I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not mean that they took on more than what they could handle, but that they started down a path, committed themselves to it, and refused to adapt to the changing environment.

Here is one example that I have seen in police work: Officers were dispatched to a drive-by shooting with a description of the shooters and vehicle. Reasonably, and expectedly, two officers pulled over a car that matched the make, model, and color of the suspect vehicle. Since it was a shooting, they conducted a “felony traffic stop” which means guns out, ordering occupants out the car, one by one. They were committed at this point in a high risk stop. As soon as the first occupant was ordered out of the car, both officers knew that they had the wrong car (they told me such afterward).

The thing is, they kept going forward, knowing they had the wrong car, but had to ‘finish the felony stop’.  They were overcommitted without room of adapting to a dynamic environment. I’ve seen this on a few occasions, not many, but enough to know that it happens.

The point

This happens in DFIR too, and I have seen it happen more often than I have ever seen in police work (or in the military). The way that I have seen it happen is on smaller scales of seriousness (no one has guns pointed at them..), but larger scales of wasted time only to get to the wrong objectives. I have seen this in peer reviewing reports in that I can tell that an examiner was hell bent on going one direction in an analysis, forcing a tool to do something that it really shouldn’t be doing, following leads that have nothing to do with the case objective, and completely missing blatantly obvious clues along the way. They are overcommitted in plugging in a dongle and driving through a media on a pre-set course with no room for deviation. This happens a lot in with students when teaching classes and is expected as a learning experience. But don’t let it happen to you.

As for me, I have gotten on the wrong track on occasion, but I have no hesitation to realize it, cut my losses in time already spent, and get back on track. Every time this happens, I end up in a better place in the analysis because I realized that I had become overcommitted.

How it happens

Basically, you hop on a train that has one track to one destination and you refuse to get off once you realize that you are on the wrong train. Some of the ways this happens include;

Your favorite tool

We all have a favorite tool or two. Sometimes that tool is not fit for the task you need. Either don’t start out using it when you shouldn’t, or as soon as you realize that you need a different tool, stop drop roll and change tools. The sooner you realize you need a different tool, switch to it.

Your “system”

Yes, it is easy to get into a rut and start an exam by looking in the usual places for the usual things in the usual order that you always do. Stop doing that! Each case is different. Each case needs to be evaluated with a ‘custom systematic’ method of analysis. Otherwise, you will miss evidence and not even know it.

Your blinders

Don’t start out thinking that you know what happened because you will keep looking to prove what you think rather than prove what actually happened on the system (or to the system).  By “blinders”, I mean that you intentionally don’t look at what you should be looking at because you only want to see what you want to see. As soon as you realize that you are doing this, guess what? Stop it, back up, and do the real work that you started out to do.

How to realize when it happens

As soon as you see yourself spinning wheels and getting nowhere fast, stop and reflect on what your initial goals were, the plan that you laid out, and just as important, the things that you saw along the way. It is what you find along the way that determines which way you go. Much like a tree blocking a road requires you to find a new route, when you find evidence or leads in your exam, adapt your previously well-thought out plan to what you find. Otherwise you will be stuck, spinning wheels, going nowhere.

Your benefit to re-group and re-start

You won’t waste as much time as you would have had you not just stopped, reflected on what you are doing and seeing, and adapting your plan to the evidence you have at hand. This advice works for practically any aspect of life by the way, but it is particularly helpful in forensics because it is so easy to get off on a wrong start or drift away from where you should be when looking at data.

Your next case

Plan how you want to attack it. Gather your tools. Prep yourself that your plan will probably change, which means your approach may change, your tool choices may change, and the route you take to solve the objective may change. Know that up front and you can save days and days and days of effort. As a side note, don't worry about the time you wasted, as long as you get back on the right track, because it is not wasted time if you adapt to the evidence you find along your route to the objective. You may even end up in a better place.

Swift on Security tweeted a great article. The article is not great as a well-written piece or containing earth shattering news piece, but more that the article brings up a few questions and assumptions to think about on any legal matter.

This should be a mandatory read for every IT person who thinks they’re suddenly a forensics expert ready to judge facts. Inability to present preserved traces and timeline, along with impossible knowledge they can’t explain? 🥴 don’t know what’s going on https://t.co/sK1DbCWIaC

— SwiftOnSecurity (@SwiftOnSecurity) March 9, 2019

The short version of the story is that Tuft’s University accused a student of altering her grades by hacking the school’s system and subsequently expelled her. I’m not going to case-study the article since there isn’t any signed statement of perjury as there would be in an affidavit, other than the expulsion letter.

https://techcrunch.com/2019/03/08/tufts-grade-hacking/  

There are a lot of unanswered questions in the article, and without having the reports that surely had to be written, I see this article as a friendly reminder that ‘investigating’ an incident (crime, policy violation, etc…) should be done by those with experience to back up the findings, as well as having no hesitation in releasing the evidence and findings to the suspected party. The facts are what the facts are, but if you can’t refute the facts, it is only allegations and not facts. 

The topic of attribution is a favorite of mine. I like it enough to have written a book on it.  Actually, two books. These types of cases are cool because I love to find out whodidit and prove it that they did it (or disprove a false allegation). Articles like this are teases, because we’ll never know unless the facts of the case are produced showing what was done, how it was done, and what evidence was found. Implications one way or another only incite readers to believe one thing or another.  The subtitle to the article ,'You're guilty unless you can prove it", sort of shows this, although I think the writer meant "You're guilty unless you can disprove it". 

As to my opinion on what happened in this Tuft's matter, that is a risky proposition to even start. Too many 'experts' are asked their opinion on a cyber-related topic, and if the answer is not something to the effect of "Well, practically anything is possible", then the expert may get dug into a position that may not have been the best to dig into. The best opinions are those when you have complete and unfettered access to all available information, and based on your training and experience coupled with the evidence at hand, your opinion holds legal weight.

Side note: Don't forget that the "F" in DFIR stands for "forensics", defined as being part of the legal process, meaning that there are rules and procedures to follow to identify, validate, and admit evidence in legal proceedings. It's not just willy-nilly-I-found-an-IP-address!

I feel obligated to respond to one of Harlan Carvey’s points in his recent blog post, Book Writing Misconceptions (https://windowsir.blogspot.com/2019/03/book-writing-misconceptions.html).  I agree with everything he points out about book writing, so no need to regurgitate any of what he wrote, except to say, ‘ditto’ on the book stuff.

The thing that I want to expand is that of Harlan taking phone calls.

Back in the day, from my narc desk, in my narc office, when I was contemplating whether to dip my toe into ‘computer forensics’, I found Harlan Carvey’s email on the Internet while I was researching if I really wanted to get into this thing called computer forensics. Harlan's email has never been a secret by the way…he's had the same one from more than a decade now.

I figured that since he put his email in the public view and that I was thinking hard on getting into forensics, I would cold shot Harlan with an email.  Surprisely, Harlan replied within a few minutes with his phone number. Of course I called him :)

He may or may not remember that call, and no need to get into the details of the call other than to say that this call was the deciding factor in me jumping wholeheartedly into this field. There was no other person, and no other thing which made such a directional turn in my career into this field more than this one cold shot email and phone call to Harlan. I'm not the kind of person that does anything half way; you could say that I went overboard in forensics as soon as I hung up the phone and haven’t slowed down since.  When I wasn't undercover arranging drug deals, I was planning, learning, and conspiring to get into forensics one way or another. And I did.

The point being, Harlan aint no joke when he says he responds to emails and phone calls. In my example, it was one of the most important calls that I have ever made.

The other big point

Your words are heavy.  Your advice can inspire someone to their potential. Your personal recommendations and advice can guide a person in a direction that benefits them personally and professionally, and you (by extension) will help others tenfold. Or not, if you don't take your words seriously.

As for me, I suggest that lending an ear, offering your hand, and gently pushing someone to their potential greatness is the most honorable thing a person can do in their life.

During a recent workshop, one person in the class kept asking me for the magic bullet to work his case. By that, I mean that he kept asking me over and over again for the answer to one of his cases. A ton of ‘hypotheticals’ and another ton of ‘what ifs’ and a half ton of ‘that does not apply to my case’.  One thing about these types of questions is that nothing is going to solve the problem when you don’t know what the problem is in the first place. Another thing is that there is no one answer to solve someone else's problem in their case that you can give, not usually anyway. You can guide and suggest, but having the answer isn't typically going to happen.

So then this happened

The second part of the workshop was a discussion of past case studies and then current cases from the class (whoever wanted to volunteer their cases). The guy with all the questions, had none during the volunteer-your-case time. Others did, but not him. Oh well, I had been hoping to dig into his case directly, and when the class was over, the detective was gone out the back door. Probably not the happiest student since he left right after the class was over. We did get some really good ideas going on some cool cases that I wish I was working...

Fast forward a month.

The dissatisfied detective emailed me. He figured out what to do in his case, which worked, and it was nothing that I had given in the workshop. I thought that I was getting a complaint until he described that when I was discussing case studies, one thing led to another, to another, and he thought of something on his own, which was the key to overcoming an obstacle in his case. He was halfway complaining that I didn’t give him the answer, but conceded that I had helped him find it on his own. That was the entire point of the case studies session by the way; Figure it out yourself, with a tad bit of inspiration.

To the point

Had it not been for him listening to case studies (past cases and current cases) from a variety of different perspectives, he most likely would not have been inspired to come up with his own solution. At best, the solution might have come to him weeks or months later had he not listened to the class discuss case studies, and at worst, never at all.  For that, I’ll take a little credit to providing the spark for a fire.

Here is the thing with case studies, particularly with DFIR-type case studies; unless you did the case yourself, you’ll not have all the information on how the case was worked. But you can get a feeling of the flow of the case, a few pointers on how someone else ran it, and maybe grab a spark of inspiration on one of your cases.  All you need is a spark, not an explosion.

I’ve been making some case studies available through videos, in which I talk about the main points of cases that I find online. Talking about my cases doesn’t make as much sense because I already know what I was thinking.. It is the other cases where I want to find out how other people think, how they plan, and how they implement investigative strategies in their cases. With the videos, my intention is to show how I look at cases, criminal or civil, and things that I learn. If I could go back in time, I would do all my cases 10x better than I did, simply because I continue to study how cases are worked by others, gain ideas, and get inspired by innovative methods.

The forensic part of casework is ‘easy’, in that as long as you know how to do X, Y, and Z in an analysis, you can examine any piece of electronic evidence. Yes, analysis can be tedius, monotonous, eye-straining, and frustrating, but it is essentially easy when you can work tools to do what you want done with the data.

Do you know the difference between an average analyst and a great analyst?

One just examines electronic media and the other works the hell out of a case.

As a side note, I am working toward becoming a great analyst one day. I will never get there, but I won't stop trying until I do, which I may not get there, but I will keep working on it. I hope you get the point of that :)

Tips

• - There is no limit on the number of great examiners. Whoever wants to be one, can.
• - There is no restriction on who can be a great examiner. Identity = irrelevant.
• - This all applies to you.

Examples

Here’s two videos on case studies to get a feel of what I mean. I have more videos, and making the time to keep them coming, but this should hopefully drive home the point of what I mean when I say that you, yes you, can break a case regardless of seriousness or size. From theft of petty cash to cyber-terrorism, a case is a case is a case. You just need to work the hell out of it.

More case studies here, and more coming: https://www.patreon.com/DFIRtraining 

The bad cons are the criminals that victimize you.

The good CONS are the conferences that you were glad to attend.  CTIN is one of those good CONS.  I’m partial to CTIN because it was the first organization that took me in when I was but a babe-in-arms as far as digital forensics goes. I am also partial because the people in it have always, and I mean that literally to mean all-the-time, been the best in welcoming members and sharing everything. I’m also partial because I was once the Secretary and afterward, the President. I am glad to see that CTIN has maintained its original founding principles. Much of what I am writing in this post applies to most local conferences, so you will probably think that I am writing about your local organization. That's cool if so, and also it's my intention to bring out the good.

The bad stuff

I have to admit, I have read the incredibly terrible things that have been happening at conferences. I won’t repeat anything that I read simply because I don’t want to make it any worse than it sounds. As for me, I’ve been to many conferences, but ‘many’ is only a small percentage of the number of conferences there are. For the conferences that I have presented and/or attended, I have never seen any of the negativity that some have seen. Mostly, that is because I usually fly in to present and fly out, or stick with a close group of friends for dinner (or just me and my wife) without getting involved in any craziness of midnight partying. However, with the high number of attendees in some of the conferences, I have no doubt that things happen. Don’t forget, I was an undercover narc for a decade…I know how people can get.

By the way, if I ever were to see negative behavior, I am the kind of guy that is not happy if I am not the first person to address it, directly, on the spot. I don’t agree with calling out anyone online, but I will fix problems on the spot because the evidence is there. The witnesses are there. The culprit is there. And usually, it is best to handle it on the spot. Enough of the bad. Onto the good! 

The good stuff

CTIN (http://www.ctin.org) became a non-profit way back when, back in the days of DOS and floppies. I came on-board as a cop just starting out in forensics around that time. We had monthly meetings at the police academy in Burien, Washington, and probably had eight or ten folks show up each month .Half were cops. Half were private sector tech. Both were figuring out this high-tech crime thing..together. After our meeting, we’d head out to a nearby restaurant and continue our conversations before heading back to work. It was, and still is, a public-private partnership in high tech crime investigations.

Over the years, CTIN grew to hundreds of members, with training sessions having almost 100 showing up! All of this cost each member nothing but their time to attend.  Everything was shared, any member with something to add was (and still is!) welcomed to share, and everyone knows everyone, at least by face if not by name.

The lucky stuff

The Seattle area is rife with seriously great people in this field! I mean, we have Amazon, Boeing, Microsoft, dozens of tech start-ups, and even Google moved in. And we have companies like Crowdstrike, DomainTools, and other greats each all having their toes or completely immersed into the cybersecurity realm. And don’t forget the University of Washington! With billiionarie Paul Allen’s donations to the UW computer science program, we have quite a bit of talent to draw upon; after all, US News ranks UW #6 in the nation in Computer Science. Any member, or rather every member, in CTIN has the opportunity to sit next to someone with amazing experience. We are also a short driving distance away from British Columbia, Canada. Talk about competent forensic folks, they are not only competent, but also nice to be around ('cause Canadian, ey?). 

The CTIN conferences

CTIN didn’t always have conferences. I took a chance and volunteered to arrange the first one and over a hundred people showed up! Speakers were great, and the venue was not that great. An old hotel near the airport…dark…dingy…slowest Wi-Fi on the planet, except maybe the Kwajalein islands. It was also our first attempt at “swag” and charging money to pay for the venue. It worked out and is still working. From that experience, any time I meet someone who arranges these types of conferences makes me want to give them a hug or a drink.

Now CTIN is at Microsoft for the conferences. How's that! From a dingy hotel to the Microsoft campus. Not that a place like Las Vegas isn't "fun" to have a conference, but compared to having a conference at the place where the actual source code to 99% of your electronic evidence is being developed, there isn't a comparison. You won't get access to source code, but you'll be sitting in the same buildings learning how to examine it. That's kinda cool.

The best stuff

The CTIN conference is not the only good conference. There are plenty of others. Many of these conferences (should I say ‘all’?) are run by folks donating more time than they originally planned, herding multiple organizations, dealing with money, schedules, and more with the only compensation being that they were part of something that made a difference. Every non-commercial conference is like that. The non-commercial conferences charge just enough to pay for expenses because no one gets paid. It is all done to share. Commercial is different, but that's not what I am talking about.

Some of the best stuff is meeting great people at a local conference. You’ll not find a more well-connected bunch of people than those working and attending at a local conference. If you want a connection to a Fortune 50 company, you’ll find the nicest people here. Actually, the person who helped me get into this forensics field worked at one of the world’s largest companies, is a published author, speaker, and is an extremely experienced and technically competent forensic examiner.  With all of that, he spent personal time in me as a mentor that turned into a decade long friendship. He’s also one of the founding members of CTIN, so that’s how this CTIN thing started.  A nice guy met up some with nice folks, helping each other figure out this cyber-thing. Then they shared it all.

And that’s why I will always be a CTIN member.  

**edit 2/16/2019**

Forgot to mention, I'm speaking at this year's conference. Please say 'hi' if we've not yet met.  I'm one big ear, so to speak :)

The #1 factor is not giving up. The #2 factor is talent. Actually, scratch #2. You can make it without talent if you don’t give up. Talent is overrated.

<sounds of desks being pounded>

•   *Here is the thing about giving up or quitting:      It is easy to do.
•   *Here is the thing about not giving up or not quitting:      It’s tough.
•   *Here’s the other thing:      You will never know “when” you will make it.

I talked about my path into “DFIR” (specifically, the DF part) in today’s Patreon podcast.  Although I didn’t talk about everything, I did give the broad-brush stroke of what I had to do. It took years, lots of my money, lots of my personal time, and personal risks. This was before the flood of colleges offering degrees in cyber/forensics. With a wife, two young kids, and working full-time as an undercover cop with crazy schedules and travel, I had every reason to quit. More of that in my podcast, but you get the point. Others have had more difficult circumstances to get into the field, so I’m not complaining. I'm just saying that I have yet to meet someone who glided into their favorite DFIR job just as easy as buying a book on Amazon.

For some years, I taught at the University of Washington's Digital Forensics program.  Every student in the UW-Seattle Digital Forensics program that I taught was told the same thing, on the first day of the program each year:  “If you are sitting in this room, with the intention to learn forensics, you are smart enough and have the opportunity to do it. You just have to do it.” - me

I say that to you reading this, here and now.

By the way, this post was inspired by Liam Booth.

Soooo, I may have blown the dust off my old wordpress(ugh) blog, and made a new post. Annnd I may have name dropped a couple of people (@Brett_Shavers @cybersecstu) https://t.co/ddH66lqNhL

— Liam Booth (@UpsidedownCanuk) January 10, 2019

From those words that I read in the post, Liam is going to do it.

A story of not giving up

When I was a younger pup in a military course that had a lot of walking in it, the last walk on the last day was a long one.  Before that last “walk” of 20 something miles, one of the guys next to me said that he is going to make it even if it kills him. Of course, I said, “Me too.”

At the end of this walk, I was sitting and watching the last people coming down the hill and there was that guy walking down the hill.  He fell, got up, fell, got up, fell, and didn’t get up. Then he was crawling. Then the Corpsman rushed to him. He was having a heart attack, and then he tried to fight off the Corpsman until they got control of him.

The good news is that he lived. The bad news is that he was medically discharged afterward. But I sure learned what determination looked like. He had it. I don’t remember his name, but I am sure that whatever he wanted to accomplish after the military, he did it. I wish I remembered his name because I am curious. Then again, I’m not curious because I know that he made exactly what he wanted. He has been my role model of determination every since. 

I hope that I imprinted this trait on my kids, and think I have. My son wanted Harvard to accept him out of high school. That didn't work...he was not happy at all about it...but after going to another college and working extremely hard at everything, he starts Harvard law this year. Determination and tenacity will win out over natural talent and wishy-washyness. 

Back to knowing who will make it in DFIR

My point is that it is difficult to get into any profession, including DFIR, but there are some who I have met that I know will make it. There are also those who I meet and I know they have no chance. Not because of who they are, what they are, or where they come from, but because of attitude.

For me, DFIR is overwhelming in that there is so much information and breadth, that choosing something specific to focus on is like being a kid in a game store who is only able to buy one game. Or more personally, me walking inside Cabalas…. But that is also what makes DFIR so great with so many opportunities.

Making the long story short

•   *Do not quit, period.
•   *Motivate yourself because no one else will.
•   *Make your plan, because no one else’s plan will work for you.
•   *If you think you can, you’re right.
•   *If you think you can’t, you’re right.
•   *There is no magic bullet to get what you want.

One more thing

I want to be the person that is the #1 supporter of anyone and everyone who wants to better themselves, improve themselves, and get into any profession. Motivated people motivate me. I have had plenty of obstacles in my life, and I distinctly remember each and every person who either cracked a door for me to step inside, held out a hand so I could pull myself up, or pointed me in a direction so that I would at least be going forward and not backward. I also remember the saboteurs, but not for the same reasons.

So, the ‘one more thing’ is that we, those in DFIR, should endeavor to fan the flames of those with the attitude and motivation to follow in your footsteps. I say “your" footsteps, only because I am also working my way forward in the shadows of those who came before me, those who are clearly more skilled, and those who I value as a role model.

My goal…I want anyone who I can give guidance, to do more in their life, than I ever could in mine. If we don't at least do that, then what is the point of it all?

Short version:

1. Bring your A Game
2. Don’t hold back
3. Be prepared
4. Know what you claim to know
5. Fight complacency

The longer version (and the version you should read):

First, here’s what I mean about being outdone, outmaneuvered, or plain outright embarrassed in DFIR: someone or something kicks your butt in the arena. The ‘arena’ could be in court, or mitigating a breach, or just working a case where nothing is going right for you.  Sometimes the arena feels like a circus. The last place you want to be in that kind of circus is the center of attention wearing clown shoes with a red nose. Trust me. I’ve been there more than once (I will talk about my experiences in tomorrow’s podcast). 

Bring Your A Game

If you don’t approach every scenario with the intention to do the best you can do, then you have a some chance of screwing it up. Maybe it will work out like it has for the past 50 similar situations, but I promise that the day is near where you will screw up just because you didn't do your best.  You must bring your A Game each and every time, regardless of how small the task or monumental the objective.

I will give you one mindset shift that will help you: Never accept when someone tells you “good luck” and never wish someone “good luck”. Luck can beat most anything, but luck is simply chance.

Here is a better way to look at the “good luck” saying. Rather than good luck, simply ‘do your best’.  If a team member is about to tackle a problem, especially a potentially public problem, recommending your team member to do their best is a better encouragement of wishing them luck. For a good example of this theory, check out the Japanese. They don’t wish luck.  It is “Gambatte!” which translates to ‘do your best’.  Both of my kids were raised with “Gambate!” their entire lives as their mother is Japanese. I have never seen either depend on good luck to win a sports match, compete in a music recital, or get into the colleges they wanted. Live by doing your best, not hoping for the best will happen by luck.

Do your best each time you approach a scene, scenario, situation, incident, task, computer, malicious file, or meeting, focus as if the only thing that matters is the task at hand, because that is all that matters. Never ever trick yourself into thinking that ‘this time’ is just like the ‘last 100 times’.  Every time is the first time, and it is the only time that matters.

I’ll bring this around to the military, to where in Marine Corps Boot Camp, a drill instructor asked me (asked is polite for how it came out of his mouth), how many rounds are fired for rifle qualification. As he repeated his question in case I didn't hear it the first 10 times, I tried to count how many rounds at each line of fire, and of course, I got the answer wrong. 

The answer, which sticks with me today, which I have repeated in anything that I have taught for decades since, is that there is exactly one round fired in any firearms qualification. The round fired prior doesn’t count. The round to fire after the current round doesn’t count. The only one that counts is the round you are firing. Same with any task in DFIR. It doesn’t matter what you have done before, how many times you have done it, or how many more times you will do it. The only thing that matters is this time.

One round. One chance. One opportunity. Focus on the current thing as if it is the only thing, because it is.

Don’t Hold Back

If you get really good at what you do, you may tone down your efforts a little just because you only need to do 75% to solve the problem (whatever the problem is). Do not do that. Go at it full speed and full energy as if you don’t know how your task will turn out, because in reality, you don’t know how it will turn out regardless of how much effort you put into it.

Holding back in DFIR work means that you could be going all out to solve a problem, but you figure, “nahh, I’ll just run the so-and-so application over the drive and be done with it”, or “I beat that opposing expert in court last time, so I’m fine to go up against him tomorrow.”  When you hold back, your opponent, whether it is a person or data, will eventually take advantage of you holding back.

Be Prepared

This is an easy one, but something we sort to slack off the more we do the same thing over and over. In everything you do, be prepared. Think back to how many times you had to do something and assumed that you have the tools in your toolbox, or the dongle in your Go-bag, or that your software license was current, and when you needed to use it, you couldn't. When you run into a situation where this sort of thing happens, it is solely because you were not prepared.

An uncomfortable related preparation issue is that of your teammates. If you must rely on someone else to do their job in order for you to do your job, be sure that they do their job. The buck stops with you, and blaming someone else is a bucket that holds no water. Don’t assume that a teammate (co-worker or whomever) will be prepared to the extent that you need them to be prepared. I have too many examples of this happening to me, where entire operations had to be cancelled because someone forgot something that they were told to bring. Double-check. The end result will reflect on you, regardless if a teammate is blame (which, if it is your gig, it is your responsibility to make sure).

The two-prong point is that you need to be personally prepared and ensure that if you depend on any other person to do your job, that you supervise them to do their job. Yes. Technically you could be ‘supervising’ someone, but more specifically, you are making sure that you can do your job.

Know what you claim to know

If you are reading this blog post, especially to this point, you have dug deep in the world of DFIR. My assumption is that you know more about the DFIR field than the average computer user. That means you know far more than simply ‘what is a computer’.  I would bet that if were thrown into court tomorrow and quizzed, the court would qualify you as an expert in some aspect of the DFIR world that you know. The reason…is because you know more than the average bear. That makes you an expert.

Here’s the thing to remember: being an expert, or someone considering you to be an expert, or even a judge qualifying you as an expert does not mean you know everything. Quite the opposite. It means you know more than most people, but you are also acutely aware that you are learning all the time.

Those who have been doing this work for more than a few days will never say that we know everything, or that we know everything about even one small thing. There are too many variables, too many moving parts, and too many unknowns to claim to know it all or be a know-it-all.

But if you claim to know something, you better know it, because one day, you will be called upon to prove it. You won’t have time to prepared. You won’t have time to learn it. You won’t have time to practice. It will be game-on at that moment.

Fight complacency

The better you get at what you do, the better you get at what you do. Which means, the better you hone a skill, the more honed that skill naturally becomes. Realize that this is a good thing, but comes at a price. The price is complacency. Complacency will sink your career and skills faster than a long-tailed cat running through a room full of rocking chairs. In some jobs, your life may depend on not being complacent.

<Back to my wife> I have had the fortune of "luck" by working hard to get good results. At times, I would brag about some of the things that I have done and my wife would always give me a Japanese proverb of “Even a monkey can fall from a tree”.  Until I was t-boned in a patrol car did I really take this to heart. I’ll talk about the wreck in my podcast, but suffice to say that I consider myself to be a monkey that is trying not to fall out of tree, regardless of how good I am at climbing trees.

The point

Everything you do needs to be done with pinpoint focus as if the task at hand is more important than it appears. I am not suggesting to stress yourself out when you have to image a drive or run AV against a media, but that when you do the little things with focus, the bigger things will be more easily handled.

When I am hired for peer-review reports to find flaws, I can instantly pick out where the analyst was lazy, or complacent, or is relying on past experience and luck rather than focusing on the work or even focusing on the report. Any time I hear someone say, “I’ll just knock out a quick write-up”, I cringe. If it relates to my case, my responsibility, my name, my reputation, or any aspect of my work, I stop-drop-and-roll with a clear “That report better be your best work or don’t give it to me.”

A warning

You will get caught off-guard at some point. Unprepared. Surprised. And you’ll have to sit in the hot seat until it is over. BUT! If you at least do the five things in this post, the chances that you will be in that hot seat will be less and when it happens, it won’t be so bad, because you will know that you did your best.

Gambatte!

This week, @taosecurity (Richard Bejtlich) wrote an important blog post on managing burnout (Managing Burnout). As he mentions in the first sentence, he is not talking only about information security, but burnout in any profession.

I’m certainly no expert in preventing burnout, other than regularly bringing myself to the burnout line, because that is the way I am. I enjoy working hard, solving problems, and moving on to the next challenge.  I tend to go all the way to that line because of high expectations of myself. I also tend to be highly vigilant of my limits.

I believe that most everyone in InfoSec (DF/IR) has the same type of personality. We see broken things and want to fix them. When we don’t see broken things, we break things and try to rebuild improved versions of what we just broke. That’s the nature of problem solvers. I have been that way in every job that I ever had.  You are probably the same way. This works out well most of the time, until it doesn’t.

Richard shared a great deal of his personal burnout careers, for which I am grateful of his sharing. My belief, based on what I have seen in my life so far, is that for us problem solvers, we have to monitor our burnout because few others will do it for us, or even if they notice, will ever show that they are worried about pushing ourselves too far.

For me, I have been lucky. My family has been the balance of burnout prevention. My wife certainly makes sure of it and I take vacations whether I feel I need it or not. Moral support is priceless too.

But here are some things that I learned about burning yourself out at a job.

• * The harder you work, the more work you get. Work smarter. Not harder.
• * Your job didn’t miss you before you got there. It won’t miss you when you leave. Do your bit and then go home.
• * Suck it up. Don’t be selfish. Until this turns into stupidity; then you stop.
• * There’s and time a place for everything. That includes recuperation.
• * You are just a warm body. You are there to do a job, not become the job.
• * See someone reaching burnout?  Offer support.
• * Are you a supervisor and see someone reaching burnout? You better have resources on hand, right now.
• * Be a positive in life overall.  Ask coworkers and friends how they are doing. You may just save their job.
• * If someone tells you that they are at their limit... BELIEVE THEM!.

This is what I came to conclude from my last jobs as an employee (before becoming business owner and part-time employer). At one point in my police career, I had many duties at the same time. Let me repeat myself: all at the same time. Most were on-call duties, but it added up. I was the Use-of-Force lead instructor (defensive tactics instructor, firearms instructor), SWAT, OIC (Officer in Charge), narcotics/vice detective, undercover officer, and computer forensics examiner. I carried a pager (for SWAT), a business cell (for detectives), and up to a dozen burner phones for all the undercover cases I was working in multiple countries and states. I answered calls 24/7. Was called out for bank robberies for SWAT, officer involved shootings as a detective, and undercover assignments for guns, drugs, human trafficking, and stolen car rings. I did some really cool cases in some really cool (and scary) places. I was at work a lot.  A whole lot.

None of that bothered me, except that when I would seize $100K cash in a drug bust, the expectation from my agency was that I would seize $200K the next time.  Or if I arrested 10 in a major case, that I’d arrest 20 the next time. And if the next case only had $10K in cash and one car seized instead of a fleet of luxury vehicles or a flush safety deposit box, the case was a failure. And running from city to city for either SWAT or undercover or imaging a computer, only to be worry about having lesson plans ready for either defensive tactics or firearms to teach the next week, led to me always reaching that burnout line as I didn't want a failure of a case because only $10K in drug money was seized, or the drug dealer's car was only a Camaro and not a Mercedez. Unnecessary stress. Half of it self-induced.

Couple that with expectations from multiple agencies that I worked with, that I was doing all of this at higher levels than anyone anywhere, that everyone believed that I could just keep going forever. Doesn’t work that way. This is where I repeat myself; know your limits because no one else will, or few (if any) will care anyway. Your warm body will be replaced by another warm body when you leave.

I have never been approached with advice or support or suggestions or offers to take some of the burden, so I quickly learned that it is up to me to recognize where my pain threshold is and to take proactive measures to not cross that burnout line. My suggestion is that you should never expect anyone to tell you that you need a vacation. You have to check yourself constantly. Consider yourself lucky if someone else tells you that you need a break. And take the advice because they may see something you don't.

Did I mention that family saves the day? Family and friends are my cure all to burnout. When any of them say, ‘Hey, you should take a vacation’, I take it to heart and take time off.

I have seen the Infosec community only in a sliver of time and space, much like peeking through a fence at a football game for one play, I only see a bit of the game. I haven’t worked everywhere or with everyone, but I certainly see some of us get burned out, frustrated, and even leave the profession for something else. With self-management, we can reduce this exodus, extend our joy of working in this field, and be productive by solving problems. More important, we can be better humans and be happy.

I don't want a point getting across that I am advocating being lazy, or not working hard. Quite the opposite. I have learned that when managed properly, you can be a star player and still take vacations,  and still not work yourself until you are delusional. Key point: Being a star player means taking care of yourself.

As far as being better humans, one of my primary goals in life is removing the worst humans from my life. If someone is not supportive, or always negative, then I don't want to be near that person, online or in real life. The Internet has made the few worst of us affect the whole lot of us, with negative tweets or shares, lies, allegations, and just plain meanness. They will never go away, so as the saying goes, don’t feed the trolls. A method I believe in:  mute them. block them. ignore them. don’t engage them. There is no other way to be less affected by the ugly on the Internet without excluding the Internet completely. 

Be vigilant

I look for burnout in others. And dude, if I see it, I am on it like no one’s business. If it comes down to me just giving a hug, a pat on the back, or having a serious sit-down, I do it on the spot. Consider that if you see burnout in someone, that is a problem. You are a problem solver. Go solve that problem. You might end up doing more than just saving someone’s job.

**May 15, 2019**

Relevant video, well worth the watch.

Call me paranoid. It’s okay. I’ve been called worse.

Nothing I am saying in this post will harm officer safety and actually should increase it. The public needs to tell cops to stop being online marketing tools. PIOs choose to be a public figure, but the everyday patrol officer is a law enforcement officer, not a marketing tool. Officer safety is responsibility of the individual officer, but it helps if others remind each other of the pitfalls of police work when sacrifices in officer safety is seen.

The Internet is a boon to law enforcement investigators. I started in police work before Microsoft Outlook for MS-DOS was released, which means, the Internet really was not an integral part of police work.

Introducing Google Earth and Brett’s eyes opening wide

The first time that I realized that the Internet may be pretty cool for police work was when I was on SWAT and attending a search warrant briefing where the team leader used Google Earth…I sat there thinking, “Oh my. This is so cool.” Practically every SWAT raid used some form of Google Maps or Google Earth after that briefing. That was really cool for officer safety.

Then I went into detectives (narcs, vice).  Of course, the basic Internet investigations at the desk were cool, but being able to lug a laptop in my undercover car on surveillance with Internet access, and having direct and immediate access to lots of alphabet resources like DMV/DOL, WACIC, NCIS, HIDTA, and the usual public Internet research tools outside the office…“Oh yes. This is so very cool.”

And then I started ‘running informants’…

I developed and managed over a hundred informants in my career. That’s a lot, but not all at once. Some were one-case wonders, some were cant-put-together-a-ham-sandwich informants, and some were star players. Out of that 100+ informants, 3 were kidnapped while working for me. I have to use a cliché because there is no other way to say it, but they were each beaten within an inch of their lives. One was held hostage for three days in a basement in an abandoned house…and tortured. Because they were not cops, and they each kept their wits and never admitted to being informants, they were all let go. This is from 3 different cases involving 3 different and violent organized crime groups. Had they been cops, and had public facing social media accounts, it would have turned out differently. *SIDE NOTE* These 3 informants were star players, kept working with me in the cases, and helped me turn three self-initiated cases into full-fledged, successful OCEDTF investigations.

But then I started working undercover…

A friend of mine in another agency told me a story of how he forgot to bring his undercover (fake but real) ID with him on an undercover op the month prior. The targets wanted to meet at a bar, which requires….you guessed it, an ID check. Rather than say that he forgot his wallet, he used his real ID and covered up as much as he could to just show photo and date of birth.

Less than twenty minutes into the undercover meeting, he was outed as a cop in the bar. They claimed to have his real name and agency. And they were correct, all because of an Internet search of the information that he didn’t cover up. He was lucky that he was in a public place with targets that didn’t want to kill him.

I’m getting to my main point a little further in this post, but I want to give more supporting info first

There are many stories I can talk about to drive officer safety points home. Although I was a use-of-force instructor (defensive tactics and firearms), the officer safety methods that I also pushed was non-physical, and I carried this over to undercover work.

One of several eye-opening experiences I had was being in a room full of criminals in an OC case where someone in the room was on the phone, asking for information on a name. After the call, the guy using the phone told another guy in the room about the guy’s name he asked about on the phone.  The other person on the line gave the date of birth, full name, home address, and arrest records of that name. Later, we found that the name had been run through DOL (DMV) and NCIC by a local police department. This criminal group had an ‘in’ with that police department, which turned out to be social engineering through a criminal third party, but nonetheless, they had someone who had social engineered their way into law enforcement records. They had the information in minutes, way faster than the public records check story I mentioned earlier at the bar.

I have more stories like this than I want to have had, but the type of people in this particular room drove the point of officer safety home much more clearly than any other.  I was unsure if my undercover ID would have been enough if they choose to run my name. The thoughts I had at the time were, ‘how many bullets do I have on me’ and ‘do not let anyone behind me’ and ‘where is the nearest exit’ and ‘if the fight starts, stay in it, be in it, win it’. Technology is wonderful….

So I when I teach this sort of thing (OSINT/Internet Investigations) to cops

In LE-only courses, I give more details on the cases I worked and the close calls. And I show how to background someone suspected of being a cop or an informant, in a manner that criminals do it using both public-only resources and public+private+govt resources (in case of corrupt or compromised govt employees).  In one class, I was questioned about the effectiveness, and the officer questioning me asked to background him. Against my suggestions, he pushed it, and so I did. Using just his undercover ID and supporting ID (other things typically used to prove an ID), I found him online. And his home address. And his agency. And his social media. And his family. And his daughter in college. And her apartment. And photos of her and her car. And the location where she will be on the next Friday night. The officer stopped me at that point. We did this together during the lunch break and used some of what we found in the afternoon for the rest of the class.

Here’s the point, and it applies to non-LE too

Your photos that you post online are going to the cause of problems. Let me say that I know that everyone will still keep posting photos online. That’s not my point. I have been accused of being a cop while undercover but there was not a publicly available photo of me anywhere. Well, there were some physical photos in a few public places, nothing you could find online. The odds of being identified are much lower when a photo can’t be printed and held up to your face while you are in a small room with locked doors and everyone has a gun.

The bigger point that I want to make is that the current philosophy of law enforcement today is to encourage police officers to be active on social media, to be involved in every public event to get dunked in buckets, break dancing in parades, and making music videos. I understand the intention to have police look to be involved in the communities they serve, but I’m telling you that this is not the way to do it.

Using cops as agency marketing tools sacrifices officer safety in ways that can never be remedied or fully felt until something bad happens. These photos and videos are forever! Young officers who are active online socially (personal life) and online with agency encouragement, or worse by requirement, have practically ended any undercover work in their future and have placed their families at risk. It is virtually impossible to be invisible today. The extent of personal information that is publicly exposed, on purpose, will be used by criminals to harm law enforcement officers and their families.  If not harm, it is wholly possible to compromise an officer using information found publicly online. Anyone, and I mean anyone, can be compromised by being groomed either in the short term or long term if their life is open for public inspection. Grooming isn’t just for kids.  I groomed many-a-criminal to be informants, either as witting or unwitting informants.

More to my point

Hey police agencies, maybe you want to take a step back with all these music videos and break dancing in the streets for photo ops. Do you really want to sacrifice the safety of your employees and their families because dunking the officer in a bucket of water on Facebook makes police work more effective? The community knows if their police engage in the community or not, regardless of if an officer is on YouTube doing the moonwalk or skateboarding. The job is already hard enough.

For the cops out there, come on now. Think about it. There are sacrifices to make when you are military and law enforcement, and one of them is controlling your social media presence. No matter how ‘nice’ you are to every person you arrest, you are at risk by someone who doesn’t care how nice you are. They maybe only care that you arrested a family member and now they may want to hurt one of your family members. Why make it easier for them? Why have your spouse be followed home from work by suspicous cars? Or strangers approaching your kids telling them to say hello to their Mom or Dad by name?

And for the non-LE DF folks

Don’t think that I forgot about you. Some of the cases you may working in the private sector can have the same safety issues that law enforcement have. Just one example of a CIVIL case I had, was that the defendant in the case had everyone terrified. He wasn’t diagnosed as mentally ill, but he was clearly dangerous, threatening, angry, and had the background to back it all up. I think I was the only armed person working that case…

The inspiration for this post… https://pimeyes.com/en/

Stand by, here comes my opinion on forensic tools (software and hardware)

I tend to prefer having the option to pick among a large selection of tools to be highly specific in solving problems. The fewer options I have, the more likely I will be doing an “OK” job instead of doing a “good” job. Worse still, when not having the right tools, I may not be able to the job at all. With that, I say things like, “The more tools in your toolbox, the more problems you can solve.”

This doesn’t mean tools solve problems. It doesn’t mean that anyone with many tools can solve problems. It doesn’t mean that any tool can solve any problem. And it doesn’t mean that merely having lots of tools means you can solve lots of problems. I simply mean that by having a choice of tools that I am competent to use, I can pick the right tool for the right job.

To elaborate a little more, I do not believe that having every tool in existence is a reasonable plan. There are far too many tools available for any one person to be competent (even at the least level of competence!), or to keep updated, or to validate, or to use with any frequency to remember which button (or command) does what. It is just too much.  

Each person has their own sweet spot as to how many tools that they need for their job. For some, this may be a few. For others, it may be more. And for each person, the sweet spot is different. And over time, the sweet spot changes.  Even with different jobs, the sweet spot will change. You have to find your sweet spot and no one else can tell you what that is. Did I mention that your sweet spot of tools will change? 

Related experience on having too many things: In my younger life, days after I checked into 2/3, I was headed to the field for a month (PTA). What did I do to prepare for 30 days in the field? I went to the PX and bought a bunch of nicely packaged and enticing junk that was packaged and marketed as "the top 10 things that Marines need to bring to the field". I brought back this junk to the barracks and started packing and strapping junk to my ALICE pack. The old salts in my squad ribbed me pretty bad about me wasting my money on ‘junk’. The things I bought were promises of making field life easier for Marines in the field. The packages said as much!   Days after being in the field, I cursed every little junk item I bought because all it did was add weight to everything I was carrying, did nothing to make fieldwork easier, and I learned from the salty Marines on what works in the field based on hundreds of years of Corps’ existence, not some toy from the PX. Some of the NCOs that I mirrored were magicians in the field. Literally, they performed magic. The things I learned that a person can do with the right tools showed me that it is never just a tool, but the right person appropriately employing the right tool. I carried this lesson from that first month in the field through today with this blog post. 

"It's not the machine, but the examiner, that does the work" - Brett Shavers

Picking the right tool

Some questions have one answer. What is 2+2? Is fire hot? Is ice cold? Other questions have more than one answer. That is why this this blog post is titled, What’s the best way to get to Spokane from Seattle? No one can answer this question for someone else. There are too many variables involved for there to ever be one answer to the best way to get to Spokane from Seattle. Variables such as, how soon do you need to be there? How much are you willing to pay for travel expenses? Do you prefer to drive, fly, or ride a bus or train? Do you like a window seat or aisle? And hundreds of personal questions that affect the best way for you to get to Spokane from Seattle. Point being, best for you may not necessary be best for me.

So, when I hear “the best forensic tools” or “this is the best forensic tool”, I assume that the person stating or writing such a thing is speaking solely for themselves, as there is no way that they are speaking for me. It is impossible. The variables to choose a software tool are no different than choosing something to eat for lunch. It depends on everything.  Time to eat. Money to spend. Locations available. Type of food available. Allergies. Food preferences. Tastes. Desires for a certain food at that very moment. The person eating with you and their preferences. Any “top list” of anything is useless except for the person creating the list.

The point: You choose the best tool for you that can solve the problem.

How many tools?

I have written things about forensic software, but never stated that one tool is better than another, or that you only need one tool. The closest thing I have written that could be interpreted as such was in the X-Ways Forensics Practitioner’s Guide. And even then, I simply stated that if you are proficient in X-Ways Forensics, then you probably know your stuff and probably know how to use other tools too.

https://www.amazon.com/gp/product/0124116051/ref=dbs_a_def_rwt_bibl_vppi_i1

The appropriate number of tools is that number which (1) you can maintain competence and (2) those tools that you need. If you can’t maintain competence in a tool, get rid of it. If you don’t need a tool, why do you have it? Don’t overwhelm yourself with too many tools that you can’t use competently or don’t need to use at all.

Validation

I had an email recently asking my opinion on validation. I happened to be extremely busy at the time I saw the message on my phone, and didn’t have the time to appropriately respond. In short, the question was how do you validate tools and how often.  And do you use test images that are online. Wow. Tough question actually.

Without writing a book on forensic tool validation, all I can say is that I have spoken to many about this subject and I have found that it is a rare examiner that validates all of their tools, and at that, rarely does it regularly. The vast majority simply buy (or download) a tool and use it. Validation happens when they use another tool to check the work of the first tool on finding an artifact…in real cases. The result is that many of us use a tool (that we didn’t validate) to find evidence, and then we use another tool (that we also didn’t validate) to validate our findings. Hint: I test my tools against other tools against known data sets.

I’m not a software developer, but I am aware of what software testing is and how to do it. There are books on how to test software, with processes that range from simple to complex. I recommend picking up one or more of these books to get a handle on software validation before you get asked on the stand about it. Seriously. Check into it because it happens, or at least it happened to me.  At a minimum, I suggest taking advantage of Paraben's free ebook on validating forensic tools (https://paraben.com/validation/). 

As far as the online test images, I believe that they have their place if they were developed for testing. There are images that are freely downloadable for testing that were purchased from the private market. These particular sets of images are from discarded and used computer systems that we really have no idea what happened on the systems other than what the tools tell us. I find this to be very exciting, but only for the sake of curiosity to see what data did people throw out without knowing this risk? In my opinion, these are the worst images to use a test images, because we have to trust the tools to tell us what happened on the systems. How can you test a tool on data that you are trusting that a tool is correct in telling you if you can't validate the data? 

Test images should be images that you know exactly what data is on them, and know exactly how the data was created. If you don’t have the documentation of the activity that occurred on the image, then the only thing you are testing is your patience of time of running software. If you don’t know the fact of what happened on an image (prior to imaging of course), then how do you know your tool is performing correctly? You don’t, because you are trusting the tool to be accurate with the data that you can’t validate, in order to validate the tool you are testing…

**EDITED** 12/21/18

To clarify my initial thoughts on test images and tool validation, I think it better to state that the tools may be accurate in parsing the data on images on which you do not have assurance of the activity, but that the results may be incorrect or inconclusive. What I mean by this is by one example, is that the tool may parse the data correctly, but the data itself may have been anti/counter-forensics. To show this, I've created a trick-question in classes where I planted anti/counter-forensic data (user-created files) onto a drive purposely to throw off an analysis.  Tricks are unfair in teaching, but this sort of exercise makes several points, such as how to state conclusions in a report, to question why a file may or may not exist and its supporting metadata may or may not exist, and not to jump to conclusions at the first sight of seeing evidence.

The steps I took were simple:

1. boot drive to winpe
2. copy user-created files* (Word docs, etc..) onto the drive
3. image the drive

The result was most of the class assumed that the files were created by the logged on user account, on the dates and times of the documents/files. Some of the class questioned how the files were created (not downloaded, no evidence of the applications being run, no USB connections, no LNK files, etc..). The tools were correct in pulling the data, but the conclusions were wrong about the data itself. The point being made was that finding the evidence is #1 important. Next is to validate the evidence (is it really evidence or not?). And come to some conclusion of how the evidence most likely was created supported by other corroborating evidence (other than the actual data file itself). The result was everytime the 'evidence file' was found in classwork, students really worked to make sure they grabbed as much supporting evidence on that file as possible.

*The user-created files were time stomped to match Internet activity dates/times on the drive.

My test images

I have a set of test images that I have created over the years. For each image, I have extensive documentation with everything I did on that image, with date and time. It is a lot of work. A serious amount of work, but I now have a library with different OSs and different types of evidence planted on the images.  When I run a tool on an image, I compare the result of the tool with my notes. It should match exactly, and if it does not, either I used the tool wrong or the tool doesn’t work. I know that because I planted the evidence and know exactly what the evidence is. I know how it got on the disk. I know when it was put on the disk. I know because I did it and documented it as I was doing it.  My test images are validated by me, for me. You can’t do that with an image you find online. You can’t even do it with an image someone gives you, because you are trusting someone else with validation of the data on the image! At best, you are trusting the creator of an image to not only give you accurate information about the image, but that they accurately documented the creation of the data on the image. Think about that a moment.

One question that I saw on Twitter a while back concerning the software listings on dfir.training, was something to the effect of “are all these tools validated?” This is a legitimate question because there are over 1,300 software listings. The only accurate answer is that none of the software is validated. Not a single one. Not a single tool on Github is validated. Nothing on SourceForge is validated. Not a single commercial suite that costs thousands of dollars is validated. No open source programs are validated either. None of them. Nada. Zip. 

The only tools that are validated are the tools that you personally test. Out of that 1,300+ tool listing, whatever you download and use is up to you to validate.  Out of that 1,300+ tool listing, you may ever only need 5 or 50 or 500 of those tools in your lifetime. Again, that is totally up to your situation and needs and validation falls upon you. Sorry, but that is the way it works.

How I choose forensic tools

Everyone is different because we are.  Every scenario is different, because they are.  Tools are different because they are developed by different people and for different scenarios. All of this adds up to an infinite number of solutions for each person to decide on which tools to pick for specific scenarios.

Here is how I do I pick tools (keeping it simple…):

1. What is the problem?
2. What tools do I know how to competently use and will any of these tools solve the problem?
3. If I don’t have the tool, which tool can I become competent in to solve the problem?

That’s it. Every single scenario, I go through the same process. Some are quick and easy to figure out. If the job is imaging an easy-to-access single hard drive without any encryption in a desktop, then the choice is quick and simple. Scenarios beyond that will add a bit of complexity with each additional obstacle to overcome. This process covers every scenario from basic imaging to full-fledged network breach that is bleeding data like a stuck pig. There comes a point where I can’t handle a problem because it is way out of scope of what I know and time needed for me to learn what is needed. If I came across a problem that required me to be a program developer, I could do it if I had the time and the problem could wait while I got a degree in computer programming. But I know my limits, and I know how long it takes me to learn a new application to a competent level if that can be the solution.

Those pesky personal preferences

Back in the day, we didn’t really have much in the way of software choices. If you started back in the Norton Disk Editor days…you were really limited in choices overall. Today, we have many (too many?) to choose from. Then we have personal preferences. I know examiners who swear by one particular forensic suite (name any suite and I’ll show someone that swears only by it). Others won’t touch a suite because they prefer to use small tools to solve problems. By small tools, I mean those forensic tools that do one specific thing rather than a suite of functions. Some demand push-button only, others want CLI only. Some only use Windows-based, others only Mac, and believe it or not, some only use Linux-based forensic applications. Many use a combination of all of these, because it depends on the problem to solve coupled with competence in specific tools.

I never question someone’s preferences in tool selection or tool development, because preferences. As long as the problem can be solved, personal preferences don’t really matter.

It is only when personal preferences interfere with problem solving that it matters. When someone keeps trying to force a solution that keeps failing or is obviously inappropriate, then the problem is never solved and gets worse. If a tool is not working on a problem, and you can’t fix it, then quickly move to something that works.

You should be able to flow from tool to tool to solve problem to problem.

Reporting and tools

Accept now that one tool does not do it all.  This includes reporting. I have seen comments about forcing one suite to accept reports from other suites and tools because the examiner wants to press ‘print’ and have it all done in one.

In reality, each suite creates its own reports, and many (most?) small tools don’t even create reports at all. They will spit out the data, but not so much a report of the data like a suite will.  Unless you are only using one suite for a case, you will be hodge-podging a report from multiple suites of tools and creating output reports from small tools. Yes, some suites allow for easy importing of other reports, but as for me, I am combining small tool outputs with suite reports, adding software logs, pasting screenshots, and typing statements and summaries to form one report. When I take a course in a tool in which the provider is touting the reporting feature as the end-all be-all reporting feature, I kinda tune out because I heard that song before.

Trying to avoid the technical

I do my best to avoid technical writing, except for a few pieces that I want to put out that others may not be aware. The only reason I do not want to put out technical pieces is that so many others are doing fantastic work in publishing their research. David Cowen’s test kitchens are the most innovative that I’ve seen in the online forensic videos.  There are several on Twitch that have been doing the same sort of thing (hacking mostly), but Dave’s fits the area where I work in forensics, so I really appreciate what he is doing.  Others (too many to mention) are writing blog posts with some juicy technical forensic info. The thing I find missing is that of the investigative aspect, the principles and concepts of forensics, and the personal facets of forensic work.  That’s what I tend to focus on when teaching and writing. I believe we can all learn the technical aspects, particularly when we have some outstanding researchers sharing their knowledge! My objective is to push the other side of the coin, the side that focuses on using your brain to make decisions, to think things through, and solve any problem with multiple solutions derived on how to think.

Back to the best way to get to Spokane from Seattle

There are many ways. There are side roads, service roads, flight paths, and train tracks. Rather than think that you can drive to Spokane, evaluate the ways and pick the solution that fits your situation at that moment, because driving may be best today, but flying may be best next week. No different with forensics. Today’s solution may be different from tomorrow’s.a

The mechanics of digital forensics (and its related cousin, incident response) are fairly easy. A computer is a computer is a computer. Collecting data is collecting data. And an artifact is an artifact. As long as you follow the basic mechanical principles and concepts, you should be able to do the work without impossible obstacles.

A most basic example is imaging a hard drive on computer that is not running.

1. Protect the source
2. Image it

That’s about it. This example carries into all things DF/IR, as it is mechanical work coupled with decisions on overcoming obstacles in order to get the job done.

Here is where digital forensics is most easy!

DF/IR is easy to screw up. It is really really easy to screw up. Besides the mechanical ways to make an error, such as overwriting the original data, there ways to make things worse by thinking you know what you are doing, but actually don’t. Using the above example, there are a lot of little things that are needed for a complete job (like documenation, chain of custody, etc...).

Here are two personal examples.

Example 1:

I was hired for a civil case to examine a hard drive image. I received the image that was created by an employee from a nationally known computer repair company. The part of the case that matters is that after the computer was dropped off at this repair company, the computer was identified as being pivotal in a substantial and public civil case. An employee at the computer repair company talked his supervisor and attorney into believing that he could create a ‘forensic’ image of the hard drive.

The employee was first level IT in that I didn’t see much more experience than having an A+ certification and zero experience or education in digital forensics. The employee's only forensic work experience was creating this “forensic” image for the case using FTK Imager.

The process was not correct, as the employee believed that because FTK Imager (ie: “Forensic” Tool Kit Imager) was used, all was well in the world with the forensic image. Some of the issues: there was no chain of custody with the image or original source, the original source was subsequently lost, data was overwritten prior to and during imaging*, and barely any documentation existed. The only documents created were the receipt to drop off the computer and a text file created by FTK Imager.

I was hired to fix the ‘forensics’ in this case. The point of the story is that the employee thought he was doing forensics, but actually, he was screwing it all up by not having any basis of knowledge in the legal aspects of forensics or the technical aspects of creating an image (or much else).

End result: I couldn’t fix it because I didn’t have a time machine to go back in time to prevent the employee from touching the computer. Oh yeah. A new policy on not doing forensics was incorporated in the computer repair company.

Example 2:

On a civil case where I found child porn on a device, I immediately transferred the evidence to the local police department and wished the attorney-client luck (I don’t do those types of cases outside of law enforcement anymore). I also gave the PD the only image that I made of the original, along with an extensive report of what I saw that included verification of known CP hash comparisons. I’m stressing to you in this post that I made it extremely clear to the police department that without a doubt there was child porn on the hard drive, some of the worst that I have ever seen in my career. I even wrote my report as if it were an affidavit for a search warrant because what I saw certainly deserved police attention. 

Months later, the forensic detective told me in a phone call that he couldn’t image the drive and tried for months. He apparently gave up because he said that he was busy with more important cases (than child abuse), like rape and homicide...  He didn’t want any help, so that was it for me in the case. I offered that he could at least use my image that I gave...but nope.

Months later, I was re-hired to examine the drive, specifically for child porn, as the device owner was accused of also molesting his daughters. Then a weird thing happened. The wife (of the device owner) asked the PD to pick up the hard drive. She simply called and said it was her hard drive in evidence. They told her to come pick it up. Then they gave it (the original drive!) to her. Child porn and all. Nothing wiped, no court order for anyone to possess or examine.  Not only that, but the case was still open, and now included child molestation allegations.

The wife (client of my attorney-client) carried the original drive around, passed it on to her attorney, who days later wanted to give it to me. No one (including the police department) cared that child pornography on a hard drive in an active case of child abuse was being passed around without any a sliver of chain of custody or concern of what it legally means to possess that stuff. Or any care of how the data on the drive may refute or collaborate the real-time child abuse allegations.

PS: I refused custody of the drive until I was given a court order that said I could touch it.

The point of this story is that I wouldn’t expect the wife to know anything about chain of custody or possession of child pornography, but I would certainly expect (actually, demand) that the police detective and attorney exactly know. I further would expect that a police officer working in digital forensics could figure out how to image a hard drive in a day rather than never figure it out in months before giving up.

End result: I ended up in court. So did the detective. Some people got yelled at by the judge. I wasn’t one of the people getting yelled at. One positive out of this case is that there were so many problems, that I can use a hundred examples from it for a decade of how not to do digital forensics or police work.

These two examples, out of more than a few that I have personally seen, reinforce a largely ignored aspect of digital forensics work: a basic foundation.

A basic foundation is just that.  Basic. Foundation.

I am not talking about the basics of a specific job in DF/IR, but rather the basics that cut across all the jobs in DF/IR. This includes law enforcement! No one is perfect or exempt from being expected to have a basic foundation.

The DF/IR field typically focuses away from the legal aspects because many in the field wrongly assume that they are not working within the legal arena. For the most part, many are correct, until they aren’t. It is because that not only do we work with data, we also have a high risk of interacting with data that constitutes evidence in a legal case (civil or criminal). We should know what evidence is, how to know it when we see it, and what to do with it if and when we come across it.

Never complain about a problem without following up with a proposed solution

We need to know the foundational basics of both DF and IR.  When you focus on one small aspect of the entire field, you are working with a hammer. All your decisions will be based upon that small part of the field that you work with.  By “small part”, I do not mean insignificant. I mean that if we, in DF, come across an obstacle or issue that clearly fits the other side of the house, that we can identify it as such, and be able to refer or delegate it to more appropriate specialists. Same thing if we, in IR, come across a legal issue, that we handle it appropriately by knowing who best should handle it.

We cannot expect those who do not work in either DF or IR to know how to forensically image a hard drive, or have any of idea of the legalities of passing around a hard drive with child pornography (albeit, at the request of an attorney…after receiving it from law enforcement….). But we can require that us in the field have some basic foundation of both the common legal and technical aspects that cut across the disciplines.

A simple solution is requiring that those who work in either DF or IR, have this foundational knowledge. You don’t need to be an attorney to know chain of custody for evidence. You don’t need to be a police officer to know what evidence looks like. You don’t need to know how to reverse engineer malware if its not your job, but you should be able to know when it needs to be done. You don’t need to know how to do a chip off of a mobile device if you don't work with mobile devices, but you should know that it can be done if needed when you come across it.

What does a basic foundation look like?

1. What you need to know legally (only those things that everyone in DF and IR should both know)
2. What you need to know technically (only those things that everyone in DF and IR should both know)

Anything else is job specific and from which core competencies are built upon,  therefore not part of what I am talking about. Just the basics, like the very basics.  Because without it, digital forensics is really easy..to screw up.

For engagements where my clients ask for help in preparing for a ransomware attack, the most asked question is, “Do you recommend we pay if it happens to us?”

The decision to pay (or not) is based on the specific and unique situation. Are there unaffected backups? Is the encrypted data valuable or can it be re-created? Is the entire network held hostage? Can the ransomware be decrypted with available tools or keys? Basically, can we fix it or not? If not, then there is the decision to make on paying a ransom.

I know that clients want a definitive “YES” or “NO”, but it doesn’t work that way. If you advise to definitively pay, maybe they won’t get their files back and then what? Your advice was bad in that it didn’t work. And if you advise to absolutely not pay, then the client surely doesn’t get the files back. You’re between a rock and a hard place.

Here’s been my recommendation. Recommend that the client buy some bitcoin and hold it. How much to buy depends on how much you think a ransom will be based on the amounts of current ransomware attacks.  Then, if it happens, the client has saved at least a day of panicking in figuring out how to buy bitcoin and getting the money out of the budget to buy it, and potentially missing the window to pay the ransom anyway.

As far as will Bitcoin increase or decrease in value, that doesn’t matter. It matters to have some on hand. It matters just as much to have someone know how to access/send it when and if needed.

Then if a ransomware attack happens, the client can spend time on deciding to pay or not without having to have a team figuring out “what is this Bitcoin thing?” and distracting from the problem at hand (to pay or not).  

Probably the best advise I can give, is that if the client pays the ransom, there is a chance of getting the data back, or more accurately, getting back access to the encrypted data. But if you don’t pay, you have about a zero percent chance of getting access to your encrypted data. I’ve seen someone state that it’s about a 50/50 chance that an attacker will give decryption keys upon payment.  I’m not a gambler, but I say paying to get 50/50 odds is a lot better than not paying for 0/100.

The point of this post

A very adamant advocate of not paying off ransomware strongly suggested that I not recommend to my client that they should consider paying off ransomware. His point is that if everyone keeps paying ransoms, this will keep happening. I totally agree. If these attacks keep getting paid off, they will keep happening. The problem is that this is easy to say if you are not the victim. If the existance of your company rests solely on getting your data back, the 'common good' of not paying takes a back seat.

Or, the victim could pay a few bitcoin and better prepare in the event this were to happen again. Yes, the criminals make money. But also, the business survives (people keep their jobs!) and the business prepares to prevent this from happening again. 

I know that depending upon who a business calls for ransomware advice, one person will be advising to never pay and another person will be advising to look at the entire picture and keep all options open. The real answer to pay or not rests solely on the client. We can only give recommendations and a shoulder to lean on (or cry on....).

I’m big on attribution in crimes. It is my personality and attitude, which you can probably tell from the things I write and say (and have done).  With that, I completely understand that the “IR” in “DFIR” is not primarily about attribution, if it ever is. The IR (Incident Response) is a different job than the DF (Digital Forensics), but still related, like cousins.

In a pure digital forensics (ie. legal) matter, attribution is key. Attribution is the goal. Attribution is what you are working towards. Otherwise, it is not literally forensics, but only mechanically forensics, in that you may be performing the same mechanics as with forensic processes and methods, but if you aren’t looking to pin a crime on the suspect in a legal matter, it is not really forensics by definition.

With IR, pinning the crime/breach on the criminal or nation-state isn’t the primary mission unless you work at one of the alphabet-soup government agencies. But, IR is no less important than DF, even as the goals are generally different. With DF, the work is targeted to give justice to a victim through a legal process. With IR, the goal is usually to quell the panic of data spewing from the network like a busted fire hydrant in the middle of summer. Attribution is maybe an afterthought, at best. Stopping the pain is the priority.

But here I go splitting a hair with attribution in IR work….

When you do IR work (outside of the alphabet-soup government agencies), sometimes you should think about attribution in what you are doing. In fact, sometimes you must think about it because you might not be working a pure IR job. You might be deep into the legal arena! 

Fairly recently, I was asked to “look at” an employee’s email account for "hacking". Sure enough, someone other than the account holder had been in the account. Emails had been sent out from the employee’s account and some emails posted online by way of screenshots. Without getting into the weeds of what was happening, it clearly looked like internal drama in the organization.

The client/CEO wanted it stopped, but did not care about who did it because, “Nothing you can do about it if China is doing it.”  This was the advice from IT to the CEO. Hackers can’t get caught, so don’t waste money on it when you can just prevent it from happening again. However, just by looking at the content of the emails that were being sent out and posted online, it was clearly an insider job or someone related to the employee in some manner. Seriously. It was so blatantly obvious that the employee was targeted and that most likely, it was probably another employee just by a quick glance of how it was happening. I gave an estimate of a day to be able to find out who it was, and still, the solution was to stop it from happening and not worry about catching the culprit.

Good grief.

My point is that sometimes you can catch the person because maybe the suspect is not in Iran or China or Russia or Timbuktu. Maybe s/he is in the next cubicle. In this example, the suspect was in IT, which took me a half day to figure out, without even having to skip lunch. End result was that everyone happy (the in-house attorney, the employee and the CEO). Except the IT person. He was not happy. But everyone else was.

Most anyone working in IR can fairly accurately tell where the hacks* come from. Maybe not to a specific person or nation-state, but at least be able to gauge whether or not the suspect is in the same building or down the street or related to the organization (generally!). There is nothing wrong with advising a client that although you can certainly stop the pain of a hack* (see the below definition..),  you may also be able to solve a problem that is just as important which may actually have a positive ROI beyond dollars spent.

This is just an example of when a pure IR engagement can turn into pure DF gig, simply because IR can see typically be able to determine that not only can you identify the suspect, but that you should because in a case like this, the victim will keep being victimized by someone that can be caught and brought to justice.

*hacks, as in whatever you want to call unauthorized computer access.

Some have found a Patreon page that I created for the DFIR Training website (http://www.patreon.com/dfirtraining). Here is a short description of what is going on with me, DFIR Training, and Patreon.

First off, Patreon is just a way for you to support DFIR Training (and me!). You simply choose to subscribe at a level of support that you want. Right now, there is a $3 level if you wish to throw me a cup of coffee (much appreciated by the way), or $20.  In return, you get rewards. The rewards inlcude the courses I make (Placing the Suspect Behind the Keyboard, X-Ways Forensics Practitioner's Guide course, and more), plus videos that I will only publish on Patreon, and a few other goodies exclusive for supporters only.

Before you get a little turned off that to get some things, you have to pay, hold on just a few seconds so I can explain. The things I freely do and give out, I will continue to do so. But for the extra things, I will be doing them under Patreon for the DFIR Training website.  To make it rewarding to support the DFIR Training Patreon page, I not only lowered the price of the courses I have created, but I am flat out giving access to most all of them at $20 a month. I've seen where some folks will not support on Patreon, but for those who do, you have my gratitude and access to everything :)

As to the DFIR Training website, it will remain freely accessible, and everything on it will remain freely accessible. Only the content that I create solely for Patreon supporters will be for Patreon supporters, and nowhere else, even as Patreon will support the growth of www.dfir.training.

On top of that, for the book giveaways on DFIR Training, Patreon supporters get an extra 20 chances to win a book, for each book drawing. This is in addition to getting access to the online courses. And I am posting cheat sheets only for Patreon supporters too. There are also going to be software reviews and software comparison videos too. None of the reviews are paid, so you’ll get my honest and unbiased opinion and not a commercial.

Why am I doing this?

The ‘free’ books, of course, are not truly free (they are to the winners, but that's it). Patreon supporters are super in helping pay for the books that aren’t donated by the authors. Because of Patreon support, I am willing to give supporters high levels of return favor with things like access to my online training courses, interviews, and the other neat things that I will be creating just for them (like a series of cheat sheets and ebooks).

As far as the online courses, I am continually asked about freely extending course access, which I am sure is a little uncomfortable to ask and uncomfortable for me to turn down as all user accounts are charged to me, and therefore, I have to charge the users, so free access isn’t really free… With Patreon, it is easier for each person to control their access with a subscription. So as long as you are a Patreon supporter at $20, all the courses are included for as long as you want.

I am planning on changing the Patreon support levels fairly soon. I won’t cancel the support levels, but I will be limiting the number for each level. For example, I will eventually close the $20 level and increase the amount with a new tier, but everyone in the $20 before the change will be able to stay in it for as long as they want. Hint: best to get in sooner than later it if you are considering it, because I will be limiting the number.

Also, the more support on Patreon, the more things I will be able to devote time to create.  For the time being, I will be adding every course I create to Patreon and also create some Patreon-only content in the coming weeks and months.

So, you can look at it two different ways:

1. Support DFIR Training (and me) on Patreon and get lots of rewards like online courses and ebooks, or 
2. Get a bunch of online courses that I make for only $20 a month, which goes toward supporting DFIR Training

Either way works 😊

The short version:

Support DFIR Training on Patreon and get this X-Ways Cheats ebook for free!

The longer story:

One of the most useful things I made for the 101+ Tips & Tricks X-Ways Forensics course was the Ultimate DFIR Cheats! X-Ways Forensics ebook.  This is a 118-page book that is a free ebook download in the course, or you can buy the same book in print at Amazon.com. This book is the most comprehensive book of cheats for X-Ways Forensics written!

There are easy to follow charts and tables describing the 3-state checkboxes, all the ways to add evidence (plus the shortcuts), and more. This is not a book on “how to do forensics” and it is not a 2^nd edition of the X-Ways Forensic Practitioner’s Guide. It a huge collection of cheats, tips, & tricks!

So, you can buy the print book on Amazon or better yet, get the ebook free as part of supporting DFIR Training on Patreon at http://www.patreon.com/dfirtraining.  This is also the only way to access the 101+  Tips & Tricks for X-Ways Forensics course, which given everything else you can get (X-Ways Forensics Practitioner's Guide online course, Placing the Suspect Behind the Keyboard course, Windows Forensic Environment course, DFIR Case Study series, and more), makes this a pretty good deal.