Lesley Carhart tweeted today that a journalist used one of her tweets in an article that would have been rephrased in a less playful manner had the journalist just asked. I find this tweet to be an extremely important tweet that affects many in forensics (see my side note on 'forensics'). 

Lesley's tweet was in an article about a national security lapse, or actually, several national security lapses. The incident described in the article is important on its face of national security, yet a journalist took a snarky tweet to validate the journalist's statements. Lesley was spot on with her tweet, as Leslie mentioned, she would have written a killer response that would be better for the journalist had the journalist just asked her.

TFW your shitposting tweet about infosec is so funny they just stick it in a serious and credible news article 🤷🏻‍♀️🍸

— Lesley Carhart (@hacks4pancakes) April 9, 2019

Let me take this a step further to get to the crux of this blog post on why many practitioners don't post opinions online 

"I am afraid of some attorney using my words against me. - unnamed DFIR expert" 

I have spoken to more than a few practicing DFIR folks about their decisions to not openly use social media to discuss DFIR, since that is the best way to get the fastest answers to problems. The common response is the fear of having a conment being used against them in a case, especially since they are perpectually under subpoena in one case or another.  Some of those who do post online comments are using anonymous accounts. They are afraid of their words being used against them in court, so they go the anonymous route, as if that will protect them from answering the question under oath, "Do you have any social media accounts where you discuss your work?"

This commonly stated reason of fear of any comment or comments being used against them in legal proceedings where they stand to be called as a witness is something that I totally get.

 A scenario that can play out is being a witness in a civil or criminal trial, undergoing cross examination, and past comments being brought into play as a means of discrediting the witness. With journalists and activists reaching back decades of online comments to discredit or embarrass someone, the legal arena is ripe for doing the same thing (I have seen it done). In some instances, this could be reasonable if full context is introduced, and even then, opinions are like fruit; they can be perishable as time goes by.

I've had a tweet of mine end up in a class action suit filing. While I stand by it (not a good idea to link to JavaScript from an ad domain that was abandoned years ago—and now repurposed by an attacker—in a production site), it made me rethink how I framed things.

— Kenn White (@kennwhite) April 9, 2019

The result is that we have an incredible amount of talent, experience, and knowledge in the forensic world that refuse to post any comments online for the fear of potentially having a comment being used maliciously or falsely in either expert qualification or cross examination.  The impact on the community is that we miss the most relevant and impactful resources that could move the community forward 100x, all because of fear of being quoted out of context.

Some people, for whatever reason, do not want to disclose where they work, as if having any job would be embarrassing anyway. So, they stay anonymous online. Again, I totally get it, but if you aren’t bashing your employer, disclosing intellectual property, or being disingenuous in what you say, do you need to be anonymous?

What we get then is a slew of anonymous accounts. We have anonymous practitioners and experts, who we have no idea of their qualifications or reputation, stating opinions on “DFIR” topics, which do not have the same impact as a named person. It’s anonymous, therefore, untrusted and unverifiable, even when coming from someone who is probably the best to state an opinion on the topic at hand. We just don’t know, therefore, almost pointless.

Reasons supportive of anonymous accounts

I understand the use of anonymous accounts when your personal safety is at risk, such as working in a field where you or your family could be targeted (and killed) because of your job, such as working undercover or for an intelligence agency hunting terrorists.  If you are only doing forensics, the odds of being targeted are quite low… How do I know this? Because when I worked undercover, where I was day-in and day-out hanging out with people who killed people, I never had my name online. I was also at the point of not having any social media presence at all (anonymous or not) for the sole reason of limiting risk of exposure to myself and family.

Other than that, I see no need to have an anonymous account other than for the ability to post anything, and I mean practically anything, without any risk of being personally called out for unreasonable, untruthful, or otherwise harmful opinions.  Unless an employer has a specific policy that an employee cannot have a personal social media account, then anonymity simply appears to be a manner to spout off without recourse.  I’m still looking for an employer that prohibits an employee from having a social media account…  But again, I get it. Anonymity is here to stay.

To the anonymous experts

Brett’s opinion: Anonymous accounts hold zero weight for opinions. It doesn’t matter how many retweets, shares, or favorites you get, anonymity is not credibility.  But if you put your name on your words, your words are heavy. For those working in the legal arena, especially those writing affidavits, you particularly know the weight of an anonymous complaint versus someone willing to have their name listed in a search warrant affidavit. 

Your word is to your honor as your name is to your reputation.

The things that we say (post/tweet/share) today will most likely exist forever. This by itself should be enough to make us at least read our words before posting them. Although I will admit, I will re-read what I just typed, post it, and then catch my grammar errors too late after the post…but for the content, I stand by what I post. As to the grammatical errors, I’ll take them too because for context, my words are my words.

I hate saying that I was wrong

I do not like to apologize or admit to being wrong, but when I am, I do it. I consider everything that I do and say, including social media posts, to be under scrutiny of accuracy and truthfulness. I don’t need anyone scraping my data to find something that I misstated, but surely could see something in court or online by someone who wants to dig something up. That’s fine. If I was incorrect in stating something, I’ll admit that I was wrong.  I will even apologize for it because I want to learn and improve, not be stuck in growth in the field.

pot calling the kettle black

Yes, you have seen me, and will continue to see, embed someone's tweets in a blog post. But you will never see me take someone's comments out of context, nor re-post someone's comment that will embarrass or shame. That is uncool. However, I will showcase some good ones that deserve more discussion than just a tweet can do. The really important tweets that affect hundreds or thousands of people. Lesley's tweet is one of those tweets. Her tweet was perfectly done and did not need rephrasing in the least bit (or byte).

I hate USB drives. My first experiences with the darn things was when I was a young patrol officer and the entire police department was ‘issued’ a USB flashdrive to temporarily store our reports. In theory, we would be able to write reports in our patrol car laptops (MDCs/MDTs), store the reports on the flashdrive, and then plug into the network to upload the report.  At the time, the patrol car laptops had no “Internet” connectivity, other than a data channel for running names and license plates.

In practice, those USB drives were forgotten in whichever computer that the officer plugged it into. Everywhere you looked, there would be a handful of these things either plugged into workstations or laying around desks. Some had names written on them, others were just plain ol’ USB flashdrives in every color of the rainbow.

At one point, the entire network was infected with a MS Word macro virus that was spread throughout the city. I blame those USB flashdrives.

Oh yeah. None were encrypted, but they should have been considering how many were probably lost throughout the city after inadvertently dropping them while on the street. When the real “Internet” was connected to the patrol MDCs, we could finally upload reports directly without those using those malware devices.

Personally, I still hate those things. I have lost USB flashdrives before, simply because they are small and easy to lose. Any USB flashdrive that I personally have is encrypted because I KNOW that I will lose one eventually. No, make that I will always lose all of them eventually. Thank goodness for cloud storage…but that’s another story.

 Today's spy story

https://abcnews.go.com/Politics/chinese-woman-mar-lago-security-controversy-expected-court/story?id=62247972

I’m not getting into why I think this spy is incompetent, because maybe she isn’t. Looking at all angles, this could be a small part of a very well executed operation where this particular operative was designed to be caught from the beginning. Perhaps to probe security or maybe as a distraction to the primary operation. Basically, this spy got caught with typical spy stuff, including a malware infected USB flashdrive.

Here the rub: After seizing this suspicious USB flashdrive, the Secret Service plugged it into a computer. I don’t know anything about the process used or the computer that was used, but reading that the agent shutdown the computer because of seeing a “very out-of-the-ordinary” event of files being installed to the computer implies that it was not the correct process…at all.

USB flashdrives are evil.

To be honest, I love finding USB flashdrives because I am a curious person. I automatically assume that malware is on every one of them that I find, and that is what I look for. If I had no intention of uncovering malware on a found USB flashdrive, I would throw it away. Unless someone’s name was on it and it could be returned, I toss them. I recommend that everyone toss them.  Most likely, you won’t find the owner unless you plug in the flashdrive and fish through the files. That means exposing your machine to potentially harmful malware.  Additionally, I am certain that the owner would rather have the found property tossed in the trash than have a stranger go through their personal data.

The year is 2019 and we should all know better by now. You do not need to be a “cyber” person to know that plugging in ANY unknown device into a system causes a risk of compromise. Plugging an unknown USB flashdrive into your computer should be viewed as if you were taste-testing white powder that was mailed to you in a letter. You just don’t do it because you just don’t know.

To have the Secret Service plug a USB device into their system is disappointing, because the best forensic training that I have ever received was from the Secret Service. They know their stuff. You just don't start plugging devices into a government computer system...

The lesson

If you know that USB flashdrives are dangerous, be sure to tell others when the occasion arises. Teach your kids. Teach your friends. A found USB flashdrive is garbage. Don't fall for anything that makes it enticing to plug in, because that is the point of an intentionally malware infected USB flashdrive: to get you to plug it in.

If USB flashdrives were shaped like spiders, we would have ZERO instances of people plugging these things into their computer. https://t.co/oSMTSMAkio

— Brett Shavers 🙄 (@Brett_Shavers) April 8, 2019

As for me, I would have loved the opportunity to examine that USB flashdrive. I have a computer set aside just for that sort of thing 😊

Here is something about the DFIR career field: it is one of the most exciting, eventful, and jam-packed jobs that anyone can have. Running and gunning, saving the world, hacking into remote systems, and stopping bombs from exploding seconds before the countdown timer expires!

At least it looks that way from the outside.

But seriously, DFIR work is cool, just not in the way outsiders see it. Mostly this is because of Hollywood productions of “hackers” and “CSI” forensics. Every cool job works this way. Hollywood says so, therefore everyone’s perception is what Hollywood says it is.

One example of how this perception thing works is a recent podcast interview that I had on The Many Hats Club, which by the way, is a pretty good podcast to keep up with. My intention and thought when asked to be on the podcast was that I would be talking about the cool forensics stuff, but ended more talking about police work, specifically, undercover work.  No complaints, as it was really fun to bring up some old stories that I had with a few things that I have done.

It's been a while, but @notameadow has been hard at work and we have new podcast episodes for you! We had @Brett_Shavers on to talk about forensics and also finding out his past undercover work.https://t.co/MNyanCuKPR
Also available on iTunes, Spotify and other podcast apps.

— The Many Hats Club (@TheManyHatsClub) April 4, 2019

I have had this happen before, where I was hired for a class action litigation and flew out of state for trial with this team of really really expensive lawyers. At dinner with the lawyers, no one was paying me any mind at all, until someone asked what I did “before computers”.  I do credit the kindness of being asked, even though it was just courtesy.  As soon as I mentioned that I worked undercover narcs, the rest of the night was not a peep about computers, but lots of undercover stories. The class action case was not even talked about. They saw the dope work as cool and the computer work as mundane, but only because they see how the computer work (the ediscovery/forensics part anyway) is done. No big Hollywood excitement there other than spreadsheet and file fragments.

I’ve had the same responses when asked about some of the military and SWAT assignments that I’ve had. Internally, and much like DFIR work, most days are mundane. Writing. Sitting. Waiting. Planning. Training. Training. Writing. Sitting. Meetings. Training.  And then a few extreme highlights pop up, just like DFIR work. I call these extreme highlights "fires" because that's typically the way they happen...unplanned, unexpected, and everyone running around like the world is on fire.

The point of this post

Your DFIR job really is cool.  It was cool to you before you got in it and you may not feel the exact same excitement as before you learned how to do it, but it is still cool. It is cool because it is important, and you can make an amazing difference in the outcome of a case or incident for the special things that you can do that few others can even comprehend. Never mind the stereotypical images of hoodies, flashy computer graphics, and totally unrealistic movie plots. That doesn’t matter. What matters is that you have a job that is cool enough that Hollywood wants to make movies about it and people want to talk to you about it.

So, much like military ops and undercover ops, DFIR ops are super cool also, particularly to the non-DFIR folks who ask you about your job. Talk it up when it comes up, because it is just as important as they think it is, and a career well worth the effort to fight for a spot for those thinking about getting in. It doesn't hurt to have a job that many people know to be very important.  Every bit of positive perception in your job goes toward support for you when the public and your co-workers understand that what you do is so important, Hollywood movies and television series created to showcase the amazing things you do, so to speak :)

In the highest of technical terms, this DFIR work is defined as: neat!