Digital Forensics

JUL 31

Personality of a computer

Posted by Brett Shavers in Digital Forensics

This topic comes from a recent discussion that I had with Harlan Carvey about the registry; it is something that I touched on lightly in Placing the Suspect Behind the Keyboard. I want to expand on it here, beyond the registry, with the idea of a computer having a personality.

The bullet point

By examining multiple computers (or a single system) for computer usage and/or configuration, the owner of the computer can potentially be identified or tied to the computer.

The longer version

I am sure that each time you buy a new computer (laptop, smartphone, tablet, etc…), you spend the first minutes or hours setting it up just the way you like it. Whether it is changing the desktop background, colors, fonts, sounds, or general configuration, you make it yours. You do this every time. To every system that you have. You make it yours.

The way that anyone sets up their machine reflects their likes, dislikes, wants, needs, priorities, and general flow of system use. Generally, and most always, all the systems of one owner are set up very similarly. This is a simple observation; however, it can be a very important investigative clue when you have a system that has been disavowed by a suspect. Any computer that has been disavowed by a suspect (“That’s not my laptop!”) just might have relevant evidence on it if it does in fact belong to the suspect. But how do you prove it if there is nothing on the computer that directly names your suspect?

I have only come across this scenario once, where the analysis of one anonymous machine seized in a public space, with a suspect disavowing ownership of the machine, needed to be proven against the other machines. In most other cases the owner eventually admits possession or ownership before the case gets close to trial. For the types of cases where the suspect never claims ownership of their computer(s), this post is for you: it is about tying a computer that has no obvious relation to your suspect, but actually does belong to your suspect, to that suspect. I can tell you that it worked at least once for me; I suspect it can work for others too.

Basic and easy stuff

With multiple systems, find what is similar (not the default configurations) among all the systems. Check for the same things that you configure on your personal computers at home or work. Is the customized desktop background image the same across devices? Are the software applications the same? Sound settings? Are the computer naming conventions the same, such as naming all the systems after a movie or sports team? These are the easy and obvious things.

Given odds and statistics as they are, I cannot imagine two or more computer systems belonging to different people being customized for personal use in exactly, or nearly, the same way. Even a throwaway laptop that a suspect uses to reduce the risk of personal data being created on it will carry personal configurations that can be tied to another machine.

A little more work

The computer activity is another clue.

Programs

Which programs have been custom set to autostart? What is the Internet history? Bookmarks? Sequence of using programs? Does the user open the same programs on all machines?  Do the machines have the same programs, especially the same unique type of programs?

Network connections

Are network connections the same? Even as public WiFi is accessible by anyone, have the machines accessed the same public WiFi?

Time

Length of use for the machines? Are the times of use for the machines similar, such as being used at a certain time of day, or a certain day of the week? Is the user activity of the machines consistent with only one being used at a time, potentially indicating one user controlling the machines? Did multiple machines connect to the same WiFi on the same day or within a short time frame?

Music and video

Whether downloaded or streamed, is there indication that the same music and videos have been played, or the same genre of music and videos?

Internet

Are search terms similar or the same? Identical bookmarks? Identical visited Websites? Same browsers? Same browser customizations?

The list goes on

The amount of unique user activity that you can find on a system is potentially limitless, as each person is different. Yes, it is possible for two different people to have something similar on their respective computers. However, the odds of that decrease with each similar (but unique or customized) aspect that you can match between the systems.

This is what I call the Computer’s Personality. The user’s personality of likes and dislikes, preferences, biases, and desires eventually becomes obvious on all machines that they use on a regular basis. So when you have that one machine in a collection of machines whose owner you need to identify, take a look at the personality of all the machines and see if they match up to one owner. Sometimes it may be easy enough, other times you may have to really dig into the system, but either way, if you can match the computers to each other, all you need is to tie one of the computers to the suspect in order to tie all the computers to him.

Not to ignore non-personality clues, there are many other methods of tying a computer to a person when you have multiple systems. For example, geolocation forensics is a good method: if you can show two or more systems traveling together for any amount of time, then probably the same owner is controlling those systems. Fingerprints too. The Computer Personality is just another tool to consider when you really want to tie someone to their device and eliminate all arguments against the truth.

JUN 24

Add a Dab of Balance in your DFIR World

Posted by Brett Shavers in Digital Forensics

Jessica Hyde’s post of Giving Back in DFIR from 2018 is a great write up on contributing to the DFIR community, and I see her post being relevant for some time to come. One thing that I want to add is that of balancing our time in this line of work.

Now, I am not saying that the DF/IR/Infosec world has more stressors than other lines of work, or that one is better or worse than another. So, in that manner, this post can practically be applied to anyone in any career that builds stress.

The two things that I recommend for life-work balance are to do something for others and to do something for yourself.

Doing for others

Giving back to your job field

Jessica wrote it best, so refer to her blog post for tips on Giving Back in DFIR. Most likely, there is a local association or group that you can join, and if not, there are plenty of online associations to check out. As many are comprised of volunteers, your call to help the organization will be answered. Giving back helps the organization, the field, and in the same manner, will help you too. You improve your skills a little by sharing them with others.

Giving back to something that relates to you, but is not job related

The dab of balance that I am talking about is that of non-tech related giving: something that can balance against the time you spend in front of a monitor. If you were super excited when you first started this career, and wish to stay excited throughout, you must have some plan to balance it. Self-monitoring is paramount.

Side story: My first months as a police officer were most exciting as it was new.  At the end of every shift, I didn’t want to leave the station. I would have stayed in my district 24/7 because I really loved that job as a new officer. Luckily, experienced officers told all of us new officers to go home when the shift is done. The point was succinctly delivered and taken seriously; to not become overly involved or overly invested in a job if you intend on having long lasting satisfaction in the job. When I became one of the experienced officers, that was a point that I carried on telling the new officers: go home when your shift is done.

Giving back to something you are related to means those things you have done in the past (unrelated to your job) that you can still contribute to in a different way. For example, if you are a military veteran, do not discount the amazing work that a service organization does, which you can be part of. I’m a Marine Corps League member, and being part of Toys for Tots or helping a veteran move off the street and into a home is a feeling that can’t be reproduced anywhere else. If you were part of any organization in the past, you have a head start in getting involved in something great. Help others who can’t help themselves and you will have made the world a better place to live. That better world is your world.

Give time to an interest that you feel strongly about

I’ll admit, if I still lived in Hawaii, both my wife and I would be volunteering our time with something like NOAA Fisheries. Helping out marine life like sea turtles and dolphins is something that I find quite cool (and important!). Luckily, living in Washington (State) allows for volunteering for lots of nature projects, none having a lick to do with technology, but each making the world a better place than when I found it. Did I mention that this better world is your world?

Show support for good causes

Given that the DF/IR/Infosec field is darn near a 24/7 callout job, where we are never far from our smartphone and expected to run out the door at any given moment, time is precious. Make it a priority to spend time with your family and friends, to support them and to receive support. But when time is short and you can’t commit to volunteering for a cause, you can always show moral support for the causes that you believe in. Your support, no matter how little effort it takes, can have a great impact on someone else.

Doing for yourself

This is an easy one. Find a hobby. Any hobby. Except taking naps. Something that makes you happy. Write poems or a book. Hike. Swim. Fish. Fly. Walk. Read. Take classes. Get a degree or get another degree. Do something on a regular basis that brings life back into perspective. Change it up when you want to. Read for weeks and then hike for days, or maybe swim on a weekend and walk the next weekend. Whatever you want to do for you. Your personal time is important. Those who only do for others will eventually burn out.

Which is more important? Giving to yourself or others?

The answer is both are equally important. Giving only to one will likely result in failure in both. Take care of yourself and do something for others. The end result is that your DF/IR/Infosec job will be more satisfying, you will be more productive, and you can excel for the length of a career and beyond without burning out.

Look at it this way:

If you can do something that satisfies you, no matter what happens in your world, you can make it better for you.

If you do something for others that they can’t do for themselves, you just made the world a better place. And remember, that better world is also your world.

JUN 08

The Easy Way to Learn DFIR

Posted by Brett Shavers in Digital Forensics

Summary

There is no easy way to learn DFIR. You can stop reading from here if you want.

Longer version

Ok. Since you are still reading, you probably are the type that will drive through, over, around, or under walls to get to where you want to go. Good for you!

The perception that “everyone else” has easy access to training, education, and resources while “you” do not is just a perception. It is easy to fall into the trap that makes this seem like reality when in fact, it is far from it.

Social media reinforces that we should only show the good and the best and the positive of ourselves, in that few people talk about their personal struggles and only showcase the best parts of their lives. The DFIR marketing experience is no different. Vendors tout their wares, colleges push their programs, and those attending these programs mostly preach how great the training, education, and networking are in these venues. For the rest of the DFIR Internet, it seems like “everyone else” gets to go while “we” do not have the same opportunities.

The fact is, perception is not reality, and virtually everyone in the field of DF/IR/Infosec struggles to learn using every spare minute, any affordable resource, and every free resource available. Across the whole field, only a very small number of people can spend years in training and education while at the same time being able to work and have a life outside of work. It’s just not a realistic scenario for the vast majority.

The struggles

Do not believe that no one struggles in life except for you. Do not fall for any mental traps that you are the only person having the most difficult time in getting into the DF/IR/Infosec field. Avoid anyone and everyone who tells you that it is not your fault that you do not get what you want, but the fault of others who prevent you from learning or being hired because of what you are. The “what” of you is everything that has nothing to do with “who” you are. The what is things like age, gender, race, height, weight, or any other physical description that has nothing to do with who you are. It is the “who”, not the “what”, that makes things happen. Anyone giving you excuses or perpetuating excuses like these is keeping you down, so ignore them.

Side Note: Every client of mine cares nothing for “what” I am, only that I can solve their problems.

Stop looking at those who have “made it” with a false belief that they had it easy. That they had everything handed to them. That they must be smarter and can learn things more easily. I can promise that every single person who you think has “made it” struggled for years and still struggles in trying to keep up with the field. They struggle to balance life and work. They struggle with medical concerns (like you), home budgets (like you), family duties (like you), and even suffering in traffic (like you too!).

No one lives inside a DFIR bubble that protects from any of life’s tragedies, miseries, and mishaps. I can also promise that many of those whom you may think had it easy, probably had a much more difficult time of getting to where they are than you could ever dream, maybe even harder than where you are now.

Tip: Everyone struggles. No one is born with a silver spoon in this field, because you have to put the labor to learn it. There is no other way.

The resources

With the Internet today, you can practically learn any field that you have an interest in, with virtually no money out of pocket other than an Internet-connected computer. DF/IR/Infosec is no different. On www.dfir.training alone, there are terabytes of forensic test images, thousands of software applications (more than half are free), hundreds of white papers and templates, and more resources than you could use in a career. Other related sites provide similar resources, even places where you can post any question and have it answered by experienced practitioners within minutes of your post.

The training available today is more than I ever could have predicted when I first dipped my toes into this work. The courses available in the beginning pale in comparison to today. Where just over a decade ago the courses were basic “computer forensics” that covered a mere fraction of what we know today, courses now teach a deep dive into artifacts and systems, so that you can select specifically what you need.

Time and money

The issue of having enough time and money to learn is not new to DFIR, nor is it unique to DFIR. If you want to be an attorney at a top tier school, be prepared for the cost. If you want to be a physician, accept that there is a financial cost that is most likely more money than you have in the bank. And any field takes time. Anyone who expects this journey into DF/IR/Infosec to be 100% free or 100% paid by someone else, or that it can be learned in a few weekends (while watching Netflix on TV) will be greatly disappointed.

The reaction to high costs of education is not complaining about the difficulty or perceived unfairness, but rather figuring out your way to get what you want. Everyone has a different method to get to their destination. Everyone has different obstacles. But everyone has opportunities if you make sacrifices to take advantage of them.

Shortcuts

Let me digress a little. I am a firm believer in cheating. I define “cheating” as being innovative, creative, and imaginative. I do not use “cheating” as breaking rules, laws, agreements, or selling out a part of your reputation to get what you want.

Technology makes it easy to break laws and rules. Cracked (pirated) software/books are one of the most common things that I see among students, with the excuses that since they can’t afford the software or books, they download them from torrent sites.

Do not do this.

Or if you do, keep in mind that you will have crossed the bridge from the land of doing good to the land of doing bad. I won’t get into the moral aspects of digital property rights but will say that you cannot beat the law with excuses of “it is not stealing when you are only downloading a copy”. Try and tell that to a judge if you are questioned about being a software pirate and let’s see how far the argument goes. Your client or boss will certainly not be happy…

Best field ever

As far as support, DF/IR/Infosec folks are the best. We like to learn, teach, and share. Yes, there are always a few bad apples in any group, but overall, the folks here are great. Avoid the bad apples. Don’t even communicate with them.

The reason I believe the people in DF/IR/Infosec are great is because the work we do is for the public good. The work is about justice, fairness, and truth. Usually, only good people gravitate to the good work like this. It’s in our nature.

In the words of Troy Larson, "Be good."  I cannot think of any better words that are more important than Troy's.

Shameless plug

Here are some things you can take advantage of from www.dfir.training.

  • Find test images and challenges: https://www.dfir.training/resources/downloads/ctf-forensic-test-images
  • Find tools to work on the challenges: https://www.dfir.training/dfirtools/advanced-search
  • Find training to learn more: https://www.dfir.training/calendar
  • Join an association to network and learn: https://www.dfir.training/directory/associations
  • Find a DFIR blog with your target interest: https://www.dfir.training/dfir-blogs
  • Find a college with a DFIR program: https://www.dfir.training/directory/educational
  • Find a DFIR book: https://www.dfir.training/resources/book/library/1560/books
  • Find a template, report, or search warrant to see how others write: https://www.dfir.training/resources/downloads/forms-and-templates
  • Find any of thousands of white papers: https://www.dfir.training/resources/references/white-papers

And more. But you get the point. If you have the time, you have the resources.


The shortcut way

Granted, if you have unlimited financial resources and plenty of time, the options are “easier” in that you can sit in classes while being told the answers to DFIR problems using the most expensive software applications available today. This is the exception, not the rule for the DFIR world. In my opinion, the most expensive courses are best for when you can soak in every minute of the course because you already have a good foundation. Otherwise, your time and money will not be best spent if you don’t learn what you could have learned by being patient first. You will end up re-learning later what you should have learned in that course, which is a double waste of time and money.

How I do it

Your mileage will vary, but I plan on spending hours learning the bare basics of something that I don’t know. I can spend an entire weekend and not accomplish anything because it was hours of trying, failing, falling into rabbit holes, wrong conclusions, wrong software, errors, oversights, Internet research, and restarting virtual machine snapshots again and again to try it all again and again. Sometimes I get it right quickly, but most times I spend a lot of time to get it wrong a lot of the time.

I expect that some people learn faster than me and others learn slower. But that doesn’t really make a difference, nor do I judge myself against someone else. We are different.

A big point to make

I often get asked questions about topics that I have no idea about, because I haven’t done everything in DF/IR/Infosec. I know some things well just as I don’t know some things at all. Do not expect to learn everything, because there is no such thing as knowing everything. By the same token, do not expect others to know everything either, regardless of who they are. Anyone who claims to know everything knows nothing about knowing everything. Also, don’t look at someone sideways when they don’t know the answer to your question and you think they should know it all.

One of the many things that I learned in Marine Corps boot camp was answering questions that I didn’t know the answer to. To jog the memory of the Marines reading this, we learned through positive reinforcement that to not know an answer to a question does not mean you cannot find the answer.

“I don’t know” is totally different from “I don’t know the answer right now, but I can figure it out and get back to you.”

At the CTIN conference a few weeks ago, I spoke to someone who has been doing this work for a long time. His story, in brief, was that he spent an amazing amount of time figuring out how to pull data out of a database that he had not dealt with before. Nor could he find anyone who had dealt with the same thing either. But he did it. It took a lot of time and a lot of labor, but he did it. From what he described, this is not something you can find in a class or a book. You have to figure it out yourself. And he did, as he always does, because he knows that it takes time and effort to learn and figure things out yourself.

By the way, his work made a difference in the case, because he found a way to pull out the data in a readable format, and it was a lot of data.

I wrote a little about the theme of figuring it out yourself here: Just show me the answer

One more big point

Another reference to the CTIN conference was a presentation by Mark Spencer of Arsenal Consulting. Mark spoke about a case where he found the most relevant forensically important data in a case that 14 other experts missed. Actually, it was 14 other companies that missed what he found, which most likely means that it was more than 14 individuals that looked at the same data and everyone missed it. The case involved the wrongful incarceration of more than 700 people, including journalists.

Mark could have been the 15th company that missed the evidence, but he really dove into it, in the minute details of file analysis that I had never thought of before hearing his talk. You can believe that I look at the aspects of his work much differently in my work today.

In case you missed the point, it is that no matter who you are, you can do a great job when others do not. You do not need to work for a Fortune 50 company doing infosec to have a part in a global case that affects hundreds of people, or even millions of people. You just have to put forth the effort to learn.

Walking miles in two feet of snow to get to school

I have talked about how difficult it was years ago to get into the field because the resources were scarce. No college programs at all. None. Not a single one. The books were few and extremely generic. Conferences didn’t exist either. Vendor courses were very expensive and plainly generic. Software choices were so bad that we used hex editors.

I do not say this to mean it is easier today than it was yesterday, but that there is always some struggle or obstacle to get where you want to go. The struggles and obstacles change over time, but nonetheless, they will always exist. Where I had no college choice years back, now there are many choices, but it comes with a financial and time cost.

Want to be famous? How about wanting to do good?

Here is the neat thing about this field: find something to research that hasn’t been done before. Dive into it. Break it apart. Smash it into bits. Test your theories. Come to conclusions. Publish it. It is not unreasonable, nor impossible, to discover something really cool in this field. Most fields work this way; DFIR is no different. You do not need a PhD to do this job. You do not need a certification to be competent. If you can do the job, that is all clients and victims want.

Bonus points

You read to this point? That shows to me that you won’t take a shortcut, that you will do it right, that you will make it, and that you will be able to solve problems. Some of you will be solving problems that will affect hundreds or hundreds of millions of people. That right there is cool.

© 2022 Brett Shavers