
Brett Shavers | Ramblings


Digital Forensics

MAR 09

'You're guilty unless you can prove it'

Posted by Brett Shavers
in Digital Forensics

Swift on Security tweeted a link to a good article. The article is not great as a piece of writing, nor does it contain earth-shattering news; its value is that it raises a few questions and assumptions worth thinking about on any legal matter.

This should be a mandatory read for every IT person who thinks they’re suddenly a forensics expert ready to judge facts. Inability to present preserved traces and timeline, along with impossible knowledge they can’t explain? 🥴 don’t know what’s going on https://t.co/sK1DbCWIaC

— SwiftOnSecurity (@SwiftOnSecurity) March 9, 2019

The short version of the story is that Tufts University accused a student of altering her grades by hacking the school’s system and subsequently expelled her. I’m not going to case-study the article, since, other than the expulsion letter, there isn’t any signed statement under penalty of perjury as there would be in an affidavit.

https://techcrunch.com/2019/03/08/tufts-grade-hacking/

There are a lot of unanswered questions in the article, and without the reports that surely had to be written, I see this article as a friendly reminder that ‘investigating’ an incident (crime, policy violation, etc.) should be done by those with the experience to back up the findings, and with no hesitation in releasing the evidence and findings to the suspected party. The facts are what the facts are, but if the accused is given no way to test and refute them, they remain allegations and not facts.

The topic of attribution is a favorite of mine. I like it enough to have written a book on it. Actually, two books. These types of cases are cool because I love to find out who did it and prove that they did it (or disprove a false allegation). Articles like this are teases, because we’ll never know unless the facts of the case are produced showing what was done, how it was done, and what evidence was found. Implications one way or another only incite readers to believe one thing or another. The subtitle of the article, 'You're guilty unless you can prove it', sort of shows this, although I think the writer meant "You're guilty unless you can disprove it".

As to my opinion on what happened in this Tufts matter, that is a risky proposition to even start. Too many 'experts' are asked their opinion on a cyber-related topic, and if the answer is not something to the effect of "Well, practically anything is possible", then the expert may get dug into a position that was not the best one to dig into. The best opinions are those formed with complete and unfettered access to all available information; based on your training and experience coupled with the evidence at hand, such an opinion holds legal weight.

Side note: Don't forget that the "F" in DFIR stands for "forensics", which by definition is part of the legal process, meaning that there are rules and procedures to follow to identify, validate, and admit evidence in legal proceedings. It's not just willy-nilly-I-found-an-IP-address!

MAR 05

“I've answered questions, responded to emails, and been on phone calls...when asked.” – Harlan Carvey

Posted by Brett Shavers
in Digital Forensics

I feel obligated to respond to one of Harlan Carvey’s points in his recent blog post, Book Writing Misconceptions (https://windowsir.blogspot.com/2019/03/book-writing-misconceptions.html). I agree with everything he points out about book writing, so there is no need to regurgitate any of what he wrote, except to say ‘ditto’ on the book stuff.

The thing I want to expand on is Harlan taking phone calls.

Back in the day, from my narc desk, in my narc office, when I was contemplating whether to dip my toe into ‘computer forensics’, I found Harlan Carvey’s email address on the Internet while I was researching whether I really wanted to get into this thing called computer forensics. Harlan's email has never been a secret, by the way; he's had the same one for more than a decade now.

I figured that since he put his email in public view and I was thinking hard about getting into forensics, I would cold-shot Harlan with an email. Surprisingly, Harlan replied within a few minutes with his phone number. Of course I called him :)

He may or may not remember that call, and there is no need to get into the details of it other than to say that this call was the deciding factor in my jumping wholeheartedly into this field. No other person and no other thing made such a directional turn in my career into this field as this one cold-shot email and phone call to Harlan. I'm not the kind of person who does anything halfway; you could say that I went overboard in forensics as soon as I hung up the phone and haven’t slowed down since. When I wasn't undercover arranging drug deals, I was planning, learning, and conspiring to get into forensics one way or another. And I did.

The point being, Harlan ain't no joke when he says he responds to emails and phone calls. In my case, it was one of the most important calls I have ever made.

The other big point

Your words are heavy. Your advice can inspire someone to reach their potential. Your personal recommendations and advice can guide a person in a direction that benefits them personally and professionally, and you (by extension) will help others tenfold. Or not, if you don't take your words seriously.

As for me, I suggest that lending an ear, offering your hand, and gently pushing someone to their potential greatness is the most honorable thing a person can do in their life.

MAR 02

All you need is a tiny spark to solve your case.

Posted by Brett Shavers
in Digital Forensics

During a recent workshop, one person in the class kept asking me for the magic bullet to work his case. By that, I mean that he kept asking me over and over again for the answer to one of his cases: a ton of ‘hypotheticals’, another ton of ‘what ifs’, and a half ton of ‘that does not apply to my case’. One thing about these types of questions is that nothing is going to solve the problem when you don’t know what the problem is in the first place. Another is that there is usually no single answer you can give to solve someone else's problem in their case. You can guide and suggest, but handing over the answer isn't typically going to happen.

So then this happened

The second part of the workshop was a discussion of past case studies and then current cases from the class (whoever wanted to volunteer their cases). The guy with all the questions had none during the volunteer-your-case time. Others did, but not him. Oh well, I had been hoping to dig into his case directly, but when the class was over, the detective was gone out the back door. Probably not the happiest student, since he left right after the class ended. We did get some really good ideas going on some cool cases that I wish I was working...

Fast forward a month.

The dissatisfied detective emailed me. He had figured out what to do in his case, it worked, and it was nothing that I had given in the workshop. I thought I was getting a complaint until he described how, while I was discussing case studies, one thing led to another, and another, and he thought of something on his own that was the key to overcoming an obstacle in his case. He was halfway complaining that I didn’t give him the answer, but conceded that I had helped him find it on his own. That was the entire point of the case studies session, by the way: figure it out yourself, with a tad bit of inspiration.

To the point

Had it not been for him listening to case studies (past cases and current cases) from a variety of different perspectives, he most likely would not have been inspired to come up with his own solution. At best, the solution might have come to him weeks or months later had he not listened to the class discuss case studies, and at worst, never at all. For that, I’ll take a little credit for providing the spark for a fire.

Here is the thing with case studies, particularly DFIR-type case studies: unless you worked the case yourself, you’ll never have all the information on how the case was worked. But you can get a feeling for the flow of the case, a few pointers on how someone else ran it, and maybe grab a spark of inspiration for one of your own cases. All you need is a spark, not an explosion.

I’ve been making some case studies available through videos, in which I talk about the main points of cases that I find online. Talking about my own cases doesn’t make as much sense because I already know what I was thinking. It is the other cases where I want to find out how other people think, how they plan, and how they implement investigative strategies. With the videos, my intention is to show how I look at cases, criminal or civil, and the things that I learn. If I could go back in time, I would do all my cases 10x better than I did, simply because I continue to study how cases are worked by others, gain ideas, and get inspired by innovative methods.

The forensic part of casework is ‘easy’, in that as long as you know how to do X, Y, and Z in an analysis, you can examine any piece of electronic evidence. Yes, analysis can be tedious, monotonous, eye-straining, and frustrating, but it is essentially easy once you can work the tools to do what you want done with the data.

Do you know the difference between an average analyst and a great analyst?

One just examines electronic media and the other works the hell out of a case.

As a side note, I am working toward becoming a great analyst one day. I will never get there, but I won't stop trying until I do, which I may not get there, but I will keep working on it. I hope you get the point of that :)

Tips

  • There is no limit on the number of great examiners. Whoever wants to be one, can.
  • There is no restriction on who can be a great examiner. Identity = irrelevant.
  • This all applies to you.

Examples

Here are two videos on case studies to give a feel for what I mean. I have more videos, and I am making the time to keep them coming, but these should hopefully drive home the point of what I mean when I say that you, yes you, can break a case regardless of its seriousness or size. From theft of petty cash to cyber-terrorism, a case is a case is a case. You just need to work the hell out of it.

More case studies here, and more coming: https://www.patreon.com/DFIRtraining 


DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.


© 2022 Brett Shavers