I had the amazing honor of speaking before a full room at Enfuse this week. This was not only my first time speaking at Enfuse, it was my first time at Enfuse. The conference was put together well. Kudos to the poolside event coordinator. Those who know my forensic tool choices also know that I do not use EnCase as my primary forensic tool. However, I have a license for v7 and have used EnCase since v4 (with sporadic breaks in use and licensing).
This year at Enfuse, I did not speak on any forensic software (or hardware) at the conference. I gave a snippet of two recent books I published (Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard). I say “snippet” because one hour is nowhere near enough time to talk about the investigative tips in the books. I was able to give a few good tips that I hope someone will be able to take to the bank and use to boost case work. I could spend weeks talking about investigative methods, not only for finding suspects who are using computers to facilitate crimes, but also for placing them at a specific device with both forensic analysis and traditional investigative techniques.
After my talk, I received emails from some who did not or could not attend my Enfuse talk; I am providing my slide deck for them and others who may want to see high-level notes from the PowerPoint slides. However, I removed a number of slides that had personally identifiable information to avoid any embarrassment from Google searches and cases. I did not get to a few slides in the presentation due to time (only one hour!), and I removed them as well. Nonetheless, the meat and potatoes of the presentation is in the PDF below.
A few thoughts on digital forensic skill development and giving away investigative secrets
Forensic examiners/analysts generally follow the same path in skill development, with some exceptions of course. For most of us, the tools are just plain neat, and we initially focus on the tools. High-tech software and the kind of hardware that you cannot find at Fry's turns work into play. We dive into the box, swim around in it for days, weeks, or even months, and then we pull out every artifact we can to write a report of what happened ‘in the box’. Writing a report usually means pushing the "Create Report" button. I suggest that every examiner go through this stage quickly and move forward. Get it out of your system as soon as you can. There is more to digital forensics than the toys, I mean, tools.
Digital forensics investigators must investigate, unless your job is solely looking at data because someone else is investigating the case. This is where leaving the stage of ‘playing with high-tech toys’ turns the new forensic examiner into a real digital forensics crime fighter. When an examiner can integrate data recovered from ‘the box’ with information collected from ‘outside the box’, using any tool and investigative method available, we have a competent and effective digital forensics investigator, not just a tool user.
I have always believed that a good digital forensics investigator can practically use any software, as long as the software can do the job, without relying on the software to do the complete job. Pushing a button to find evidence, then pushing another to print a report, does not a forensic analysis make. Just as Picasso could paint a masterpiece using only an old paintbrush and watercolors, a good forensic examiner can make a great case using only a hex editor and a gumshoe detective mindset. The high-tech tools should be used to make the work easier and faster without becoming a crutch.
1) To push forensic examiners out of high-tech toy reliance into becoming well-rounded, effective, efficient, and competent investigators.
2) As a reminder to the former investigator-turned-forensic-analyst to get back into the investigative mindset.
If you are currently in the ‘gotta-have-the-most-expensive-tools-on-the-planet’ stage while at the same time not working outside the CPU, don’t fret. It happens to most everyone, and not just in the digital forensics field. When I was a young Marine, I went to the local army surplus store and base PX to buy every cool tool I could think of that would help me in the field. I had so many ‘tools’ that my ALICE pack looked like a Christmas tree dangling five years' worth of trinkets from New Orleans’ Mardi Gras parades. After one trip to the field, I realized how much money I had wasted on unnecessary gear (if you could actually call some of those things I bought "gear"...) and focused on using only the things that work and making things work for me. Digital forensics work is no different. Consider yourself DFIR SEAL Team 6 once you can work a case using ANY computer and ANY tool.
Giving away trade secrets?
There is a long-standing problem in the digital forensics world: sharing, or rather, the lack of sharing. Yes, some experts and practitioners share their work, but many do not. I completely understand why. When you share your ideas and research with the public, there is a fear that the bad guys will see it and use it for their benefit. The fear is that once the methods are known to the criminal world, the methods become ineffective.
In short, that thinking is incorrect.
First off, cybercriminals and criminals in general share information with each other. They share methods when they work together to commit crimes, they share them online, and they share them during their stays in the big house. Still, they get caught. Still, they make mistakes. Still, the methods work against them. I have even arrested drug dealers who had in their possession books on 'how not to get caught dealing drugs'. Cybercrime is no different. An entire website can be written on how to get away with crime on the Internet and read by every cybercriminal, and yet they can still be identified, found, and arrested.
Second, lack of sharing only hurts us all. If you were to find a better way to find evidence but keep it to yourself, the entire community stagnates. But when it is shared, we push ourselves ahead in skills. Do not be afraid that the bad guys will get away with crimes if they know how you catch them. Just as watching a YouTube video on Marine Corps boot camp does not make boot camp any easier, criminals knowing how we place them behind a keyboard does not negate the process that can place a suspect behind a keyboard. In fact, the more they know, the more likely they are to slip up, more than once, out of sheer fear of how easily enough investigative resources can be brought to bear on finding a criminal, something no amount of preparation can counter.