I was asked an age-old question via a Twitter DM today:

"Should I pull the plug or image live?"

I thought this was a rhetorical or 'homework' question, because how would I know?  I gave a short answer of it depends on this and that, assuming that the question was being asked generally. But then,

....he messaged that he was standing in front of a machine, onsite, and was wondering which was best...oh my..

Some of the problems

I sincerely did not know which was best because:

(a) I was not there,

(b) I was not part of the planning process,

(c) I have no idea of the case/data objectives, and

(d) I have no idea of the machine configuration.

Apparently, this forensics company had no plan other than to meet onsite and image whatever computers were there...

Some solutions

My only and best answer ended up being:

(a) Make a reasonable decision for today and

(b) Make a plan next time.

The forensic process begins before processing forensics begins

We hear all the time about making plans before starting work. "Work" can be a highly critical military mission or just driving to the office. Both require a plan. The highly critical military mission will have many more details and require more time to prepare than simply driving to work, but both require planning. If you think that driving to work doesn't require planning, then I would assume that you are continually late to work.

If we visualize what "forensic processing" is, we tend to think of things like indexing, running Python scripts, filtering data, and carving data. Rarely do we think of planning as part of forensic processing, yet planning should be considered the number one top tier aspect of every DFIR "operation". Before starting any process on data, you need to make a plan, regardless of your evidence being a 1MB file or 1PB of storage on dozens of devices.

No plan survives first contact

Few things go perfectly as planned, no matter how much time and effort you put into the plan. You would be mistaken to take that to mean planning is a waste of time. It simply means that you cannot plan for absolutely everything, but you can plan for many things, and for those things that were unforeseen, you will handle them on the spot. Having a plan gives you more time to make decisions. More time to think means less chance of rash, uninformed, misinformed, or ignorant decisions.

So the next time my Twitter DM buddy goes onsite, he will have a plan on how to approach devices. Even if the plan is to dead box image everything (ie: pull the plug), having a plan for devices where pulling the plug is impossible or unreasonable (encryption, etc..), can be made beforehand. This reduces time to preserve data, decreases risk of data destruction, and increases success in collecting all targeted data.

No. I am not just talking about pulling the plug

There is not a time that I touch evidence without a plan unless the evidence is unexpectedly placed in my hands. This goes way back to working a district as a police officer. If I saw evidence, I would have some plan of how to (1) identify and preserve the evidence and (2) how to collect it before touching it. Sometimes this would take half a second and on occasion, it would take hours. The same applies to electronic evidence. Do not process it without a plan.

Case failures

Cases can fail by no fault of your own. And they can fail specifically and spectacularly because of you. Personally, I'd like to take myself out of the failure equation with planning and then use the gifts of planning to address the unforeseen circumstances.

Plan for the known to give you more time to handle the unknown.

Practical Benefits

In case none of this makes sense or means much to you, here is the practical aspect to take to the bank: If you were to spend 30 minutes planning your DFIR work (collection or analysis or presentation or etc...), you can save days or weeks over the life of that one case.  DAYS OR WEEKS by spending MINUTES to plan. ON EVERY CASE. Have you ever wondered why a coworker can plow through case after case, doing great work while you might be struggling to keep your head above water? hint...it is not because of being better skilled...

If you are overwhelmed with work (who isn't?), you can mitigate a good portion of that caseload with proper planning. I have seen investigators drowning in a heavy caseload for the sole reason of failing to plan anything on any case. At some point, it is obvious that an investigator is the bottleneck in cases being late or unfinished because the investigator, or analyst, chooses to not plan.

Side note: I asked permission to blog about this from the person who DM'd me with a promise of not disclosing the name of the person or company.  I think it important to share past errors to reduce future errrors.

We are of a curious mind, we the forensic examiners, private investigators, OSINT professionals, and journalists. Our work is for the public good, and we are skilled in the effective wielding of the most powerful weapon on the planet: INFORMATION!

We are experts in searching for it. Experts in interpreting it. Experts in sharing it. Experts in creating it. Sometimes, we are completely inept, or even malicious in handling it and totally screw up.

Ethics matter

Ethical behavior not only keeps your reputation solid but also keeps you from being sued or jailed. The cancel culture falls into a category of ethics, where if an infosec professional engages in canceling a person on the Internet, they are (in my opinion), the epitome of being unethical by wrongfully turning legitimate OSINT into the Baseball Bat of Internet Mob Justice. Ethics matter. The truth matters.

A recent example. Welcome to 2021.

Refer to the story for details (https://patch.com/illinois/chicago/trolls-wrongly-accused-retired-firefighter-capitol-riot-murder). In brief, an unidentified person (Figure 1) suspected of murder was misidentified (Figure 2). The identification was based on a posted image of the actual suspect in which OSINT was most certainly used to find a similar image online. The OSINT worked to find a similar image, but the verification of the match by the finder failed as did the action taken afterward. Rather than forward to law enforcement to verify, an Internet mob piled on an innocent person.

Could it get any worse? Sure. Once you blindly jump feet first into a rabbit hole, everything you come across that you believe to be true will become collateral damage. Even in this example, the innocent son of an innocent victim gets drawn into the wrong accusations. This may not seem to be a big deal, but the careers and reputations can be permanently damaged. Friendships, family, promotions, and even careers can be lost on a false allegation! It is so so easy to prove yourself correct if you are hellbound to do so, even when everything that you find is false but perceived in a way to support your belief.

An older example. Back to 1996

An older example from 1996 is the Richard Jewell case. Refer to the story for more details https://en.wikipedia.org/wiki/Richard_Jewell. Again, this was another misidentification, and Internet pile up that resulted in an innocent person’s life is forever turned upside down. This one was so bad that a movie was made out of the story. There are plenty of other misidentifications that you can find online or unluckily be involved in. Misidentification is not new. Law enforcement has had its fair share of accusing and arresting the wrong people for the same reason that Internet mobs have made: failure to verify and corroborate.

Did I somehow forget that I dated Nicole Brown Simpson?

Part of my incredible year of 2020 was getting a phone call from a reporter. I get calls from reporters on occasion, but this one was totally different. The reporter asked if I wanted to give him a statement before he printed an article about me having an affair with Nicole Brown Simpson in 1993.

First off, this didn’t happen. My shock was how could I be accused of something that I didn’t do by a nationally recognized reporter? Second, I immediately had visions of being splashed across the Internet of having an affair with OJ Simpson’s wife! My wife would not be pleased….

The details on this story, as told to me by the National Enquirer reporter was that he was holding photos of me arm-in-arm with Nicole Simpson in Cancun or Cabo San Lucus (I forgot which he said) in 1993. I told him that he has the wrong “Brett Shavers” but his response was that his ‘database’ was correct. I suggested that he not print the story because it is false, but if he did print it, to let me know because I’ll see what crazy mileage I can get out of it, mostly to write a blog post about it.

Then it got a little weirder. I told the reporter that I was in my first year of patrol in a police department during that time and I probably wrote a ticket or made an arrest on the alleged date of the photo, didn’t take any vacation that year, and married (my wife would certainly know if I flew off to Mexico without her and our kids!).

The reporter’s first reaction: “So you’re telling me that law enforcement was involved in her murder?!?”

So now you have a reporter who accused the wrong person and immediately created a conspiracy that law enforcement was involved in a murder and ready to write a story about that.

All I said was that he needed to check his sources and verify and that if he printed the story, I’d prove it false and go from there. By mere coincidence, I had a dated photo of me from a local newspaper from that time frame. I emailed it to the reporter and I think the reporter accepted that I looked much different from the person in the photo that he had. The more I think about it, that probably means that the guy with Nicole Simpson was better looking than me....

The point of this story is that anyone can be falsely accused by anyone for anything, and once the Internet dogs of war have been released, irreparable damage will occur. On top of that, this reporter was so dead set that I was the Brett Shavers that dated Nicole Brown Simpson, that he immediately jumped to a conclusion that since I was in law enforcement at the time, that law enforcement must be involved in her murder!  I do credit the National Enquirer for actually double-checking and finding out that they had the wrong person. Of course, if they printed their photo, my photo (backed by a local newspaper) would prove it to be false. Still...don't do this!

Unleashing the Internet dogs of war!

One thing about mob rule is the lack of personal, moral, and legal responsibility. It is quite easy to create a passionate stir, lead a group of people to the edge, incite emotion, and nudge the group over the edge into an all-out attack while at the very same time, avoid responsibility for causing it, especially if done anonymously. This is not ethical.  The Baseball Bat of Internet Mob Justice does not stop. It does not think. It grows and beats the victim until nothing of substance is left.

The anonymous and double-anonymous complaints

Here is something that happens commonly on the Internet:  “I will not name this person, but they are (name a group that this person belongs to) and they did (name the social norm violation).”

This type of accusation demonizes an entire group of people for committing some violation of a social norm, and now everyone in that group is now suspect. Any person speaking up in that group will then call attention to themselves and be misidentified as the violator. Additionally, it doesn’t solve any problem and most importantly, the claim cannot be verified or disproven.

This is not justice in any sense of the word. Quite the opposite and worse when the complaint is anonymous. Even if the offender is identified but the complainant is anonymous, the offender has no way to face their accuser. Yes, I know the Internet is not a court of law, but as we all know, the court of social media is sometimes harsher than any court of law ever could be.

How does any of this apply to us?

The Digital Forensics/Incident Response field is primarily investigative in nature and as such (1) be aware of your personal biases and beliefs, and (2) take measures to keep your personal biases in check. It is far too simple to let an internal bias affect your judgment, which affects your investigative/analysis plan, and ultimately affects your conclusions.

Society does not need a law enforcement officer who has a bias against any specific or general group of people, as that bias will negatively affect the community at large and wrongfully targeted individuals.

Society also does not need unethical people who work in ethical fields to wrongly accuse others because of internal biases, beliefs, or false conclusions to what they believe to be true. Any one of us can go down rabbit holes of “investigating” someone or some event and lead ourselves down the wrong path because of preconceived beliefs, failure to verify information, and a determined mindset to prove ourselves right rather than find the truth.

Professionalism in this field requires us to be professionals to be trusted and have our word to be trusted. That doesn’t mean a stiff personality, lack of humor, no personal opinions, or being impassionate. But it does mean being fair and impartial, and also maintaining the appearance of being fair and impartial.

Best investigative method to prevent this from happening to you

Follow the evidence. Disprove that which is false. Prove that which is true. Confirm, verify, corroborate.

In my law enforcement career, I have seen a few examples where investigators did not do this. In one example, a search warrant was served on an innocent family’s home. The warrant was served by SWAT (I was not on the team at that time), but SWAT was innocent. They only served the warrant as written by the case investigator and signed by the judge. The investigator failed at the most basic task of verifying an address. The address on paper wasn't even close to the physical address. I’ve seen this almost happen in another warrant service, but fortunately, I was aware of the real address and stopped the warrant from being served while the team was AT THE FRONT DOOR! Again, this was an instance of not verifying information.

In every instance (there are more!), verification was not done. Investigators had a belief and followed only the evidence that supported their belief. When an investigator does that, every single time they will prove their beliefs to be right, when factually, they were wrong. This never ends well.

All of us are prone to making mistakes with assumptions. Unfortunately, there is not much accountability when this happens with Internet allegations. Reporters may falsely accuse someone, ruin the person’s life, and the only accountability is publishing a correction article. On the Internet, people delete their posts and walk away without care that the Internet remembers forever.

On the Internet, accusations can be made, even anonymously, spread through the Internet like a virus, and even if proven to be false, no accountability to the accuser when destroying someone’s life. We need to be better than that, and if any of us falter, others should take the care to gently remind to take a step back, breathe, and verify before releasing the dogs of war online.

**side note**

I was "OSINTing" the reporter while on the phone and verified his name, number, email, and other information.

Who really reads the Terms of Service anyway?

Are EULAs and TOSs intentionally designed as multi-page, single-spaced, 4 font, legalized writing to confuse users or simply to dissuade users from reading past the first paragraph?

A few highlights from Instagram

Translated: All your content is ours. We do with it as we wish.

Opinion: You create it, Instagram/Facebook will make money off of it with no compensation to you. This is the model of how “free stuff on the Internet” works.

Translated: We have access to your camera, I mean “Instagram’s” camera.

Opinion:  They haz your phone camera.

Translated: Instagram keeps track of everything that you do on their platform, including the use of their camera.

Opinion: Sure. I get it. But this would be like a car rental company keeping track of every place you drove the car that you rented. Car rental companies probably do that too…

Translated: Instagram collects data about you even when you don’t provide it.

Opinion: Do they mean private messages too? Sure. Why not.

Translated: We gonna map out your network.

Opinion: Yikes!

Translated: Everything. We take everything.

Opinion: For the love of all that is good and holy! This looks like a digital forensics examination (and I mean “digital exam” as a “digital prostate exam”.

Translated: In case you didn’t get it earlier, we take everything, even that which is not on our platform.

Opinion: Instagram/Facebook is a third-party data collector that takes your data from another third-party data collector which probably takes your data from another third-party data collector. All to be curated ultimately by Facebook/Instagram. You don’t even need to have a Facebook account!

Translated: We know what is best for you. This might because we know everything about you or because we want you to behave a certain way and believe in what we want you to believe in.

Opinion: When you want to see a movie, you might want to ask a friend or read reviews, but you don’t have to. You can simply choose to see or not see a movie. Facebook/Instagram requires that you agree to be pushed toward groups that they want you to join. Kinda like getting jumped into a gang that you didn’t think you wanted to do, but got pushed into it by the local gang bangers.

Translated: We know everywhere you been, exactly where you are now, and can accurately predict where you will be going next.

Opinion: This is life on IoT and our addiction to “smart” devices. And we must agree to it in order to use ‘free’ services.

Translated: Ha! We haz your biometric data too!

Opinion: Facial recognition is one of the security features that we have to give up, but is something that we can’t change like a password.

Translated: Not only do we see what you search for, but we keep that, just in case…

Opinion:  Forensic peeps know this. Anything you type online is there for everyone to see, even those you don’t want to see it, potentially forever.

Translated: We not only take, curate, analyze, and store your information indefinitely, but we will share it around the world to our “partners”.

Opinion: Who are the “partners” and WHY DO THIS?!?

Summary

Free is not free.

Social media platforms are like leopards stalking dinner. You don’t see the leopard. You don’t think anything about it. And you don’t care that tidbits of your Internet activity are being analyzed by humans, ML, and AI. By the time you realize how much private data is gone, it is too late to much about it. Presumably, this is all for a profit motive, in which you make none. Worst case scenario is a nation-state obtaining this immense data. But that would never happen..

update: This from Twitter, best visual of EULAs that I have ever seen.

https://t.co/uYXup8iEdE

— #StopTheStupid! Goat (@bill_e_ghote) December 26, 2020