Brett Shavers | Ramblings

Brett's Ramblings

FEB 09

I lived a double life.

Posted by Brett Shavers
in  Digital Forensics

I lived a double life for a decade. I have now been away from that life for more than a decade and feel (a little) more comfortable talking about it.

Not long after I left military service, I went to work as a patrol officer in a suburb of Seattle. When I thought the best years of my life were the years in the Marines with the best group of people that I ever met doing amazing things, I entered a different sort of life with more great people doing amazing things in police work.

Side note: I worked with idiots too, both in the military and police world, and in both cases, they were the ones who put my life in danger more than any criminal or enemy ever could.

Here’s my police career in a nutshell. I was in patrol for a few short years, which included riding a bicycle. Don’t laugh. Bike Patrol was AWESOME! Not being responsive to a radio allowed me to run amok around town and find some dangerous criminals, some of the worst sort. I did other things too on a part-time basis, like SWAT, use-of-force instructor, and things like that.

Then I applied to be a narcotics detective!

I didn’t get selected.  Someone else got it.

So, I waited for the next opening and applied again. This time, I got it.

That is when shit started going south, as they say.  In less than 2 years, my partner and I seized more dope than the entirety of my drug unit seized in the past 20 years.  We seized that much more cash too. And that many more cars too.  Later seizures included a semi. And a plane. And boats. All with the arrests and cases to back it up. I was doing undercover buy busts, buy walks, meet and greets, surveillance, and everything else you can imagine with “crack heads”, “cranksters”, and all sorts of dealers. I was buying kilos of cocaine, working the DEA, FBI, USSS, ATF, and other alphabet soup agencies, all while being a little city PD detective…

In two years, I was in a state task force and working bigger cases. For those who understand how teams work, this task force was in a perpetual state of “storming”, so that sucked in more ways than you can imagine. Incompetence was the norm and on no less than a dozen occasions I was in more fear of being killed by incompetence of police than the criminal organizations that I infiltrated.

Two years later, I was drafted to a federal task force that virtually took the types of cases that I had started in my state task force and turned it into a laser-focused-federal objective. I’ll get into that with more detail sooner or later. During the next years, which turned out to be my final years in law enforcement, I traveled nationally and internationally doing undercover work with outlaw motorcycle gangs, Asian organized crime, and Mexican cartels. I was running informants across the country, initiated a dozen OCDETF cases on my own that were eventually managed by DHS, ICE, FBI, DEA, and the IRS.

I worked undercover for foreign agencies, one of which, again, had not only incompetence, but corruption with the very international criminal organization that I was undercover in….

Dozens of stories of having a gun stuck in my gut, followed home, investigating high level organizations where the children of my targets were in the same classroom as my kids, nearly being shot mistakenly by police, and getting the “once you are in, you are never getting out” talk by those that I was investigating while undercover all led me to getting into digital forensics.  I figured a computer would never kill me...

My double life involved my wife and kids. Now, my wife is amazing. She was a Marine wife. An army wife. And a cop’s wife. Growing up, my kids were amazing (they are even more amazing now!). My double life had me a husband and father at home, while at “work”, a drug dealer, and an arms dealer, and a human trafficker, and a hitman, and a money launderer, and a trafficker in stolen cars, and a smuggler, and eventually, involvement in “national security-type” investigations, that involved other types of assoCIAtions.   I trained my wife and kids in reacting to danger, reacting to me being confronted in public by criminals, and other reactions that families shouldn't have to be exposed to learning.

The point of this story

After being asked more times than I remember to write these stories down, I finally decided to podcast them. I am starting with some cases a little distant to me, and only the ones where someone was convicted. There are plenty of non-convicted criminals that I investigated but never filed the cases for one reason or ten others. For them, I hope they all turned a corner and are living an honest life. Some however, I know never will.

My podcast is behind a paywall because I’m a bit of a paranoid person, and if someone wants to hear these stories…well…I’d rather keep the audience a little smaller than the entire planet.

If you are interested, I'll be on Patreon.  I'm even going to do some live video chatting to talk about things that I don't want to put down on paper or in a podcast...the cool thing about these stories is that only one is under an NDA :)

The really funny thing is that you won't be the only ones hearing these stories for the first time, because my wife and kids will be hearing them for the first time too.  Little did they know that not only could daddy help mommy with housework, but he was flying armed and partying with people who killed people for a living.

Update: Some former and current narc buddies want to write a book with me about undercover work. With that, no time for a podcast as I'll trade podcast prep time with writing time!

JAN 29

There is no censorship because I haven’t seen it.

Posted by Brett Shavers
in  Digital Forensics

Today, I posted on social media that my posts about not being censored were not censored. Obviously, the posts were not (yet) censored. But if they had been censored, no one would have ever known. That was the point of the posts.

Twitter did not #censor this tweet.

— Brett Shavers 🙄 (@Brett_Shavers) January 29, 2022

There are two major events happening world-wide that affect you directly, personally, professionally, and profoundly: 

  1. Your access to information (i.e., increased censorship)
  2. Others’ access to your information (i.e., decreased privacy)

When your access to information is blocked, banned, eliminated, or restricted, you will be uninformed. If the information that you are allowed to access has been manipulated, you will be misled. With either scenario, you have no control of what you think, regardless of what you think.

Were you manipulated in 2012?

If you were on Facebook in January 2012, you were probably one of the guinea pigs in Facebook’s experiment in manipulating you to either be happy or sad, without your knowledge or consent.  The bottom line of the experiment was that you can be manipulated through the control of information, by a private company no less….

And of course we know now just how much Facebook has mined not only our personal information, but has algorithms that predict your behavior to the point of knowing when you are going to divorce or go poop.

A little pregnant

Either you are for censorship, or you are not.  When Howard Stern says “I’m against any kind of censorship, really, you know, I really am. I don’t like censorship.  But when you are talking about life and death……,” we have a paradox. It is as if we are saying that we want censorship to prevent censorship. This is no different than banning a book that is disagreeable.

Howard Stern says Neil Young’s threat to pull music from Spotify over Joe Rogan using the platform to spread “fake information about vaccines” is not about censorship because it’s “about life or death.” pic.twitter.com/uBayuzHwaR

— The Recount (@therecount) January 26, 2022

Private is personal

Do you want someone looking through your dresser drawers? You probably have nothing illegal in your socks drawer, but if a stranger were to ask to search your dresser “just in case you have evidence of a crime”, do you want to give consent? 

Your underwear drawers are personal and private, and so should be your emails and everything else that is intimate and personal to you that you don’t want to share with a private company, the government, or your neighbors.

We are ‘a little pregnant’ with this one, too. We waive our privacy in so many ways for a ‘free’ benefit of using a service that eventually there is nothing private anymore.

The future

Imagine if a corporation wanted you to buy their product that you really didn’t want to buy in the first place. With effective and targeted marketing designed to personally manipulate you with information mined from your life, you would most likely be inclined to pay whatever the price for that product, and even stand in line for hours for it. This could be described as “effective marketing” but the more accurate definition would be “manipulated” through invasive, yet covert means, using your private and personal information.

Now imagine if your country wanted to go to war for reasons that were not for true national security. If a corrupt government controlled all the information that you see, then given that so much of your personality and behavior is known (like your most intimate and personal belief systems), it could manipulate information to make you feel a certain way. You won’t see censorship. You won’t be aware of your mood being manipulated. You will believe what you are led to believe.

What then would be the odds that your country would go to war with you waving the flag in one hand and carrying a $1200 iPhone in your other hand?

 

 

JAN 13

There are Only Two things That set you Apart from Another DFIR Practitioner

Posted by Brett Shavers
in  Digital Forensics

Two things that set you apart from other practitioners are (1) what you know and (2) what you can do. In this litigious world where courts (and corporations regarding internal matters) rule on evidence, the rulings are usually based on a “person.” By this, I mean that the ruling body, whether a court or a corporation, makes its decision by trusting a person: trusting that what that person said or did was true and relevant to the case at hand.

Disclaimer! 

I have personally witnessed where ruling bodies (legal or corporate) made decisions that were completely unexpected! I’ve seen where an expert opinion would have made a huge difference in a case, but a judge ruled that an expert opinion is not necessary. There are cases where a witness will be disallowed because the witness simply asked to be excused from testifying because they were “too busy” or “too important” to testify. I have seen “conflicting testimony” that could otherwise be called bold-faced lying (perjury under oath!) without any consequence. In other words, you might be the best, but might not be allowed to be the best.

Don’t hinge everything on my disclaimer applying 100% of the time. You can only be sure to keep doing what you should be doing in your preparation of laying down facts and opinions when called upon.  One way to look at this is that DFIR work is a competition.  Your peers will judge your work. Your organization will judge your work. A judicial body will judge your work. And your opposing expert will judge your work. The better you get, the more judgmental people become, and the more you need to be prepared.

The most important thing to know

Only you will document you the way you need to be documented because only you will be putting words that you say and write on the record.

Document what, exactly?

This is not about your resume, and this is not about your CV.  This is about creating and maintaining your record of what you know.  Here are 10 tips to get it right, save you time, prevent unnecessary stress, and stand apart from other DFIR practitioners.

Write it down

If you don’t write it down, it didn’t happen. This simply means that if there is no evidence to support that it ever happened, then for practical purposes, it never happened. That includes documenting the course you completed last week and the one you completed five years ago. Many courses do not provide a certificate of training, for reasons that are beyond me. At least with a certificate of completion, you have a record of the training you completed.

What can you do if you are not provided a record?  First off, consider that there is a record, whether that be an email confirmation, enrollment sheet, or canceled check. Something exists to document that training.  Use the information from that documentation to ‘write down’ your course.

Corroborate it

If you have a cert, keep it!  No cert? How about an email confirmation?  Maybe send an email to the vendor and ask for an email that states the course was successfully completed.  Consider that if you can’t prove it, who will believe it when challenged?

Update it

Keep adding everything relevant to your training record. Everything. Make it a habit to update. It is far too easy to go through a lot of training, education, and experience and plan to update later, only to forget the details.

Validate it

If you were taught something, keep the practice, at least some of it. Keep your notes and practice. You can easily scan to PDF entire student manuals for archival purposes. If you take great notes and are ever challenged, those notes will validate that you were exposed to information and validated it with practice, exams, tests, and notes.

Make it Detailed

It is one thing to say you attended Course 123 sometime in the year 2018 and quite another to say Course 123, 32 hours in length, in Washington D.C., with dates of 3/3/2018 through 3/6/2018, presented by Vendor A, instructed by Instructors B and C and the course covered topics 1-9.

Make it Accurate

The last thing you need to do is embellish. There is rarely any DFIR course that by itself doesn't speak volumes more than embellishing could. If the course was 5 days and listed at 40 hours, then that is what to document. 40 hours, not 60 hours unless it was 60 and you can show it.

Don’t treat it like a resume

Your training documentation is for you to see.  It is not a resume or CV.  This is your record as a source for your resume, CV, or statement of qualifications. Sure, you can offer it as your training record to support expert qualifications or when asked by a client, but typically, this is your official training record.  Treat it as such.

Don’t rely on your organization to do it (correctly)

Your organization might keep decent training and education records, but if you are going to rely on someone else keeping track, you are doing it wrong.  It is actually the other way around. You use your records to make sure that your organization is keeping track accurately and appropriately. Plus, there will be items in your personal record that won’t need to be in your organization's records.

Use it as a reference

When you write a report and have already documented research on what you are reporting on, refer to your training/education record.  You will have the dates and details of what you’ve done for easy reference.

Include your research (workflows, innovative processes, software, scripts, blog posts, presentations given, courses, workshops, conferences, books read, books written)

Your practice counts.  Your study counts. Your homework counts. If you read a DFIR book, document it.  All of them.  If you take a course online, document it. Almost as important as taking a course is noting who taught it. The perceived value (quality?) of a course is directly related to the vendor and/or the named instructor of that course.  An anonymous presenter of a DFIR subject on YouTube will have a much lower perceived quality view than a topic presented by a well-known vendor or well-known named expert.

Something as simple as a spreadsheet to keep track of your training will save you grief in putting together a CV for court, or a resume for a job, or listing qualifications on a report.  Keep in mind that the important points to track are:

  • Name of course/book/class/conference/etc…
  • Presenter/author name
  • Vendor/company/organization sponsoring or presenting
  • Date(s) attended or date published
  • Hours completed
  • Cert received if applicable
  • URL if a YouTube video or video series
  • Brief of topic/s
  • Anything else of relevance that could be useful to remember later

Of the two things that will differentiate you from another practitioner, this one is the easiest because you just have to document everything to show what you (should) know. For the other thing…you have to show what you are doing based on your actual work.

These are the two things to get you that .5% edge that will set you apart from everyone else.

 



© 2023 Brett Shavers