Brett's Ramblings


The Multiverse of a DFIR Case

I'm going to give a few tips to prevent you from wrecking your next case.

First, consider that every case is like standing in a maze with an infinite number of doors, each leading an entry to a different universe with a different case outcome. All but one of these universes are rabbit holes in an investigation, where you spin your wheels and end up with bad outcomes.

But since you must open a door to start your case, how do you pick the one that leads to the truth?


"I am about to pick up a rattlesnake"

When you hear the words that you have a new case, picture yourself standing in front of a rattlesnake, having just been instructed to pick it up. Do you just reach out and grab it? That's what many in DFIR do! They jump into the data without thinking! Part of the reason is that they believe they will figure the case out by swimming in data, but they will only drown in it.


When you jump into a new case without a plan, you are haphazardly grabbing a rattlesnake that will bite you with wasted time, wrong conclusions, false assumptions, and potentially further victimizing a victim.

Before stepping off of Square One, first decide to make a plan that gathers information. Say the words, “I am about to grab a rattlesnake,” to remind yourself of the importance of what you are about to do.

This isn’t just any plan that you need to create; it’s your blueprint to the truth. There are many templates that you can choose from that can be found online or in training/education courses. The important thing is picking one, any one of them, and doing it. No plan is worse than the worst plan.

And generally, no matter which planning framework you pick, they all broadly cover the same items, such as:

Situation, Mission, Execution, Administration & logistics, and Command & control* (SMEAC)

You need to force patience and planning before plugging in dongles and running apps.

The Reticular Activating System (aka: Confirmation Bias)

Some investigators only verify what they believe.

Effective investigators only believe what they verify.

Understanding your brain's reticular activating system (RAS) is crucial. Among the many things that it does, it helps you focus on what’s important. But it can also trick you into seeing what you want or expect to see.

It’s like when you learn a new word and suddenly hear and see it everywhere. If you start an investigation thinking someone’s guilty, you’ll find all the “evidence” you need, even if it’s not there. This is known as confirmation bias. It’s the same reason people used to get burned at the stake for being witches. Spoiler alert: none of them were witches.

By latching onto a belief, you will only see that which confirms your belief; you will ignore or rationalize away the rest. This applies to virtually everything you currently believe.

High Stakes in DFIR

Let’s take a real-world example to illustrate this: the case of Todd Chism, a firefighter in Spokane, Washington (https://www.spokesman.com/stories/2012/jun/02/chism-settles-suit-against-wsp-for-24-million/). In 2007, detectives received tips about illicit images hosted on websites allegedly paid for with Chism’s credit card. They seized his computers, arrested him, and charged him based on this evidence alone.

Here’s where things went wrong:

Lack of Proper Evidence: The detectives relied heavily on the fact that Chism's credit card was used to pay for hosting fees for the websites, without any direct evidence linking Chism to the actual uploading or downloading of such images.

Judicial Deception: The detectives used false statements and omissions in their affidavits to obtain search warrants. The Ninth Circuit Court found they showed a “reckless disregard for the truth.” I can’t see into their minds, but perhaps they did not recognize their bias.

Ignoring Fraudulent Activity on the Credit Card: The detectives overlooked that Chism's credit card had been reported for fraudulent activities multiple times. They should have investigated whether the charges were legitimate or resulted from credit card fraud.

Failure to Verify Key Information: The detectives did not verify the connection between the IP addresses and Chism, relying instead on assumed connections.

Premature and Intrusive Actions: They executed search warrants and arrested Chism based on insufficient evidence, causing significant personal and professional harm.

In this case, the detectives’ confirmation bias led them to ignore crucial information and rush to judgment. They created a universe where an innocent person was wrongfully accused, arrested, and humiliated. They grabbed a rattlesnake without a plan.

Think in the speed of life and death

It’s not just about experience or training—it’s about how you think. Your mindset can make or break a case. If your biases run unchecked, you could end up in an alternate universe where everything goes wrong and the truth gets lost. Not only will those in your case be negatively affected, but you could end up in a bucket of bad news, too.

We can't rest on our laurels or assume that because we have a past record of success, the future will certainly be the same. Also, with regard to experience, ten years of experience does not necessarily mean ten years of better or continually improving experience. Sometimes, one ineffective year is repeated ten ineffective times.

This simply means that every case is your chance for success and your chance for failure, regardless of who you are and regardless of the seriousness of the case.


*SMEAC, a US Marine Corps framework to organize and communicate mission plans

I mentioned SMEAC earlier, so here's how SMEAC can be applied to a theoretical DFIR case involving an organized ring of illicit sharing of images, with some suspects arrested, others unidentified, and some identified but at large:

Situation:

  • Suspects: Several individuals have been arrested, some are identified but at large, and others remain unidentified.
  • Incident: An organized ring involved in the distribution and sharing of illicit images has been uncovered. The devices of arrested suspects contain evidence suggesting a wider network.
  • Environment: Various locations, including homes and workplaces of suspects, with digital devices seized from these locations.
  • Initial Findings: Multiple devices show evidence of illicit image sharing, communications between ring members, and potential leads to other members.

Mission:

  • Objective: Conduct a comprehensive digital forensic investigation to dismantle the organized ring, identify and apprehend all members, and gather solid evidence for prosecution.
  • Purpose: Ensure thorough evidence collection and analysis to support the legal proceedings against all involved individuals and prevent further illegal activities.

Execution:

  • Plan:
    • Step 1: Secure all locations and devices associated with the arrested suspects.
    • Step 2: Create forensic images of all seized devices to preserve original data.
    • Step 3: Conduct detailed forensic analysis of devices to uncover the full extent of the network, communication patterns, and additional suspects.
    • Step 4: Collaborate with national and international law enforcement agencies to track and apprehend identified suspects at large and trace unknown members.
    • Step 5: Compile comprehensive reports detailing findings, including the methodology used, evidence discovered, and connections between suspects.
  • Tasks for Subordinates:
    • Forensic Examiners: Perform imaging and analysis of digital devices.
    • Investigators: Conduct follow-up investigations based on digital evidence, including interviews and field operations.
    • Legal Team: Prepare the legal framework for prosecution using the gathered evidence.
    • Cyber Analysts: Monitor online activity to identify additional suspects and prevent further illicit sharing.

Administration and Logistics:

  • Resources:
    • Forensic workstations and software (e.g., Axiom, Belkasoft, etc.).
    • Secure storage for digital evidence.
    • Collaboration tools for coordination with other law enforcement agencies.
    • Access to databases and internet service providers for tracking online activity.
  • Logistics:
    • Chain of custody forms to document evidence handling.
    • Coordination with local, national, and international law enforcement for suspect apprehension and evidence transport.
    • Legal approvals for accessing and analyzing data as required.

Command and Signal:

  • Command Relationships:
    • Lead Investigator: Overall in charge of the investigation.
    • Forensic Team Leader: Manages digital forensic analysis.
    • Legal Advisor: Ensures compliance with legal standards and procedures.
    • Liaison Officer: Coordinates with other law enforcement agencies.
  • Communication Protocols:
    • Regular briefings and updates to keep all team members informed of progress and changes in the investigation.
    • Secure communication channels for discussing sensitive information.
  • Signal Plan:
    • Establish a clear protocol for reporting findings and escalating critical issues.