Brett Shavers | Ramblings

APR 05

Mini-WinFE 10 and WinFE 10 Updated

Posted by Brett Shavers in Digital Forensics

The short story on the newest Mini-WinFE 10 (aka, the download link):

Mini-WinFE has been updated and upgraded.  I update WinFE developments (including the downloads for Mini-WinFE) at https://www.patreon.com/posts/34814255.  The Mini-WinFE builder is a free download.


Are forensic bootable OSs still useful today?

Depending on who you ask, forensic bootable OSs are either extremely valuable or of no practical use. The answer depends on your job, which is why WinFE works great for some and not at all for others. For traditional forensics on deadbox machines, WinFE has a place. In ediscovery matters for data collection, WinFE certainly has a place with custodian machines. For devices that can’t be imaged or accessed other than by booting the machine, WinFE has a solid place in the DFIR toolbox. If your job does not involve imaging machines in a forensically sound manner, then WinFE may not be useful to you. The value of WinFE depends solely on whether you can use it in your job.

What is (Mini) WinFE?

WinFE (Windows Forensic Environment) is a forensically sound, bootable Windows operating system, created by Troy Larson and built using a string of command lines. In short, Troy turned WinPE into WinFE.

Mini-WinFE is an easier method of building a WinFE that gives a fuller version of WinPE. I selected WinBuilder, a project in use for years for customizing WinPEs, to be used as the WinFE building project. A smaller, lighter, quicker build (Mini-WinFE) became the de facto WinFE build because of its ease of build and ease of use. Mini-WinFE has now evolved into using PE Bakery, with Misty updating the Mini-WinFE project and Colin Ramsden updating the Write Protect Tool.

Mini-WinFE 10

WinFE 10 is the most substantial improvement to WinFE since its inception by Troy Larson.  Colin Ramsden did an amazing job of completely updating the WinFE Write Protect tool in his build project and with the WinFE acquisition of ARM devices.  The next phase of WinFE 10 was to implement Colin Ramsden’s upgraded write protect app into the WinBuilder build of Mini-WinFE. In this most recent improvement of Mini-WinFE, PE Bakery was chosen as an improved replacement for WinBuilder.  Both Colin and Misty have now updated the Mini-WinFE with Colin’s latest Write Protect tool.

The primary difference between Mini-WinFE and WinFE 10 is that the Mini-WinFE build, unfortunately, does not acquire ARM devices as Colin’s WinFE 10 build does. However, Mini-WinFE is easier and faster to build, which is great for anyone needing a WinFE but not needing an ARM WinFE (WinFE 10).

WinFE 10

Using Colin Ramsden’s build of WinFE 10, you have the new capability to image ARM devices. He also completely updated his write protect tool, and his build method also includes a new forensic imaging tool that works in ARM. That is 100% cool.

For the build download of Colin’s new WinFE, check out Colin’s website, https://www.winfe.net/.


WinFE Resources

WinFE Documentation

Ultimate Cheats! Windows Forensic Environment (https://www.amazon.com/Ultimate-Cheats-Windows-Forensic-Environment/dp/1790322782). Covers all-things-WinFE and is a good reference to building all versions of WinFE, from the first version to the current WinFE 10 version.

DFIR books: Multiple books have referenced WinFE, but few (if any) have any details on how to build a WinFE.

Training

If you are in law enforcement (LE), there are a few sources of WinFE training:

  • SEARCH: https://www.search.org/get-help/training/high-tech-crime-investigations/instructor-led-training/windows-forensic-environment/
  • RCFL: https://www.rcfl.gov/orange-county/training-schedule/secure-techniques-for-on-site-preview-stop-nw3c
  • Others: As part of FLETC, IACIS, short conference presentations, and others.

For non-LE, there is even less training, but you may be able to find WinFE incorporated into some college-level forensic programs.

An online WinFE course that includes printable proof of completion is available as part of a Patreon subscription at https://www.patreon.com/DFIRtraining. The work-at-home/stay-at-home special of 60% off is ongoing and includes other courses too. The curriculum of the online course can be seen at: http://courses.dfironlinetraining.com/windows-forensic-environment-winfe.

The future of WinFE

Until/unless a day comes when devices cannot be booted forensically, WinFE will continue to be a useful tool in your DFIR toolbox. WinFE has been around for over a decade, used to acquire evidence in both civil and criminal cases worldwide, taught everywhere, noted as a community accepted forensic tool in many DFIR books, and is awesome as an acquisition tool!

 

 

 

Tags:
winfe
Recent Comments
Guest — Jeff E.
Hi Brett, Wondering if there is a way to add dot net framework to a Mini WinFE build?
Friday, 24 April 2020 11:31
Brett Shavers
There is, but it is not easy. I remember seeing a Winbuilder script at one point, but do not know if it worked. Microsoft says i... Read More
Friday, 24 April 2020 12:02
JAN 18

Eat your broccoli first

Posted by Brett Shavers in Digital Forensics

Something good and something not-so-good on learning DFIR

The good thing about learning DFIR is that there are probably fewer barriers and obstacles to learning and gaining skills in this career than in almost any other professional career.

*  Resources are plentiful (such as thousands of websites, hundreds of books, colleges, trade schools, etc.)

*  Skills (aka: competence) are generally more important than pieces of paper (i.e.: certifications)

*  The DFIR field is segmented into many specific jobs (at least one surely fits you best!)

The not-so-good thing is the time and effort needed. Plus it is scary because the time, effort, and money involved are a virtual unknown when you start out. Then again, anything worthwhile is worth the effort and time. The time and effort needed is actually the most common obstacle that everyone faces in getting into the DFIR field. Keep in mind that no matter which path in DFIR you embark on, you have a lot of barrels to jump over and they just keep coming. Sometimes, it seems that there are so many that you feel you will never make it. Everyone gets frustrated. Many give up. Some keep going (this is you).

Let’s get something out of the way first

In this game of getting into DFIR, or growing your skills in DFIR, everyone has to jump over the same barrels, meaning there are subjects and skills that you must learn, just like everyone else. No one has a shortcut to reach the end. (PS: there is no end to what you need to learn to stay relevant and current.) There is one tip that I found to work for me that might work for you. By the way, I am far from perfect, far from the smartest, and far from the best. It feels like I have to work twice as hard as everyone else, but I realize that everyone has to work hard regardless of who you are or what your background experience may be.

First things first.

Keeping your DFIR skills up is no easier than it is to get the skills in the first place. We each know that because we know how difficult it is to get started. We are reminded of this sometimes-painful trek into DFIR each time we hear the question asked, “How do I get started?”.

As for me, as it applies to anything that I wanted to learn, the first lesson that I learned still applies today as it did the first time I really wanted to learn. That lesson is...

Eat your broccoli first.

Translated, this means to first do the things that you don’t want to do but you know have to get done. Get it over with as quickly as possible. Push yourself through it. Your desire to only do what you want to do and not do what you don’t want to do is not only irrelevant, it is counterproductive. But how does that apply in the DFIR world?

The broccoli

If you love broccoli, then broccoli is a bad analogy. But I think you see my point. I am not the biggest fan of broccoli, so when it is on my plate, I eat it first, because I don’t like it. I like the health benefits, but not the broccoli itself.  But I know by eating it first, I won’t have to suffer eating it later when it is cold and staring me in the face for 20 minutes after I finished eating my steak. To be fair, by eating my broccoli first for years, I now like it.

In DFIR, we have lots of ‘broccoli’ to eat. Hexadecimal may be one for you (unless you like hex from the beginning). Basic computer repair (A+) for another.  Network topology may be another one for you. And the list goes on. The things that are not exciting, but necessary to do the DFIR work, must be learned, otherwise, they will stare at you later as you regret not mastering these topics first.

Luckily, in the broad category of DFIR, you can avoid much of what you might not like if you choose your job carefully. I doubt you can avoid the broccoli altogether, but you can minimize quite a bit by avoiding the types of jobs that require learning what you don’t want to learn. But generally, across the board, there are quite a few topics in DFIR that everyone should know. Some of the topics fall into the “must know” category. Other topics are specific to the particular type of job within the broad category of DFIR.

The way I handle the topics that bore me, or that I don’t initially think to be important, is to make those topics a priority. Learn them. Become competent enough, and then move on to the things that I want to do. Otherwise, if you skip over the basics or the boring things, the day will come when you will suffer for not having done the first things first.

Programming (your brain)

For me, at this stage of life and work, I actually like the boring topics, because I have seen where a basic fundamental aspect of DFIR will cinch a case shut. Many in the field skip the basics and that is where the big failures come. I have also seen some turn a “basic” forensic thing into a whole new world of how to do forensics.

Let me reiterate

*  There is no free lunch.

*  You cannot fake competence (for long).

*  You can’t buy competence.

*  You can’t buy experience.

*  You can’t buy knowledge.

*  You can’t buy determination.

*  You can’t buy dedication.

*  There are no shortcuts.

 

I screwed up

If I don’t catch myself making an error somewhere at some point, that means I am missing my mistakes. We all make them because we are human. The people who claim to never have made a mistake, or an oversight, or any fragment of an error only fool themselves.

The path to learning DFIR, whether new to the field or in it for decades, resembles the act of shopping for a car.  Or dishes.  Or groceries.  Or a computer. No matter which thing you choose to buy at the time, eventually you discover that you should have bought something different or at a different place for a better price. That is the way it works buying things and the way it works learning things. Some of the things work out. Some were not the best idea. But sometimes you need to have your path diverted intentionally, inadvertently, or unknowingly in order to get where you need to be.

Some of my greatest hits of learning DFIR screwups

*  Studied like crazy for a cert and failed just as crazily. Then failed again. I even failed a third time. Just call me rock.

*  Not studied at all for a cert due to overconfidence (arrogance probably) and failed just as miserably. Twice.

*  Paid for certs that did absolutely nothing for me because 'everyone' says you need these.

*  Refused to get a specific cert out of spite even though it probably would have helped me get hired.

*  Renewed the same certs… for no good reason other than acronyms to put on a CV.

*  Paid for membership in “high tech” orgs that provided nothing more than a certificate of membership.

*  Paid for a cert that required no test, no exam, nothing. Too embarrassed to ever write that one on my CV.

*  Paid for an expensive course that was WAAAAYYYY above my level at the time. Gained practically nothing in the course.

*  Paid for an expensive course that was WAAAAAYYY below my level at the time. Also, gained practically nothing in the course.

*  Bought expensive software and hardware that I didn’t need, but everyone said that I did.

*  Didn't buy expensive software and hardware that I knew I needed, wrongly assuming that I could use other software and hardware instead.

*  Not listened to advice from experienced mentors.

*  Listened to advice from experienced mentors (sometimes it works, sometimes it doesn’t…)

*  Took on cases that I ‘assumed’ I could handle, resulting in hiring people who could actually handle the cases that I assumed I could do.

*  Take the above listed items, multiply by a factor of 4, maybe 5 or 6, and that's my life in learning DFIR.

 

But with that, a few neat things happened along the path:

*  Hired to teach forensics at a university that rejected me as a student several years prior.

*  Hired to teach forensics to a federal agency (same agency that also didn’t hire me when I applied…).

*  Turned down a request to apply to that same federal agency that didn’t hire me (life had changed in a different & better direction).

*  Taught forensics to a packed room of PhDs who teach forensics, yet never did forensics, but wanted to learn forensics!

*  Met some of the smartest people in the world in this field, and most all have been great people!

*  Worked some of the most amazing types of cases with incredible government agencies and law firms from class action litigation to the “T” type cases (if you worked in an alphabet agency, you probably know what I mean by T…….. case).

Perceptions change

Here is how I initially looked at everyone who was working in DFIR (even before ‘DFIR’ was coined):

Wow. They are so lucky. They had all the opportunities. They must all be geniuses. They must have had it so easy their entire life. I am so unlucky compared to them. Life is so unfair. I have to work so much harder to get where they are at. They are younger than me (or older), taller (or shorter) than me. You name it, I thought it. I feel pretty stupid thinking today about what I was thinking about all the DFIR folks at that time...

Here is how I look at them now:

They had to have worked hard. They had to have had amazing obstacles to overcome. They most likely had personal issues to handle at the same time as learning this work. They struggled like me. They most certainly are determined. They most certainly know that you have to put in the work. They are definitely still learning. They surely know that they don't know everything and never will. They all had different paths, and every path had its own obstacles and challenges. They also know to eat the broccoli first.

DEC 26

The Second Decade of the 2000s is almost over!

Posted by Brett Shavers in Digital Forensics Books

We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has grown drastically! Whether you were born during this period or have been doing DFIR work throughout it, there has been much going on.

We’ve gone from “pull the plug and image the entire drive” to “fit the process to the totality of the situation”.  Processes and methods have grown exponentially in what we keep learning about digital forensics. Whether we are triaging terabytes of data prior to collection or doing live examinations involving volatile memory, the field has grown quickly over the past two decades compared to simply imaging hard drives (which we still do of course).

Let’s fly over just some of the highlights of only a few of the areas. Keep in mind that there is so much that has happened, that I only selected a few of the major highlights to emphasize the growth and changes.

Books

The number of books in a certain field is generally a good indication of that field’s growth and development. The digital forensics field is no different.

2001       Warren Kruse tested the waters with Handbook of Computer Crime Investigation.

2007       Harlan Carvey waded in with Windows Forensics Analysis (the FIRST edition).

2010       Into the second decade, many others jumped in headfirst writing books (including me!).

2019       Before the end of the second decade of the 2000s, we had an amazing flood of great books on practically every topic and sub-topic in the DFIR world, in the form of ebooks, print books, guidebooks, and textbooks. There is almost no subtopic of DFIR for which you cannot find a book.

Software

The forensic software that started in the last two decades is incredible. Practically anything in use today has only been around for less than 20 years, with not too many choices in the beginning of the century. Many of these tools used today have only been around for less than 10 years!

2000        Computer forensics was mostly DOS-based, command-line tools, like those from NTI and Maresware!

2002        Belkasoft opens its door with a forensic suite and continues to grow!

2003        You could buy AccessData’s FTK (version 1) for $795!

2004        EnCase version 4, and it was about $2500!

2004      X-Ways Forensics was born from WinHex (and was less than $350!).

2008        Troy Larson developed the Windows Forensic Environment (WinFE) and it remains free today.

2011      Magnet Forensics sprouted from a small forensic tool (Internet Evidence Finder) and company (JADSoftware) into a full-fledged forensic company.

2019        Over a thousand shareware, freeware, open source, and commercial DFIR tools are available today, with most of them listed on DFIR Training. Developers are creating and releasing forensic tools at an astronomical rate, like Eric Zimmerman’s constant showering of amazing forensic applications!

Degrees & Certifications

From having no degrees in “digital forensics” to being able to choose from any level of degree in Cybersecurity, Digital Forensics, etc… across the globe.  We’ve also created more “cyber/DFIR” certifications than any one person could ever hope to earn in a single lifetime.

2004        The University of Washington launched a computer forensics certificate program.

2019        Practically every major university and college now offers one or more degrees in cybersecurity, digital forensics, network forensics, cyber security management, and security. Many are listed here: https://www.dfir.training/educational-map

Law enforcement & Military

Sure, there were some forensic cases in the 80s and 90s, but the forensic investigation world didn’t really pick up in law enforcement until this century. Where digital forensics in criminal cases was the outlier before, it has been a central focus now for many investigations.

2000        FBI creates Regional Computer Forensic Laboratories.

2009        The United States Cyber Command was created! The military branches each created their own cyber units under the US Cyber Command!

2019       Virtually every federal, state, and local law enforcement agency adds digital forensics processes to cases involving electronic evidence (whether conducted in-house, by cooperating agencies, or contracting work to private analysts). Rarely does any case not consider electronic evidence as part of the investigation process.

Famous cases

2000     Michelle Theer: E-mails documented a conspiracy to murder her husband

2002     Scott Tyree: Kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. Case solved via a Yahoo screen name and IP address.

2003       Zubulake v. UBS Warburg: This case set the stage for electronic discovery cases!

2005     Dennis Rader, the "BTK" Serial Killer: Case broken by the metadata of a deleted Microsoft Word document on a floppy disk! Software used: EnCase!

2011       Capture of Bin Laden: Who knows what intelligence came out of all the collected electronic evidence items (10 hard drives, 5 computers, and over a hundred storage devices) from the Bin Laden operation?  Certainly something!

2019       Digital forensics has solved more cases than ever before, sometimes being the only evidence in a crime. It may be fair to say that more crimes were solved in 2019 than in the entire first decade of this century.

Malware and Ransomware

Cybercrime is regular crime on nitrous. Where one criminal can physically only victimize one or a few people in real life, connected computers and devices make it easy for one criminal to remotely victimize hundreds or millions of people. The past two decades prove this to be true more than ever before.

2004       Virus.Win32.Gpcode: Early ransomware that scanned and encrypted a user’s documents, and then deleted the original files. It had a short life due to being easy to detect and crack.

2011       Trojan WinLock: Locked users out of their Windows computers until they called a scam line that racked up a large phone bill to ‘reactivate’ Windows.

2017       Wannacry: Yes, this one made you want to cry. It affected hundreds of thousands of computers in dozens of countries with losses in the hundreds of millions of dollars!

2017       LeakerLocker: Not to ignore mobile devices, here is one which targeted Android devices and threatened to share the phone contents with all the user’s contacts, unless a fee was paid…

Websites

The Internet, for all its faults in facilitating cybercrime, also has been the primary means of investigators sharing information to fight cybercrime. From humble beginnings of one or two digital forensics forums to now an endless supply of websites, the DFIR Internet has grown into a worldwide force of sharing powerful weapons against crime.

2002        Forensic Focus begins! The most popular digital forensics forum is still growing strong!

2003     e-evidence.info curated a massive amount of PDFs and forensic news links. Sadly, it went offline.

2005       Forensicswiki.org opens its doors! Although it has disappeared and reappeared over the years, the wiki is back.

2016        DFIR Training lets loose with the most comprehensive list of DFIR software and grew into one of the most popular DFIR websites on the Internet curating “All Things DFIR”.

2017        AboutDFIR.com gets a website!  From a Google Docs spreadsheet to a website, another resource of DFIR curated content goes online.

2019        The Internet became flush with DFIR resources: websites, forums such as Reddit, GitHub, Slack, and Discord.

Magazines

This is one area where I have unfortunately not seen much growth… I suspect it is due to the number of online resources, but still, DFIR became important enough in these two decades to warrant magazines!

2007        The Digital Forensics Magazine (Website) goes online.

2012        eForensicsMag, another magazine focused on digital forensics.

Operating Systems

Even from a high-level overview of the systems that are interrogated with DFIR processes, we have come a long way. Many of those working in DFIR judge their time in the field by the OS version that they first examined.

2000        Windows ME and Windows 2000. Oh my!

2001       Mac OS X 10.0 (Cheetah) and Windows XP.

2015       Windows 10

2019       Mac OS 10.15 (Catalina) and Windows Server 2019.

Mobile Devices

In 2001, I sat in a briefing at CRIMES in Portland, Oregon, about how cell phones would play a major part in crime and forensics in the coming years. The speaker (from ATT?) said that he believed cell phones would be the most prevalent, most used, and most valuable pieces of criminal evidence for the next 25 years. To be honest, as I looked at the Nokia in my hand, I took those words lightly. Now, I wish that I had paid more attention in that briefing…

2000       The Nokia 5110. It made calls and you could play Snake on it. Forensics was not a thing with this mobile device.

2007       The iPhone was introduced. A computer in your pocket, meaning a new world of mobile forensics.

2019       Mobile devices spanning a range of operating systems, styles, designs, storage capacities, Internet connections, unlimited data, and virtually the same applications as on a consumer desktop computer are now the norm. Mobile device forensics is practically its own field in digital forensics.

Hard Drives

The storage capacity of hard drives directly impacts a forensic analysis, as the larger the drive, the more data there is likely to be to sift through in order to find evidence. Of course, high-end computers and efficient forensic software minimize this impact, but then again, massive amounts of data are still massive amounts of data.

2000       The size of most common hard drives in consumer PCs was less than 50GB.

2003       Seagate produced the first serial ATA drive.

2005     Hitachi developed the first 500GB drive.

2010       When the terabyte barrier broke, for around $100 you could get a 1.5 terabyte drive.

2013       Solid state drives are out and cost less than $100 (but that’s only for about a 128GB drive).

2019       You can grab an 8-terabyte HDD for less than $200.

Jobs

From very few jobs (outside law enforcement) in 2000 to now having an entire field of DF and IR where positions go unfilled due to shortages of applicants. The degrees of specialty have gone from simply working as a ‘computer forensic specialist’ to now being able to specialize in the field by operating system, type of device, or type of work (forensics, incident response, electronic discovery, etc…).

The next decade and beyond

My intention with this post was not just to show how amazingly the DFIR field grew in just two decades, but also that the next decade will most certainly dwarf the previous two decades in terms of new software, processes, discoveries, and information shared in books and online.

My other intention in this post is to ignite a spark in the new generation of DFIRers (age irrelevant!) to develop these future improvements, developments, and inventions! Anyone, and I mean anyone, can change the direction of this field by a seemingly small piece of information or by a huge deviation in the way things have been done.

We are still in the heyday of DFIR with lots more to figure out. Fortunately, we have outstanding people in DFIR who break new ground, blaze trails, share discoveries, and help all of us move forward.

 

DEC 12

Public Records

Posted by Brett Shavers in Digital Forensics

I have an outstanding public records request. It is not "outstanding" in the sense that I wrote a great request, but "outstanding" in that I haven't received any public records yet from the request. On occasion, I have been hired by government agencies as a consultant to help the agency find and produce responsive records. Mostly, I was hired because the agency did such a bad job in producing records that a court ordered the agency to hire a third party.

In those instances, I won't talk about what the agencies specifically did wrong, but it was enough to justify a court order to do it right. The interesting thing about working on a public records engagement versus a civil litigation is that the rules are somewhat different, especially the part about a citizen's right to request public records without a need to show damage. Citizens who are curious as to what their governments are doing can simply make a request for specific records. That is pretty cool. Being in Washington (State), the MRSC website is packed with everything anyone ever needs to know about public records requests and laws.

So, back to my public records request...

Well, this request isn't part of an engagement where I have been hired as a consultant, but the subject of the request is surely important to me and should end up being important to others too. I most likely will detail the trials and tribulations of this request as soon as I am provided the start of a rolling production of records. Then I will be able to blog about records requests from the perspective of the requestor as compared to the view of the insider. One personal benefit is that I plan on learning what I can as the requestor and comparing the results with what I know from being on the inside of these types of cases/records requests. I am expecting that this experience will make me better when hired to search for and provide records, due to an entirely different perspective.

Yes, I've done public records before

I have helped clients and friends file public records requests, but that was simply helping to fill out forms, craft the request, and tips on what to look for (missing threads or attachments in emails, modified documents, withheld documents, etc...). I have testified on the search for records that were claimed to be 'too difficult', and I have gone through more than enough emails to find where an email was missing. But this time, it's actually me asking for records and me having to make sure everything is done correctly, and making sure the agency stays true to the records law for my sake.

This should be a good learning experience with a hopefully good resolution. I may make the records available online to illustrate some points if I find errors, omissions, or egregious government behavior in the records (hopefully not!).

As far as the timeline...

12/2/2019    Records requested

12/9/2019    Agency replies with no completion date or start date to produce any records, but instead gives me a date of 12/23/19 just to tell me when they can give me a date that they will start producing records.

***UPDATE***

The agency gave me a production date of the year 2040. It may be a long time before I write about this experience. Yes, it's not a typo. It is the year 2040 when this request will be completed. This agency uses the Barracuda Email Archiver, which you would assume, with pre-indexed search (instant search hits!), single-instance storage (no duplicates!), a simple search feature (as easy as using Google!), and quick exporting of emails, would not take this long... but apparently, it does.

So now the timeline of this public records request looks like this:

2019: Requested public records

2020: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2021: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2022: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2023: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2024: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2025: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2026: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2027: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2028: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2029: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2030: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2031: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2032: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2033: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2034: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2035: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2036: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2037: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2038: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2039: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2040: Final records expected to be produced.

SEP 10

The Five Stages of the DFIR Career Grief Cycle

Posted by Brett Shavers
in  Digital Forensics

I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig that I was honored when he agreed to write the foreword of a book that Eric Zimmerman and I wrote. It stands to reason that I have followed his blog for many years, because I learn something every time he writes something.

Well….

His latest blog post was more than I typically expected, and I had to read it several times because Craig bared his soul with something that every single one of us would be fortunate enough to experience.  I tried to search for another way to say, “bared his soul” because that is what Craig said in his post. However, there is no other description that fits better, because that is what he did.

https://craigball.net/2019/09/09/who-am-i-if-im-not-that-guy-anymore/

I’ll let you read Craig’s blog post before reading further, and you should read it regardless of where in your DFIR/infosec/ediscovery career you are currently sitting. Then come back for my thoughts on the “Five Stages of Grief in a DFIR Career”.

Welcome back*

You may have already read a Swiss psychiatrist’s model detailed in a book, On Death and Dying. I’ve used that book on many occasions as a reference for teaching response to traumatic experiences to others and as a tool for coping with my own traumatic incidents. *I know you didn't read Craig's post and kept reading, but seriously, read his post.

https://www.psycom.net/depression.central.grief.html

The above visual describes the grief cycle succinctly. No need for me to add to it to describe it. But then again, I’ve done a lot of personal and professional research as well as teaching on the topic in a past career. I recommend digging further into it if this is the first time that you have seen this.

In my own life, I have gone through this grief cycle many times. Sometimes, it has taken me years to complete, and other times, seconds. Many of us are going through this now, and if not now, we will at some point in our lives. Police officers, especially those forced into deadly force incidents, will go through the entire cycle in a few seconds during an encounter and can spend years going through it after a deadly force encounter, regardless of whether deadly force was applied. They tend to go through this cycle a lot...same with those in combat.

Bringing this back around to you and your DFIR career

Since you read Craig’s post, you saw that it sounds as though he feels his relevance has faded into a crisis of lost confidence. If you didn’t read the post yet, do not fret; there’s a party at the end.

This is where I see a direct resemblance between the grief cycle and a DFIR career, at least to the point where we will eventually feel that our relevance has waned. Perhaps it will. Probably it will not. Certainly, the good that we did, especially the good we did for others, will never wane. The good that we did selfishly for ourselves will be forgotten faster than a long-tailed cat in a room full of rocking chairs. But the good for others is another story.

Bonus Lesson: I taught police use-of-force for about a decade and put my heart and soul into it. I taught military tactics with the same intensity in a career before police work. Here’s the bonus lesson in a nutshell: you can’t fight the grief cycle no matter who you are, which training you’ve taken, or what you ‘plan’ to do in the event of being forcibly handed the grief cycle after an incident or near the end of your career. You can move through it and get to the end of the cycle in order to grow from it. You can't win by fighting it. But you will be better because of it.

Go to work for money. Then you can do for yourself what you couldn't do before and do for others what they cannot do for themselves.

That’s what I tell my kids. Do your job, but do not be your job. The job didn’t miss you before you got there, and it won’t miss you when you are gone. But the job can help you to make this a better place by being a positive force on others.

<I’m getting to the point on the DFIR Career Grief Cycle, so bear with me>

When you create a ripple of positive change in a person’s life, you also spark a chain reaction of a tidal wave of good far past what you will ever have the fortune to see. The difference in a newcomer doing well or failing is in direct relation to your interaction with the newcomer.  Their failure or success in this field is directly tied to you. This is the point to know that the DFIR Career Grief Cycle is not a negative, but a positive in your career growth if you do it right. 

My suggestion is to push through the DFIR Career Grief Cycle as quickly as possible when it comes. Don’t be stuck at Anger, because you’ll be that ‘grumpy old person’.  And try to fly through Depression by knowing you are almost done with the cycle. Acceptance doesn’t mean the end. It means that your path has evolved, as it will for all of us, if all of us are lucky enough. The DFIR Career Grief Cycle is simply an evolution from doer to mentor or role model. Or maybe a not-so-subtle hint to move to a different job or position with a more instrumental role because your experience is incredible.

Our goal should be to be able to look back at the seeds that we planted, the good that we did, the bad that we prevented, and the positive guidance that we gave newcomers for them to grow.

We live our lives day-to-day knowing that tomorrow will never come, and that we have plenty of time to do something good for someone else tomorrow. When we accept that every new morning means that we have one less morning when we will not wake, then we can focus on what matters at home (and at work, to make someone else’s life better). You have a fixed number of sunsets. A fixed number of sunrises. A fixed number of days to make a difference. Don't make the DFIR Career Grief Cycle one of regret, but one of satisfaction.

Craig Ball has nothing to worry about in regard to imposter syndrome, crisis of confidence, or whether or not he made a difference. I have followed his career for more than a decade. He has made a difference across the board in the forensics and electronic discovery fields as well as in the careers of many. We will all do better if we do better by others; then the grief cycle will not be feared as much as it will be welcomed.

SEP 01

Our World is Going to Turn Upside Down with DeepFakes

Posted by Brett Shavers
in  Digital Forensics

The short story

Any person and their voice, in practically any video (past, present, or future), can have their face and voice digitally replaced with any other person's face and voice. This is known as a “DeepFake” video. Credibility of videos will no longer exist without some form of analysis, but the assumption that a DeepFake video is credible will create enough damage before it is proven to be fake. The technology is not perfect (yet), but does it have to be in order to induce the intended effect?

Tip for some: You have to look up to get this. https://t.co/tfqTuToZK2

— Brett Shavers 🙄 (@Brett_Shavers) August 28, 2019

The longer version

It is difficult to find which aspect of our lives will be more in harm’s way because of DeepFake videos. With children, cyberbullying will take on an entirely new life by an exponential factor. DeepFake cyberbullying will be the nuclear bomb of a child’s bullying nightmare. The cruelty of bullies with the ability to make their victims appear to do anything in a video that can be spread across the planet in seconds is not something to ignore.

The direction of a nation-state’s actions can potentially be moved with video evidence that was completely manufactured.

The movie industry can profit from DeepFakes by hiring B-list actors and replacing their face with A-lister faces but I don’t see an upside for the actors…

Innocent people can be made to look guilty of a crime. Today, your face can digitally replace the face of a violent criminal who was video recorded while committing the most horrid of acts, and people will believe the video...with your face on the criminal. Criminal charges (vigilantism is a possibility!) might be filed, an arrest made, and your reputation ruined long before the video is determined to be fake.

Photoshop (and its competitors) changed the way we look at photos. Forensically, it is not entirely impossible to examine manipulated photos and find inconsistencies based on the content or layers of an image. Still, photoshopped photos are intentionally created to damage a reputation. I’m referring to the manipulation of a photo using any photo-editing software, not just Photoshop.

But videos…this is an entirely new world of potential damage to a person’s reputation, or worse!

Stand by for a new world of fraud and information warfare campaigns.

Your online photos

The free Internet services that we have been graciously offered over the past years, on which we blissfully post photos and videos of ourselves, family, and friends, are ripe for abuse. Our Internet service providers have already abused our data, selling it haphazardly to every bidder (not just the highest bidder, but practically everyone willing to pay for it). Since data can be duplicated forever, we can be abused forever as soon as we have given our data the first time to any online company.

With that, our pictures are online. We have posted the pictures of our children. Our online resumes, i.e. LinkedIn, have a super clean portrait which is perfect as the source for a DeepFake video (all the machine learning software needs is one picture of your face…). Everyone is at risk. We already created the source material for abuse. And we did it with a smile.

My (online) photos

Working a decade in undercover narcotics turned me into an ultra-paranoid-of-cameras person. At two points in my patrol career, photos of me in uniform were posted online by my department and local news. Then I went undercover.  Always worried about someone finding those two photos of me online at the worst possible time, I avoided cameras ever since.

Even during those years, if anyone (friend or family) ever pointed a camera at me, it was like I was ducking a baseball being thrown at me.  I did the same thing working undercover to make sure my photo wasn’t part of evidence in a case that may go public. Even with that, a family member of mine kept posting my photos online, without my knowledge, even while he knew the type of work that I was doing. Good grief. Third party control of our data is never good. Never ever.

The solution

I hate to say it, but lawyers are the only solution. They also stand to be the only people that will make out like bandits in the DeepFake future with litigation. Litigation, including criminal prosecution, is the only remedy for damage and the only hope for prevention.

Actors will need tighter contracts to protect their image and voice, otherwise Tom Cruise will be starring in new release movies well into the next century…

Victims of cyberbullying, whether it be children or adults, will have to sue for damages, but as we all know, that which goes online tends to stay online forever.

Third party curators of our data need to be held legally responsible for something or anything. If our data is being controlled by others, without any compensation other than a free email address or data storage, then this problem will only grow.

Pandora’s box is opened and the DeepFake video is here to stay. I wonder how many Pandora’s boxes exist, because it seems that every year or so, another Pandora’s box is opened and something else pops out that does 1% good and 99% bad. I’m still looking for that 1% good that DeepFakes might provide, but I’m not holding my breath.

The future

Like anything on the Internet, it is all fun and games until someone loses a job, gets sued, gets beat up or killed, or commits suicide because of doxing, harassment, and cyberbullying.

As for me, I prefer to work on things that do good.  That's why I wrote this; to remind you that this 'thing' we do, this thing we call DFIR, is for doing good.


AUG 29

If you are comfortable in DFIR, you might be doing it wrong

Posted by Brett Shavers
in  Digital Forensics

I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the course already and this class is probably too basic for me…on the first day…in the first hour…and I was in the first row…I was a little uncomfortable.

I spoke to the instructor afterward about the course being well-done, with an effective delivery, and I learned more than enough to make the time and cost worthwhile. It was a good course and I have already benefited from the cool tips that I saw, including from what came out of the course from other students.

Side note: Did you catch that I said “students”? If you go into any training thinking that you know more than anyone else, you aren’t a student. A student is one who studies and learns with interest. That includes the instructor.

This is the crux of this post: Several people in this class, including the instructor, asked why I spent money and time in this course when I could be in some super-secret-and-advanced-digital-forensics-training given by the best-instructors-on-the-planet kind of class that costs tens of thousands of dollars. For me, it only makes sense to keep up on the foundations of any field on a regular basis. I mean, there isn’t any reason that I can think of to work on anything beyond foundations if the foundations are not solid. Foundations are like vegetables. They spoil in time.  As you wouldn't want to eat a rotten apple, you wouldn't want to do any DFIR work with spoiled skills. You have to be fresh in your foundations.

An extreme example of this is the commonly used (and accurate) phrase that complacency kills. All military service members know this. All police officers know this. All doctors and nurses know this. Anyone who works in a field of life-and-death knows that complacency will cause someone to die. Like I said, this is an extreme view, but accurate in the fields where people have died from mistakes caused by complacency. I've personally seen it, as you may have as well.

In the DFIR world, complacency may not kill a person, but it can certainly kill a case or your job. If you ever want to know if you have become complacent, ask yourself, “Am I comfortable?” If you are comfortable in your job, in that you have the answer for everything, and for that which you don’t know you assume that it is not important, you may be getting too comfortable in your skills. Maybe you are that good, but as for me, whenever I think that I am “that good”, I take a step back because I know that I have crossed the line between confidence and complacency.

You can see the chain of how this happens as soon as you become confident in your skills.

*  Confidence leads to cockiness.

*  Cockiness leads to comfort. 

*  Comfort leads to complacency.

*  Complacency leads to carelessness.

At that point, anything you touch is at risk of failure. The good news is that most of us avoid heading down that path because it is easy to discover how much you don’t know with any given scenario, just as long as you have an open mind of accepting that you don’t know what you don’t know. The bad news is that carelessness can sneak up on you without warning until something bad happens if you don't keep alert.

If you think that those in the DFIR field are exempt from having to keep up on the foundations of the field, you are wrong. Would you want your doctor to have never refreshed the foundations of general practice medicine, or are you fine with your doctor last seeing foundational medical instruction twenty years ago?

When you see me in any training, do not expect that I know anything or everything that will be presented in the course (probably…I know nothing or, at best, not enough). I read and re-read “basic” forensic books all the time. I refresh myself on the notes that I have taken in classes, because I tend to more clearly understand what I wrote after I have applied those skills in work afterward. I repeat tests that I’ve previously done, almost always before testifying or writing a report on my findings where I cite those personal tests. I take and re-take "basic" forensic courses.

Sure, you may be an expert at an advanced topic, but be sure to have the foundation solid.

So if you are comfortable, make yourself uncomfortable and hit the foundational books and courses, that is, unless you are on vacation. Then by all means, be sure to make yourself comfortable.


AUG 17

Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp

Posted by Brett Shavers
in  Digital Forensics

You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits. In fact, you can probably enjoy the benefit of the lessons more quickly than by spending months being bombarded with ‘training’ every day. Recruits have no clue of the value of most lessons that they experience on a daily basis until years after graduating boot camp. You can most likely get it the first day at this stage of working in DFIR, because you already know the problems that need to be solved. You just need a gentle push toward the solutions.

These are my Top 10 Marine Corps Boot Camp Lessons for DFIR success

1.  Set the example

Be the leader that you want to follow. Set the example that others want to emulate. If you are not in charge, support the leader as you would want to be supported. You can’t force others to stop complaining or do a better job, but you can do your best so that others may follow, whether you are in charge or not. Take the initiative. Get the job done. This is the person everyone Looks to for answers and direction.

2.  Communicate

Effective communication sets the stage for success. Give clear and concise directions for the casework to be handled. Be sure that you understand the directions given to you. Brief-back (i.e., paraphrase back to make sure you understood) your mission and only start your work when you know what the work is. Communicate throughout the engagement and tasks as an essential part of the work. Share information. This is you being the one who understands the big Picture.

3.  Mission first

Get the job done. Do what you are being paid to do. Learn the skills needed for your job title and responsibilities. Overcome adversity in getting the job done; it is never easy, and that is why you were tasked to get it done. You are the only one that can do it, so get it done. This is you being the person that is known as able to get things Done.

4.  Keep calm

Panic breeds panic. Panic destroys confidence in those around you. There is no situation where panic will be helpful, so keep calm by focusing on finding solutions. Abstract reasoning will solve more problems than any scientific model ever will. Reassure others with your command presence and confidence. This is you being the Rock in the storm.

5.  Attention to detail

Take care of the little things, and the big things will take care of themselves. Taking care of the little things takes only small bits of time, but it will not only save large chunks of time later but also reduce the risk of failure. Look for the little things and make sure they are taken care of. Even something as simple as checking the appropriate box on a check sheet, or making sure you check for the common things in an exam that you should always check, like certain registry keys that commonly hold forensic clues. This is you doing everything Right.

6.  Learn from mistakes

You make mistakes. I make mistakes. We all make mistakes. The chasm between making mistakes and owning them is huge!  If you didn't write-protect the evidence while imaging, fess up to it. When (not if) you make your next mistake, identify it, and most importantly - own it. Be accountable. Be responsible. Fix it. Learn from it. Better yet, learn from the mistakes of others.  Even better, teach others about your mistakes so they can learn.  This is you being a Mentor and coach.

7.  Be honest

Be honest with yourself. Know your limitations. But also know your stuff. Do only that which you can do before needing assistance. Be honest with your supervisors and subordinates. The truth of an error or an unexpected (i.e., unwanted) analysis finding may sting now, but not nearly as much as a lie will hurt later. Be the person whose word is the Gold standard.

8.  You need a team

Drop everything to help a teammate. Your job cannot be done alone or in a vacuum. To claim to know all is to state that you don’t even know that you don’t even know. Choose your team wisely, accept no one can do everything alone, connect each other by individual strengths, and acknowledge their individual and team successes. Assign tasks not by rank or title, but by capability and competence. Be an effective team Leader.

9.  Security

A Marine on duty has no friends. That means not making any exception for anyone that will cause a break in security. Allow no lapse in security for anyone or anything. Without security, almost any work can be lost, including reputations and even entire organizations. If responsible for security, you are the Lock.

10. Be grateful

No one promised you a rose garden. Being comfortable never solved a problem. Make discomfort your friend. If the job was easy, anyone could do it and it would pay barely above minimum wage. Appreciate the slow times because the hectic times are waiting for you.  Appreciate your team as they will be the ones who solve problems by working together toward a common goal. Appreciate and comprehend the seriousness of every task we have, whether that involves any part of securing a national infrastructure, ensuring that justice is served in a legal matter, or that a hard drive has been stored appropriately. Be Gracious of the gratitude of others.

The list of lessons from boot camp has filled books, created many successful people and organizations, won wars, and saved lives. And the lessons are not proprietary. They can be learned and used by anyone looking for an edge to success or problem-solving solutions.

What’s the biggest problem to solve?

I have found that the most difficult problem to solve is that of a lack of teamwork because no leader has taken charge to lead the team to success. By “leader”, I mean the person who is the leader by action and influence, not by title or paygrade. This is where a bully in a team can be the leader and destroy a team, yet any team member can do just the opposite by leading from within, title irrelevant. An effective team can solve any problem. Build the team and rule over any problems.

How long does it take for a team to follow and trust a leader?

That depends on you and the team members. How do you handle yourself? How do you treat others? How do you exhibit confidence? How formed is the team now? The time it takes is basically "It depends." But few situations are impossible to fix in regards to building and encouraging an effective team.

One day, many many years ago, I was placed in charge of a different squad unexpectedly and gave my first orders to a team of Marines that I had never met before; but I did it as if I had known them all my life, with the expectation that I would lead them in the same manner that I would want to follow another, and in a manner that no order I gave would be any different than anything I had done or would do. After the first formation, I heard one Marine ask another, “Who is that guy?”, with a reply of, “I don’t know, but he knows his shit.” We made a good team; every single one of them. I was honest, forthcoming, admitted mistakes, asked for suggestions, supported them, disciplined in private, and praised in public. All the things I want to see in a leader.

The key of Marine leadership is nothing that you see in the movies. Marines follow leaders not due to threats or yelling, but simply in the respect, trust, and confidence of the Marine leader.  Boot camp has a lot of yelling and screaming, but that is just to get the lessons across in a short period of time. After the lessons are learned, it’s gravy train from there.

JUL 31

Personality of a computer

Posted by Brett Shavers
in  Digital Forensics

From a recent discussion that I had with Harlan Carvey about the registry, this topic is something that I touched on lightly in Placing the Suspect Behind the Keyboard. I want to expand beyond the registry on the idea of a computer having a personality.

The bullet point

By examining multiple computers (or a single system) for computer usage and/or configuration, the owner of the computer can potentially be identified or tied to the computer.

The longer version

I am sure that each time you buy a new computer (laptop, smartphone, tablet, etc…), you spend the first minutes or hours setting it up just the way you like it. Whether it is changing the desktop background, colors, fonts, sounds, or general configuration, you make it yours. You do this every time. To every system that you have. You make it yours.

The way that anyone sets up their machine reflects their likes, dislikes, wants, needs, priorities, and general flow of system use. Generally, and most always, all the systems of one owner are set up very similarly. This is a simple observation; however, it can be a very important investigative clue when you have a system that has been disavowed by a suspect. Any computer that has been disavowed by a suspect (“That’s not my laptop!”) just might have relevant evidence on it if it does in fact belong to the suspect. But how do you prove it if there is nothing on the computer that directly names your suspect?

I have only come across this scenario once, where the analysis of one anonymous machine seized in a public space, with a suspect disavowing ownership of the machine, needed to be proven against the other machines. Most other cases eventually have the owner admitting possession or ownership before the case gets close to trial. For the types of cases where the suspect never claims ownership of their computer(s), this post is for you: how to tie a computer that has no obvious relation to your suspect, but actually does belong to your suspect. I can tell you that it worked at least once for me; I suspect it can work for others too.

Basic and easy stuff

With multiple systems, find what is similar (not the default configurations) among all the systems. Check for the same things that you configure on your personal computers at home or work. Is the customized desktop background image the same across devices? Are the software applications the same? Sound settings? Computer naming conventions the same, such as naming all the systems after a movie or sports team? These are the easy and obvious things.

Given odds and statistics as they are, I cannot imagine two or more computer systems, customized for personal use, ending up configured in exactly or nearly the same way by chance. Even a throwaway laptop that is being used by a suspect to reduce the risk of personal data being created on the laptop will have personal configurations that can be tied to another machine.

A little more work

The computer activity is another clue.

Programs

Which programs have been custom set to autostart? What is the Internet history? Bookmarks? Sequence of using programs? Does the user open the same programs on all machines?  Do the machines have the same programs, especially the same unique type of programs?

Network connections

Are network connections the same? Even as public WiFi is accessible by anyone, have the machines accessed the same public WiFi?

Time

Length of use for the machines?  Are the times of use for the machines similar, such as being used at a certain time of day, or certain day of the week?  Is the user activity of the machines consistent with only one being used at a time, potentially indicating one user controlling the machines? Did multiple machines connect to the same WiFi on the day or within a short time frame?

Music and video

Whether downloaded or streamed, is there indication that the same music and videos have been played, or the same genre of music and videos?

Internet

Are search terms similar or the same? Identical bookmarks? Identical visited Websites? Same browsers? Same browser customizations?

The list goes on

The amount of unique user activity that you can find on a system is potentially limitless, as each person is different. Yes, it is possible for two different people to have something similar on their respective computers. However, the odds decrease with each similar (but unique or customized) aspect that you can match between systems.

This is what I call the Computer’s Personality. The user’s personality of likes and dislikes, preferences, biases, and desires eventually becomes obvious on all machines that they use on a regular basis. So when you have that one machine in a collection of machines for which you need to identify the owner, take a look at the personality of all the machines and see if they match up to one owner. Sometimes it may be easy enough, other times you may have to really dig into the system, but either way, if you can match the computers to each other, all you need is to tie one of the computers to the suspect in order to tie all the computers to him.
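One way to put the cross-machine comparison above into practice, as an added example that is not the author's own code: it strips default values so only personal choices are compared, weights a shared item by how rare it is across the seized machines, and checks whether machines were in use at the same time (one user tends to use one machine at a time). All machine names, artifact values, owners and session times below are constructed for illustration.

```python
"""Scoring the "computer personality" overlap between seized machines (added
example, not the original post's code). Artifact data below is constructed:
non-default settings (wallpaper, programs, autostart, saved Wi-Fi, bookmarks)
plus usage sessions. Default values are stripped before scoring, and a match
on a rare item counts for more than a match on a common one."""
from collections import Counter
from datetime import datetime
from math import log

# Constructed baseline of out-of-the-box values; a match on these proves nothing.
DEFAULTS = {
    "wallpaper": {"img0.jpg"},
    "programs": {"Notepad", "Edge", "Calculator"},
    "autostart": {"OneDrive"},
    "wifi": set(),
    "bookmarks": set(),
}

# Constructed artifact data. "laptop_unknown" is the disavowed machine.
MACHINES = {
    "desktop_A": {
        "wallpaper": {"serenity_now.jpg"},
        "programs": {"Notepad", "Edge", "Firefox", "VLC", "KeePass", "OBS"},
        "autostart": {"OneDrive", "KeePass"},
        "wifi": {"HomeNet-5G", "JoesCafe_Free"},
        "bookmarks": {"https://example.org/recipes", "https://example.net/scores"},
        "sessions": [("2019-07-01 08:00", "2019-07-01 12:00"),
                     ("2019-07-01 19:00", "2019-07-01 23:00")],
    },
    "tablet_A": {
        "wallpaper": {"serenity_now.jpg"},
        "programs": {"Edge", "Firefox", "VLC"},
        "autostart": set(),
        "wifi": {"HomeNet-5G"},
        "bookmarks": {"https://example.org/recipes"},
        "sessions": [("2019-07-01 12:30", "2019-07-01 13:30")],
    },
    "laptop_B": {
        "wallpaper": {"img0.jpg"},
        "programs": {"Notepad", "Edge", "Chrome", "Spotify"},
        "autostart": {"OneDrive", "Spotify"},
        "wifi": {"JoesCafe_Free", "Library-Guest"},
        "bookmarks": {"https://example.com/news"},
        "sessions": [("2019-07-01 13:00", "2019-07-01 14:30")],
    },
    "laptop_unknown": {
        "wallpaper": {"serenity_now.jpg"},
        "programs": {"Notepad", "Edge", "Firefox", "VLC", "KeePass"},
        "autostart": {"OneDrive", "KeePass"},
        "wifi": {"JoesCafe_Free", "HomeNet-5G"},
        "bookmarks": {"https://example.org/recipes", "https://example.net/scores"},
        "sessions": [("2019-07-01 13:45", "2019-07-01 15:00")],
    },
}
OWNERS = {"desktop_A": "A", "tablet_A": "A", "laptop_B": "B"}  # known machines (constructed)
TIME_FMT = "%Y-%m-%d %H:%M"

def customized(name):
    """Non-default artifacts of one machine as (category, item) pairs."""
    return {(cat, item) for cat in DEFAULTS for item in MACHINES[name][cat] - DEFAULTS[cat]}

def rarity_weights():
    """Weight each artifact by how few machines carry it: log(N / count).
    An item on every machine weighs 0; one on just two of N weighs log(N / 2)."""
    counts = Counter(pair for name in MACHINES for pair in customized(name))
    return {pair: log(len(MACHINES) / cnt) for pair, cnt in counts.items()}

def similarity(a, b):
    """Weighted number of customized artifacts machines a and b have in common."""
    weights = rarity_weights()
    return round(sum(weights[p] for p in customized(a) & customized(b)), 3)

def overlap_minutes(a, b):
    """Minutes during which a and b were in use at the same time. Overlap argues
    against one person operating both; zero is consistent with a single user."""
    total = 0
    for s1, e1 in MACHINES[a]["sessions"]:
        for s2, e2 in MACHINES[b]["sessions"]:
            start = max(datetime.strptime(s1, TIME_FMT), datetime.strptime(s2, TIME_FMT))
            end = min(datetime.strptime(e1, TIME_FMT), datetime.strptime(e2, TIME_FMT))
            if end > start:
                total += int((end - start).total_seconds() // 60)
    return total

def attribute(unknown, owners=OWNERS):
    """Rank candidate owners of `unknown` by their best-matching machine, with the
    concurrent-use minutes across all their machines as a consistency check."""
    report = {}
    for machine, owner in owners.items():
        entry = report.setdefault(owner, {"score": 0.0, "concurrent_minutes": 0})
        entry["score"] = max(entry["score"], similarity(unknown, machine))
        entry["concurrent_minutes"] += overlap_minutes(unknown, machine)
    return sorted(report.items(), key=lambda kv: kv[1]["score"], reverse=True)

if __name__ == "__main__":
    for owner, info in attribute("laptop_unknown"):
        print(f"owner {owner}: best score {info['score']}, concurrent use {info['concurrent_minutes']} min")
```

The score is only as good as the baseline: anything left in DEFAULTS that is actually a personal choice (or vice versa) shifts every comparison, so build that list from a clean reference install rather than by guessing.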

Not to ignore non-personality clues, there are many other methods of tying a computer to a person when you have multiple systems. For example, geolocation forensics is a good method, where if you can show two or more systems traveling together for any amount of time, then probably the same owner is controlling those systems. Fingerprints too. The Computer Personality is just another tool to consider when you really want to tie someone to their device and eliminate all arguments to the truth.


JUN 24

Add a Dab of Balance in your DFIR World

Posted by Brett Shavers
in  Digital Forensics

Jessica Hyde’s post on Giving Back in DFIR from 2018 is a great write-up on contributing to the DFIR community, and I see her post being relevant for some time to come. One thing that I want to add is that of balancing our time in this line of work.

Now, I am not saying that the DF/IR/Infosec world has more stressors than other lines of work, or that one is better or worse than another. So, in that manner, this post can practically be applied to anyone in any career that builds stress.

The two things that I recommend for life-work balance are to do something for others and to do something for yourself.

Doing for others

Giving back to your job field

Jessica wrote it best, so refer to her blog post for tips on Giving Back in DFIR. Most likely, there is a local association or group that you can join, and if not, there are plenty of online associations to check out. As many are comprised of volunteers, your call to help the organization will be answered. Giving back helps the organization, the field, and, in the same manner, will help you too. You get a little bit of improvement in your skills by sharing them with others.

Giving back to something that relates to you, but is not job related

The dab of balance that I am talking about is that of non-tech related giving. Something that can balance against the time you spend in front of a monitor. If you were super excited when you first started this career, and wish to stay excited throughout, you must have some plan to balance it. Self-monitoring is paramount.

Side story: My first months as a police officer were the most exciting, as it was all new. At the end of every shift, I didn’t want to leave the station. I would have stayed in my district 24/7 because I really loved that job as a new officer. Luckily, experienced officers told all of us new officers to go home when the shift is done. The point was succinctly delivered and taken seriously: do not become overly involved or overly invested in a job if you intend on having long-lasting satisfaction in the job. When I became one of the experienced officers, that was a point that I carried on telling the new officers: go home when your shift is done.

Giving back to something you are related to means giving to those things you have done in the past (unrelated to your job), but to which you can now contribute in a different way. For example, if you are a military veteran, do not discount the amazing work that a service organization does, of which you can be part. I’m a Marine Corps League member, and being part of Toys for Tots or helping a veteran move off the street and into a home is a feeling that can’t be reproduced anywhere else. If you were part of any organization in the past, you have a head start in getting involved in something great. Help others who can’t help themselves and you will have made the world a better place to live. That better world is your world.

Give time to an interest that you feel strongly about

I’ll admit, if I still lived in Hawaii, both my wife and I would be volunteering our time with something like NOAA Fisheries. Helping out marine life like sea turtles and dolphins is something that I find quite cool (and important!). Luckily, living in Washington (State) allows for volunteering for lots of nature projects, none of which has a lick to do with technology, but all of which make the world a better place than when I found it. Did I mention that this better world is your world?

Show support for good causes

Given that the DF/IR/Infosec field is darn near a 24/7 callout job, where we are never far from our smartphone and are expected to run out the door at any given moment, time is precious. Make it a priority to spend time with your family and friends, to support them and to receive support. But when time is short and you can’t commit to volunteering for a cause, you can always show moral support to the causes that you believe in. Your support, no matter how little effort it takes, can have a great impact on someone else.

Doing for yourself

This is an easy one. Find a hobby. Any hobby. Except taking naps. Something that makes you happy. Write poems or a book. Hike. Swim. Fish. Fly. Walk. Read. Take classes. Get a degree or get another degree. Do something on a regular basis that brings life back into perspective. Change it up when you want to. Read for weeks and then hike for days, or maybe swim on a weekend and walk the next weekend. Whatever you want to do for you. Your personal time is important. Those who only do for others will eventually burn out.

Which is more important? Giving to yourself or others?

The answer is both are equally important. Giving only to one will likely result in failure in both. Take care of yourself and do something for others. The end result is that your DF/IR/Infosec job will be more satisfying, you will be more productive, and you can excel for the length of a career and beyond without burning out.

Look at it this way:

If you can do something that satisfies you, no matter what happens in your world, you can make it better for you.

If you do something for others that they can’t do for themselves, you just made the world a better place. And remember, that better world is also your world.

17616 Hits

JUN
08


The Easy Way to Learn DFIR

Posted by Brett Shavers
in  Digital Forensics

Summary

There is no easy way to learn DFIR. You can stop reading from here if you want.

Longer version

Ok. Since you are still reading, you probably are the type that will drive through, over, around, or under walls to get to where you want to go. Good for you!

The perception that “everyone else” has easy access to training, education, and resources while “you” do not is just a perception. It is easy to fall into the trap that makes this seem like reality when in fact, it is far from it.

Social media reinforces that we should only show the good and the best and the positive of ourselves, in that few people talk about their personal struggles and only showcase the best parts of their lives. The DFIR marketing experience is no different. Vendors tout their wares, colleges push their programs, and those who attend these programs mostly preach how great the training, education, and networking are in these venues. For the rest of the DFIR Internet, it seems like “everyone else” gets to go while “we” do not have the same opportunities.

The fact is that perception is not reality, and virtually everyone in this field of DF/IR/Infosec struggles to learn using every spare minute, any affordable resource, and every free resource available. Across the whole field, only a very small number of people can spend years in training and education while at the same time being able to work and have a life outside of work. It’s just not a realistic scenario for the vast majority.

The struggles

Do not believe that no one struggles in life except for you. Do not fall for any mental traps that you are the only person having the most difficult time in getting into the DF/IR/Infosec field. Avoid anyone and everyone who tells you that it is not your fault that you do not get what you want, but the fault of others who prevent you from learning or being hired because of what you are. The “what” of you is everything that has nothing to do with “who” you are. The “what” is things like age, gender, race, height, weight, or any other physical description that have nothing to do with who you are. It is the “who”, not the “what”, that makes things happen. Anyone giving you excuses or perpetuating excuses like these is keeping you down, so ignore them.

Side Note: Every client of mine cares nothing for “what” I am, only that I can solve their problems.

Stop looking at those who have “made it” with a false belief that they had it easy. That they had everything handed to them. That they must be smarter and can learn things more easily. I can promise that every single person who you think has “made it” struggled for years and still struggles to keep up with the field. They struggle to balance life and work. They struggle with medical concerns (like you), home budgets (like you), family duties (like you), and even suffering in traffic (like you too!).

No one lives inside a DFIR bubble that protects from any of life’s tragedies, miseries, and mishaps. I can also promise that many of those whom you may think had it easy, probably had a much more difficult time of getting to where they are than you could ever dream, maybe even harder than where you are now.

Tip: Everyone struggles. No one is born with a silver spoon in this field, because you have to put the labor to learn it. There is no other way.

The resources

With the Internet today, you can practically learn any field that you have an interest in, with virtually no money out of pocket other than an Internet-connected computer. DF/IR/Infosec is no different. On www.dfir.training alone, there are terabytes of forensic test images, thousands of software applications (more than half are free), hundreds of white papers and templates, and more resources than you could use in a career. Other related sites provide similar resources, even places where you can post any question and have it answered by experienced practitioners within minutes of posting.

The training available today is more than I ever could have predicted when I first dipped my toes into this work. The courses available in the beginning pale in comparison to today. Where just over a decade ago the courses were basic “computer forensics” that covered a mere fraction of what we know today, courses now dive deep into specific artifacts and systems, so that you can select exactly what you need.

Time and money

The issue of having enough time and money to learn is not new to DFIR, nor is it unique to DFIR. If you want to be an attorney at a top tier school, be prepared for the cost. If you want to be a physician, accept that there is a financial cost that is most likely more money than you have in the bank. And any field takes time. Anyone who expects this journey into DF/IR/Infosec to be 100% free or 100% paid by someone else, or that it can be learned in a few weekends (while watching Netflix on TV) will be greatly disappointed.

The right reaction to the high cost of education is not to complain about the difficulty or perceived unfairness, but rather to figure out your own way to get what you want. Everyone has a different method to get to their destination. Everyone has different obstacles. But everyone has opportunities if you make sacrifices to take advantage of them.

Shortcuts

Let me digress a little. I am a firm believer in cheating. I define “cheating” as being innovative, creative, and imaginative. I do not use “cheating” as breaking rules, laws, agreements, or selling out a part of your reputation to get what you want.

Technology makes it easy to break laws and rules. Cracked (pirated) software/books are one of the most common things that I see among students, with the excuses that since they can’t afford the software or books, they download them from torrent sites.

Do not do this.

Or if you do, keep in mind that you will have crossed the bridge from the land of doing good to the land of doing bad. I won’t get into the moral aspects of digital property rights, but I will say that you cannot beat the law with excuses of “it is not stealing when you are only downloading a copy”. Try telling that to a judge if you are questioned about being a software pirate and let’s see how far the argument goes. Your client or boss will certainly not be happy…

Best field ever

As far as support, DF/IR/Infosec folks are the best. We like to learn, teach, and share. Yes, there are always a few bad apples in any group, but overall, the folks here are great. Avoid the bad apples. Don’t even communicate with them.

The reason I believe the people in DF/IR/Infosec are great is because the work we do is for the public good. The work is about justice, fairness, and truth. Usually, only good people gravitate to good work like this. It’s in our nature.

In the words of Troy Larson, "Be good." I cannot think of any words more important than Troy's.

Shameless plug

Here are some things you can take advantage of from www.dfir.training.

  • Find test images and challenges: https://www.dfir.training/resources/downloads/ctf-forensic-test-images
  • Find tools to work on the challenges: https://www.dfir.training/dfirtools/advanced-search
  • Find training to learn more: https://www.dfir.training/calendar
  • Join an association to network and learn: https://www.dfir.training/directory/associations
  • Find a DFIR blog with your target interest: https://www.dfir.training/dfir-blogs
  • Find a college with a DFIR program: https://www.dfir.training/directory/educational
  • Find a DFIR book: https://www.dfir.training/resources/book/library/1560/books
  • Find a template, report, or search warrant to see how others write: https://www.dfir.training/resources/downloads/forms-and-templates
  • Find any of thousands of white papers: https://www.dfir.training/resources/references/white-papers

And more. But you get the point. If you have the time, you have the resources.

The shortcut way

Granted, if you have unlimited financial resources and plenty of time, the options are “easier” in that you can sit in classes while being told the answers to DFIR problems using the most expensive software applications available today. This is the exception, not the rule for the DFIR world. In my opinion, the most expensive courses are best for when you can soak in every minute of the course because you already have a good foundation. Otherwise, your time and money will not be best spent if you don’t learn what you could have learned by being patient first. You will end up re-learning later what you should have learned in that course, which is a double waste of time and money.

How I do it

Your mileage will vary, but I plan on spending hours learning the bare basics of something that I don’t know.  I can spend an entire weekend and not accomplish anything because it was hours of trying, failing, falling into rabbit holes, wrong conclusions, wrong software, errors, oversights, Internet research, and restarting virtual machine snapshots again and again to try it all again and again. Sometimes I get it right quickly but most times I spend a lot of time to get it wrong a lot of the time.

I expect that some people learn faster than me and others learn slower. But that doesn’t really make a difference, nor do I judge myself against someone else. We are different.

A big point to make

I often get asked questions about topics that I have no idea about, because I haven’t done everything in DF/IR/Infosec. I know some things well, just as I don’t know some things at all. Do not expect to learn everything, because there is no such thing as knowing everything. By the same token, do not expect others to know everything either, regardless of who they are. Anyone who claims to know everything knows nothing about knowing everything. Also, don’t look at someone sideways when they don’t know the answer to your question just because you think they should know it all.

One of the many things that I learned in Marine Corps boot camp was answering questions that I didn’t know the answer to. To jog the memory of the Marines reading this, we learned through positive reinforcement that to not know an answer to a question does not mean you cannot find the answer.

“I don’t know” is totally different from “I don’t know the answer right now, but I can figure it out and get back to you.”

At the CTIN conference a few weeks ago, I spoke to someone who has been doing this work for a long time. His story, in brief, was that he spent an amazing amount of time figuring out how to pull data out of a database that he had not dealt with before. Nor could he find anyone who had dealt with the same thing. But he did it. It took a lot of time and a lot of labor, but he did it. From what he described, this is not something you can find in a class or a book. You have to figure it out yourself. And he did, as he always does, because he knows that it takes time and effort to learn and figure things out yourself.

By the way, his work made a difference in the case, because he found a way to pull out the data in a readable format, and it was a lot of data.

I wrote a little about the theme of figuring it out yourself here: Just show me the answer

One more big point

Another reference to the CTIN conference was a presentation by Mark Spencer of Arsenal Consulting. Mark spoke about a case where he found the most relevant forensically important data in a case that 14 other experts missed. Actually, it was 14 other companies that missed what he found, which most likely means that it was more than 14 individuals that looked at the same data and everyone missed it. The case involved the wrongful incarceration of more than 700 people, including journalists.

Mark could have been the 15th company that missed the evidence, but he really dove into it, in the minute details of file analysis that I had never thought of before hearing his talk. You can believe that I look at the aspects of his work much differently in my work today.

In case you missed the point, it is that no matter who you are, you can do a great job when others do not. You do not need to work for a Fortune 50 company doing infosec to be part of a global case that affects hundreds of people, or even millions of people. You just have to put forth the effort to learn.

Walking miles in two feet of snow to get to school

I have talked about how difficult it was years ago to get into the field because the resources were scarce. No college programs at all. None. Not a single one. The books were few and extremely generic. Conferences didn’t exist either. Vendor courses were very expensive and plainly generic. Software choices were so bad that we used hex editors.

I do not say this to mean it is easier today than it was yesterday, but that there is always some struggle or obstacle to get where you want to go. The struggles and obstacles change over time, but nonetheless, they will always exist. Where I had no college choice years back, now there are many choices, but it comes with a financial and time cost.

Want to be famous? How about wanting to do good?

Here is the neat thing about this field: find something to research that hasn’t been done before. Dive into it. Break it apart. Smash it into bits. Test your theories. Come to conclusions. Publish it. It is not unreasonable, nor impossible, to discover something really cool in this field. Most fields work this way; DFIR is no different. You do not need a PhD to do this job. You do not need a certification to be competent. If you can do the job, that is all clients and victims want.

Bonus points

You read to this point? That shows to me that you won’t take a shortcut, that you will do it right, that you will make it, and that you will be able to solve problems. Some of you will be solving problems that will affect hundreds or hundreds of millions of people. That right there is cool.

18997 Hits

APR
25


Game of Thrones, DFIR Style

Posted by Brett Shavers
in  Digital Forensics

Short post and quick opinion.

I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little deeper. Actually, I didn’t have to dig far at all to find truly negative things, things that I don’t typically see. (*edit: this wasn't written about a current infosec drama, but it certainly can be applied to it)

DFIR Call-out culture

On the call-out culture in DFIR/infosec, aka “name and shame”, I liken it to a Game of Thrones style Walk of Shame. When the Internet is weaponized against someone, for any reason, justified or not, it’s not just a walk of shame, it is a walk of shame on a cocktail of meth and steroids, and carved in stone.

I don’t have any requests of anyone who chooses to participate in the call-out culture, simply because people will do what they are going to do regardless of any positive advice you want to give. For those, it will always be damn the consequences, to hell with long term negative effects, and so what to those hit as collateral damage.  I’m using the ‘call-out culture’  term as it applies to simply calling out anyone online to bash, shame, embarrass, ridicule, or troll because you are angry at something.

Stay above the fray

There is a reason that I don’t see these things online. I don’t look for them. I ignore them and certainly don’t follow them. I intently look for the positive. There are good people in the world, in every profession, just as there are not-so-good people in the world and in every profession. We each choose who to listen to, who to associate with, who to mentor, who to be mentored by, and who are our role models. We make our own beds by the choices we make. Make the wrong choices and you will see a lot of negativity that is amplified more than its reality.

To be honest, I have started this post several times over the past year, but I chose to not write it because of a fear of somehow being targeted in the culture that we developed in targeting ourselves. But I hope that the post helps someone, so I write it today.

Inciting fear, anger, and hate

Here is one example of what I am talking about: It is difficult to get the job that you really want. For some reason in the universe, no matter what job you truly want, it is difficult to get. Sometimes it is impossible. Same with the school that you want to accept you. I have no explanation for why this is, or maybe it is just me. Whatever story you have on not getting what you truly wanted, I can one-up you on every count. Whatever story you can give on not getting what you wanted because of something about you, I can one-up you on that too. We all suffer from some form of something that we had nothing to do with or have any control over that is used against us for some reason or another. All of us.

The thing is, when we tell each other that the world is against us because of something, like what you are (versus who you are), or some other reason, we do a disservice by discouraging hard work. By knocking someone down online, we discredit ourselves and the community. When we say, “The system is against you”, that roughly translates into “No matter what you do, you won’t win.”  Some of us, certainly a small percentage, dance in the muck of trolling others, embarrassing peers, creating untruths, and worse still, doxxing each other.

This negativity won’t go away, but you can choose to not listen, not be a part of those conversations, and push the positive, not push the narratives. And simply keep moving forward. Simply, by the way, does not mean easily.

I'm not trying to conflate the mentions that may unintentionally come across as negative with the intentionally negative comments found online. There is a difference between innocently saying something that may be misinterpreted and blatantly calling someone/something out.

I see this sort of culture online, where some users are constantly spreading fear or generating anger, riding on any hot topic of the day. I just don't know what to say about those who are angry about something that affects no one but themselves. When they try to build an audience to support their cause of anger, by "calling out" some person or some group of people for some reason or another, the Internet magnifies someone's personal perception, which in some cases can be totally off base. All I can suggest is to ignore those who do this, because those who do this can't be reasoned with. Associate with eagles so that the turkeys don't hold you down.

Confrontation

Going directly to the source of an issue that you have with someone takes guts. You won’t get any ‘Internet social cred’ for not calling them out publicly, but you will get respect from the person or company that you confront. I have been in military and law enforcement units where the only way to solve a problem was to go straight to the person and talk; if you don’t talk to the source of your problem, shut up about it. Today, we see people hit every social media platform to take someone down on an issue that might not even be an issue, with long-lasting (i.e., permanent) effects. Whether a justified injustice or a perceived slight, the result is the same when the Launch-the-Internet-nukes button is pushed.

The contact information of nearly any person or company is blatantly open online. A simple email or DM might answer a question that you have, or clear up a misunderstanding that you or the other person may have. Maybe it won’t.  But I can tell you, when you slam a company or person online, it doesn’t matter if you were right (or self-righteous), or totally wrong. The damage is done to both your target and you as soon as it hits the interwebs.

Enough of this already

I will repeat something that I have said many times before. I remember every single person that helped me in every aspect of my life. Some have no idea that they were even a positive influence in my life, but I remember them as such. I remember them by name and by the very thing they helped me in achieving, overcoming, or most importantly, helping me survive.

One of these people, with whom I served in the military, had a huge impact on me being positive in any situation. I’ll name him, because it is in the positive, as you will never see me call out anyone in the negative.

So many years ago, when I was a young E-4, Sam Birky was my unit’s Chaplain, and was one of the most positive people I have ever met before or since. Every minute speaking and every mile running with him affected me then and through to today. You would think, looking at his demeanor and attitude, that everything must have come naturally to him and nothing bad ever happened. If you thought that way about him, you would be totally wrong, yet he came across as one of the luckiest, happiest, and most positive people you can ever meet. If you are fortunate enough to have him tell you about his life, from serving in Vietnam, to its aftermath on him and his family, and more that he has endured, you will see how someone can be better even when everything is at its worst. Those stories that he told me are mine, but for anyone who I ever helped, know that most likely it was Sam Birky who helped you, as I was just the middleman of Sam's goodwill and good advice.

As for those who held me back, pushed me down, sabotaged me, kicked me while I was down, stole from me, or spoke nothing but untruths… I remember you just as clearly, but not for any good thing. That’s all I will say about that.

My opinion to you is, be the person that is remembered like a Sam Birky. You will sleep better. The community will be better. In the end, you will be remembered, and not ignored. And the world around you will be a better place to be. That is all that matters today. Yesterday is gone, but we can work today to make ourselves better tomorrow, even if just a little bit (or byte) at a time.

*edit 4/26/19*

Some have asked, and this is the Sam Birky to which I refer (hint: he's the Col).

47983 Hits

APR
17


Puking in DFIR

Posted by Brett Shavers
in  Digital Forensics

Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in, literally puking.

The inspiration for this post

I listened to a well-done presentation not too long ago, and afterward, I went to the restroom. When I walked in, I heard someone puking their guts out. It turned out to be the presenter. When he came out of the stall, looking all embarrassed, he said that it must have been something that he ate.

I told him that food probably had nothing to do with it, but more with the stress, pressure, anxiety, fear, and energy required to give the great presentation that he did. I realized after I said that, he was more nervous...

Then I told him that he’ll probably tango with the toilet again at another presentation. It’s just the way it is when you open yourself to a crowd of people. The fear of being judged, evaluated, critiqued, criticized, or being wrong is a lot for the stomach’s brain to handle. Of course, I immediately realized that I was making it worse after the words left my lips…

I said that sometimes I drive the porcelain bus when I give presentations (I have once, and I expect to do it again surely at some point). My advice was to let it flow when it comes, either before or after the presentation, and consider it a badge of honor that you truly put out your best effort for your audience and put yourself out there. You physically and mentally gave it your all because you exposed your entire self to a crowd of strangers. As a bit of comfort, I did say that I’ve not seen anyone hurl during a presentation, but I’m sure that can happen too. I didn’t tell him that at the time though.

But can it happen to you? And should you ever risk speaking in public if so?

In my opinion, presentation-induced upchucking can happen to anyone, from the most experienced presenters to the greenest of presenters. In DFIR, anyone, and I mean anyone, can find themselves on a stage for the first time in a young career or at any point of their career simply because they know something that others don’t. Maybe a small thing. Maybe a big thing. But your time in DFIR is irrelevant insofar as being able to speak to those in DFIR.

Also, neither the size of the audience nor your competence level at your job determines whether you will toss your cookies.

Ok. Let me give you my ralph story.

My day-of-barf came at a presentation to a group of citizens on basic cyber security. The talk was a favor to a friend who organized the attendees. I gave it my all, as I do every time, but nothing extremely out of the ordinary. As soon as it was over, I felt a little queasy, and lost my lunch in the restroom. That was it. I did it once. When I stepped out of the restroom, there was a small group of people staring at me, and one asked if I was ok. Yep… they must have heard me… If you ever hear anything different, that was the story, and not a big deal. I would not be surprised to have it happen again, mostly because I care about giving an audience the information that they came to hear, in a manner that everyone benefits from. And I hope that my zipper is not done at the time…

I tell you this because no matter how many times you present, you may never know the one time that you end up revisiting your breakfast afterward, which has nothing to do with the number of presentations you have given. I have given presentations for more than 30 years, to groups of less than 5 and to rooms of more than 500, and I still ordered a Buick in the restroom.

But this doesn’t mean to stop presenting when you have the opportunity. On the contrary, I hope it encourages more presentations from those who are so nervous that they would never think of standing on a stage to present a topic that so many people are waiting to hear.

If you are doing your best, and you care that you are connecting and giving a part of yourself to the audience, you are probably at risk of retching afterward. Consider it solid (albeit chunked) proof that you gave everything you had and that your audience received maximum output from your effort.

My intention with this post is that if you find yourself blowing chunks after a presentation, whether you were nervous or not, do not take that to mean you should not present anymore or that anything went wrong with your presentation (it was probably as good as it gets). If I happen upon you as you make modern art in the toilet, I will know that I saw a presentation given at your best and that you bared all to your audience. Kudos to you.

By the way, I believe there to be three types of presenters:

  • Those who have thrown up.
  • Those who will throw up.
  • Those who have thrown up but haven’t told anyone.

So......have you ever thrown up with one of your presentations? Don’t worry about it 😉

8223 Hits
Tags:
presentations

APR
09


The #1 Reason that DFIR practitioners don’t post opinions

Posted by Brett Shavers
in  Digital Forensics

Lesley Carhart tweeted today that a journalist used one of her tweets in an article, a tweet that she would have rephrased in a less playful manner had the journalist just asked. I find this to be an extremely important point that affects many in forensics (see my side note on 'forensics').

Lesley's tweet was in an article about a national security lapse, or actually, several national security lapses. The incident described in the article is important on its face for national security, yet a journalist took a snarky tweet to validate the journalist's statements. Lesley was spot on with her tweet; as she mentioned, she would have written a killer response that would have been better for the journalist had the journalist just asked her.

TFW your shitposting tweet about infosec is so funny they just stick it in a serious and credible news article 🤷🏻‍♀️🍸

— Lesley Carhart (@hacks4pancakes) April 9, 2019

Let me take this a step further to get to the crux of this blog post on why many practitioners don't post opinions online:

"I am afraid of some attorney using my words against me. - unnamed DFIR expert" 

I have spoken to more than a few practicing DFIR folks about their decisions to not openly use social media to discuss DFIR, since that is the best way to get the fastest answers to problems. The common response is the fear of having a conment being used against them in a case, especially since they are perpectually under subpoena in one case or another.  Some of those who do post online comments are using anonymous accounts. They are afraid of their words being used against them in court, so they go the anonymous route, as if that will protect them from answering the question under oath, "Do you have any social media accounts where you discuss your work?"

This commonly stated reason of fear of any comment or comments being used against them in legal proceedings where they stand to be called as a witness is something that I totally get.

A scenario that can play out is being a witness in a civil or criminal trial, undergoing cross-examination, and having past comments brought into play as a means of discrediting the witness. With journalists and activists reaching back decades of online comments to discredit or embarrass someone, the legal arena is ripe for doing the same thing (I have seen it done). In some instances, this could be reasonable if full context is introduced, and even then, opinions are like fruit; they can be perishable as time goes by.

I've had a tweet of mine end up in a class action suit filing. While I stand by it (not a good idea to link to JavaScript from an ad domain that was abandoned years ago—and now repurposed by an attacker—in a production site), it made me rethink how I framed things.

— Kenn White (@kennwhite) April 9, 2019

The result is that we have an incredible amount of talent, experience, and knowledge in the forensic world that refuses to post any comments online for fear of potentially having a comment used maliciously or falsely in either expert qualification or cross-examination. The impact on the community is that we miss the most relevant and impactful resources that could move the community forward 100x, all because of fear of being quoted out of context.

Some people, for whatever reason, do not want to disclose where they work, as if having any job would be embarrassing anyway. So, they stay anonymous online. Again, I totally get it, but if you aren’t bashing your employer, disclosing intellectual property, or being disingenuous in what you say, do you need to be anonymous?

What we get then is a slew of anonymous accounts. We have anonymous practitioners and experts, whose qualifications or reputation we have no way of knowing, stating opinions on “DFIR” topics, which do not have the same impact as a named person. It’s anonymous, therefore untrusted and unverifiable, even when coming from someone who is probably the best to state an opinion on the topic at hand. We just don’t know; therefore, it is almost pointless.

Reasons supportive of anonymous accounts

I understand the use of anonymous accounts when your personal safety is at risk, such as working in a field where you or your family could be targeted (and killed) because of your job, such as working undercover or for an intelligence agency hunting terrorists. If you are only doing forensics, the odds of being targeted are quite low… How do I know this? Because when I worked undercover, where I was day-in and day-out hanging out with people who killed people, I never had my name online. I was also at the point of not having any social media presence at all (anonymous or not) for the sole reason of limiting the risk of exposure to myself and my family.

Other than that, I see no need to have an anonymous account other than for the ability to post anything, and I mean practically anything, without any risk of being personally called out for unreasonable, untruthful, or otherwise harmful opinions. Unless an employer has a specific policy that an employee cannot have a personal social media account, anonymity simply appears to be a manner to spout off without recourse. I’m still looking for an employer that prohibits an employee from having a social media account… But again, I get it. Anonymity is here to stay.

To the anonymous experts

Brett’s opinion: Anonymous accounts hold zero weight for opinions. It doesn’t matter how many retweets, shares, or favorites you get; anonymity is not credibility. But if you put your name on your words, your words are heavy. For those working in the legal arena, especially those writing affidavits, you particularly know the weight of an anonymous complaint versus someone willing to have their name listed in a search warrant affidavit.

Your word is to your honor as your name is to your reputation.

The things that we say (post/tweet/share) today will most likely exist forever. This by itself should be enough to make us at least read our words before posting them. Although I will admit, I will re-read what I just typed, post it, and then catch my grammar errors too late after the post…but for the content, I stand by what I post. As to the grammatical errors, I’ll take them too because for context, my words are my words.

I hate saying that I was wrong

I do not like to apologize or admit to being wrong, but when I am, I do it. I consider everything that I do and say, including social media posts, to be under scrutiny for accuracy and truthfulness. I don’t need anyone scraping my data to find something that I misstated, but I could surely see something being dug up in court or online by someone who wants to. That’s fine. If I was incorrect in stating something, I’ll admit that I was wrong. I will even apologize for it because I want to learn and improve, not be stuck in my growth in the field.

Pot calling the kettle black

Yes, you have seen me, and will continue to see, embed someone's tweets in a blog post. But you will never see me take someone's comments out of context, nor re-post someone's comment that will embarrass or shame. That is uncool. However, I will showcase some good ones that deserve more discussion than just a tweet can do. The really important tweets that affect hundreds or thousands of people. Lesley's tweet is one of those tweets. Her tweet was perfectly done and did not need rephrasing in the least bit (or byte).

APR
08

If USB flash drives were shaped like spiders, we wouldn’t have these problems

Posted by Brett Shavers
in  Digital Forensics

I hate USB drives. My first experiences with the darn things were when I was a young patrol officer and the entire police department was ‘issued’ a USB flashdrive to temporarily store our reports. In theory, we would be able to write reports on our patrol car laptops (MDCs/MDTs), store the reports on the flashdrive, and then plug into the network to upload the report. At the time, the patrol car laptops had no “Internet” connectivity, other than a data channel for running names and license plates.

In practice, those USB drives were forgotten in whichever computer that the officer plugged it into. Everywhere you looked, there would be a handful of these things either plugged into workstations or laying around desks. Some had names written on them, others were just plain ol’ USB flashdrives in every color of the rainbow.

At one point, the entire network was infected with a MS Word macro virus that was spread throughout the city. I blame those USB flashdrives.

Oh yeah. None were encrypted, but they should have been, considering how many were probably lost throughout the city after being inadvertently dropped while on the street. When the real “Internet” was connected to the patrol MDCs, we could finally upload reports directly without using those malware devices.

Personally, I still hate those things. I have lost USB flashdrives before, simply because they are small and easy to lose. Any USB flashdrive that I personally have is encrypted because I KNOW that I will lose one eventually. No, make that I will always lose all of them eventually. Thank goodness for cloud storage…but that’s another story.

Today's spy story

https://abcnews.go.com/Politics/chinese-woman-mar-lago-security-controversy-expected-court/story?id=62247972

I’m not getting into why I think this spy is incompetent, because maybe she isn’t. Looking at all angles, this could be a small part of a very well executed operation where this particular operative was designed to be caught from the beginning. Perhaps to probe security or maybe as a distraction to the primary operation. Basically, this spy got caught with typical spy stuff, including a malware infected USB flashdrive.

Here's the rub: After seizing this suspicious USB flashdrive, the Secret Service plugged it into a computer. I don’t know anything about the process used or the computer that was used, but reading that the agent shut down the computer because of seeing a “very out-of-the-ordinary” event of files being installed to the computer implies that it was not the correct process…at all.

USB flashdrives are evil.

To be honest, I love finding USB flashdrives because I am a curious person. I automatically assume that malware is on every one of them that I find, and that is what I look for. If I had no intention of uncovering malware on a found USB flashdrive, I would throw it away. Unless someone’s name was on it and it could be returned, I toss them. I recommend that everyone toss them. Most likely, you won’t find the owner unless you plug in the flashdrive and fish through the files. That means exposing your machine to potentially harmful malware. Additionally, I am certain that the owner would rather have the found property tossed in the trash than have a stranger go through their personal data.

The year is 2019 and we should all know better by now. You do not need to be a “cyber” person to know that plugging ANY unknown device into a system creates a risk of compromise. Plugging an unknown USB flashdrive into your computer should be viewed as if you were taste-testing white powder that was mailed to you in a letter. You just don’t do it because you just don’t know.

To have the Secret Service plug a USB device into their system is disappointing, because the best forensic training that I have ever received was from the Secret Service. They know their stuff. You just don't start plugging devices into a government computer system...

The lesson

If you know that USB flashdrives are dangerous, be sure to tell others when the occasion arises. Teach your kids. Teach your friends. A found USB flashdrive is garbage. Don't fall for anything that makes it enticing to plug in, because that is the point of an intentionally malware-infected USB flashdrive: to get you to plug it in.
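For the machines that should never accept a found drive in the first place, the lesson can be enforced rather than just taught. The script below is an added example written for this post, not code from Brett or from any project mentioned here. It assumes an elevated PowerShell session on Windows 10 or 11 and uses two standard registry locations: the USBSTOR service key, whose Start value controls whether the USB mass-storage driver loads (3 is the on-demand default, 4 disables it), and the Enum\USBSTOR key, which keeps a record of every USB storage device Windows has enumerated on the host, even after it was unplugged. The first function gives an examiner or administrator a quick look at what has already been connected; the others check and set the block.

```powershell
# Added example, not from the original post: audit USB mass-storage history on a
# Windows host and optionally disable the USB storage driver so a found flash
# drive never mounts. Assumes an elevated (Administrator) PowerShell session.

$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbStorEnum    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorHistory {
    # Each subkey of Enum\USBSTOR is a device model (Disk&Ven_...&Prod_...),
    # and each subkey beneath it is a device instance, usually its serial number.
    # The entries persist after removal, which is why they matter in DFIR work.
    if (-not (Test-Path $UsbStorEnum)) { return @() }
    Get-ChildItem $UsbStorEnum | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{
                Model        = $model
                Instance     = $_.PSChildName
                FriendlyName = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).FriendlyName
            }
        }
    }
}

function Get-UsbStorPolicy {
    # Start = 3 lets the driver load when a device is inserted (default);
    # Start = 4 disables the driver, so USB mass-storage devices are not mounted.
    $start = (Get-ItemProperty -Path $UsbStorService -Name Start).Start
    [pscustomobject]@{ Start = $start; Blocked = ($start -eq 4) }
}

function Set-UsbStorBlocked {
    # Switch the driver between disabled (4) and on-demand (3), then report.
    param([bool]$Blocked = $true)
    $value = if ($Blocked) { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorService -Name Start -Value $value -Type DWord
    Get-UsbStorPolicy
}

# Show what has been plugged in so far and whether the driver is currently blocked.
Get-UsbStorHistory | Format-Table -AutoSize
Get-UsbStorPolicy

# Uncomment on a host that should never mount USB storage:
# Set-UsbStorBlocked -Blocked $true
```

Disabling USBSTOR only stops mass-storage devices from mounting; it does not stop a device that presents itself as a keyboard or network adapter, so it belongs alongside, not instead of, an isolated examination machine like the one mentioned at the end of this post.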

If USB flashdrives were shaped like spiders, we would have ZERO instances of people plugging these things into their computer. https://t.co/oSMTSMAkio

— Brett Shavers 🙄 (@Brett_Shavers) April 8, 2019

As for me, I would have loved the opportunity to examine that USB flashdrive. I have a computer set aside just for that sort of thing 😊



© 2023 Brett Shavers