not acquire ARM devices as Colin’s WinFE 10 build does. However, Mini-WinFE is easier and faster to build, which is great for anyone needing a WinFE but not an ARM WinFE (WinFE 10).

WinFE 10

Using Colin Ramsden’s build of WinFE 10, you have the new capability to image ARM devices. He also completely updated his write protect tool, and his build method also includes a new forensic imaging tool that works in ARM. That is 100% cool.

For the build download of Colin’s new WinFE, check out Colin’s website, https://www.winfe.net/.


WinFE Resources

WinFE Documentation

Ultimate Cheats! Windows Forensic Environment (https://www.amazon.com/Ultimate-Cheats-Windows-Forensic-Environment/dp/1790322782). Covers all-things-WinFE and is a good reference to building all versions of WinFE, from the first version to the current WinFE 10 version.

DFIR books:  Multiple books have referenced WinFE, but few (if any) have any details on the how-to-build a WinFE.

Training

If you are in law enforcement (LE), there are a few sources of WinFE training:

  • SEARCH   https://www.search.org/get-help/training/high-tech-crime-investigations/instructor-led-training/windows-forensic-environment/
  • RCFL   https://www.rcfl.gov/orange-county/training-schedule/secure-techniques-for-on-site-preview-stop-nw3c
  • Others: as part of FLETC, IACIS, short conference presentations, and more.

For non-LE, training is even scarcer, but you may find WinFE incorporated in some college-level forensic programs.

An online WinFE course that includes printable proof of completion is available as part of a Patreon subscription at https://www.patreon.com/DFIRtraining. The work-at-home/stay-at-home special of 60% off is ongoing and includes other courses too. The curriculum of the online course can be seen at: http://courses.dfironlinetraining.com/windows-forensic-environment-winfe.

The future of WinFE

Until/unless a day comes when devices cannot be booted forensically, WinFE will continue to be a useful tool in your DFIR toolbox. WinFE has been around for over a decade, used to acquire evidence in both civil and criminal cases worldwide, taught everywhere, noted as a community accepted forensic tool in many DFIR books, and is awesome as an acquisition tool!

 

 

 

Tags: winfe
Recent Comments
Guest — Jeff E.
Hi Brett, Wondering if there is a way to add dot net framework to a Mini WinFE build?
Friday, 24 April 2020 11:31
Brett Shavers
There is, but it is not easy. I remember seeing a Winbuilder script at one point, but do not know if it worked. Microsoft says i...
Friday, 24 April 2020 12:02

JAN 18

Eat your broccoli first

Posted by Brett Shavers
in  Digital Forensics

Something good and something not-so-good on learning DFIR

The good thing about learning DFIR is that there are probably fewer barriers and obstacles to learn and gain skills in this career than most any other professional career.

*  Resources are plentiful (such as thousands of websites, hundreds of books, colleges, trade schools, etc.)

*  Skills (aka: competence) are generally more important than pieces of paper (i.e.: certifications)

*  The DFIR field is segmented into many specific jobs (at least one surely fits you best!)

The not-so-good thing is the time and effort needed. Plus, it is scary because the time, effort, and money involved are a virtual unknown when you start out. Then again, anything worthwhile is worth the effort and time. The time and effort needed is actually the most common obstacle everyone faces getting into the DFIR field. Keep in mind that no matter which path in DFIR you embark on, you have a lot of barrels to jump over and they just keep coming. Sometimes it seems that there are so many that you feel you will never make it. Everyone gets frustrated. Many give up. Some keep going (this is you).

Let’s get something out the way first

In this game of getting into DFIR, or growing your skills in DFIR, everyone has to jump over the same barrels, meaning there are subjects and skills that you must learn, just like everyone else. No one has a shortcut to reach the end. (PS: there is no end to what you need to learn to stay relevant and current.) There is one tip that I found to work for me that might work for you. By the way, I am far from perfect, far from the smartest, and far from the best. It feels like I have to work twice as hard as everyone else, but I realize that everyone has to work hard regardless of who you are or what your background experience may be.

First things first.

Keeping your DFIR skills up is no easier than it is to get the skills in the first place. We each know that because we know how difficult it is to get started. We are reminded of this sometimes-painful trek into DFIR each time we hear the question asked, “How do I get started?”.

As for me, as it applies to anything that I wanted to learn, the first lesson I learned still applies today as it did the first time I really wanted to learn. That lesson is:

Eat your broccoli first.

Translated, this means to first do the things that you don’t want to do but you know have to get done. Get it over with as quick as possible. Push yourself through it. Your desire to only do what you want to do and not do what you don’t want to do is not only irrelevant, it is counterproductive.  But how does that apply in the DFIR world?

The broccoli

If you love broccoli, then broccoli is a bad analogy. But I think you see my point. I am not the biggest fan of broccoli, so when it is on my plate, I eat it first, because I don’t like it. I like the health benefits, but not the broccoli itself.  But I know by eating it first, I won’t have to suffer eating it later when it is cold and staring me in the face for 20 minutes after I finished eating my steak. To be fair, by eating my broccoli first for years, I now like it.

In DFIR, we have lots of ‘broccoli’ to eat. Hexadecimal may be one for you (unless you like hex from the beginning). Basic computer repair (A+) for another.  Network topology may be another one for you. And the list goes on. The things that are not exciting, but necessary to do the DFIR work, must be learned, otherwise, they will stare at you later as you regret not mastering these topics first.

Luckily, in the broad category of DFIR, you can avoid much of what you might not like if you choose your job carefully. I doubt you can avoid the broccoli altogether, but you can minimize quite a bit by avoiding the types of jobs that require learning what you don’t want to learn. But generally, across the board, there are quite a few topics in DFIR that everyone should know. Some of the topics fall into the “must know” category. Other topics are specific to the particular type of job within the broad category of DFIR.

The way I handle the topics that bore me, or that I don’t initially think to be important, is to make those topics a priority. Learn them. Become competent enough, and then move onto the things that I want to do. Otherwise, if you skip over the basics or the boring things, the day will come when you will suffer at having not done the first things first.

Programming (your brain)

For me, at this stage of life and work, I actually like the boring topics, because I have seen where a basic fundamental aspect of DFIR will cinch a case shut. Many in the field skip the basics and that is where the big failures come. I have also seen some turn a “basic” forensic thing into a whole new world of how to do forensics.

Let me reiterate

*  There is no free lunch.

*  You cannot fake competence (for long).

*  You can’t buy competence.

*  You can’t buy experience.

*  You can’t buy knowledge.

* You can’t buy determination.

*  You can’t buy dedication.

*  There are no shortcuts.

 

I screwed up

If I don’t catch myself making an error somewhere at some point, that means I am missing my mistakes. We all make them because we are human. The people who claim to never have made a mistake, or an oversight, or any fragment of an error only fool themselves.

The path to learning DFIR, whether new to the field or in it for decades, resembles the act of shopping for a car.  Or dishes.  Or groceries.  Or a computer. No matter which thing you choose to buy at the time, eventually you discover that you should have bought something different or at a different place for a better price. That is the way it works buying things and the way it works learning things. Some of the things work out. Some were not the best idea. But sometimes you need to have your path diverted intentionally, inadvertently, or unknowingly in order to get where you need to be.

Some of my greatest hits of learning DFIR screwups

*  Studied like crazy for a cert and failed just as crazily. Then failed again. I even failed a third time. Just call me rock.

*  Not studied at all for a cert due to overconfidence (arrogance, probably) and failed just as miserably. Twice.

*  Paid for certs that did absolutely nothing for me because 'everyone' says you need these.

*  Refused to get a specific cert out of spite even though it probably would have helped me get hired.

*  Renewed same certs…for no good reasons other than acronyms to put on a CV.

*  Paid for membership in “high tech” orgs that provided nothing more than a certificate of membership.

*  Paid for a cert that required no test, no exam, nothing. Too embarrassed to ever write that one on my CV.

*  Paid for an expensive course that was WAAAAYYYY above my level at the time. Gained practically nothing in the course.

*  Paid for an expensive course that was WAAAAAYYY below my level at the time. Also, gained practically nothing in the course.

*  Bought expensive software and hardware that I didn’t need, but everyone said that I did.

*  Didn't buy expensive software and hardware that I knew I needed, but wrongly assumed that I could use other software and hardware.

*  Not listened to advice from experienced mentors.

*  Listened to advice from experienced mentors (sometimes it works, sometimes it doesn’t…)

*  Took on cases that I ‘assumed’ I could handle, resulting in hiring people who could actually handle the cases that I assumed I could do.

*  Take the above listed items, multiply by a factor of 4, maybe 5 or 6, and that's my life in learning DFIR.

 

But with that, a few neat things happened along the path..

*  Hired to teach forensics at a university that rejected me as a student several years prior.

*  Hired to teach forensics to a federal agency (same agency that also didn’t hire me when I applied…).

*  Turned down a request to apply to that same federal agency that didn’t hire me (life had changed in a different & better direction).

*  Taught forensics to a packed room of PhDs who teach forensics, yet never did forensics, but wanted to learn forensics!

*  Met some of the smartest people in the world in this field, and most all have been great people!

*  Worked some of the most amazing types of cases with incredible government agencies and law firms from class action litigation to the “T” type cases (if you worked in an alphabet agency, you probably know what I mean by T…….. case).

Perceptions change

Here is how I initially looked at everyone who was working in DFIR (even before ‘DFIR’ was coined);

Wow. They are so lucky. They had all the opportunities. They must all be geniuses. They must have had it so easy their entire life. I am so unlucky compared to them. Life is so unfair. I have to work so much harder to get where they are at. They are younger than me (or older), taller (or shorter) than me. You name it, I thought it. I feel pretty stupid thinking today about what I was thinking about all the DFIR folks at that time...

Here is how I look at them now;

They had to have worked hard. They had to have had amazing obstacles to overcome. They most likely had personal issues to handle at the same time as learning this work. They struggled like me. They most certainly are determined. They most certainly know that you have to put in the work. They are definitely still learning. They surely know that they don't know everything and never will. They all had different paths, and every path had its own obstacles and challenges. They also know to eat the broccoli first.



© 2022 Brett Shavers