We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown! Whether you were born or have been doing DFIR work during this period, there has been much going on.
We’ve gone from “pull the plug and image the entire drive” to “fit the process to the totality of the situation”. Processes and methods have grown exponentially in what we keep learning about digital forensics. Whether we are triaging terabytes of data prior to collection or doing live examinations involving volatile memory, the field has grown quickly over the past two decades compared to simply imaging hard drives (which we still do of course).
Let’s fly over just some of the highlights of only a few of the areas. Keep in mind that there is so much that has happened, that I only selected a few of the major highlights to emphasize the growth and changes.
Books
The number of books in a certain field is generally a good indication of that field’s growth and development. The digital forensics field of books is no different.
2001 Warren Kruse tested the waters with Handbook of Computer Crime Investigation.
2007 Harlan Carvey waded in with Windows Forensics Analysis (the FIRST edition).
2010 Into the second decade, many others jumped in headfirst writing books (including me!).
2019 Before the end of the second decade of the 2000s, we had amazing flood of great books on practically every topic and sub-topic in the DFIR world, in the form of ebooks, print books, guidebooks, and textbooks. There is almost no book that you cannot find that focuses on a specific subtopic of DFIR.
Software
The forensic software that started in the last two decades is incredible. Practically anything in use today has only been around for less than 20 years, with not too many choices in the beginning of the century. Many of these tools used today have only been around for less than 10 years!
2000 Computer forensics was mostly DOS based, command-line tools, like those from NTI and Maresware !
2002 Belkasoft opens its door with a forensic suite and continues to grow!
2003 You could buy Accessdata’s FTK (version 1) for $795!
2004 Encase version 4, and it was about $2500!
2004 X-Ways Forensics was born from WinHex (and was less than $350!).
2008 Troy Larson developed the Windows Forensic Environment ( WinFE ) and it remains free today.
2011 Magnet Forensics sprouted from a small forensic tool (Internet Evidence Finder) and company (JADSoftware) into a full-fledged forensic company.
2019 Over a thousand shareware, freeware, open source, and commercial DFIR tools available today, with most of them listed on DFIR Training . Developers are creating and releasing forensic tools on an astronomical basis, like Eric Zimmerman ’s constant showering of amazing forensic applications!
Degrees & Certifications
From having no degrees in “digital forensics” to being able to choose from any level of degree in Cybersecurity, Digital Forensics, etc… across the globe. We’ve also created more “cyber/DFIR” certifications than any one person could ever hope to earn in a single lifetime.
2004 The University of Washington launched a computer forensics certificate program.
2019 Practically every major university and college offers now one or more degrees in cybersecurity, digital forensics, network forensics, cyber security management, and security. Many are listed here: https://www.dfir.training/educational-map
Law enforcement & Military
Sure, there were some forensic cases in the 80s and 90s, but the forensic investigation world didn’t really pick up in law enforcement until this century. Where digital forensics in criminal cases was the outlier before, it has been a central focus now for many investigations.
2000 FBI creates Regional Computer Forensic Laboratories.
2009 The United States Cyber Command was created! The military branches each created their own cyber units under the US Cyber Command!
2019 Virtually every federal, state, and local law enforcement agency adds digital forensics processes to cases involving electronic evidence (whether conducted in-house, by cooperating agencies, or contracting work to private analysts). Rarely does any case not consider electronic evidence as part of the investigation process.
Famous cases
2000 Michelle Theer: E-mails documented a conspiracy to murder her husband
2002 Scott Tyree: Kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. Case solved via a Yahoo screen name and IP address.
2003 Zubulake v. UBS Warburg: This case set the stage for electronic discovery cases!
2005 Dennis Rader , the "BTK" Serial Killer: Case broke by the metadata of a deleted Microsoft Word document on a floppy disk! Software used: Encase!
2011 Capture of Bin Laden: Who knows what intelligence came out of all the collected electronic evidence items (10 hard drives, 5 computers, and over a hundred storage devices) from the Bin Laden operation? Certainly something!
2019 Digital forensics has solved more cases than ever before, sometimes being the only evidence in a crime. It may be fair to say that more crimes are solved in 2019 that have been solved in the entire first decade of this century.
Malware and Ransomware
Cybercrime is regular crime on nitrous. Where one criminal can physically only victimize one or a few people in real life, connected computers and devices make it easy for one criminal to remotely victimize hundreds or millions of people. The past two decades proves this to be true much more than ever before.
2004 Virus.Win32.Gpcode: Early type ransomware that scanned and encrypted a user’s documents, and then deleted the original files. Had a short life due to being easy to detect and crack.
2011 Trojan WinLock: Locked users out of their Windows computers until they called a scam line that racked up a large phone bill to ‘reactivate’ Windows.
2017 Wannacry: Yes, this one made you want to cry. It affected hundreds of thousands of computers in dozens of countries with losses in the hundreds of millions of dollars!
2017 LeakerLocker: Not to ignore mobile devices, here is one which targeted Android devices and threatened to share the phone contents with all the user’s contacts, unless a fee was paid…
Websites
The Internet, for all its faults in facilitating cybercrime, also has been the primary means of investigators sharing information to fight cybercrime. From humble beginnings of one or two digital forensics forums to now an endless supply of websites, the DFIR Internet has grown into a worldwide force of sharing powerful weapons against crime.
2002 Forensic Focus begins! The most popular digital forensics forum is still growing strong!
2003 e-evidence.info curates a massive amount of PDFs and forensic news links. Sadly...it went offline..
2005 Forensicswiki.org opens its doors! Although it has disappeared and reappeared over the years, the wiki is back.
2016 DFIR Training lets loose with the most comprehensive list of DFIR software and grew into one of the most popular DFIR websites on the Internet curating “All Things DFIR”.
2017 AboutDFIR.com gets a website! From a Google Docs spreadsheet to a website, another resource of DFIR curated content goes online.
2019 The Internet became plush with DFIR resources with website, forums such as Reddit , Github, Slack, and Discord .
Magazines
This is one area where I have unfortunately not seen much growth….I suspect it is due to the number of online resources, but still, DFIR became important enough in these two decades to warrant magazines!
2007 The Digital Forensics Magazine (Website) goes online.
2012 eForensicsMag , another magazine focused on digital forensics.
Operating Systems
Just a high-level overview of the systems that are interrogated with DFIR processes, we have come a long way. Many of those working in DFIR judge their time in the field by the OS version that they first examined.
2000 Windows ME and Windows 2000. Oh my!
2001 Mac OS X 10.0 (Cheetah) and Windows XP.
2015 Windows 10
2019 Mac OS 10.15 (Catalina) and Windows Server 2019.
Mobile Devices
In 2001, I sat in a briefing at CRIMES in Portland, Oregon, about how cell phones would play a major a part of crime and forensics in the coming years. The speaker (from ATT?) said that he believed cell phones to be the most prevalent, most used, and most valuable pieces of criminal evidence for the next 25 years. To be honest, as looked at the Nokia in my hand, I took those words lightly. Now, I wish that I paid more attention in that briefing…
2000 The Nokia 5110. It made calls and you could play Snake on it. Forensics was not a thing with this mobile device.
2007 The iPhone was introduced. A computer in your pocket, meaning a new world of mobile forensics.
2019 Mobile devices spanning a range of operating systems, styles, designs, storage capacities, Internet connections, unlimited data, and virtually the same applications as on a consumer desktop computer are now the norm. Mobile device forensics is practically its own field in digital forensics.
Hard Drives
The storage of hard drives directly impacts a forensic analysis, as the larger the harder, the more likely it will have more data to sift through in order to find evidence. Of course, high end computers and efficient forensic software minimize this impact, but then again, massive amounts of data is still massive amounts of data.
2000 The size of most common hard drives in consumer PCs was than 50GB.
2003 Seagate produced the first serial ATA
2005 Hitachi developed the first 500GB drive
2010 When the terabyte barrier broke, for around $100 you could get a 1.5 terabyte drive.
2013 Solid state drives are out and cost less than $100 (but that’s only for about 128GB drive).
2019 You can grab an 8-terabyte HDD for less than $200.
Jobs
From practically few jobs (outside law enforcement) in 2000 to now having an entire field of DF and IR where positions are unfilled due to shortages of applicants. The degrees of specialty have gone from being simply working as a ‘computer forensic specialist’ to now being able to specialize in the field by operating system, type of device, or type of work (forensics, incident response, electronic discovery, etc…).
The next decade and beyond
My intention with this post was not just to show how amazingly the DFIR field grew in just two decades, but also that the next decade will most certainly dwarf the previous two decades in terms of new software, processes, discoveries, and information shared in books and online.
My other intention in this post is to ignite a spark in the new generation of DFIRrs (age irrelevant!) into developing these future improvements, developments, and inventions! Anyone, and I mean anyone, can change the course of direction in this field by a seemingly small piece of information or by a huge deviation in the way things have been done.
We are still in the heyday of DFIR with lots more to figure out. Fortunately, we have outstanding people in DFIR who break new ground, blaze trails, share discoveries, and help all of us move forward.
Mini-WinFE 10
Something good and something not-so-good on learning DFIR
The not-so-good thing is the time and effort needed. Plus it is scary because of the time, effort, and money involved is a virtual unknown when you start out. Then again, anything worthwhile is worth the effort and time. The time and effort needed is actually the most common obstacle that everyone faces to get into the DFIR field. Keep in mind that no matter which path in DFIR that you embark, you have a lot of barrels to jump over and they just keep coming. Sometimes, it seems that there are so many that you feel that you will never make it. Everyone gets frustrated. Many give up. Some keep going (this is you).
