Brett Shavers | Ramblings
Digital Forensics

APR 08

If USB flash drives were shaped like spiders, we wouldn’t have these problems

Posted by Brett Shavers
in  Digital Forensics

I hate USB drives. My first experiences with the darn things were when I was a young patrol officer and the entire police department was ‘issued’ a USB flashdrive to temporarily store our reports. In theory, we would be able to write reports on our patrol car laptops (MDCs/MDTs), store the reports on the flashdrive, and then plug into the network to upload the report. At the time, the patrol car laptops had no “Internet” connectivity, other than a data channel for running names and license plates.

In practice, those USB drives were forgotten in whichever computer the officer plugged them into. Everywhere you looked, there would be a handful of these things either plugged into workstations or lying around desks. Some had names written on them, others were just plain ol’ USB flashdrives in every color of the rainbow.

At one point, the entire network was infected with a MS Word macro virus that was spread throughout the city. I blame those USB flashdrives.

Oh yeah. None were encrypted, but they should have been, considering how many were probably lost throughout the city after inadvertently being dropped while on the street. When the real “Internet” was connected to the patrol MDCs, we could finally upload reports directly without using those malware devices.

Personally, I still hate those things. I have lost USB flashdrives before, simply because they are small and easy to lose. Any USB flashdrive that I personally have is encrypted because I KNOW that I will lose one eventually. No, make that I will always lose all of them eventually. Thank goodness for cloud storage…but that’s another story.

Today's spy story

https://abcnews.go.com/Politics/chinese-woman-mar-lago-security-controversy-expected-court/story?id=62247972

I’m not getting into why I think this spy is incompetent, because maybe she isn’t. Looking at all angles, this could be a small part of a very well executed operation where this particular operative was designed to be caught from the beginning. Perhaps to probe security or maybe as a distraction to the primary operation. Basically, this spy got caught with typical spy stuff, including a malware infected USB flashdrive.

Here's the rub: After seizing this suspicious USB flashdrive, the Secret Service plugged it into a computer. I don’t know anything about the process used or the computer that was used, but reading that the agent shut down the computer because of seeing a “very out-of-the-ordinary” event of files being installed to the computer implies that it was not the correct process…at all.

USB flashdrives are evil.

To be honest, I love finding USB flashdrives because I am a curious person. I automatically assume that malware is on every one of them that I find, and that is what I look for. If I had no intention of uncovering malware on a found USB flashdrive, I would throw it away. Unless someone’s name was on it and it could be returned, I toss them. I recommend that everyone toss them. Most likely, you won’t find the owner unless you plug in the flashdrive and fish through the files. That means exposing your machine to potentially harmful malware. Additionally, I am certain that the owner would rather have the found property tossed in the trash than have a stranger go through their personal data.

The year is 2019 and we should all know better by now. You do not need to be a “cyber” person to know that plugging ANY unknown device into a system creates a risk of compromise. Plugging an unknown USB flashdrive into your computer should be viewed as if you were taste-testing white powder that was mailed to you in a letter. You just don’t do it, because you just don’t know.

To have the Secret Service plug a USB device into their system is disappointing, because the best forensic training that I have ever received was from the Secret Service. They know their stuff. You just don't start plugging devices into a government computer system...

The lesson

If you know that USB flashdrives are dangerous, be sure to tell others when the occasion arises. Teach your kids. Teach your friends. A found USB flashdrive is garbage. Don't fall for anything that makes it enticing to plug in, because that is the point of an intentionally malware-infected USB flashdrive: to get you to plug it in.

If USB flashdrives were shaped like spiders, we would have ZERO instances of people plugging these things into their computer. https://t.co/oSMTSMAkio

— Brett Shavers 🙄 (@Brett_Shavers) April 8, 2019

As for me, I would have loved the opportunity to examine that USB flashdrive. I have a computer set aside just for that sort of thing 😊

APR 05

Working in DFIR is glamorous, but mostly only to those not working in DFIR...

Posted by Brett Shavers
in  Digital Forensics

Here is something about the DFIR career field: it is one of the most exciting, eventful, and jam-packed jobs that anyone can have. Running and gunning, saving the world, hacking into remote systems, and stopping bombs from exploding seconds before the countdown timer expires!

At least it looks that way from the outside.

But seriously, DFIR work is cool, just not in the way outsiders see it. Mostly this is because of Hollywood productions of “hackers” and “CSI” forensics. Every cool job works this way. Hollywood says so, therefore everyone’s perception is what Hollywood says it is.

One example of how this perception thing works is a recent podcast interview that I had on The Many Hats Club, which, by the way, is a pretty good podcast to keep up with. My intention and thought when asked to be on the podcast was that I would be talking about the cool forensics stuff, but I ended up talking more about police work, specifically undercover work. No complaints, as it was really fun to bring up some old stories about a few things that I have done.

It's been a while, but @notameadow has been hard at work and we have new podcast episodes for you! We had @Brett_Shavers on to talk about forensics and also finding out his past undercover work.https://t.co/MNyanCuKPR
Also available on iTunes, Spotify and other podcast apps.

— The Many Hats Club (@TheManyHatsClub) April 4, 2019

I have had this happen before, where I was hired for a class action litigation and flew out of state for trial with this team of really, really expensive lawyers. At dinner with the lawyers, no one was paying me any mind at all, until someone asked what I did “before computers”. I do credit the kindness of being asked, even though it was just courtesy. As soon as I mentioned that I worked undercover narcotics, the rest of the night was not a peep about computers, but lots of undercover stories. The class action case was not even talked about. They saw the dope work as cool and the computer work as mundane, but only because they see how the computer work (the ediscovery/forensics part anyway) is done. No big Hollywood excitement there, other than spreadsheets and file fragments.

I’ve had the same responses when asked about some of the military and SWAT assignments that I’ve had. Internally, and much like DFIR work, most days are mundane. Writing. Sitting. Waiting. Planning. Training. Training. Writing. Sitting. Meetings. Training. And then a few extreme highlights pop up, just like in DFIR work. I call these extreme highlights "fires" because that's typically the way they happen...unplanned, unexpected, and everyone running around like the world is on fire.

The point of this post

Your DFIR job really is cool. It was cool to you before you got into it, and you may not feel the exact same excitement as before you learned how to do it, but it is still cool. It is cool because it is important, and you can make an amazing difference in the outcome of a case or incident through the special things that you can do that few others can even comprehend. Never mind the stereotypical images of hoodies, flashy computer graphics, and totally unrealistic movie plots. That doesn’t matter. What matters is that you have a job that is cool enough that Hollywood wants to make movies about it and people want to talk to you about it.

So, much like military ops and undercover ops, DFIR ops are super cool too, particularly to the non-DFIR folks who ask you about your job. Talk it up when it comes up, because it is just as important as they think it is, and a career well worth the effort to fight for a spot, for those thinking about getting in. It doesn't hurt to have a job that many people know to be very important. Every bit of positive perception in your job goes toward support for you when the public and your co-workers understand that what you do is so important that Hollywood movies and television series are created to showcase the amazing things you do, so to speak :)

In the highest of technical terms, this DFIR work is defined as: neat!

MAR 22

Overcommitted in DFIR

Posted by Brett Shavers
in  Digital Forensics

I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not mean that they took on more than what they could handle, but that they started down a path, committed themselves to it, and refused to adapt to the changing environment.

Here is one example that I have seen in police work: Officers were dispatched to a drive-by shooting with a description of the shooters and vehicle. Reasonably, and expectedly, two officers pulled over a car that matched the make, model, and color of the suspect vehicle. Since it was a shooting, they conducted a “felony traffic stop”, which means guns out, ordering occupants out of the car one by one. They were committed at this point in a high-risk stop. As soon as the first occupant was ordered out of the car, both officers knew that they had the wrong car (they told me so afterward).

The thing is, they kept going forward, knowing they had the wrong car, but had to ‘finish the felony stop’. They were overcommitted, without room to adapt to a dynamic environment. I’ve seen this on a few occasions, not many, but enough to know that it happens.

The point

This happens in DFIR too, and I have seen it happen more often than I have ever seen in police work (or in the military). The way that I have seen it happen is on smaller scales of seriousness (no one has guns pointed at them..), but larger scales of wasted time, only to arrive at the wrong objectives. I have seen this when peer reviewing reports, in that I can tell that an examiner was hell-bent on going one direction in an analysis, forcing a tool to do something that it really shouldn’t be doing, following leads that have nothing to do with the case objective, and completely missing blatantly obvious clues along the way. They are overcommitted in plugging in a dongle and driving through the media on a pre-set course with no room for deviation. This happens a lot with students when teaching classes and is expected as a learning experience. But don’t let it happen to you.

As for me, I have gotten on the wrong track on occasion, but I have no hesitation to realize it, cut my losses in time already spent, and get back on track. Every time this happens, I end up in a better place in the analysis because I realized that I had become overcommitted.

How it happens

Basically, you hop on a train that has one track to one destination and you refuse to get off once you realize that you are on the wrong train. Some of the ways this happens include:

Your favorite tool

We all have a favorite tool or two. Sometimes that tool is not fit for the task you need. Either don’t start out using it when you shouldn’t, or, as soon as you realize that you need a different tool, stop, drop, roll, and change tools. The sooner you realize you need a different tool, switch to it.

Your “system”

Yes, it is easy to get into a rut and start an exam by looking in the usual places for the usual things in the usual order that you always do. Stop doing that! Each case is different. Each case needs to be evaluated with a ‘custom systematic’ method of analysis. Otherwise, you will miss evidence and not even know it.

Your blinders

Don’t start out thinking that you know what happened, because you will keep looking to prove what you think rather than prove what actually happened on the system (or to the system). By “blinders”, I mean that you intentionally don’t look at what you should be looking at because you only want to see what you want to see. As soon as you realize that you are doing this, guess what? Stop it, back up, and do the real work that you started out to do.

How to realize when it happens

As soon as you see yourself spinning your wheels and getting nowhere fast, stop and reflect on what your initial goals were, the plan that you laid out, and, just as important, the things that you saw along the way. It is what you find along the way that determines which way you go. Much like a tree blocking a road requires you to find a new route, when you find evidence or leads in your exam, adapt your previously well-thought-out plan to what you find. Otherwise you will be stuck, spinning your wheels, going nowhere.

Your benefit to re-group and re-start

You won’t waste as much time as you would have had you not stopped, reflected on what you are doing and seeing, and adapted your plan to the evidence you have at hand. This advice works for practically any aspect of life, by the way, but it is particularly helpful in forensics because it is so easy to get off to a wrong start or drift away from where you should be when looking at data.

Your next case

Plan how you want to attack it. Gather your tools. Prep yourself that your plan will probably change, which means your approach may change, your tool choices may change, and the route you take to solve the objective may change. Know that up front and you can save days and days and days of effort. As a side note, don't worry about the time you wasted, as long as you get back on the right track, because it is not wasted time if you adapt to the evidence you find along your route to the objective. You may even end up in a better place.

© 2022 Brett Shavers