If you want to be entertained, block out 5 minutes of your time at 9am (PDT) on Friday, June 11^th, to see how something so simple as asking for public records turned into a major cluster. I’ll be giving comments in an Open Public Meeting about a lawsuit in which I asked for some public records, they were all not provided, and some have been destroyed.

https://www.norcom.org/event/governing-board-meeting-2-2021-06-11/2021-06-11/

So this team of lawyers has been hammering away at me…

I’ll get into the details of the records in my public comments, but some of the records include a workplace so bad that one employee committed suicide over it, another contemplated suicide, another suffers from PTSD from it, and an independent evaluation determined this workplace to be so bad that he described it as  “workplace violence”.   Then there are the non-disclosure agreements of up to $150,000 of hush money to public employees so that they don't disclose how bad it is! It is as whacky as it sounds.

For simply requesting public records, which anyone in any city, county, or state in the US can legally do, I somehow ended up with a team of attorneys against me causing nothing but obstruction.

Forensics?

What does this have to do with forensics or anything related? That’s a good question, and the answer is quite a bit.  The lessons that I have learned in this case can benefit you in forensics, ediscovery, or even if you want to request public records yourself if there is something of public interest that you are aware of. I’ll talk about that later, but for now, you might want to tune in to enjoy the fireworks in the virtual public meeting this Friday at 9am (PDT)!

Schedule:

0900 Meeting starts.

0902 I speak.

0905 I'm done.

The technical piece of DFIR is not difficult. If you know what you are looking for, and you know how to find it, the work is actually easy. I do not say this to mean that anyone off the street can do this work without training or education. I mean this as in once you are technically competent, the actual work allows you to excel even more so, technically, because it becomes easier.  But this is where a bottleneck holds up progress in the DFIR cycle. The presentation phase of DFIR work is the only piece that turns the most competently proficient forensicator into a little kitten.

The Too Long: Didn’t Read version of this post

If you can’t effectively tell the story of your DFIR work, your DFIR work doesn’t matter, no matter how good you are.

Now for the important details

Since I am a visual learner, colorful infographics and flowcharts make it easy for me to understand a concept. In DFIR, we have lots of these, for which I am grateful. Cycles of this, that, and the other, all showing easy-to-follow workflows.

One problem with an infographic is that the information is generally very minimal. For DFIR, we have many visuals that broadly display a “Cycle of DFIR” as:

1. Create a plan of the work
2. Do the work
3. Evaluate the work
4. Repeat

This is good. Practically every infographic related to DFIR, or the Intelligence/investigative cycles give varying visuals of Wash > Rinse > Repeat.  The one-piece that I see little on is that of the importance of being just competent in the presentation as in technical. And eventually, the presentation is the end of an investigation or response. No case is never-ending. Some are longer than others, but eventually, there is an end of some sort.

Who should be chosen as the best person to present a finding or case?

Every person on your team must be proficient to some extent in the presentation of their interpretation of data. Data can be a single artifact or the entirety of an incident/investigation, and everything in between. Not being able to effectively present evidence nearly negates doing any work at all. Let me say that again: If you can’t tell the story of what you did, then nothing you did matters.

You may have done the most awesomeness of DFIR work in the world, but if you can’t relay the story of that work, it was for naught. This applies to any work. If a police officer makes an arrest of the most violent felon in the community but cannot effectively present the facts of the investigation to a court, then the violent offender might not be convicted and go free. If a forensic analyst finds the key artifact on a storage device but is not able to describe the why and how of that artifact, then that artifact is meaningless along with the effort to find it.

The reason that ‘we’ do not take presentation seriously is that ‘we’ understand what we did. We understand what happened. And we expect everyone else to know exactly what we did without us having to explain ourselves. This is partly due to ego (see my post on ego in DFIR).

Presentation Training

Where are the courses in presentation? How about courses in court testimony? Sure, I have seen one or two over the past decade, but nothing as compared to the technical courses available. Not even close. Yet, every technical training course in the world is useless if the presentation is not up to the same level of competence. It is one thing for a policy to state, “Evaluate the actions taken” and quite another to train and give someone the experience in relaying technical information to another.

The newest and most junior person on a team must be able to present their work to their supervisor or trainer. Expect the presentations to be better over time, and this is up to the seniors to critique the juniors.  An attorney-friend of mine always preferences his questions to me with, “Forgive me, but to make sure I understand what you are going to say, pretend that I am a fifth-grader.” My friend-the-attorney is on the genius level of IQ and knowledge, but he has his ego under control enough to make sure he is going to understand what is coming.

Report writing is presentation?

I’ve not met anyone who loved writing reports. I have seen some do more work to get out of writing a report than the time it would have taken to quickly knock out a sheet of paper with words on it. Report writing is a presentation and should be taken just as seriously as speaking in front of 500 people or the CEO of your organization.

Report writing is also a fantastic training opportunity for junior DFIRers. If someone can effectively get the words on paper, they most likely will be able to get the spoken words out as well. Both of these take practice. It will never be perfect. But it will improve over time. And it will keep improving as long as the practice and experience continue.

Are you in charge?

Train your team to present! You will benefit your team more than you can imagine with just a few minutes at a time. Have a team member write up a half-page of an artifact (or anything) and explain it to everyone. Be sure that every person is verbally engaged in debriefs and evaluations. Encourage and require every person to present their work, their opinion, and their suggestions in both a written and spoken format.

Your team will grow by leaps and bounds when every person can articulate their reasoning, their opinions, their findings, and their conclusions. If there is one person that cannot do this, you have a weak link that will minimize the work of the team, regardless of how technically competent that person may be.

Motivating your team

Sometimes you may have a team member that does not see the importance of being able to explain effectively. Expect it. They simply don’t care that someone else doesn’t get it. This is your weak link and one way to motivate someone who doesn’t want to present their story (ie, their work), is to require it. I’ve not met good senior leadership who wouldn’t take a few minutes out of their day to help their organization, specifically helping someone in the organization that may need it. With this, I have had juniors who just didn’t get the importance, ultimately get the importance when being told to explain their work to the ‘big boss’ and that the ‘big boss’ better be able to understand the story in less than 2 minutes. Motivation achieved!

Becoming a better storyteller

Speak in front of others. Speak some more. Then when you think you got the hang of it. Keep speaking. If you happen to throw up occasionally, you are on the right track. (see my post on Puking in DFIR). I am speaking at a few events in April, May, and later this year. All are virtual, but the experiences of presenting are just as important to me as the information that I hope to convey to others. There is no point in your career where you don’t have to practice presentation skills because you obtained competence. Competence is like a sinking boat. Once you stop scooping out the water of a sinking boat, it will sink. Same with presenting DFIR information: once you stop doing it, your competence will wane.

When does presentation happen?

Ultimately, at least with a legal or internal investigation, there is a final presentation. This is the last chance to fully tell the story of your analysis. The final presentation should be a culmination of all the other presentations that should have occurred during the investigation to team members.

There are intermediate points in any analysis where periodic updates are given, questions asked, course directions changed, and leads followed. Use each of these opportunities as experience in storytelling as you adjust the story to the varying audiences you have. The same story told to your team will need to be told much differently when told to decision-makers who are outside of your technical world. These are valuable experiences that teach you how to change the pace, flow, and language based on your audience when telling the same story. This is a skill that can’t be bought and more importantly, can’t be faked.

About that motivation

If you are like me, whenever you get a task assigned, or volunteer to do something, tension starts. You want to do a perfect job. You don’t want to make any mistakes. And you over prepare to expect the worst.  This is what happens when you agree to present on a topic. Hours to prepare over weeks for a short presentation. Then checking your presentation. Then research again to make sure nothing changed since the last time you checked your information.

In addition to re-learning the topic, however, is that the experience of presenting will make sure that your next presentation will be even better. So, every presentation that you see someone do, keep in mind that that presentation was probably better than the last one, but won’t be as good as the next one.

I'll be at @NCCC_MA's cyber crime conference (virtually) on April 27.https://t.co/AEmFaRyMEb #DFIR pic.twitter.com/0D7ya0jFuI

— Brett Shavers 🙄 (@Brett_Shavers) April 16, 2021

Come join me and many others this year at the @MagnetForensics
Virtual Summit #MVS2021 #DFIR.

Registration can be found below & YES it's FREE!https://t.co/zECTwOkAp9 pic.twitter.com/IOOXdKWtRV

— Brett Shavers 🙄 (@Brett_Shavers) April 10, 2021

To those who helped me

I will openly admit that I have held some serious grudges in the past with team leaders. I distinctly remember one of my squad leaders in the Marines who ordered me to describe a field mission to my section leader because I didn't put the effort to explain it well enough to my squad as asked.  To be honest, I put no effort in it to my squad as I thought it was a waste of time.  After all, we had been planning that thing all day together....we all knew what we were going to do. That was a painful lesson to learn, but was needed. I used the same lesson many years into my law enforcement career. For those who helped me comprehend the importance of telling a story, I hope to repay that patience of dealing with me with my continuing to help others learn the same lesson.

Tell the story of your work so that it is understood. Decisions are made from it. Your competence is judged by it. And depending upon your job, you could have someone's life, liberty, or livihood hanging on the balance of your spoken words.

I was asked an age-old question via a Twitter DM today:

"Should I pull the plug or image live?"

I thought this was a rhetorical or 'homework' question, because how would I know?  I gave a short answer of it depends on this and that, assuming that the question was being asked generally. But then,

....he messaged that he was standing in front of a machine, onsite, and was wondering which was best...oh my..

Some of the problems

I sincerely did not know which was best because:

(a) I was not there,

(b) I was not part of the planning process,

(c) I have no idea of the case/data objectives, and

(d) I have no idea of the machine configuration.

Apparently, this forensics company had no plan other than to meet onsite and image whatever computers were there...

Some solutions

My only and best answer ended up being:

(a) Make a reasonable decision for today and

(b) Make a plan next time.

The forensic process begins before processing forensics begins

We hear all the time about making plans before starting work. "Work" can be a highly critical military mission or just driving to the office. Both require a plan. The highly critical military mission will have many more details and require more time to prepare than simply driving to work, but both require planning. If you think that driving to work doesn't require planning, then I would assume that you are continually late to work.

If we visualize what "forensic processing" is, we tend to think of things like indexing, running Python scripts, filtering data, and carving data. Rarely do we think of planning as part of forensic processing, yet planning should be considered the number one top tier aspect of every DFIR "operation". Before starting any process on data, you need to make a plan, regardless of your evidence being a 1MB file or 1PB of storage on dozens of devices.

No plan survives first contact

Few things go perfectly as planned, no matter how much time and effort you put into the plan. You would be mistaken to take that to mean planning is a waste of time. It simply means that you cannot plan for absolutely everything, but you can plan for many things, and for those things that were unforeseen, you will handle them on the spot. Having a plan gives you more time to make decisions. More time to think means less chance of rash, uninformed, misinformed, or ignorant decisions.

So the next time my Twitter DM buddy goes onsite, he will have a plan on how to approach devices. Even if the plan is to dead box image everything (ie: pull the plug), having a plan for devices where pulling the plug is impossible or unreasonable (encryption, etc..), can be made beforehand. This reduces time to preserve data, decreases risk of data destruction, and increases success in collecting all targeted data.

No. I am not just talking about pulling the plug

There is not a time that I touch evidence without a plan unless the evidence is unexpectedly placed in my hands. This goes way back to working a district as a police officer. If I saw evidence, I would have some plan of how to (1) identify and preserve the evidence and (2) how to collect it before touching it. Sometimes this would take half a second and on occasion, it would take hours. The same applies to electronic evidence. Do not process it without a plan.

Case failures

Cases can fail by no fault of your own. And they can fail specifically and spectacularly because of you. Personally, I'd like to take myself out of the failure equation with planning and then use the gifts of planning to address the unforeseen circumstances.

Plan for the known to give you more time to handle the unknown.

Practical Benefits

In case none of this makes sense or means much to you, here is the practical aspect to take to the bank: If you were to spend 30 minutes planning your DFIR work (collection or analysis or presentation or etc...), you can save days or weeks over the life of that one case.  DAYS OR WEEKS by spending MINUTES to plan. ON EVERY CASE. Have you ever wondered why a coworker can plow through case after case, doing great work while you might be struggling to keep your head above water? hint...it is not because of being better skilled...

If you are overwhelmed with work (who isn't?), you can mitigate a good portion of that caseload with proper planning. I have seen investigators drowning in a heavy caseload for the sole reason of failing to plan anything on any case. At some point, it is obvious that an investigator is the bottleneck in cases being late or unfinished because the investigator, or analyst, chooses to not plan.

Side note: I asked permission to blog about this from the person who DM'd me with a promise of not disclosing the name of the person or company.  I think it important to share past errors to reduce future errrors.

We are of a curious mind, we the forensic examiners, private investigators, OSINT professionals, and journalists. Our work is for the public good, and we are skilled in the effective wielding of the most powerful weapon on the planet: INFORMATION!

We are experts in searching for it. Experts in interpreting it. Experts in sharing it. Experts in creating it. Sometimes, we are completely inept, or even malicious in handling it and totally screw up.

Ethics matter

Ethical behavior not only keeps your reputation solid but also keeps you from being sued or jailed. The cancel culture falls into a category of ethics, where if an infosec professional engages in canceling a person on the Internet, they are (in my opinion), the epitome of being unethical by wrongfully turning legitimate OSINT into the Baseball Bat of Internet Mob Justice. Ethics matter. The truth matters.

A recent example. Welcome to 2021.

Refer to the story for details (https://patch.com/illinois/chicago/trolls-wrongly-accused-retired-firefighter-capitol-riot-murder). In brief, an unidentified person (Figure 1) suspected of murder was misidentified (Figure 2). The identification was based on a posted image of the actual suspect in which OSINT was most certainly used to find a similar image online. The OSINT worked to find a similar image, but the verification of the match by the finder failed as did the action taken afterward. Rather than forward to law enforcement to verify, an Internet mob piled on an innocent person.

Could it get any worse? Sure. Once you blindly jump feet first into a rabbit hole, everything you come across that you believe to be true will become collateral damage. Even in this example, the innocent son of an innocent victim gets drawn into the wrong accusations. This may not seem to be a big deal, but the careers and reputations can be permanently damaged. Friendships, family, promotions, and even careers can be lost on a false allegation! It is so so easy to prove yourself correct if you are hellbound to do so, even when everything that you find is false but perceived in a way to support your belief.

An older example. Back to 1996

An older example from 1996 is the Richard Jewell case. Refer to the story for more details https://en.wikipedia.org/wiki/Richard_Jewell. Again, this was another misidentification, and Internet pile up that resulted in an innocent person’s life is forever turned upside down. This one was so bad that a movie was made out of the story. There are plenty of other misidentifications that you can find online or unluckily be involved in. Misidentification is not new. Law enforcement has had its fair share of accusing and arresting the wrong people for the same reason that Internet mobs have made: failure to verify and corroborate.

Did I somehow forget that I dated Nicole Brown Simpson?

Part of my incredible year of 2020 was getting a phone call from a reporter. I get calls from reporters on occasion, but this one was totally different. The reporter asked if I wanted to give him a statement before he printed an article about me having an affair with Nicole Brown Simpson in 1993.

First off, this didn’t happen. My shock was how could I be accused of something that I didn’t do by a nationally recognized reporter? Second, I immediately had visions of being splashed across the Internet of having an affair with OJ Simpson’s wife! My wife would not be pleased….

The details on this story, as told to me by the National Enquirer reporter was that he was holding photos of me arm-in-arm with Nicole Simpson in Cancun or Cabo San Lucus (I forgot which he said) in 1993. I told him that he has the wrong “Brett Shavers” but his response was that his ‘database’ was correct. I suggested that he not print the story because it is false, but if he did print it, to let me know because I’ll see what crazy mileage I can get out of it, mostly to write a blog post about it.

Then it got a little weirder. I told the reporter that I was in my first year of patrol in a police department during that time and I probably wrote a ticket or made an arrest on the alleged date of the photo, didn’t take any vacation that year, and married (my wife would certainly know if I flew off to Mexico without her and our kids!).

The reporter’s first reaction: “So you’re telling me that law enforcement was involved in her murder?!?”

So now you have a reporter who accused the wrong person and immediately created a conspiracy that law enforcement was involved in a murder and ready to write a story about that.

All I said was that he needed to check his sources and verify and that if he printed the story, I’d prove it false and go from there. By mere coincidence, I had a dated photo of me from a local newspaper from that time frame. I emailed it to the reporter and I think the reporter accepted that I looked much different from the person in the photo that he had. The more I think about it, that probably means that the guy with Nicole Simpson was better looking than me....

The point of this story is that anyone can be falsely accused by anyone for anything, and once the Internet dogs of war have been released, irreparable damage will occur. On top of that, this reporter was so dead set that I was the Brett Shavers that dated Nicole Brown Simpson, that he immediately jumped to a conclusion that since I was in law enforcement at the time, that law enforcement must be involved in her murder!  I do credit the National Enquirer for actually double-checking and finding out that they had the wrong person. Of course, if they printed their photo, my photo (backed by a local newspaper) would prove it to be false. Still...don't do this!

Unleashing the Internet dogs of war!

One thing about mob rule is the lack of personal, moral, and legal responsibility. It is quite easy to create a passionate stir, lead a group of people to the edge, incite emotion, and nudge the group over the edge into an all-out attack while at the very same time, avoid responsibility for causing it, especially if done anonymously. This is not ethical.  The Baseball Bat of Internet Mob Justice does not stop. It does not think. It grows and beats the victim until nothing of substance is left.

The anonymous and double-anonymous complaints

Here is something that happens commonly on the Internet:  “I will not name this person, but they are (name a group that this person belongs to) and they did (name the social norm violation).”

This type of accusation demonizes an entire group of people for committing some violation of a social norm, and now everyone in that group is now suspect. Any person speaking up in that group will then call attention to themselves and be misidentified as the violator. Additionally, it doesn’t solve any problem and most importantly, the claim cannot be verified or disproven.

This is not justice in any sense of the word. Quite the opposite and worse when the complaint is anonymous. Even if the offender is identified but the complainant is anonymous, the offender has no way to face their accuser. Yes, I know the Internet is not a court of law, but as we all know, the court of social media is sometimes harsher than any court of law ever could be.

How does any of this apply to us?

The Digital Forensics/Incident Response field is primarily investigative in nature and as such (1) be aware of your personal biases and beliefs, and (2) take measures to keep your personal biases in check. It is far too simple to let an internal bias affect your judgment, which affects your investigative/analysis plan, and ultimately affects your conclusions.

Society does not need a law enforcement officer who has a bias against any specific or general group of people, as that bias will negatively affect the community at large and wrongfully targeted individuals.

Society also does not need unethical people who work in ethical fields to wrongly accuse others because of internal biases, beliefs, or false conclusions to what they believe to be true. Any one of us can go down rabbit holes of “investigating” someone or some event and lead ourselves down the wrong path because of preconceived beliefs, failure to verify information, and a determined mindset to prove ourselves right rather than find the truth.

Professionalism in this field requires us to be professionals to be trusted and have our word to be trusted. That doesn’t mean a stiff personality, lack of humor, no personal opinions, or being impassionate. But it does mean being fair and impartial, and also maintaining the appearance of being fair and impartial.

Best investigative method to prevent this from happening to you

Follow the evidence. Disprove that which is false. Prove that which is true. Confirm, verify, corroborate.

In my law enforcement career, I have seen a few examples where investigators did not do this. In one example, a search warrant was served on an innocent family’s home. The warrant was served by SWAT (I was not on the team at that time), but SWAT was innocent. They only served the warrant as written by the case investigator and signed by the judge. The investigator failed at the most basic task of verifying an address. The address on paper wasn't even close to the physical address. I’ve seen this almost happen in another warrant service, but fortunately, I was aware of the real address and stopped the warrant from being served while the team was AT THE FRONT DOOR! Again, this was an instance of not verifying information.

In every instance (there are more!), verification was not done. Investigators had a belief and followed only the evidence that supported their belief. When an investigator does that, every single time they will prove their beliefs to be right, when factually, they were wrong. This never ends well.

All of us are prone to making mistakes with assumptions. Unfortunately, there is not much accountability when this happens with Internet allegations. Reporters may falsely accuse someone, ruin the person’s life, and the only accountability is publishing a correction article. On the Internet, people delete their posts and walk away without care that the Internet remembers forever.

On the Internet, accusations can be made, even anonymously, spread through the Internet like a virus, and even if proven to be false, no accountability to the accuser when destroying someone’s life. We need to be better than that, and if any of us falter, others should take the care to gently remind to take a step back, breathe, and verify before releasing the dogs of war online.

**side note**

I was "OSINTing" the reporter while on the phone and verified his name, number, email, and other information.

Who really reads the Terms of Service anyway?

Are EULAs and TOSs intentionally designed as multi-page, single-spaced, 4 font, legalized writing to confuse users or simply to dissuade users from reading past the first paragraph?

A few highlights from Instagram

Translated: All your content is ours. We do with it as we wish.

Opinion: You create it, Instagram/Facebook will make money off of it with no compensation to you. This is the model of how “free stuff on the Internet” works.

Translated: We have access to your camera, I mean “Instagram’s” camera.

Opinion:  They haz your phone camera.

Translated: Instagram keeps track of everything that you do on their platform, including the use of their camera.

Opinion: Sure. I get it. But this would be like a car rental company keeping track of every place you drove the car that you rented. Car rental companies probably do that too…

Translated: Instagram collects data about you even when you don’t provide it.

Opinion: Do they mean private messages too? Sure. Why not.

Translated: We gonna map out your network.

Opinion: Yikes!

Translated: Everything. We take everything.

Opinion: For the love of all that is good and holy! This looks like a digital forensics examination (and I mean “digital exam” as a “digital prostate exam”.

Translated: In case you didn’t get it earlier, we take everything, even that which is not on our platform.

Opinion: Instagram/Facebook is a third-party data collector that takes your data from another third-party data collector which probably takes your data from another third-party data collector. All to be curated ultimately by Facebook/Instagram. You don’t even need to have a Facebook account!

Translated: We know what is best for you. This might because we know everything about you or because we want you to behave a certain way and believe in what we want you to believe in.

Opinion: When you want to see a movie, you might want to ask a friend or read reviews, but you don’t have to. You can simply choose to see or not see a movie. Facebook/Instagram requires that you agree to be pushed toward groups that they want you to join. Kinda like getting jumped into a gang that you didn’t think you wanted to do, but got pushed into it by the local gang bangers.

Translated: We know everywhere you been, exactly where you are now, and can accurately predict where you will be going next.

Opinion: This is life on IoT and our addiction to “smart” devices. And we must agree to it in order to use ‘free’ services.

Translated: Ha! We haz your biometric data too!

Opinion: Facial recognition is one of the security features that we have to give up, but is something that we can’t change like a password.

Translated: Not only do we see what you search for, but we keep that, just in case…

Opinion:  Forensic peeps know this. Anything you type online is there for everyone to see, even those you don’t want to see it, potentially forever.

Translated: We not only take, curate, analyze, and store your information indefinitely, but we will share it around the world to our “partners”.

Opinion: Who are the “partners” and WHY DO THIS?!?

Summary

Free is not free.

Social media platforms are like leopards stalking dinner. You don’t see the leopard. You don’t think anything about it. And you don’t care that tidbits of your Internet activity are being analyzed by humans, ML, and AI. By the time you realize how much private data is gone, it is too late to much about it. Presumably, this is all for a profit motive, in which you make none. Worst case scenario is a nation-state obtaining this immense data. But that would never happen..

update: This from Twitter, best visual of EULAs that I have ever seen.

https://t.co/uYXup8iEdE

— #StopTheStupid! Goat (@bill_e_ghote) December 26, 2020

I read an article that China used technology to spy on users via their phones (https://www.theguardian.com/us-news/2020/dec/15/revealed-china-suspected-of-spying-on-americans-via-caribbean-phone-networks). 

Here is my white paper analysis.

#1 - If a device has connectivity with at least one other device, it can be,  has been, or will be compromised.

#2 - If a device has the ability for connectivity with at least one other device but isn't connected yet, see #1.

#3 - If a device is airgapped from any other device, it can still be compromised.

#4 - If a device has a speaker, someone you don't know can hear you.

#5 - If a device has a camera, someone you don't know can see you.

#6 - If one nation-state is monitoring your device, probably another one is too (maybe your own government!).

The good news is that criminals are more easily identified, tracked, arrested, charged, convicted, and incarcerated.

The bad news is that every bit of your life is logged somewhere, by multiple entities without your consent or knowledge.

Question I received: How long does it take before I can expect to get into a DFIR career?

Answer: It depends!

It depends on your available resources + available time + motivation to learn.

Meaning

The more of each of these that you have, the faster it will be. A lack of resources (software/hardware) means scraping together machines and free/open-source tools. A lack of time means squeezing in minutes here and there over a longer period of time.

A lack of motivation is the most important factor because, without motivation, you will never make it regardless of your available resources. Period.

Motivation

By the same token, motivation is the biggest factor to make up for a lack of resources.  Do not ever underestimate the power of motivation.  The sheer force of drive. The unstoppable energy of determination.  If you are driven to succeed in face of anything, then you will make it. It does not matter where you start from, age is irrelevant. Education level meaningless. Socio-economic background means nothing.

I say this full well knowing that someone with a high education or "elite" status in society with unlimited sources starts farther ahead than you or I. I say this because without motivation, resources are useless and any success is limited and a dead end. With motivation, there is no limit. You will have to work harder.  Study more.  Endure stress and keep moving forward against friends or family advice to quit. Others will appear to effortlessly pass you by. Everything will seem more difficult. And it will be.

Keep the pace

It is one foot in front of the other. That should be your focus. Your goal is not to master the entire registry at the same time that you have a goal to master Linux logfiles.  Learn a registry concept. Then a registry hive. And a key. One step at a time.  As long as you keep moving forward, you will move forward.

Mentor

Find one. Follow your mentor. Know that your mentor, whether you ever met or communicate, has gone through exactly what you are going through. Maybe they had an even more difficult time with circumstances you'll never know. The best mentor is the one that motivates you. It is the person that you know will pull you forward as long as you make the effort to make the effort.

An example of making the effort

When I was a much younger Marine, I had an aptitude for humping a pack (ie; long, forced marches carrying a heavy backpack).  I had the same pains as everyone else, blistered feet, sore back, muscle cramps, and lots of sweat! But I would never quit and never quit putting one foot in front of the other.  A new Marine behind me on one of the marches didn't do so well, but he tried.  So on a really long hump, I told him to grab ahold of my backpack straps (the straps that you use for your sleeping bag). I said, "Hold my straps and as long as you keep walking, I'll help."  The secret was, I didn't pull him at all, but he kept going. He learned that as long as he worked and did his part, he'd be able to keep up.  He never really needed to hold my straps that day, and he only needed it for a few minutes that he could do it. He just needed to know everyone goes through the same pains and understands, but if you do your part, everyone is there for you.

You are next

Know now that someone is going to look to you as a mentor, if not already.  You won't know who they are, but they are watching you. They are hanging on your every word.  They are inspired by you. They are motivated by you, all because they know you made the effort and didn't quit. There are more than a few peeps in DFIR that I watch like a hawk because they inspire me every day. On the days when I don't believe that I know enough, I fall back on my mentors and their work. I fall back on those who give a little of themselves by sharing, and speaking, writing, and teaching.  Do not be surprised that if and when we meet, I tell you that you inspired me.  You never know when something that you did or said made a difference to someone else who is also swimming in the ocean of DFIR information, trying to figure it all out. 

This thing we call "DFIR"

DFIR (Digital Forensics Incident Response) is simply one small part of the Information Security world (or cybersecurity). There are many sub-fields, cross-fields, and related fields, but none are DFIR. The people in DFIR are awesome. Infosec is one thing, but DFIR is something all by itself. I look at DFIR as the Green Berets of Infosec (or Navy SEALs, or Marines, or SWAT...take your pick, but you get the point). In those communities, everyone pulls more than their own weight. They work to excel in their respective expertise. They help each other. They work as team players. For this, DFIR has advanced and advances in skill and knowledge beyond practically any other field.If you are new to DFIR, welcome to the family.  If you have been here a while, be sure to hold the door open to the new folks. They bring a whole new world of motivation, innovation, and drive that benefits us all.

Let me dispel your notion of what an “expert” is. An expert is someone who has more information than you. That’s it. Imagine being stranded on a deserted island with a group of people and only one knows how to fish. That person just became an expert on fishing.

The legal expert

There are legal definitions of an expert geared specifically toward testimony. In short, experts can give their opinions (interpretations) of facts in testimony, while every other witness can only testify to the facts obtained by first-hand knowledge. There is an exception of a lay opinion, but let’s stick to the high level for now.

Without getting deeper into the legal aspects of a court expert witness, everything below directly benefits becoming a court expert if you ever choose the path of the expert witness.

The community expert

The community expert is the person who knows more than most of their community. In DFIR, this would be the person that could probably be a legal expert, but not necessarily so. It may be someone who writes amazing forensic software, teaches at conferences or courses, writes and shares their work, and all the while, never going to court to testify as a court expert witness.

We have a lot of these experts in the DFIR community, whether they know it (or like it!) or not. We look up to them and glean as much information as we can to improve.

Who knows what

All of us in DFIR know something that all of us know. Things like, ‘what is a hard drive’ is something that everyone in this field knows. Don’t be surprised to hear that many people outside of the computer field do not really know anything about hard drives.  Within this example, there are those who are experts in hard drives, but as a high-level topic, we all know something about hard drives.

Then there are those in DFIR who know something that we don’t know. There are absolutely more people that know about reverse engineering malware at an expert level than me!  If your level of knowledge and skill of reverse engineering malware is not at the expert level, that does not mean you cannot be an expert at anything else, or that you even need to know anything about reverse engineering malware. We have our niches and thankfully, we mostly have different likes and dislikes!

And there are the things that you know more about than the rest of us in the community. This is where your expertise in a topic can shine.  Focus on this one.

Brett’s tip

Work on becoming a community expert from this moment for two reasons. One, you will grow professionally and personally from the effort, and two, the community will benefit from your efforts. This becomes a cycle of the more you work on your expertise, the more the community benefits, resulting in you having more data to become more of an expert.

What should you focus on? Any topic that interests you!  One recommendation would be to pick an artifact and learn all about it. Learn more than anyone else.  Test your assumptions. Validate your findings. And write about it. Talk about. Share it. Congrats. You’re on the way to becoming an expert in that artifact!  Maybe even the only expert in that artifact.

Another idea could be to pick a FOSS (free and open-source software) and master that tool! Help with its development and testing. Make that tool into a widely used community forensic app and BOOM! You’re an expert in it.

Why do you want to be an expert?

• *  Professional recognition (within your community)
• *  Career (get hired or promoted)
• *  Challenge (self-improvement without concern of others)
• *  Fame (media, publishing, teaching)
• *  Fortune (selling yourself but not literally)
• *  ___________ (your personal reason!)

How long does it take?

Some studies show it takes 10,000 hours to become an expert. Other studies 'debunk' the 10,000 hour studies, and still others write that in 2 hours, you can be an expert.  The thing that is left out in many of these studies is the subject of expertise. A world-class tennis player surely will need thousands of hours of practice to reach near perfection in tennis. As would a musician. Conversely, an information technology professional would need far fewer hours of practical application and testing to master a topic such as building a computer.

There is plenty of research online that you can read on the number of hours that research shows results in expertise. I believe that time is an important aspect of expertise, but absolutely not the only or most important aspect.

How to become an expert

Becoming an expert is simple, but that does not mean it is easy. Simple, as in, all you need to do is study, put into practical use, and know well enough to teach it.  This is not easy because it is work!

• *  Focused study (the learning of foundations)
• *  Diligent practice (the practical application)
• *  Teach others (writing and/or speaking)

Study is the foundation, as you can’t teach what you don’t know. Or more accurately, if you try to teach something that you don’t know, it will be painfully obvious to your audience. Diligent practice is completely different than practice. Taking piano lessons and throwing your fingers around for an hour just to fill an hour of practice is not just useless practice, it is detrimental in learning bad habits. Don’t just “read” a book on your topic: engage in the content!  Do not just test a theory, but deep dive into every aspect of it.

When you think you are ready to teach, then prepare to teach by checking everything you know. You will end up learning more, solidifying what you thought you knew, and now almost ready to teach. I say “almost” because teaching in itself requires practice and time to get it right! The mere act of teaching others does not mean you automatically are an expert. You have to be good at it too!

The road to being an expert

There are checkboxes to keep track of your path to expertise. Here are a few, and within each item there are dozens of DFIR related sub-items to fill the checkboxes.

• *  Publish works in trade publications, peer reviewed works, journals, books
• *  Speak at trade conferences, universities
• *  Research, test, and validate your works
• *  Get interviewed by media
• *  Be awarded grants, awards, fellowships
• *  Spend time in academic study
• *  Spend time with practical applications of your work
• *  Discover, invent, develop processes
• *  Peer review the work of others
• *  Have your work peer-reviewed by others
•  

Factors that affect time to reach expertise

Mentor/trainer/coach/formal education

Figuring out how to ‘do it’ takes much longer than someone showing you how it is done.  Finding your errors is difficult, but easy when someone is evaluating, critiquing, and mentoring you.

Both of my kids grew up with classical piano and violin lessons. They practiced every morning at 5AM. They practiced after school. They practiced a lot. The biggest lesson that I pushed was that it is better to have perfect practice for an hour than a thousand hours of bad practice. Practice makes permanent, and that is a difficult task to undo. Mentors can check your work, critique it, and enforce the drive for perfection over the drive to compile hours of useless work.  Practice does not make perfect! Perfect practice makes perfect.

Hands-on versus academic research

An expert can solely be a pure academic without much (or any) practical application. An expert can also be a practitioner with virtually no academia.  A mix of both absolutely will reduce the length of the path to expertise.

Trying to master everything or one thing

The bigger the pie you want to be in expert in, the longer it will take to become an expert in it. If you want to be an expert in all-things “Digital Forensics and Incident Response”, you may need more than two lifetimes!  However, if you want to be an expert in “Internet forensics” or “prefetch artifacts”, then you can do that in shorter order, certainly within your lifetime and probably within the next 12 months.

Pick your target. Make sure that it is a reasonable goal. Focus on it and work towards it.

Reaching the plateau

There is a plateau, but you don’t want to get there. As soon as you stop learning and growing, you will have plateaued. Any expertise that you gained fades exponentially as time goes by. Choose to plateau when you no longer need the skill that you mastered.  The DFIR field is an ever-growing and dynamically changing field that needs constant upkeep to keep up, let alone excel in.

Sharing is a big part of improvement

The more that you share your work, along with being open to critical responses, the faster you will reach the expertise you are working toward. If you ignore or do not want to accept critiques, go ahead and put that lawn chair out on your plateau, because that is the result of not evaluating the community evaluation of your work. The more open to suggestions of improvement, the more you will improve.

Who is eligible to be a DFIR expert?

This is an easy one. Anyone. Literally anyone with the drive and determination regardless of background or any individual characteristics can be expert in their youth or old(er) age.  It is never too early and never too late. Whew!

You might be an expert already

You might have read through this post and realized that you have already done everything, but never considered yourself an expert. When you realize this, there one suggestion that I have for you.

Know when it is the time to be humble, and when it is time to bring out the expertise credentials, and know when you are an expert.

Your expertise can (is!) the key to someone else learning, growing, inventing, and discovering amazing DFIR things that are waiting to be found. Your expertise can bring the truth into a legal case based on your opinion and interpretation of facts and evidence. Experts carry an enormous responsibility.

There is no shame in being an expert. If for no other reason, become an expert to be more than competent in your job. I don't recommend shouting from the rooftops that you are an expert, but I do recommend acting as an expert when needed. Everyone will benefit, appreciate, and grow from it.

PS. There is no magic formula, cheats, or vitamin that exists to make you an expert. It is all up to you to make it happen!

Almost two years ago, I wrote about burning out in DFIR (“Only race cars should burn out"). I still stand by what I wrote at the time and if you haven’t read the post, take a read of it to maybe get a tip or two that could be helpful for you or someone you know.

I want to peel back one aspect of preventing burning out that some take too far, which is not doing any DFIR activities on your personal time. There is a fine line between work and personal time, in that keeping both separate from each other is healthy and necessary. However, that line is different for each person and it shifts back and forth during each person’s career. The more skilled that you become, the less time you need to maintain your skills. I find it difficult to have a bright line that no DFIR professional development using some personal time is reasonable.

The short version

The longer version.

What does this have to do with doing DFIR stuff on your own time?

While in the Marines, I married and my new wife made sure that work and home were separate, and that both lives supported each other. Later, in police work (especially when doing undercover work for years), the line between work and home was still solid, and still supportive of each other.  By supportive, I mean that each life (work and home) had focus during each respective shift, in that, when at work I focused on work and when at home I was an active and involved family participant.  I did my best to avoid working at home and also avoid bringing my family life into work. That was my bright line. Your mileage may vary. Understandably, some things are unavoidable no matter what you do.

Working at home (not working from home)

Working from home is not the same as working at home. By working at home, I mean bringing your work into your home when it should be left at work. You know what I mean…working on that exam or report in your off time, away from work because you “need” to get it done, many times without compensation from your employer.  Doing this on a regular basis cracks open the burnout door. This is working at home when you should be working on home. Any employer who overtly or subtly requires this type of unhealthy work ethic will eventually see the destruction of that employee's home and work life.

Back to those tweets and the competition

I have hired and managed people in the field (and let some go) and although I have never implied or required anyone to work at home, I have fully supported their professional development outside of work hours. This is the difference that I feel is imperative to state. If you want to be a competitive hire, advance in your field, or improve your skills, you probably need to spend some of your off-work time on professional development.

For entry-level positions, it is cutthroat. For higher-level positions, it is cutthroat. For promotions, it is cutthroat. Unless other factors are in play, such as favoritism, every single person competes with everyone else to get the job, the promotion, or even be assigned the “best” cases.  Doesn’t this make sense? Shouldn’t the most qualified person be selected? Of course, it does!

Listening to advice is risky, but necessary. It is risky because the advice may not apply to you and only apply to the person giving you the advice. It is necessary because none of us know what all of us know. For example, you might be told to “never improve your skills on your own time unless your work pays for it”, or that “you should only improve yourself at work”. This might be good advice to someone who already has a high skill level but terrible advice for someone without experience or recently learned skills.

Take advice with a grain of salt. Maybe it applies to you. Maybe it does not. Either way, you won’t know for sure until the results are in on whether the advice was good or bad (for you) after it is too late to change your mind. In the end, we are each responsible for the decisions we make. Even fully taking the advice from any person that results in absolute failure is the responsibility of the person making the final decision, not the advice-giver.

Professional development

When I hear DFIR professionals encourage new or not-so-new practitioners to not improve themselves on their personal time, I take a look at who is giving that advice. Have they not taken professional development, continuing education, or college courses on their own time away from work? Have they not read a technical book in their free time, or paid for books with their own money? Have they not ever turned on a computer to test a theory that popped in their head while at home? Or have they held true to their advice of only improving their skills while being paid at work which resulted in their current success? My guess is that most have spent quite a bit of time in their personal life to at least be competitive enough to create opportunities for themselves.

Side story: I was given a comp registration (free!) to a DFIR conference that I was speaking at a few years ago to give away. I offered the seat to someone that I felt could use it since he worked less than 10 miles away from the conference venue. His agency approved his attendance at the conference to attend on his work time (vacation not needed!) but the agency wouldn’t pay for his meals as it was physically a 5-minute drive from his office. What was his response? He turned down the conference! He said that he will not spend any time or money outside of work to learn forensics because he expects his agency to pay for everything. I found someone else that took the offer..and they paid for their meals.

I tell this story as an example that there are some decisions on how much sacrifice you are willing to make to improve your skills. In this example, it was the cost of 2 lunches and 1 dinner, which he paid anyway since he certainly ate during those days of the conference while he was at work instead of attending the conference .  For him, his line was absolutely not a penny spent from his pocket or second used from his personal time to better his skills.

The point

Know the distinction between:

** Working at home

** Working from home

** Improving your skills in your personal time

** Improving your skills on your work time

There is a time and place for everything. Manage the time. Manage the place. If you have the belief that your employer is responsible for improving your skills, I can promise that you will be stunted in your skill growth.

It is within your personal time that balance is important to manage. If your personal life fails, your work life will not be far behind. Balance results in the exponential growth of personal and professional, while the imbalance in one or the other will wreck both.

Generally, work time is immovable, and you should only work during work time (minus breaks). You are being paid to work, so this makes sense. Good management ensures that you have a good work workload balance.

Your sleep time should be solid too. Some nights might be shorter than others because of emergencies, but again, generally, you need to maintain good sleep habits. This is your responsibility.

But for your personal time, balance is much more difficult! Family time, hobby time, vacation time, and basic free-to-do-nothing time is bunched together here. This is 100% your responsibility to maintain and balance. You can’t increase it without affecting something else, but you can manage the best use of it. Anything you add to it will decrease some other parts of it.  If you add too much, then sleep gets whittled away. Add more and perhaps work becomes negatively affected.  Or if you stretch out work, your sleep and your personal time gets robbed.

You and I both have 24 hours in a day and cannot change it. It is how we fill that time that matters.

Summed up!

You make your own decisions based on the information you have at your disposal. Balance your personal life with your work life. Maintain balance within your personal life with professional development that benefits your entire timeline and does not detract from it.

You can have a career without any professional development and without ever spending a minute outside of work on your competence building. But you can also choose to spend time, as needed and as reasonable, to develop your skills using some of your personal time.

Short version: Any social media platform can be compared to the biggest, greasiest cheeseburger that you can find.  You know that the cheeseburger is unhealthy, but you choose to eat it anyway.

TikTok is worse for you than a cheeseburger

Many of us mis/use the Internet by installing apps that we know collect our data. We tweet, share, post, repost, reshare, retweet, and say little (if anything!) about the dangers of the platforms that we use.  It is a “risk worth taking to connect with friends and family online.” 

We partake in this ocean of data collection platforms because, like the cheeseburger, we are willing to willingly trade our personal data and intimate details of our Internet behavior to strangers for something that we want even though we know it is not good for us.  And like eating a cheeseburger yesterday, a new day begins today, and we are seemingly unharmed from yesterday’s use of these platforms, which encourages us to eat another cheeseburger (I mean, log into TikTok again).  We justify this unbalanced trade so that we can “connect” with friends and family online.

TikTok is like a triple stack, bacon cheeseburger.

Every person working in any aspect of “information security”, from the IT admin to the deep-diving forensicator, knows all about how social media platforms are purposely developed for the collection of data of its users. We know without doubt that the sole purpose of these platforms (ie, the code) is to collect personal data from users to specifically sell it. Yet, here we are using them, to connect to friends and family.  To be honest, we also know that one day, all of the unhealthy cheeseburgers will hit us hard one day. But we ignore that warning.

We are all breached

In defense of using “malicious” social media platforms, I hear the argument often that since the breaches have already happened, we have nothing left to lose.  It is true that our personal data has been breached, leaked, stolen, and sold multiple times. Our DOBs, SSNs, and mother’s maiden names have all been collected by hackers many times over and we used to treat our DOBs and SSNs as practically TOP SECRET information! But now, for less than five bucks, you can get anyone’s DOB and SSN in minutes.  For a little physical effort on a keyboard, you can probably find it for free.

The point that I stress is that our behavior is being collected. Our behavior speaks volumes more than our biological identity, especially when behavior is tied to an identified person.

Sure, when Facebook monitors your website visits, this is collecting your behavior, but even that is not what I am talking about. Facebook wants your browsing history and purchasing history so that it can make money from your Internet behavior. If Facebook informed every user in big, colorful letters that it is providing Facebook free in exchange for users’ Internet history and personally identifiable information, they would lose exactly no users. No one cares because the effect is almost unnoticeable. By the way, I am not defending Facebook in the least bit.

An entirely different level of ‘breached’

I consider every social media platform as malware even as I also use social media. How bad is that!?!  The most devasting impacts of social media platforms is not the selling and reselling of our phone number in order for a company to sell us something. It is not about being sent targeted ads. It is about the type of our information that is not being sold which is the worst kind of breached: our offline behavior.

Online dis/mis/information directly modifies our offline behavior, both intentionally and unintentionally by Internet platforms and other users. A person or persons in one country can cause a person in a different country to behave against their best interests or against the interests of their own country through misinformation, disinformation, and even with bullying online behavior. This can happen to corporations and even to governments, or more accurately, by corporations and governments.

We know it, but we ignore it, because we like cheeseburgers

TikTok is clearly malicious. Your PII and offline behavior are both being captured.  TikTok is malicious in the clear definition of being malicious. Data is collected surreptitiously for bad purposes, in the sense of marketing of “TikTok is totally free; we are not taking any personal information <wink wink>.”

A guy on reddit reversed engineered #TikTok

Here’s what he found on the data it collects on you

It’s far worse than just stealing what’s on your clipboard: pic.twitter.com/oqaQyYDXT2

— Dan Okopnyi 🇺🇦 (@d1rtydan) June 28, 2020

This is an unstoppable train

The train has left the station: Offline behavior of geolocation data, smartphone contacts, IP addresses, personal photos, bank account information, connected apps, the places you regularly visit, the routes that you regularly use, and the dates and times of your travels and destinations. All of this is in the hands of the developers of the apps on your device.

With the right machine learning, the right artificial intelligence, and the right intuitive design of an effective operation, you could start riots, create race wars, bankrupt corporations, shutdown economies, sway elections, and even start kinetic wars between countries based on this information.

No, I am not overreacting

In 2013, in a book that I wrote, I stated that “…mobile devices are practically an attached GPS device on the user.”  I should have added “…without needing probable cause for a warrant.”  And could have added, “…and can be used as an effective behavior modification device.”

All of this is already happening. It’s not a new method of warfare. Psychological operations have employed for many wars for as long as humans have warred.  The only difference is that with the Internet, PsyOps is more effective, easier, and quicker to see results. Where a few decades ago, a PsyOps campaign may not see results for months or years, we can see results in mere days and hours. Push the right buttons on the right person and a riot is sparked.  Our devices not only give our location but also collecting the identity of those near us who also have connected devices. Think about it: a gathering of any social group can be completely identified in minutes by date, time, location, and the personal contacts between people based on the physical distances of each person's mobile device.  What could you do with that information if you wanted to modify the behavior of a group?

I am past preventing the misuse of PII or collection of offline behavior. I think all of us should move past that, including our government. For as long as people use the Internet, this information will be collected maliciously or with consent. The more effective measure is what to do about the effects of what we cannot control. How do we correct our misdirected behavior created by trolls and enemies? How do we separate what is fake from what is real? What is our countermeasure?

We can ban malicious apps today, but without question, others will come tomorrow. Apps that we assume to be non-malicious today can easily turn malicious with the change of a few lines of code at any time of use. If not the app itself, malicious insiders will always, and have always, stolen and sold information to adversaries. We can't blot out the sun but we can put on sunscreen.

A forensics-thinking approach

One thing about the digital forensics mindset is that everything in the electronic data world is questioned during an analysis. No competent forensic analyst will blindly accept the date of a file as being the actual date of the file without some corroborating data. One point of circumstantial evidence is just an opinion.  We need more than a single point of data to separate a fact from opinion.

The same holds true for every social media platform. We cannot blindly accept that our use of any platform is free from being used to harm others or ourselves by malicious actors or even the platform provider (sometimes they are the same!).  Bots, puppet accounts, and hijacked accounts are most always trusted at first glance, and many times, continue to be trusted until it is too late.

Question everything that makes you question questions

One of the traits that makes a good investigator is listening that little voice in your head that asks, “Why…”.  You have an ability that raises red flags and gives doubt, but you have to act upon that ability. Humans are too quick to accept what they see or hear, and thereby not question it.  Have you ever walked into a new restaurant, got a bad feeling, ate there anyway, and ended up regretting it? That's what I mean. Find the answers to the questions of the little voices* that you hear.

In a digital forensic case, acting on uncorroborated evidence can result in case dismissals, or worse, wrongful convictions. In the offline world, acting on uncorroborated information can result in personal and physical attacks on innocent people or worst, the complete breakdown of a society.

There are no coincidences

I did some time in military intelligence units and one of the things that I learned was that there is no such thing as a coincidence. Anything that happens, happens for a reason and someone was behind it happening. I carried that experience and training into undercover investigations in law enforcement by creating "coincidences' in my cases. It was a simple op to gather intel on criminals and 'coincidently' to bump into them to develop relationships without having to be introduced. These planned coincidences resulted in going from zero in a case to practically being #2 or #3 in an organization.

The Internet is no different. There are no coincidences on the Internet. Everything has a purpose and plan. Whether individuals create dissent, or they are useful idiots in a bigger operation by organizations or nations, consider that there is something behind everything if it is on the Internet. More so with the "free" social media platforms.  You are not the product in these scenarios. You are the pawn.

The hard way of surveillance

At a federal task force, my group needed to come up with a plan to install listening devices in a house. The house was irregularly occupied and of course, always locked. The team that actually installed the devices had a plan. We created a 'power-line down' ruse in the neighborhood to stop all incoming traffic, the install team broke into the house through the garage, cut a hole in the wall to access a room, installed the devices and software, repaired the hole that they cut out, and left undetected. That was a major operation and the occupants didn't have a clue until they read the affidavit...

In another case, I needed to install a hardwired-GPS on a vehicle that was extremely difficult to catch at a place for the installation. The only way feasible was to get a search warrant to steal the car, order a key from the manufacturer, install the GPS after 'stealing' it, and then "report" the stolen car to local PD as a stolen recovery.  Again, lots of work just to install a GPS.

Today, if I were a spy and wanted to do these things, I would walk down the hall to the computer team and request development of a free, social media app. Then I would market it like crazy to the country/countries of choice.  And monitor it and wait until my targets, or the children of my targets, or the friends of my targets installed the app. Then I would be in their home, quite literally in the sense of being able to hear and see anything. And potentially influence them. Or I could influence the populace slightly by pushing a few key users into a pre-planned direction of disruption. Not that this could be happening now.........I wonder if I could get law enforcement officers, political figures, movie stars, and their children to use my app?

A step in the right direction

Be prepared to address what is coming. Be prepared with solutions to the problems when people start complaining. When your government wants to implement an overreaction to a perceived problem, be prepared to have a better-measured response. 

Consider the current encryption debate. The government can’t break encryption, so their solution is banning encryption altogether (a backdoor is an encryption ban, fight me if you want). Any person in information security knows that this is not only an over-reaction, but it will be the biggest detriment to security in the history of security. There are better solutions. One would be for investigators to do better jobs in their investigations rather than outright ban encryption.

We are all smart enough to know what is happening with the breaches, the leaks, and the malicious social media platforms. If the data is not being sold for profit, it is being caressed into a format useful for warfare (cyber or otherwise).

As a side note, every country is doing this to their own countries in the search of potential dissidents and criminals. Remember that what you do today may be illegal or unacceptable tomorrow. Some governments may allow for the past to go unpunished, which other governments may (will) retroactively punish past behavior that was legal at the time but subsequently made illegal.

You Should Already be in Condition Yellow

Anyone working in the infosec field should be in Situational Awareness Condition Yellow. Being aware of threats now decreases the time between identification and action which thereby increases your odds of success to handle threats.

Of course, we are aware of the threats that the Internet holds for society. From cyberbullies pushing victims toward suicide through nation-states creating internal turmoil in their enemy’s countries using online PsyOps. But being aware is only one step. We should be thinking of countermeasures and remedies.

Be ready for when those in Condition White begin to overreact, you can bring them down to Yellow when they go straight to Red without a plan. No one wants to hear from complainers without solutions, and by being ready with something, you will be further ahead and maybe we can get this right the first time.

Until then, cut back on the cheeseburgers because the day to pay up for those burgers will be here soon enough.

*by little voices in your head, I mean "gut feeling", "intuition", "bad feeling", "paranoia", or anything else describing the feeling that something not quite right.

Jessica Hyde of Magnet Forensics sat down together (virtually...) to talk about forensics.  In case you missed it, here it is!

A “new” article on imposter Facebook accounts was published today in the Philippines.  I put “new” in quotes because this is not a new issue, but I am glad that more public attention is being given to spoofed social media accounts.

I am referring to imposter accounts as “spoofed”, “faked”, and “imposter”, where the account was not created by the user. Conversely, there are fake accounts created by a user as a multiplier to voice misinformation/disinformation, but not used against a real person. The fake accounts of real people are a different matter.

How does this affect you, aka: TL/DR?

A fake account can affect your personally by:

• *  Ruining your personal reputation,
• *  Destroying family relations,
• *  Getting you fired from your job,
• *  Having criminal charges filed against you, and
• *  Creating a risk of being sued.

On the professional side of using Facebook as part of OSINT investigations, you can be led on rabbit trails of false and misleading information whereby you put an innocent person at risk of all of the above bullet points, plus other devasting problems that I probably overlooked. Simply, if you find your suspect's account and use that information as a foundation of fact, you will be chasing an innocent person being framed with disinformation.

I wonder how many alibis have been successfully used with disinformation on social media platforms...

Today’s News is Old News but it is Relevant News for Today

In the Philippines article, students and journalists are the targeted victims with spoofed Facebook accounts created in their name and without any other information, such as personal photos. Fake accounts have been happening for years, so this is not new. However, it is just as relevant today as it was years ago. Perhaps more so now than ever before.

I am using “Facebook” throughout this post as Facebook is this article’s focus, but everything that I say about Facebook can be applied to almost any social media platform.  Social media has been an amazingly positive force in the world for connecting people and sharing information, but just as any tool that has an incredible power to do good, the same tools have the power to do the exact opposite for bad.

https://www.bloomberg.com/news/articles/2020-06-07/philippines-probes-proliferation-of-impostor-facebook-accounts

Found 3 fake Facebook accounts using my name last night. Already down (I think?) after I reported. One good thing about having a unique name is I’m sure the accounts are not owned by actual people with the same name as mine. pic.twitter.com/7TBptLnofU

— Jodesz Gavilan (@jodeszgavilan) June 7, 2020

So what?

With a standard disclaimer that I am not a lawyer, creating fake accounts probably isn’t a crime in most countries, because who cares if a fake account with no information on it was created.  Certainly, fake accounts may violate the TOS (terms of service) of the platform provider and the accounts can be removed by the provider.  

By the way, you can report a fake account to Facebook here: https://www.facebook.com/help/1216349518398524?helpref=hc_global_nav

As far as criminal laws are concerned, the Internet doesn’t create a new world of criminal laws as the Internet only facilitates existing crimes electronically. The laws are basically the same, but have a sexier title like, "computer facilitated". Meaning, harassing someone online with racial or threatening comments is not different than doing the same thing at a workplace. Threats are threats. Identity theft is identity theft. The Internet just makes it easier, faster, and more explosive. Please don’t @ me with laws on Internet crime…I’m speaking extremely broadly on the legal aspect of fake accounts. I want to focus on the more important issues that affect you personally and affect your cases.

Technically, a fake account is just a fake account if it just sits there, right? I mean, I even checked my name in Facebook and found a fake account! No photo or any information, but it is there.. This is a fake Facebook page in my name (again, I did not create this).

https://www.facebook.com/pages/Brett-Shavers/163135850514643
In case you may be thinking that this could be a different “Brett Shavers” with a Facebook page, I highly doubt it.  In fact, this fake page was created with me specifically named based on seeing (1) author under my name since I am an author, (2) Renton Police Department as a related page, which is where I was a detective in my former career, and (3) Amped Software- Forensic as a related page since I am somewhat involved in deeply involved in forensics.

There is also a notation (4) of “Unofficial Page”, which Facebook defines as a page that was not created by the named user.  If I want, I can claim this page, or merge it, or ask that it be deleted. If I were to do this, I assume it would begin a game of whack-a-mole.

The interesting thing about me and Facebook is that I do have a personal Facebook page, but I don’t use it. Nothing is on it. I don’t like the concept of Facebook for many reasons. I created it in a futile attempt to prevent someone from creating a fake Facebook in my name.  My effort was completely in vain. My real page looks like this (again, I did create this page).

How many fake accounts are out there?

This is one of the unknowns in life, as you can’t know the unknowable. However, Facebook has deleted BILLIONS of fake accounts.  More specifically, Facebook has taken down over 5.4 BILLION fake accounts.  Consider that the planet’s population is about 7.8 billion and that there were at least 5.4 billion known fake Facebook accounts. Still, this is not the most important issue to you as I move toward the juicy stuff!

The juicy stuff!

By now, I know that your brain has already gone through a dozen scenarios of how bad this situation with fake accounts sucks.  I can’t think of a better word than “sucks”, because that is how this feels. To make sure that you covered the most important scenarios in your head, here are a few to think about if you missed one.

What can a fake Facebook account do against you?

• *  Target you personally
• *  Target your professional
• *  Target your criminally
• *  Target your civilly

These are easy to see. In this world of angry Internet users, any person can be the target of an army of one or an army of many through Internet attacks. A fake account can make you seem to be a far left/right political threat, a criminal peddling some form of criminal evidence (drugs, stolen property, etc..), or use your name/account to post threats to businesses, people, or to a government. None of these are good and all will require substantial resources to remedy, as in, prove your innocence. Also, the permanent effects of personal damage online is…permanent.

Criminals can (do) scope out targets and monitor their social media accounts. Creating a fake account in their target's name takes this one step and a million miles further. Imagine a fake Facebook account in your name that friends one of your friends. In minutes, your entire life’s connections can be mapped out with friends of friends and friends of those friends, and so forth. One fake account and you are completely exposed to an attacker. Before you are made aware, the account can be removed and you now your attacker has a complete dossier on you for their mission of destruction.

Not cool at all.

How can fake Facebook accounts affect your investigations (criminal or civil)?

• *  Misleading information
• *  Disinformation

For those who use OSINT (open source intelligence) as part of your job with either civil or criminal investigations, any criminal can create a fake account to throw you off their trail and on the trail of an innocent person. Imagine finding someone admit to a crime on Facebook, in their name, with their photo! That breaks the case!  But if it was fake, you may or may not figure it out, and if not, an innocent person could end up charged and convicted of a crime that they did not commit.

Regardless if you can figure out if the account was faked, the effort involved to verify and corroborate the information wastes valuable time in any investigation. Your casework is affected nonetheless.

A bigger threat?

• *  Facebook data collection
• *  Government collection from third party Facebook

Facebook collects personal data. And it sells it to other businesses. And it gives it to governments. We expect that now. The surprise no longer exists that Facebook is a data collection machine that makes money off its users’ personal information. But that is not the issue, because if you don’t want to be part of that machine, you can avoid creating a personal account. Right?

Wrong. Facebook might make a personal page for you anyway without telling you anything about it. If they don’t make a personal and public page for you, they are certainly collecting your information anyway, even if you have never ever visited a www.Facebook.com website..ever.

Packet Storm wrote an amazingly important article in 2013 that describes basically your personal is collected by Facebook through friends and family on Facebook. Many in the security field are aware of this, where John Doe will post on his Facebook page about Jane Smith. Jane Smith might not have a Facebook page and is doing everything to avoid being online, but now her friend John just outed Jane to the Internet world.

Take this a step further. When John logs into the dozens of social media accounts through his mobile device or computer, he will usually give access to his contacts to the social media platform. Now, dozens of social media platforms have Jane’s contact information, even though Jane has no account on any of these platforms.  Eventually, these contacts are collected by Facebook through the same manner of allowing access to the user’s contacts, and Facebook practically has the contact information of every person on the planet who has an email address or name.

Facebook has been questioned about “shadow” accounts or “invisible” accounts and claimed that the collection of this information was a technical glitch. This bug was, in effect, mapping the world regardless if everyone had a Facebook account.

The bigger threat, even more important than being targeted by criminals, is that of being wrongfully targeted by a government.  Let’s take the Philippine’s situation as an example.

“This was first reported by U.P. Cebu’s official student publication Tugani, which said it found fake accounts of student activists who were arrested in an anti-terrorism bill protest on June 5.” - https://www.bloomberg.com/news/articles/2020-06-07/philippines-probes-proliferation-of-impostor-facebook-accounts

It seems that students who were protesting and subsequently arrested, discovered fake Facebook accounts in their name. What would the purpose of that be, other than tracking people critical of their government? Over the course of human history, every group of people has had their turn of being critical of their government. Everyone takes their turn. Some nations allow public critiques without interference and other governments execute dissidents on the spot, in the street, for all to see.

3^rd Party Access Trumps 4^th Amendment protection

But the United States has the 4^th Amendment! Come back with a warrant, bro! This is true, and generally, the Constitutional protections are followed by the US government (all levels).  I say “generally” because there is always an instance of abuse that occurs inadvertently or intentionally.

Most people aren’t intimately aware of Constitutional Rights, and when asked, will usually recite something that they remember from a Hollywood movie or TV show. They don’t get it right often. Those “in the know” know that Facebook’s data is not protected by the Constitution. Your home and everything in it is protected from unreasonable search and seizure, but the data collected by Facebook (or any 3^rd party) is not.  That means knocking on Facebook’s door with a written request for data bypasses the wall between your data and the government.

The issue is when the data with your name on it is not your data but is tied to you. Or perhaps it is your data, collected and curated by Facebook that your entire life is memorialized in a neat zip file. Hopefully, the information collected was not disinformation by a competitor or criminal or scorned lover wanting to set you up for a fall.

All Existing Data is at Risk to be Breached

Social media platforms and any company that collects data are under varying degrees and sometimes opposing requirements of data preservation and data destruction. Some types of data is required to be maintained for a certain number of years and other data is mandated to be destroyed in a different number of years or months. Some providers swear to not keep any data.

The thing is, no one really knows how long data is kept or destroyed. Personally, I have written affidavits for data that should exist but told that it does not. I have also received data that should have been destroyed but was “overlooked”, resulting me getting extra information… On top of that, I have personally seen corporations not even know the data that they were maintaining that they certainly should have destroyed (legally) a decade earlier.

This data, all of it, including the fake accounts, are ripe for the taking by anyone with access to the data. Access does not only imply “legal” access, but any access to include hackers. It’s bad enough for your real data to be stolen, but it may be much worse if fake data is stolen and attributed to you.

What can you do?

Unfortunately, it is whack-a-mole with your private data and doubles with the fake accounts that might be attributed to you. At one point, I made a Keybase account, where you can verify the platforms and websites under your control. I verified everything in hopes that if a fake account was made (which there are a few for me…..), I could easily point to a verification site to disprove the fake news.

But, Keybase was purchased by Zoom, and with Zoom’s security problems, I deleted my keybase. The good news is that Keybase doesn’t allow me to recreate my account with my same name. That in itself is a good security feature for you. I recommend creating a keybase account and then delete it in order to prevent someone from creating a keybase account in your name. Of all fake accounts, Keybase would be a bad one to have made in your name as it professes to the world that you are you. Another example of platforms communicating (ie, sharing) data between each other is Zoom's iOS app sending data to Facebook as reported in Motherboard. The funny part? Even if you don't have a Facebook account, Zoom sends it to Facebook anyway. Add to this that Zoom purchased Keybase. Before you start spiraling out of control in conspiracy theories with social media platforms, keep in mind that I am only focusing on the fake Facebook accounts.

A personal story

Way back when, when I was a new patrol officer, my wife made a website.  This was really incredible at the time. To give you a hint of when this was, it was during dialup, and websites were made by straight typing HTML. WYSIWYG wasn’t a thing yet, but she taught herself and made a site on one of the free platforms at the time. It was a family website and because I was in law enforcement, I stressed to not use our names or personally identifiable information, especially as our kids were young at the time. Anyway, her website became popular and made it into several print magazines in Japan. Oh yeah, the website was in Japanese. This will be important to know shortly.

The punchline is that one day in patrol, dispatch sent me a message on my MDC (mobile computer) and said something to the effect of, “Hey. I found a website with pictures of you and your family on it. Did you know that?”

Long before the Internet searching became really easy, a dispatcher somehow found me online with my family, on a website that was in Japanese. My wife took the site offline when I told her.

Later, in my undercover days, my threat level substantially increased. I flew around the country and internationally, many times unarmed (dumb in-country rules...), and hung out with organized crime. My conversations were talking to people about people that they killed or had killed, informants that were tortured, corrupt cops, smuggling humans across borders, and all things drugs and guns. I had cars drive slowly in front of my home, been followed on more occasions than I want to remember, and bumped into targets while off duty while with my family.  During this time, I found that a relative of mine was posting pictures of me and my family online, even knowing the job that I was doing. I blame the ignorance of security more than anything, but to be unaware that photos you send to friends and family end up on their social media platforms is uncool without asking permission. Then at a point, I had threats and guns stuck in my belly added to the mix.  Having a gun stuck in my belly and also my personal information exposed online, I can say that the Internet exposure was worse. Oh yeah, my ID was stolen with all of this too.

I have more of these types of stories than any one person should have, but the point is that the Internet is a dangerous place for not only those with intelligence or law enforcement jobs, but for any person who somehow gets in the crosshairs of an angry person, or someone who needs a scapegoat for their crimes. Fake social media accounts are a serious concern, and for you, the IT, Infosec, or DF/IR pro, your first responsibility is to protect your family. Protect the world as a secondary task as you get to it.

Stay safe.

Billions of fake accounts: Who's messaging you on Facebook?

https://bigthink.com/politics-current-affairs/facebook-banned-accounts?rebelltitem=1#rebelltitem1

Philippines Probes Proliferation of Impostor Facebook Accounts

https://www.bloomberg.com/news/articles/2020-06-07/philippines-probes-proliferation-of-impostor-facebook-accounts

Facebook has shut down 5.4 billion fake accounts this year

https://www.cnn.com/2019/11/13/tech/facebook-fake-accounts/index.html

DOJ to probe sudden surge of fake Facebook accounts

https://www.cnnphilippines.com/news/2020/6/7/DOJ-probe-fake-Facebook-accounts.html

Shadow profiles: Facebook has information you didn't hand over

https://www.cnet.com/news/shadow-profiles-facebook-has-information-you-didnt-hand-over/

Facebook: Where Your Friends Are Your Worst Enemies

 https://packetstormsecurity.com/news/view/22713/Facebook-Where-Your-Friends-Are-Your-Worst-Enemies.html

Facebook admits year-long data breach exposed 6 million users

https://www.reuters.com/article/net-us-facebook-security/facebook-admits-year-long-data-breach-exposed-6-million-users-idUSBRE95K18Y20130621

Zoom + Keybase

https://keybase.io/blog/keybase-joins-zoom

ZoomiOS App Sends Data to Facebook Even if You Don't Have a Facebook Account

https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account

The fantasy

So many people ask how they can start a career in the DF/IR field, which is completely understandable. The glamour is there. Hollywood shows vivid and dynamic computer screens depicting the fascinating work of forensics and incident response, from James Bond flicks to any of the CSI tv show series.

And the money! There is so much money to be made! WHAT A GREAT JOB!

The reality

You need to know computers. I mean, you really need to know about computers, from the basic fundamentals of how a computer works physically with hardware through how software works on that hardware. You need to be a generalist and a specialist. The time spent to learn what you need to learn requires more than you can imagine and at that point, you will still be incompetent for working in this field. You’ll just know that you don’t know enough.

Then when you feel like you have learned “enough” to do the job, if you haven’t kept up with technical aspects of the field every day, you will realize that you have fallen behind in competence faster than a boulder plummeting down a high cliff.

After you read a dozen books on the topic, spend thousands of dollars in courses and conferences, practice with all types of software, your climb to the hill of knowledge will feel like the hill is growing and you are not making any headway. 

Every device that you touch will seem like Groundhog Day because not only will it be a different scenario than the prior device, but your objectives will be different, and the software that you once used might not work for what you need this time. That means learning a new tool to handle a new device on a new case, all the while, trying to keep up with the changes that were made in an operating system from last week.

You will quickly learn that CSI on TV has it all wrong. You won’t be solving anything in the timespan of a primetime TV show and will be explaining to your boss or client constantly that Hollywood has forensics all wrong, and that you have to do research on the analysis. Then your confidence will fall because you will feel that you should have already learned how to do analysis on this particular device, but you have to now do research and figure it out like it’s the first day on the job.

Once you get the hang of this career, for as long as you want to be competent, you will be constantly seeking out training, reading, practice, and research. If you didn’t realize it before, you just learned that the process to keep up is never-ending!

Your reality

If you still want to work in DFIR after all of that, then you might be made for it. This may be your path.  I spoke about much of this with Jessica Hyde of Magnet Forensics this week, and I stand by everything I said about trying to talk someone out of a difficult profession because there are some jobs that require more effort than other jobs in terms of preparation and sustainability.

For each of us, there are jobs that we could not be paid enough to do. Those same jobs where we would never work are the same jobs that some people would pay to have. Each person is different as each job to each person is different, and there is a sliding scale for career preferences.

Any and every job is honorable. No job is beneath any of us. And if we are fortunate in this life, we can choose a job that fits both our wants and needs. DF/IR is no different in that aspect with any other profession.

The one aspect where DF/IR is different is the effort required to get started. Compared to a job where minimal skill is required, or where the skill is fairly easy to obtain, DF/IR  is not only not easy, it is laborsome. With that comes making a commitment to carry through just to get a chance of working in the field. If you are not committed, you are not going to make it.

If you ever competed in anything, from music to sports, you know that it takes many hours of perfect practice, many errors, and extreme focus just to be able to be competitive against everyone else. You can tell in seconds those who have prepared from those who have not. There is no competition when there is no preparation.

On the visual below, if DF/IR is not on the far green end of the arrow for you, you might not make it because it is too easy to give up on anything, let alone something that you are not fully committed to do.

Boot camp is not what you think

If DF/IR sounds like a military boot camp to you, then you got the picture that I am trying to get across. It is boot camp for your brain. You need endurance. You need focus. You need to learn to walk all over again and eventually you are running.

Few things in life are more frustrating and defeating than not getting what you worked for.  We are impatient. We want what we want when we want it and not a second later. If you are lucky, you get what you want when you want it. For the rest of us, it will take time, effort, failure, time, effort, failure, time, effort, failure, and eventually success. Time = days or years, different for everyone and everyone’s personal situation.

Excuses are like…

During my first week in Marine Corps Boot Camp, a drill instructor was yelling at a recruit who had just given an excuse for failing at a task. The DI yelled "Excuses are like assholes. Everyone has one and they all stink!"  I don’t believe DIs can swear anymore by the way..but the point was well made to me and I was really glad to learn it by not being the recruit being yelled at. Don’t worry. I was given my fair share of being yelled at every day.  The point is that everyone has excuses and they get in your way if you let them get in your way.

There are some factors that will eliminate you from a specific job. For example, to be a firefighter, you need to be able to physically carry firehoses upstairs to put out fires. If you cannot physically do that for any reason, you won’t get that job. Same with being a house painter. If you blind, painting houses isn’t going to be possible. If you are able to perform a job, then the odds are good that you can get that job with effort.

Barring circumstances that physically prevent you from doing DF/IR, you can do this job. That might make it sound like anyone can do this job, but that is far from the truth. The only people who can do this job are the ones who dedicate themselves to continual education to keep up and learn. For those who DF/IR is for them, keeping up with the field is more entertaining than watching an action movie because it is exciting and challenging. For those who struggle with spending the time to prepare, learn, and keep up, DF/IR is not for them.

You cried?

If you didn’t get into the school of your choice for the DF/IR degree of your choice or were turned down by the job that you really wanted, or failed to pass a certification that you studied weeks for, or couldn’t figure out something that you believe to be simple for everyone, then you are probably still on the right track. This is normal. 

And if you sat in the middle of your room and cried about your choice of working to get into DF/IR, that is ok too. You are probably still on the right path. If you consider quitting to do something else, you are even still probably on the right path.

The defining point is that after you do that once or twice or a hundred times, you stand up, crack open the book, and get back to it. If you keep doing that, you will be fine. Do not let yourself get in the way of what you are working toward.  Quitting is simply what happens when you find out that what you thought you really wanted, you didn’t want bad enough. No matter how often you fail, it is only failure when you stop trying.

Yes, it does take time.

Timing is everything. If you are lucky (I am not….), by the time you are qualified to do DF/IR, the demand is so great that you have the pick of where you want to and how much you will accept to be paid.  You might not have any downtime between qualified to work and actual work.

For many others, it might take years to get where you want to go. Actually, it probably will take years to end up where you want to be. This is not only ok, but to be expected. Achieving what you want sooner than expected is nice but do not let this be your measure of success.

I get it

Sometimes the timing is not right for what you want. Maybe you are too early or too late for what you are after. Sometimes there are things out of your control that can prevent you from walking one path, but that does not mean you cannot walk another path that might end up being the better path for you.

Life happens to all of us. We hope to avoid life’s tragedies, but the tragedies are waiting on your path just as they are on the path of everyone else. We confront what we confront when it is time to confront them. We don’t choose when they happen, but we choose how to react.

With that, for anyone wanting to sincerely step off the DF/IR path because of any reason, I fully support the decision, because that decision to quit is probably the right decision. By the right decision, I mean that quitting means you weren’t meant for that path, but also means there is another path more fit for you.

But for those who are on the spectrum that they would pay their salary to work in this field, to learn the bits and bytes of data, and to spend whatever energy is required to get there, I am right behind you making sure you keep going.  You can cry along the way or even toss your laptop against the wall in frustration as long as you decide to keep moving forward. Cry. Wipe off the tears. Get back to work. You will be fine.

Hang on…you’re already in DF/IR?

If you do this job already, by now you should have encouraged at least one person who had a spark of DF/IR to move forward (maybe one of those folks was me!). Be an inspiration to the next generation. We now live in a world of the most negative social media, call out and cancel culture, where anyone can be brought down publicly for no reason at all. This is our world, the electronic world, the “cyber” world, and by virtue of our job, we are responsible for safety of all people. Be the force of good and make your name one to be remembered for helping someone, not tearing them down.

The experiences of anyone in this field are awesome! They are even more awesome when you can ignite a small spark of inspiration in someone who may use these skills to change the way we do business, change the way we think about DF/IR, and potentially change the world.

Don’t think this doesn’t apply to you, regardless of where you sit. You have more power to inspire someone to make discoveries in this field that would not be possible except for the spark you lit in someone. That’s pretty cool in my book.

The meat and potatoes

A bit is still a bit and a byte is still a byte. COVID-19 cannot change that, which means that the technical aspects of the work has not changed. But what about the investigative aspect?  Oh yes. That part of DFIR has certainly changed. The key change is geolocation, and it is more important than you may realize at first glance.

The full meal

Every investigation with any aspect of an electronic device has been affected due to COVID-19 and its consequence of stay-at-home/work-at-home. As far as investigations are concerned, device geolocation is perhaps the biggest impact. There are also other subtle aspects of the quarantine to take advantage of in your investigations, whether you are involved in civil or criminal investigations or corporate matters. The benefits are there to be had. Individual privacy is yet another issue but let us start with investigations.

For the most part, the impact of COVID-19 is positive for investigators. Actually, it is practically only positive.  I will be breaking down the pros and cons by way of using the below four broad categories. These are "broad" because overlap exists and it is near impossible to have a clean break from every aspect of DFIR. Every person fits in one or more of those boxes, including the privacy category.

Digital Forensics (DF) & Incident Response (IR)

How does COVID-19 affect DFIR investigations?

For criminal investigations, the geolocation impact is most dramatic. Compare the “before” and the “current” geolocation investigative aspects of COVID-19 (specifically criminals using mobile devices and Internet access points).

In the above comparison, “home” is where a person lays their head. Investigators who pursue criminals focus heavily on the “home” of a criminal, which tends to be the location where the criminal spends most of their time, stores and creates physical evidence, and where they are most vulnerable to arrest. Even one of the most primary and basic goals of law enforcement surveillance is to follow criminals and ‘put them to bed’, which simply means, follow them to their home. COVID-19 makes this much easier since everyone, including criminals, must be home, or at least be at home more than usual.

Side note: An investigative truism for the vast majority of crimes is that criminals must communicate to plan, conspire, and commit crimes. The most convenient and commonly used investigative method to capture communication is focusing on communication devices. Quarantine makes this easier.

COVID-19 Benefits Investigations

--Mobile devices

---Easier to find the home of the owner (suspect) since the device will be home more.

---Easier to identify other devices of the suspect since personal devices are also home with the suspect.

---Cell tower dumps near a crime scene will have fewer devices connected, lowering the list of possible suspects.

---“Burners” are now burned. They now travel less and are quarantined with their owners. Burners can now be easily tied to a ‘home’ and to its owner at that home.

---“Burners” will now always be near their owner’s other devices, tying them together.

---Subsequent forensic analysis post-seizure will have fewer GPS points to investigate. This is good for the purpose of fewer false alibis.

---Higher usage of all devices (burners and personal) results in more data and more evidence. There is also a higher use since face-to-face communications are less due to quarantine/stay-at-home.

--IP Addresses

---Higher use of personal Internet accounts being used.

---Higher use of borrowing neighbor’s Internet access.

---Higher chance of protective measures (VPNs, Tor, etc…) being inadvertently misconfigured or neglected for one or many communications.

With criminals being home more than usual, identifying their devices, tying the devices to them, and identifying the “homes” of criminals has never been easier.  As long as you have either the device information (ex. the phone number) or the home address, tying both together is simpler than pre-COVID 19. Consider that a mobile device, including the ‘burners’, will be living at their owner’s home for longer hours per day than before, because the owner is at home for long hours. Where cautious criminals won't turn on a burner at their home, they don't have much choice now.

• A home address can be assumed and later confirmed by using mobile device geolocation, such as from GPS coordinates obtained from service providers.
• Device information can be obtained by having the home address, such as examining cell tower dumps, or other technical means to obtain mobile device signal connections.

Another side benefit of COVID-19 for investigations is that of increased usage of electronic devices to communicate. Criminals must still leave their homes to commit traditional, non-computer crimes, but the use of mobile device communications still increases. More calls to more phones help build a more thorough link analysis of criminals and their co-conspirators. Traditional policing is also made easier with fewer cars on the road and fewer places for criminals to blend in with the public (such as at a crowded restaurant or park).

Cell tower dumps in the area of a crime, where pre-COVID 19 could result in hundreds of devices per one tower might now only have a few devices which greatly narrows the list of potential suspects of a crime.

Successful criminal hackers take great pains to hide their true identity and location. Whether it be using VPNs or Tor, one of the basic premises is to not connect to the wire with anything that ties to your home or work. For the most part, the quarantine forces the use of a home Internet connection or a nearby neighbor’s connections. One error made in complacency or technical failure can expose everything.  Investigators should take advantage of the increased possibility of tracking a criminal hacker to their home as compared to tracking to any one of thousands of public WiFi spots found at libraries, coffee shops, and throughout entire cities with public WiFi.

One negative with COVID-19's quarantine is not being able to physically place the co-conspirators together by way of geolocation, such as having two devices being at the same place at the same time. In cases that I have had, each time that I could identify the date and place that a group of conspirators would meet to talk, such as at dinner or a parking lot, being able to identify every device in the area was a good operation. This was really beneficial as not every person in an organization will call every person in that organization, so tying devices together requires more labor. Conversely, in the quarantined world, everyone in the organization will need to call more of those in the organization to communicate.

As far as when the quarantine is lifted and we reach the new normal, the historical geolocation data available will still benefit future cases, both with device forensic analysis and with third-party service providers holding the geolocation data.

Electronic Discovery (ED)

Compared with criminal and civil investigations, COVID-19 poses more risk to businesses. Companies who are allowing remote work at their employees’ homes without appropriate precautions are now creating a situation of intermingled personal and business data.

Employees who know have open access to their employer’s systems using personal devices might be the biggest risk to employers in the past decade. On one hand, data mingling can cause a substantial legal issue in litigation, where company data might be intentionally or inadvertently saved onto personal computers. Additionally, personal computers that may have outdated anti-virus or unsupported operating systems could increase the chances of a company being compromised through an employee’s personal system.

Companies that had been supporting remote work by way of providing systems that are maintained by internal IT staff and using protected connections (not simply directly connecting to the network…), have no concerns that they did not have before COVID-19. For the rest, I can foresee some problems.

Open Source Intelligence (OSINT)

OSINT is fun for the curious. It is also an effective investigative method as well as an effective victimization tool. With COVID-19’s quarantine, the impact is that for those who want to remain semi-private regarding their homes, yet still remain socially available online, they will be more at risk of exposure.

Being at home more means most photos to be posted on social media will be those taken from the home. More family photos. More photos of a home’s interior and exterior. All of which can build upon safety concerns for some.  

For investigators, applying OSINT to cases where suspects are using social media simply means gathering more relevant and home-based geolocation data.

Privacy & Surveillance

Being anti-crime does not mean that you must be anti-privacy, but most governments will try to convince you otherwise. All of the above-mentioned benefits of COVID-19 as it relates to investigations to solve crimes have a perverted relationship in potential loss of personal privacy. The key questions are who is being watched, for what reason, and for what justification.

Right behind any government are the many tech companies with the ability to collect personal data from its users, privacy be damned. The intention is for the public good as it is primarily, if not solely, used as a revenue source (your data is sold and sold and sold again). Now, we are online more because we are home more (practically 24/7), which creates more data to be collected on the websites we visit, the online shows that we watch, the videos, and online purchases.

A government’s view of “data hoarding” is for the public’s benefit.

A corporate’s view of “data hoarding” is for corporate benefit.

Now comes COVID-19 and there is a merge between the two. Corporate tech giants (small tech too!) are partnering for both the public good of tracking people via mobile devices and certainly the sale of the data. The most effective way to convince anyone to give up a bit of privacy is to promise a chunk of security in exchange.  In times of panic or worry, not only is this easy to accomplish, but it is more of an exchange of a large piece of privacy for a false hope of security.

https://www.apple.com/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/

Post COVID-19

I can expect to see the mobile apps being developed today that track infected persons and their interactions with non-infected being more commonly used. The Apple-Google efforts of using Bluetooth technology to track people in the name of public safety can be easily applied to many other things, much like the dating apps and other friendly location sharing apps do as well.

For the investigator, these data sources have always been treasure troves used to place a suspect at a scene but will now jump into hyperdrive in doing more by collecting data with willing user-consent, default configurations of apps, and covert monitoring.

Summary

Forensic analysis is the same. Investigations have (temporarily) changed. Good investigators continually look for breaks in a case, are always open to a break in a case, ready to exploit a break in a case, and are creative in trying to find a break in a case. Don't let COVID-19 be anything else other than a potential way to solve a case. For the business owners and managers, it is not too late to update computer use policies to protect how employees connect to the company's data.

Committing crimes today is not as easy as yesterday. Neither is keeping your privacy.

The short story on the newest Mini-WinFE 10 (aka, the download link):

Mini-WinFE has been updated and upgraded.  I update WinFE developments (including the downloads for Mini-WinFE) at https://www.patreon.com/posts/34814255.  The Mini-WinFE builder is a free download.

Are forensic bootable OSs still useful today?

Depending on who you ask, forensic bootable OSs are either extremely valuable or of no practical use. The answer is based on your job, which is why WinFE works great for some and not at all for others. For traditional forensics on deadbox machines, WinFE has a place. In ediscovery matters for data collection, WinFE certainly has a place with custodian machines. For devices that can’t be imaged or accessed other than booting the machine, WinFE has a solid place in the DFIR toolbox. If your job does not involving imaging machines in a forensically sound matter, then WinFE may not be useful to you. The value of WinFE is solely dependent on if you can use it in your job.

What is (Mini) WinFE?

WinFE (Windows forensic Environment) is a forensically sound, bootable Windows operation system, created by Troy Larson and built using a string of command lines. In short, Troy turned WinPe into a WinFe.

Mini-WinFE is easier method of building a WinFE that gives a more ‘fuller’ version of WinPE.  I selected WinBuilder, a project in use for years for customizing WinPEs, to be used as the WinFE building project. A smaller, lighter, quicker build (Mini-WinFE) became the defacto WinFE build because of ease of build and ease of use. Mini-WinFE has now evolved into using PE Bakery with Misty updating the Mini-WinFE project and Colin Ramsden’s updating the Write Protect Tool.

Mini-WinFE 10

WinFE 10 is the most substantial improvement to WinFE since its inception by Troy Larson.  Colin Ramsden did an amazing job of completely updating the WinFE Write Protect tool in his build project and with the WinFE acquisition of ARM devices.  The next phase of WinFE 10 was to implement Colin Ramsden’s upgraded write protect app into the WinBuilder build of Mini-WinFE. In this most recent improvement of Mini-WinFE, PE Bakery was chosen as an improved replacement for WinBuilder.  Both Colin and Misty have now updated the Mini-WinFE with Colin’s latest Write Protect tool.

The primary difference between Mini-WinFE and WinFE 10 is that the Mini-WinFE build, unfortunately, does not acquire ARM devices as does Colin’s WinFE 10 build. However, Mini-WinFE is easier and faster to build which is great for anyone needing a WinFE but not needing an ARM WinFE (WinFE 10).

WinFE 10

Using Colin Ramsden’s build of WinFE 10, you have the new capability to image ARM devices. He also completely updated his write protect tool, and his build method also includes a new forensic imaging tool that works in ARM. That is 100% cool.

For the build download of Colin’s new WinFE, check out Colin’s website, https://www.winfe.net/.

https://www.winfe.net/

WinFE Resources

WinFE Documentation

Ultimate Cheats! Windows Forensic Environment (https://www.amazon.com/Ultimate-Cheats-Windows-Forensic-Environment/dp/1790322782). Covers all-things-WinFE and is a good reference to building all versions of WinFE, from the first version to the current WinFE 10 version.

DFIR books:  Multiple books have referenced WinFE, but few (if any) have any details on the how-to-build a WinFE.

Training

If you are in law enforcement (LE), there are a few sources of WinFE training:

• SEARCH   https://www.search.org/get-help/training/high-tech-crime-investigations/instructor-led-training/windows-forensic-environment/
• RCFL   https://www.rcfl.gov/orange-county/training-schedule/secure-techniques-for-on-site-preview-stop-nw3c
• Others As part of FLETC, IACIS, short conference presentations, and others.

For non-LE, the training is even less, but you may be able to find WinFE incorporated in some college-level forensic programs.

An online WinFE course that includes printable proof of completion as part of a Patreon subscription at https://www.patreon.com/DFIRtraining.  The work-at-home/stay-at-home special of 60% off is ongoing and includes other courses too.  The curriculum of the online course can be seen at: http://courses.dfironlinetraining.com/windows-forensic-environment-winfe.

The future of WinFE

Until/unless a day comes when devices cannot be booted forensically, WinFE will continue to be a useful tool in your DFIR toolbox. WinFE has been around for over a decade, used to acquire evidence in both civil and criminal cases worldwide, taught everywhere, noted as a community accepted forensic tool in many DFIR books, and is awesome as an acquisition tool!