Brett Shavers | Ramblings

Dec 15 (2 comments)

What is the best way to get to Spokane from Seattle?

Posted by Brett Shavers
in Digital Forensics

Stand by, here comes my opinion on forensic tools (software and hardware)

I tend to prefer having the option to pick among a large selection of tools so that I can be highly specific in solving problems. The fewer options I have, the more likely I will be doing an “OK” job instead of a “good” job. Worse still, without the right tools, I may not be able to do the job at all. With that, I say things like, “The more tools in your toolbox, the more problems you can solve.”

This doesn’t mean tools solve problems. It doesn’t mean that anyone with many tools can solve problems. It doesn’t mean that any tool can solve any problem. And it doesn’t mean that merely having lots of tools means you can solve lots of problems. I simply mean that by having a choice of tools that I am competent to use, I can pick the right tool for the right job.


To elaborate a little more, I do not believe that having every tool in existence is a reasonable plan. There are far too many tools available for any one person to be competent (even at the least level of competence!), or to keep updated, or to validate, or to use with any frequency to remember which button (or command) does what. It is just too much.  

Each person has their own sweet spot as to how many tools that they need for their job. For some, this may be a few. For others, it may be more. And for each person, the sweet spot is different. And over time, the sweet spot changes.  Even with different jobs, the sweet spot will change. You have to find your sweet spot and no one else can tell you what that is. Did I mention that your sweet spot of tools will change? 

Related experience on having too many things: In my younger life, days after I checked into 2/3, I was headed to the field for a month (PTA). What did I do to prepare for 30 days in the field? I went to the PX and bought a bunch of nicely packaged and enticing junk that was packaged and marketed as "the top 10 things that Marines need to bring to the field". I brought back this junk to the barracks and started packing and strapping junk to my ALICE pack. The old salts in my squad ribbed me pretty bad about me wasting my money on ‘junk’. The things I bought were promises of making field life easier for Marines in the field. The packages said as much!   Days after being in the field, I cursed every little junk item I bought because all it did was add weight to everything I was carrying, did nothing to make fieldwork easier, and I learned from the salty Marines on what works in the field based on hundreds of years of Corps’ existence, not some toy from the PX. Some of the NCOs that I mirrored were magicians in the field. Literally, they performed magic. The things I learned that a person can do with the right tools showed me that it is never just a tool, but the right person appropriately employing the right tool. I carried this lesson from that first month in the field through today with this blog post. 

"It's not the machine, but the examiner, that does the work" - Brett Shavers

Picking the right tool

Some questions have one answer. What is 2+2? Is fire hot? Is ice cold? Other questions have more than one answer. That is why this blog post is titled, What’s the best way to get to Spokane from Seattle? No one can answer this question for someone else. There are too many variables involved for there to ever be one answer to the best way to get to Spokane from Seattle. Variables such as: how soon do you need to be there? How much are you willing to pay for travel expenses? Do you prefer to drive, fly, or ride a bus or train? Do you like a window seat or aisle? And hundreds of personal questions that affect the best way for you to get to Spokane from Seattle. Point being, best for you may not necessarily be best for me.


So, when I hear “the best forensic tools” or “this is the best forensic tool”, I assume that the person stating or writing such a thing is speaking solely for themselves, as there is no way that they are speaking for me. It is impossible. The variables to choose a software tool are no different than choosing something to eat for lunch. It depends on everything.  Time to eat. Money to spend. Locations available. Type of food available. Allergies. Food preferences. Tastes. Desires for a certain food at that very moment. The person eating with you and their preferences. Any “top list” of anything is useless except for the person creating the list.

The point: You choose the best tool for you that can solve the problem.

How many tools?

I have written things about forensic software, but never stated that one tool is better than another, or that you only need one tool. The closest thing I have written that could be interpreted as such was in the X-Ways Forensics Practitioner’s Guide. And even then, I simply stated that if you are proficient in X-Ways Forensics, then you probably know your stuff and probably know how to use other tools too.

https://www.amazon.com/gp/product/0124116051/ref=dbs_a_def_rwt_bibl_vppi_i1

The appropriate number of tools is the number of tools (1) in which you can maintain competence and (2) that you actually need. If you can’t maintain competence in a tool, get rid of it. If you don’t need a tool, why do you have it? Don’t overwhelm yourself with tools that you can’t use competently or don’t need to use at all.

Validation

I had an email recently asking my opinion on validation. I happened to be extremely busy at the time I saw the message on my phone, and didn’t have the time to respond appropriately. In short, the question was: how do you validate tools, how often, and do you use the test images that are available online? Wow. Tough question, actually.

Without writing a book on forensic tool validation, all I can say is that I have spoken to many about this subject and I have found that it is a rare examiner that validates all of their tools, and at that, rarely does it regularly. The vast majority simply buy (or download) a tool and use it. Validation happens when they use another tool to check the work of the first tool on finding an artifact…in real cases. The result is that many of us use a tool (that we didn’t validate) to find evidence, and then we use another tool (that we also didn’t validate) to validate our findings. Hint: I test my tools against other tools against known data sets.

I’m not a software developer, but I am aware of what software testing is and how to do it. There are books on how to test software, with processes that range from simple to complex. I recommend picking up one or more of these books to get a handle on software validation before you get asked on the stand about it. Seriously. Check into it because it happens, or at least it happened to me.  At a minimum, I suggest taking advantage of Paraben's free ebook on validating forensic tools (https://paraben.com/validation/). 

As far as the online test images go, I believe they have their place if they were developed for testing. There are images that are freely downloadable for testing that were purchased from the private market. These particular sets of images come from discarded and used computer systems, and we really have no idea what happened on those systems other than what the tools tell us. I find this very exciting, but only for the sake of curiosity: what data did people throw out without knowing the risk? In my opinion, these are the worst images to use as test images, because we have to trust the tools to tell us what happened on the systems. How can you test a tool on data whose ground truth you cannot validate, when the only account of that data is what the tool itself tells you?

Test images should be images where you know exactly what data is on them and exactly how that data was created. If you don’t have documentation of the activity that occurred on the image, then the only thing you are testing is your patience while the software runs. If you don’t know as fact what happened on an image (prior to imaging, of course), then how do you know your tool is performing correctly? You don’t, because you are trusting the tool to be accurate about data you can’t validate, in order to validate the tool you are testing…

**EDITED** 12/21/18

To clarify my initial thoughts on test images and tool validation, it is better to say that a tool may parse the data accurately on an image for which you have no assurance of the activity, yet the results may still be incorrect or inconclusive. One example of what I mean: the tool may parse the data correctly, but the data itself may be the product of anti-/counter-forensic activity. To show this, I created a trick question in classes where I planted anti-/counter-forensic data (user-created files) onto a drive purposely to throw off an analysis. Tricks are unfair in teaching, but this sort of exercise makes several points: how to state conclusions in a report, why a file and its supporting metadata may or may not exist, and not to jump to conclusions at the first sight of evidence.

The steps I took were simple:

  1. Boot the drive to WinPE
  2. Copy user-created files* (Word docs, etc.) onto the drive
  3. Image the drive

The result was that most of the class assumed the files were created by the logged-on user account, on the dates and times of the documents/files. Some of the class questioned how the files were created (not downloaded, no evidence of the applications being run, no USB connections, no LNK files, etc.). The tools were correct in pulling the data, but the conclusions about the data itself were wrong. The point being made was that finding the evidence is #1. Next is to validate the evidence (is it really evidence or not?). Then come to some conclusion of how the evidence was most likely created, supported by other corroborating evidence (other than the actual data file itself). The result was that every time the 'evidence file' was found in classwork, students really worked to make sure they grabbed as much supporting evidence on that file as possible.

*The user-created files were time stomped to match Internet activity dates/times on the drive.

My test images

I have a set of test images that I have created over the years. For each image, I have extensive documentation with everything I did on that image, with date and time. It is a lot of work. A serious amount of work, but I now have a library with different OSs and different types of evidence planted on the images.  When I run a tool on an image, I compare the result of the tool with my notes. It should match exactly, and if it does not, either I used the tool wrong or the tool doesn’t work. I know that because I planted the evidence and know exactly what the evidence is. I know how it got on the disk. I know when it was put on the disk. I know because I did it and documented it as I was doing it.  My test images are validated by me, for me. You can’t do that with an image you find online. You can’t even do it with an image someone gives you, because you are trusting someone else with validation of the data on the image! At best, you are trusting the creator of an image to not only give you accurate information about the image, but that they accurately documented the creation of the data on the image. Think about that a moment.
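The comparison described above (tool output checked against the examiner's own notes of what was planted, and earlier, tools tested against known data sets) can be made mechanical. The following is an added example, not the author's own tooling: a small Python check that compares a tool's parsed file list, field by field, against a documented ground-truth manifest for a test image. Every path, hash, timestamp and note is constructed. It also separates the cases the text distinguishes: a tool that faithfully reports a time-stomped timestamp recorded in the notes still matches (the tool is right, the data is the trick), while a modified time one hour off, a planted file the tool never reported, and a file the notes never mention are each called out for the examiner to explain.

```python
"""Added example, not the author's tooling: check a forensic tool's parsed
file list against the examiner's own documentation of a test image.
Every path, hash, timestamp and note below is constructed sample data."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Ground truth: what was planted, written down as it was done (constructed).
GROUND_TRUTH = {
    "Users/alice/Documents/plan.docx": {
        "sha256": sha256_hex(b"constructed docx bytes 1"),
        "created": "2018-12-01T14:03:00Z",
        "modified": "2018-12-01T14:03:00Z",
        "note": "copied in from WinPE; timestamps stomped to match browser history",
    },
    "Users/alice/Pictures/photo1.jpg": {
        "sha256": sha256_hex(b"constructed jpeg bytes 2"),
        "created": "2018-12-02T09:15:30Z",
        "modified": "2018-12-02T09:15:30Z",
        "note": "copied in from WinPE",
    },
    "Users/alice/Downloads/setup.exe": {
        "sha256": sha256_hex(b"constructed exe bytes 3"),
        "created": "2018-12-03T18:42:11Z",
        "modified": "2018-12-03T18:42:11Z",
        "note": "downloaded through the browser inside the VM",
    },
}

# Tool output (constructed): plan.docx exact; photo1.jpg with a modified time
# one hour off (a typical time-zone handling defect); setup.exe never reported;
# and a temp file the notes never mention.
TOOL_OUTPUT = [
    {"path": "Users/alice/Documents/plan.docx",
     "sha256": sha256_hex(b"constructed docx bytes 1"),
     "created": "2018-12-01T14:03:00Z", "modified": "2018-12-01T14:03:00Z"},
    {"path": "Users/alice/Pictures/photo1.jpg",
     "sha256": sha256_hex(b"constructed jpeg bytes 2"),
     "created": "2018-12-02T09:15:30Z", "modified": "2018-12-02T10:15:30Z"},
    {"path": "Users/alice/AppData/Local/Temp/tmp0001.tmp",
     "sha256": sha256_hex(b"constructed temp bytes 4"),
     "created": "2018-12-04T00:00:00Z", "modified": "2018-12-04T00:00:00Z"},
]

COMPARED_FIELDS = ("sha256", "created", "modified")


def validate(ground_truth, tool_output):
    """Return matched / mismatched / missed / unexpected paths. Matching is exact:
    a stomped timestamp recorded in the notes must come back exactly as stomped."""
    seen = {row["path"]: row for row in tool_output}
    report = {"matched": [], "mismatched": {}, "missed": [], "unexpected": []}
    for path, expected in ground_truth.items():
        actual = seen.pop(path, None)
        if actual is None:
            report["missed"].append(path)
            continue
        diffs = {field: (expected[field], actual.get(field))
                 for field in COMPARED_FIELDS if expected[field] != actual.get(field)}
        if diffs:
            report["mismatched"][path] = diffs
        else:
            report["matched"].append(path)
    report["unexpected"] = sorted(seen)  # reported by the tool, absent from the notes
    return report


def verdict(report):
    """FAIL: planted data missed or misreported (tool defect or operator error).
    REVIEW: only extra entries; each needs an explanation (OS noise, or a gap in the notes).
    PASS: output and notes agree exactly."""
    if report["missed"] or report["mismatched"]:
        return "FAIL"
    if report["unexpected"]:
        return "REVIEW"
    return "PASS"


if __name__ == "__main__":
    result = validate(GROUND_TRUTH, TOOL_OUTPUT)
    print(verdict(result))
    for key in ("matched", "missed", "unexpected"):
        print(key, result[key])
    for path, diffs in result["mismatched"].items():
        print("mismatch", path, diffs)
```

Two design points: the ground truth is keyed by path and carries the examiner's note, so a mismatch is reported next to the reason the file is there; and an "unexpected" entry is deliberately not a failure on its own, because a file the tool found that the notes lack is either OS-generated noise or a hole in the documentation, and only the examiner can say which.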

One question that I saw on Twitter a while back concerning the software listings on dfir.training, was something to the effect of “are all these tools validated?” This is a legitimate question because there are over 1,300 software listings. The only accurate answer is that none of the software is validated. Not a single one. Not a single tool on Github is validated. Nothing on SourceForge is validated. Not a single commercial suite that costs thousands of dollars is validated. No open source programs are validated either. None of them. Nada. Zip. 

The only tools that are validated are the tools that you personally test. Out of that 1,300+ tool listing, whatever you download and use is up to you to validate.  Out of that 1,300+ tool listing, you may ever only need 5 or 50 or 500 of those tools in your lifetime. Again, that is totally up to your situation and needs and validation falls upon you. Sorry, but that is the way it works.

How I choose forensic tools

Everyone is different because we are.  Every scenario is different, because they are.  Tools are different because they are developed by different people and for different scenarios. All of this adds up to an infinite number of solutions for each person to decide on which tools to pick for specific scenarios.

Here is how I pick tools (keeping it simple…):

  1. What is the problem?
  2. What tools do I know how to competently use and will any of these tools solve the problem?
  3. If I don’t have the tool, which tool can I become competent in to solve the problem?

That’s it. Every single scenario, I go through the same process. Some are quick and easy to figure out. If the job is imaging an easy-to-access single hard drive without any encryption in a desktop, then the choice is quick and simple. Scenarios beyond that add a bit of complexity with each additional obstacle to overcome. This process covers every scenario from basic imaging to a full-fledged network breach that is bleeding data like a stuck pig. There comes a point where I can’t handle a problem because it is way out of scope of what I know and the time needed for me to learn what is needed. If I came across a problem that required me to be a program developer, I could do it if I had the time and the problem could wait while I got a degree in computer programming. But I know my limits, and I know how long it takes me to learn a new application to a competent level if that can be the solution.

Those pesky personal preferences

Back in the day, we didn’t really have much in the way of software choices. If you started back in the Norton Disk Editor days…you were really limited in choices overall. Today, we have many (too many?) to choose from. Then we have personal preferences. I know examiners who swear by one particular forensic suite (name any suite and I’ll show someone that swears only by it). Others won’t touch a suite because they prefer to use small tools to solve problems. By small tools, I mean those forensic tools that do one specific thing rather than a suite of functions. Some demand push-button only, others want CLI only. Some only use Windows-based, others only Mac, and believe it or not, some only use Linux-based forensic applications. Many use a combination of all of these, because it depends on the problem to solve coupled with competence in specific tools.

I never question someone’s preferences in tool selection or tool development, because preferences. As long as the problem can be solved, personal preferences don’t really matter.

It is only when personal preferences interfere with problem solving that it matters. When someone keeps trying to force a solution that keeps failing or is obviously inappropriate, then the problem is never solved and gets worse. If a tool is not working on a problem, and you can’t fix it, then quickly move to something that works.

You should be able to flow from tool to tool to solve problem to problem.

Reporting and tools

Accept now that one tool does not do it all.  This includes reporting. I have seen comments about forcing one suite to accept reports from other suites and tools because the examiner wants to press ‘print’ and have it all done in one.

In reality, each suite creates its own reports, and many (most?) small tools don’t even create reports at all. They will spit out the data, but not so much a report of the data like a suite will.  Unless you are only using one suite for a case, you will be hodge-podging a report from multiple suites of tools and creating output reports from small tools. Yes, some suites allow for easy importing of other reports, but as for me, I am combining small tool outputs with suite reports, adding software logs, pasting screenshots, and typing statements and summaries to form one report. When I take a course in a tool in which the provider is touting the reporting feature as the end-all be-all reporting feature, I kinda tune out because I heard that song before.

Trying to avoid the technical

I do my best to avoid technical writing, except for a few pieces that I want to put out that others may not be aware of. The only reason I do not want to put out technical pieces is that so many others are doing fantastic work in publishing their research. David Cowen’s test kitchens are the most innovative that I’ve seen in online forensic videos. There are several on Twitch doing the same sort of thing (hacking mostly), but Dave’s fits the area where I work in forensics, so I really appreciate what he is doing. Others (too many to mention) are writing blog posts with some juicy technical forensic info. The thing I find missing is the investigative aspect, the principles and concepts of forensics, and the personal facets of forensic work. That’s what I tend to focus on when teaching and writing. I believe we can all learn the technical aspects, particularly when we have some outstanding researchers sharing their knowledge! My objective is to push the other side of the coin, the side that focuses on using your brain to make decisions, to think things through, and to solve any problem with multiple solutions derived from how to think.

Back to the best way to get to Spokane from Seattle

There are many ways. There are side roads, service roads, flight paths, and train tracks. Rather than assume that you will drive to Spokane, evaluate the ways and pick the solution that fits your situation at that moment, because driving may be best today, but flying may be best next week. No different with forensics. Today’s solution may be different from tomorrow’s.

Recent Comments

Guest — Harlan Carvey (Sunday, 16 December 2018 05:36):
I tend to take a path to Spokane that starts with the goals of my analysis, with the next step being the development of an analysi... Read More

Brett Shavers (Sunday, 16 December 2018 09:36):
Another hidden nugget in there...exactly knowing your goals lets you pick exactly what you need (a specific socket wrench and not ... Read More

Nov 28 (0 comments)
Digital Forensics is Really Easy

Posted by Brett Shavers
in Digital Forensics

The mechanics of digital forensics (and its related cousin, incident response) are fairly easy. A computer is a computer is a computer. Collecting data is collecting data. And an artifact is an artifact. As long as you follow the basic mechanical principles and concepts, you should be able to do the work without impossible obstacles.

A most basic example is imaging a hard drive in a computer that is not running.

  1. Protect the source
  2. Image it

That’s about it. This example carries into all things DF/IR, as it is mechanical work coupled with decisions on overcoming obstacles in order to get the job done.
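The two mechanical steps above, plus the verification and paperwork that turn them into a defensible acquisition, as an added example that is not the author's procedure or any vendor's imaging tool. It is a file-backed model in Python: the source is only ever opened read-only (on a physical drive, that is the job of a hardware or software write blocker), the bytes are streamed to an image file and hashed on the way, the source is hashed before and after, and a JSON record is written. The `during_read` hook, the sample "drive" contents, the case id and the examiner name are constructed placeholders; the hook exists only to show what happens when the source is touched mid-acquisition.

```python
"""Added example, not the author's procedure or any vendor's tool: a file-backed
model of 'protect the source, image it' with verification and a written record.
Case id, examiner and the sample drive contents are constructed placeholders."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB per read


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image, log, case_id="CASE-PLACEHOLDER",
            examiner="EXAMINER-PLACEHOLDER", during_read=None):
    """Image `source` into `image`, verify, and write a JSON acquisition record.
    `during_read` is a test hook only: it simulates someone using the source
    drive while it is being imaged (i.e. no write blocker in place)."""
    started = datetime.now(timezone.utc).isoformat()
    # 1. Protect the source: it is only ever opened read-only in this function.
    #    On a physical drive this step is a hardware or software write blocker.
    before = sha256_of(source)
    if during_read is not None:
        during_read()
    # 2. Image it: stream the bytes into the image file, hashing as we go.
    streamed = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            streamed.update(block)
            dst.write(block)
    # 3. Verify: the source must hash the same before and after, and the image
    #    on disk must equal what was streamed. Any mismatch means the image
    #    cannot be presented as a faithful copy of the source.
    after = sha256_of(source)
    image_hash = sha256_of(image)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": os.path.getsize(image),
        "source_sha256_before": before,
        "source_sha256_after": after,
        "image_sha256": image_hash,
        "verified": before == after == streamed.hexdigest() == image_hash,
    }
    with open(log, "w") as f:
        json.dump(record, f, indent=2)
    return record


def demo(tamper=False):
    """Acquire a constructed source file; with tamper=True the source is written
    to mid-acquisition, which must flip `verified` to False."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")
    with open(source, "wb") as f:
        f.write(b"constructed sample drive contents\n" * 4096)

    def browse_while_imaging():
        with open(source, "r+b") as f:  # the unblocked, still-in-use source
            f.write(b"X")

    return acquire(source, os.path.join(workdir, "source.img"),
                   os.path.join(workdir, "acquisition.json"),
                   during_read=browse_while_imaging if tamper else None)


if __name__ == "__main__":
    for tampered in (False, True):
        rec = demo(tamper=tampered)
        print("tampered" if tampered else "clean", "verified =", rec["verified"])
```

The single `verified` flag is deliberately strict: three hashes that should all agree either do or do not, and the record keeps all of them so that a reviewer later can see which one disagreed rather than just that something did.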

Here is where digital forensics is most easy!

DF/IR is easy to screw up. It is really, really easy to screw up. Besides the mechanical ways to make an error, such as overwriting the original data, there are ways to make things worse by thinking you know what you are doing when you actually don’t. Using the above example, there are a lot of little things needed for a complete job (like documentation, chain of custody, etc.).

Here are two personal examples.

Example 1:

I was hired for a civil case to examine a hard drive image. I received the image that was created by an employee from a nationally known computer repair company. The part of the case that matters is that after the computer was dropped off at this repair company, the computer was identified as being pivotal in a substantial and public civil case. An employee at the computer repair company talked his supervisor and attorney into believing that he could create a ‘forensic’ image of the hard drive.

The employee was first level IT in that I didn’t see much more experience than having an A+ certification and zero experience or education in digital forensics. The employee's only forensic work experience was creating this “forensic” image for the case using FTK Imager.

The process was not correct, as the employee believed that because FTK Imager (i.e., “Forensic” Tool Kit Imager) was used, all was well in the world with the forensic image. Some of the issues: there was no chain of custody for the image or original source, the original source was subsequently lost, data was overwritten prior to and during imaging*, and barely any documentation existed. The only documents created were the receipt for dropping off the computer and a text file created by FTK Imager.

I was hired to fix the ‘forensics’ in this case. The point of the story is that the employee thought he was doing forensics, but actually, he was screwing it all up by not having any basis of knowledge in the legal aspects of forensics or the technical aspects of creating an image (or much else).

End result: I couldn’t fix it because I didn’t have a time machine to go back in time to prevent the employee from touching the computer. Oh yeah. A new policy on not doing forensics was incorporated in the computer repair company.

Example 2:

On a civil case where I found child porn on a device, I immediately transferred the evidence to the local police department and wished the attorney-client luck (I don’t do those types of cases outside of law enforcement anymore). I also gave the PD the only image that I made of the original, along with an extensive report of what I saw that included verification of known CP hash comparisons. I’m stressing to you in this post that I made it extremely clear to the police department that without a doubt there was child porn on the hard drive, some of the worst that I have ever seen in my career. I even wrote my report as if it were an affidavit for a search warrant because what I saw certainly deserved police attention. 

Months later, the forensic detective told me in a phone call that he couldn’t image the drive and tried for months. He apparently gave up because he said that he was busy with more important cases (than child abuse), like rape and homicide...  He didn’t want any help, so that was it for me in the case. I offered that he could at least use my image that I gave...but nope.

Months later, I was re-hired to examine the drive, specifically for child porn, as the device owner was accused of also molesting his daughters. Then a weird thing happened. The wife (of the device owner) asked the PD to pick up the hard drive. She simply called and said it was her hard drive in evidence. They told her to come pick it up. Then they gave it (the original drive!) to her. Child porn and all. Nothing wiped, no court order for anyone to possess or examine.  Not only that, but the case was still open, and now included child molestation allegations.

The wife (client of my attorney-client) carried the original drive around and passed it on to her attorney, who days later wanted to give it to me. No one (including the police department) cared that child pornography on a hard drive in an active case of child abuse was being passed around without a sliver of chain of custody, or concern for what it legally means to possess that material, or any care for how the data on the drive might refute or corroborate the real-time child abuse allegations.

PS: I refused custody of the drive until I was given a court order that said I could touch it.

The point of this story is that I wouldn’t expect the wife to know anything about chain of custody or possession of child pornography, but I would certainly expect (actually, demand) that the police detective and attorney exactly know. I further would expect that a police officer working in digital forensics could figure out how to image a hard drive in a day rather than never figure it out in months before giving up.

End result: I ended up in court. So did the detective. Some people got yelled at by the judge. I wasn’t one of the people getting yelled at. One positive out of this case is that there were so many problems, that I can use a hundred examples from it for a decade of how not to do digital forensics or police work.

These two examples, out of more than a few that I have personally seen, reinforce a largely ignored aspect of digital forensics work: a basic foundation.

A basic foundation is just that.  Basic. Foundation.

I am not talking about the basics of a specific job in DF/IR, but rather the basics that cut across all the jobs in DF/IR. This includes law enforcement! No one is perfect or exempt from being expected to have a basic foundation.

The DF/IR field typically focuses away from the legal aspects because many in the field wrongly assume that they are not working within the legal arena. For the most part, many are correct, until they aren’t. This is because not only do we work with data, we also have a high risk of interacting with data that constitutes evidence in a legal case (civil or criminal). We should know what evidence is, how to recognize it when we see it, and what to do with it if and when we come across it.

Never complain about a problem without following up with a proposed solution

We need to know the foundational basics of both DF and IR.  When you focus on one small aspect of the entire field, you are working with a hammer. All your decisions will be based upon that small part of the field that you work with.  By “small part”, I do not mean insignificant. I mean that if we, in DF, come across an obstacle or issue that clearly fits the other side of the house, that we can identify it as such, and be able to refer or delegate it to more appropriate specialists. Same thing if we, in IR, come across a legal issue, that we handle it appropriately by knowing who best should handle it.

We cannot expect those who do not work in either DF or IR to know how to forensically image a hard drive, or to have any idea of the legalities of passing around a hard drive with child pornography (albeit at the request of an attorney…after receiving it from law enforcement…). But we can require that those of us in the field have some basic foundation in both the common legal and technical aspects that cut across the disciplines.

A simple solution is requiring that those who work in either DF or IR have this foundational knowledge. You don’t need to be an attorney to know chain of custody for evidence. You don’t need to be a police officer to know what evidence looks like. You don’t need to know how to reverse engineer malware if it’s not your job, but you should be able to recognize when it needs to be done. You don’t need to know how to do a chip-off of a mobile device if you don't work with mobile devices, but you should know that it can be done if needed when you come across it.

What does a basic foundation look like?

  1. What you need to know legally (only those things that everyone in DF and IR should both know)
  2. What you need to know technically (only those things that everyone in DF and IR should both know)

Anything else is job specific, the material on which core competencies are built, and therefore not part of what I am talking about. Just the basics, like the very basics. Because without them, digital forensics is really easy... to screw up.

**UPDATED** 11-29-18
I had a comment about the example of the IT employee overwriting data during imaging. To clarify, data was modified prior to imaging, during imaging, and after imaging. The data modified prior to imaging was not problematic, as it was part of the service requested before the computer was identified as relevant in the civil matter. Data was modified during imaging because the employee did not use a write blocker (hardware or software) while he was imaging and, at the same time, was apparently looking through the drive while it was being imaged. It continued to be modified after imaging as he kept looking through the drive.
On the child porn case, this was where the wife's attorney hired me to examine a computer shared between the wife and husband, and I discovered that the husband had been downloading some of the worst child porn that I have ever seen. Another one of the investigative errors was that the local PD failed to seize any additional devices before they were either destroyed or hidden out of the residence by the husband.
Nov 21 (1 comment)

On ransomware, my advice is different from that other guy's advice.

Posted by Brett Shavers
in Digital Forensics

For engagements where my clients ask for help in preparing for a ransomware attack, the most asked question is, “Do you recommend we pay if it happens to us?”

The decision to pay (or not) is based on the specific and unique situation. Are there unaffected backups? Is the encrypted data valuable or can it be re-created? Is the entire network held hostage? Can the ransomware be decrypted with available tools or keys? Basically, can we fix it or not? If not, then there is the decision to make on paying a ransom.

I know that clients want a definitive “YES” or “NO”, but it doesn’t work that way. If you advise to definitively pay, maybe they won’t get their files back and then what? Your advice was bad in that it didn’t work. And if you advise to absolutely not pay, then the client surely doesn’t get the files back. You’re between a rock and a hard place.

Here is my recommendation: advise the client to buy some bitcoin and hold it. How much to buy depends on how much you think a ransom will be, based on the amounts demanded in current ransomware attacks. Then, if it happens, the client has saved at least a day of panicking over how to buy bitcoin and getting the money out of the budget to buy it, and potentially missing the window to pay the ransom anyway.

As far as will Bitcoin increase or decrease in value, that doesn’t matter. It matters to have some on hand. It matters just as much to have someone know how to access/send it when and if needed.

Then if a ransomware attack happens, the client can spend time on deciding to pay or not without having to have a team figuring out “what is this Bitcoin thing?” and distracting from the problem at hand (to pay or not).  

Probably the best advice I can give is that if the client pays the ransom, there is a chance of getting the data back, or more accurately, getting back access to the encrypted data. But if you don’t pay, you have about a zero percent chance of getting access to your encrypted data. I’ve seen someone state that it’s about a 50/50 chance that an attacker will give decryption keys upon payment. I’m not a gambler, but I say paying to get 50/50 odds is a lot better than not paying for 0/100.

The point of this post

A very adamant advocate of not paying off ransomware strongly suggested that I not recommend to my clients that they consider paying off ransomware. His point is that if everyone keeps paying ransoms, this will keep happening. I totally agree. If these attacks keep getting paid off, they will keep happening. The problem is that this is easy to say if you are not the victim. If the existence of your company rests solely on getting your data back, the 'common good' of not paying takes a back seat.

Or, the victim could pay a few bitcoin and better prepare in the event this were to happen again. Yes, the criminals make money. But also, the business survives (people keep their jobs!) and the business prepares to prevent this from happening again. 

I know that depending upon who a business calls for ransomware advice, one person will be advising to never pay and another person will be advising to look at the entire picture and keep all options open. The real answer to pay or not rests solely on the client. We can only give recommendations and a shoulder to lean on (or cry on....).

 

 

  2144 Hits
Recent comment in this post
Guest — Paul
Sound advice in my opinion!
Monday, 26 November 2018 06:38
NOV 19

Don’t totally discount attribution in Incident Response work

Posted by Brett Shavers
in  Digital Forensics

I’m big on attribution in crimes. It is my personality and attitude, which you can probably tell from the things I write and say (and have done). With that, I completely understand that the “IR” in “DFIR” is not primarily about attribution, if it ever is. IR (Incident Response) is a different job than DF (Digital Forensics), but still related, like cousins.

In a pure digital forensics (i.e. legal) matter, attribution is key. Attribution is the goal. Attribution is what you are working towards. Otherwise, it is not literally forensics, but only mechanically forensics: you may be performing the same mechanics as with forensic processes and methods, but if you aren’t looking to pin a crime on the suspect in a legal matter, it is not really forensics by definition.

With IR, pinning the crime/breach on the criminal or nation-state isn’t the primary mission unless you work at one of the alphabet-soup government agencies. But, IR is no less important than DF, even as the goals are generally different. With DF, the work is targeted to give justice to a victim through a legal process. With IR, the goal is usually to quell the panic of data spewing from the network like a busted fire hydrant in the middle of summer. Attribution is maybe an afterthought, at best. Stopping the pain is the priority.

But here I go splitting a hair with attribution in IR work…

When you do IR work (outside of the alphabet-soup government agencies), sometimes you should think about attribution in what you are doing. In fact, sometimes you must think about it because you might not be working a pure IR job. You might be deep into the legal arena! 

Fairly recently, I was asked to “look at” an employee’s email account for "hacking". Sure enough, someone other than the account holder had been in the account. Emails had been sent out from the employee’s account and some emails posted online by way of screenshots. Without getting into the weeds of what was happening, it clearly looked like internal drama in the organization.

The client/CEO wanted it stopped, but did not care about who did it because, “Nothing you can do about it if China is doing it.” This was the advice from IT to the CEO. Hackers can’t get caught, so don’t waste money on it when you can just prevent it from happening again. However, just by looking at the content of the emails that were being sent out and posted online, it was clearly an insider job or someone related to the employee in some manner. Seriously. It was so blatantly obvious that the employee was targeted and, most likely, that it was another employee, just from a quick glance at how it was happening. I gave an estimate of a day to be able to find out who it was, and still, the solution was to stop it from happening and not worry about catching the culprit.

Good grief.

My point is that sometimes you can catch the person because maybe the suspect is not in Iran or China or Russia or Timbuktu. Maybe s/he is in the next cubicle. In this example, the suspect was in IT, which took me a half day to figure out, without even having to skip lunch. The end result was that everyone was happy (the in-house attorney, the employee and the CEO). Except the IT person. He was not happy. But everyone else was.

Most anyone working in IR can fairly accurately tell where the hacks* come from. Maybe not to a specific person or nation-state, but at least be able to gauge whether or not the suspect is in the same building or down the street or related to the organization (generally!). There is nothing wrong with advising a client that although you can certainly stop the pain of a hack* (see the definition below), you may also be able to solve a problem that is just as important, which may actually have a positive ROI beyond dollars spent.

This is just an example of when a pure IR engagement can turn into a pure DF gig, simply because IR can typically determine not only that you can identify the suspect, but that you should, because in a case like this, the victim will keep being victimized by someone who can be caught and brought to justice.

 

*hacks, as in whatever you want to call unauthorized computer access.

  2456 Hits
OCT 29

What is this thing called "Patreon?"

Posted by Brett Shavers
in  Digital Forensics

Some have found a Patreon page that I created for the DFIR Training website (http://www.patreon.com/dfirtraining). Here is a short description of what is going on with me, DFIR Training, and Patreon.

First off, Patreon is just a way for you to support DFIR Training (and me!). You simply choose to subscribe at a level of support that you want. Right now, there is a $3 level if you wish to throw me a cup of coffee (much appreciated by the way), or $20. In return, you get rewards. The rewards include the courses I make (Placing the Suspect Behind the Keyboard, X-Ways Forensics Practitioner's Guide course, and more), plus videos that I will only publish on Patreon, and a few other goodies exclusive for supporters only.

Before you get a little turned off that you have to pay to get some things, hold on just a few seconds so I can explain. The things I freely do and give out, I will continue to do so. But for the extra things, I will be doing them under Patreon for the DFIR Training website. To make it rewarding to support the DFIR Training Patreon page, I not only lowered the price of the courses I have created, but I am flat out giving access to most all of them at $20 a month. I've seen where some folks will not support on Patreon, but for those who do, you have my gratitude and access to everything :)

As to the DFIR Training website, it will remain freely accessible, and everything on it will remain freely accessible. Only the content that I create solely for Patreon supporters will be for Patreon supporters, and nowhere else, even as Patreon will support the growth of www.dfir.training.

On top of that, for the book giveaways on DFIR Training, Patreon supporters get an extra 20 chances to win a book, for each book drawing. This is in addition to getting access to the online courses. And I am posting cheat sheets only for Patreon supporters too. There are also going to be software reviews and software comparison videos. None of the reviews are paid, so you’ll get my honest and unbiased opinion and not a commercial.

Why am I doing this?

The ‘free’ books, of course, are not truly free (they are to the winners, but that's it). Patreon supporters are a huge help in paying for the books that aren’t donated by the authors. Because of Patreon support, I am willing to give supporters high levels of return favor with things like access to my online training courses, interviews, and the other neat things that I will be creating just for them (like a series of cheat sheets and ebooks).

As far as the online courses, I am continually asked about freely extending course access, which I am sure is a little uncomfortable to ask and uncomfortable for me to turn down, as all user accounts are charged to me, and therefore I have to charge the users, so free access isn’t really free… With Patreon, it is easier for each person to control their access with a subscription. So as long as you are a Patreon supporter at $20, all the courses are included for as long as you want.

I am planning on changing the Patreon support levels fairly soon. I won’t cancel the support levels, but I will be limiting the number for each level. For example, I will eventually close the $20 level and increase the amount with a new tier, but everyone in the $20 level before the change will be able to stay in it for as long as they want. Hint: best to get in sooner rather than later if you are considering it, because I will be limiting the number.

Also, the more support on Patreon, the more things I will be able to devote time to create. For the time being, I will be adding every course I create to Patreon and also creating some Patreon-only content in the coming weeks and months.

So, you can look at it two different ways:

  1. Support DFIR Training (and me) on Patreon and get lots of rewards like online courses and ebooks, or 
  2. Get a bunch of online courses that I make for only $20 a month, which goes toward supporting DFIR Training

Either way works 😊

 

 

  3441 Hits
OCT 27

The Biggest, Baddest X-Ways Forensics Cheat Sheet ever

Posted by Brett Shavers
in  Digital Forensics

The short version:

Support DFIR Training on Patreon and get this X-Ways Cheats ebook for free!

The longer story:

One of the most useful things I made for the 101+ Tips & Tricks X-Ways Forensics course was the Ultimate DFIR Cheats! X-Ways Forensics ebook. This is a 118-page book that is a free ebook download in the course, or you can buy the same book in print at Amazon.com. This book is the most comprehensive book of cheats for X-Ways Forensics written!

There are easy-to-follow charts and tables describing the 3-state checkboxes, all the ways to add evidence (plus the shortcuts), and more. This is not a book on “how to do forensics” and it is not a 2nd edition of the X-Ways Forensics Practitioner’s Guide. It is a huge collection of cheats, tips, & tricks!

So, you can buy the print book on Amazon or, better yet, get the ebook free as part of supporting DFIR Training on Patreon at http://www.patreon.com/dfirtraining. This is also the only way to access the 101+ Tips & Tricks for X-Ways Forensics course, which, given everything else you can get (X-Ways Forensics Practitioner's Guide online course, Placing the Suspect Behind the Keyboard course, Windows Forensic Environment course, DFIR Case Study series, and more), makes this a pretty good deal.

 

  6554 Hits
SEP 29

#DFIR Traveling Isn’t

Posted by Brett Shavers
in  Digital Forensics

For those working in DFIR, there are some who don’t travel, some who travel a lot, and some who travel all the time. Depending on the person, any of these can be enjoyable or exhausting.

Right to the point

If you travel for business, try to carve out a little time for sanity and lifetime experiences. It may not cross your mind at the time, but if you can, ‘stop and smell the roses’. You will do more for yourself than you realize by simply taking a look around, as much as you can, when you can.

You will have regrets

When I worked undercover and traveled, I had a blast. For one, I didn’t foot the bill, practically had an open checkbook for everything, and had either a cover team, rescue team, surveillance team, or a combination of several teams for my work. They did what I called the boring stuff. They followed me around while I pretended to have a good time and negotiated deals. I traveled to many places (not just in my county, or my state, but several states and countries). Here is my memory of most of my “travels”. I can tell you the name of some of the most expensive restaurants, fancy hotels, and crazy nightclubs. I can also tell you about the layout of many FBI, DEA, ICE, and foreign law enforcement offices in each of these places. Beyond that, I didn’t see much. I am certain that I drove by scenic areas and probably some world heritage sites or something, but I never saw more than what I remember doing for work.

For my forensic travels, in the first years outside law enforcement, it was the same. Basically, it was a phone call > engagement letter > next flight out > collect data > first flight back. Then, rinse and repeat. Again, I can tell you the general layout of airports, office buildings, elevators, and conference rooms. Not much more than that.

A result

I have stamps in my passport from places that I didn’t really visit. Maybe I met a criminal in a bar doing UC work on one trip, or imaged a drive in a cubicle for a forensic gig on another trip. For speaking gigs, it used to be the same thing. Fly in the night before, speak, fly out. One conference room blends into another, just like the airports. Either way, I didn't really "travel" and I never intended to make a vacation out of any work anyway. I don't do that anymore. I still do the work I am hired to do, but when I am not being paid after the work is done, and I have that magic element of "a little time" to spend, I spend it.

Work to make it better

Go see something in the places you travel, even if it is just a walk around the block. Do your work, and then do something to reflect on being on a spot on the globe where you've not been before, or not really seen. I’ve spoken to a Secret Service agent who seriously did world travel with presidential protection. The thing he most experienced and remembered in all his travels: stairwells and nothing else. Understandably, those travels probably didn't leave a minute for personal time, but for the rest of us, we generally have a few minutes to spare.

Granted, work comes first, and sometimes you practically have to HALO in and it feels like you are being renditioned in a matter of hours. But when you can, take a breath. I know that many times we create our pressure cooker situations because we thrive on it. A healthier and happier way is really to stop and smell the roses, which means turning off HBO in your hotel room and going outside. Talk to someone at the little shop and actually travel.

P.S. Thank me later.

  8188 Hits
SEP 18

Patreon at DFIR Training

Posted by Brett Shavers
in  Digital Forensics

If you haven’t seen yet, I started a Patreon page for DFIR Training (www.dfir.training). I’ve done this for a few reasons to benefit those interested and me personally. I think if you see the why, you may want to jump over and support the page.

If you support the Patreon page, you’ll get access to the training courses that I have created and those that I will continue to create. You’ll get 24/7 access to the courses and certificates of completion for supporting me at Patreon.

The training courses will keep coming and the posts/videos to Patreon will keep going as well. 

The main point: Supporters on Patreon will help grow www.DFIR.training, be recognized for their support, and gain some cool rewards.

There are a lot of other cool things that I have planned for DFIR.training too... Some will be available only on the Patreon page as rewards for supporters, and other things will be added to the website freely. If you decide to support through Patreon, you are on my hero list and I sincerely thank you.

Another point on Patreon

You should take a look at what is on Patreon. There are quite a few creators on Patreon that deserve a look. I’m supporting a few too, if for nothing else but to support someone’s effort in the field and to keep them doing what they are doing.

Thanks in advance!

  2690 Hits
SEP 18

You can hack if your government says so. Right?

Posted by Brett Shavers
in  Digital Forensics

Twitter had some great comment threads on the North Korean government hacker (PARK) who was criminally indicted by the United States. The main point in the threads that I read revolved around whether or not the NK hacker should have been indicted, as he was ‘only following orders’.

If we assume the attribution of PARK is correct, in that the US correctly identified a specific person that hacked Sony (and other things), then the question is “What does a country do?”

My opinion

  1. Criminally charge the hacker, set a court date, and wait...or
  2. Sneak in, grab him, drag him to court, and/or
  3. Sony sues him.
  4. Go to war against NK.

As to these choices:

#4 is extreme, with too many consequences.

#3 will go nowhere.

#2 might start a war without declaring war.

#1 shows the enemy that we can/WILL find them without going to war.

 

I vote for #1.

The affidavit

Right off the bat, the affidavit lays out the crimes committed. This is par for the course for any (all) affidavits. You have to spell out the crimes. But the point I make is that “crimes” were detailed, not military actions. Meaning, a crime committed results in a crime being charged.

The issue on Twitter was that since PARK was only a government hacker just doing his job, the USA should not criminally indict him, because it would result in the unintended consequence of USA hackers potentially being criminally charged for doing the same thing to foreign countries. This would be like, “hey, don’t criminally charge burglars because I am a burglar too and I don’t want to be criminally charged for when I burgle homes.”

Now to “duress”...

Firstly, duress does not relieve someone of culpability, meaning, even if a gun is to your head to put a gun to someone else’s head, that doesn’t relieve you of being responsible for what YOU do. Yes, some argued that under duress, you don’t have a choice, but seriously, you do have a choice of ‘bad choice #1’ and ‘bad choice #2’. Your morals tend to guide your decision, so those who say PARK had no choice but to do what he did must also believe that choosing to victimize a totally innocent person because you don’t want to be a victim yourself exonerates the person from the crime. Not in my book. Or in any law book that I have heard of.

As to PARK’s specific ‘duress’, only PARK knows, and for that reason alone, you can’t excuse his actions based on assumptions of duress to him or threats of harm to his family. 

A more relevant example of duress not being an excuse for committing a crime is that NK/PARK sent threatening messages to Sony demanding that Sony employees sign a statement against Sony or else the employees' families would be at risk of harm from North Korea. So here goes the rationale that doesn’t work for duress. The NK government threatens PARK to hack Sony or face harm to his family, then PARK emails Sony employees and threatens to harm their families if they don’t sign a statement against Sony. If a Sony employee then did something illegal, is he immune because PARK told him to do it or his family suffers? And PARK only did it because his family would suffer, and PARK’s immediate supervisor only told PARK because...and on and on. The line is drawn at the actor.

THE BIGGER POINT: What about the USA government hackers?

Again, my opinion is that there is no difference between the USA criminally charging an individual as in the PARK case and a foreign country charging a USA citizen in the same type of circumstance. The legal authority given by one country does not and cannot be extended to any other country. Laws don’t work that way. Cyber might appear different because (1) it’s fairly new and (2) you don’t have to physically HALO into a country to do damage.

There are exceptions, which are too deep to get into here, but the exceptions basically amount to having approval to ‘operate’ in a foreign country with the explicit approval of that foreign country. This applies to any foreign national in another country operating under a government’s orders (such as a military service member or government employee, like a spy or diplomat).

A personal law enforcement example I can give is that one country authorized me to work a case in their country as an undercover officer, but did NOT authorize me to carry a gun (Canadians......). However, another country did authorize me to carry a firearm while working undercover in their country. Now, if I went into Canada to work a case with Canadian authority BUT brought my gun and said that my government gave me authority....that would not have been legal. Laws are specific to the country and the granted authority is specific.

I have another LE example of getting authority to operate in a hostile environment. My partner and I (she’s probably reading this, and will remember well) asked the Sergeant at Arms for permission to enter an OMG club meeting. By OMG, I don’t mean O My God, but rather Outlaw Motorcycle Gang. The permission was reluctant, and we would have gone in anyway (with the entire PD...), but with his permission, we walked right in, said hello, made some introductions to key decision-makers, and left. Given 100:1 odds, permission was the better route than calling in the world for support for what we wanted to do. The point being, we had legal authority to enter (it was a public-private venue) but the authority of the OMG would certainly be violated without at least asking to come in.

This leads me to the part of the story that says everyone who volunteers for the military is at risk of committing crimes in foreign countries, even when given the authority by their government. Wars are usually fought in enemy countries, in which the enemy is not going to grant authority for an invasion. If the enemy wins, expect criminal trials of individuals for following the orders of their government.

Hacking foreign nations was done/is done with the false perception of immunity from prosecution. Doesn’t work that way. Spies know this too. How many have been arrested outside of their country and either convicted of crimes or traded between countries? Or killed? There is no difference between slithering into a country to kill a military leader in an enemy state and hacking into the computing systems operated by an enemy state.

 

DO NOT take this to mean that I believe USA govt hackers are criminals, or that they should be arrested. Totally inaccurate. I’m all for freedom in the world and against oppression of people. To the USA government hackers, I say, “Go for it and do a good job.” For the nation-state hackers damaging the USA, I say, “We are going to find you and if we can grab you, we will.”

 

The big negatives for government employees are that for the rest of your life, you must live under the assumption that there is an enemy country somewhere that wants to arrest or kill you, and that even when you leave your job, the risk remains. Like, forever. They may have you on a hit list if you ever leave your country, or even have plans to take you out while you are in your own country. This is not spy fiction, but reality.

 

For more perspective, and on a different scale, law enforcement works with the same premise. LE has government authority to do things, like exceed the speed limit and arrest criminals. But consider the criminals as foreign nations. When a police officer makes an arrest, organized crime and criminals do not see that LE is immune to their justice. An informant will be (has been) tortured and/or killed as much as a CIA asset can be (has been). Undercover cops can be (have been) tortured or killed for legally operating under government authority, but not under the authority of the criminal element. The only thing preventing this from happening is that the ‘other side’ chooses not to do it in most instances.

 

These are the things to know before taking cool and important jobs. It’s like knowing that sharks can eat you. You may not agree with a shark biting your leg off, but it is reality.  You just have to be careful where you swim, and if you do have to swim with the sharks, you run the risk of getting eaten. 

An easy decision-making tree :)

  1. Are you in your own country?
    1. Yes
      1. Do you have authority to operate in your country?
        1. Yes - No crime
        2. No - Crime
    2. No
      1. Do you have authority from your country AND host country?
        1. Yes - No crime
        2. No - Possibly a crime

 

I hate to do this....

But, I’ve been called out with a Twitter DM on not knowing anything about this topic by someone who said they know everything about it. So, a short baseline of my perspectives on USA operations outside of the USA (and NK specifically) is: I’ve been deployed all over Asia (including Korea) for a few years in military service, did police work after that and was assigned to a federal task force that investigated Asian organized crime, I operated as an undercover officer outside the USA, and I have lived in an Asian culture for 30+ years to the extent that both my kids speak 2 different Asian languages (one even degreed in Chinese..), and I taught Asian OC investigations to a few hundred investigators over the years. In other words, Asian culture and North Korean history is not new to me, nor is operating in foreign countries.

  2530 Hits
Tags: Hacker, North Korea
AUG 30

101+ Tips & Tricks with X-Ways Forensics

Posted by Brett Shavers
in  Digital Forensics

Let me get something out of the way: X-Ways Forensics (XWF) is not the only forensic suite I use. It just happens to be one that I use a lot, and I like it a lot. I also like plenty of other forensic suites, but XWF is my go-to, especially for deep dive forensics.

To help me learn XWF, I wrote a QuickStart Guide, a book (with Eric Zimmerman), created an online course, and most recently a Cheat Sheet (or cheat-booklet..). All of these things helped me learn XWF enough to really exploit XWF to my potential. There are certainly more uses of XWF that I haven’t come across yet and that aren’t documented either. I'm always looking for the undocumented features of any tool.

Here is what I gathered on the demand for the past XWF material that I have created. The QuickStart guide has been downloaded well over 10K times. The Cheat Sheet reached over 3K downloads in just a few days. The book has sold thousands of copies. And the online course recently reached over 2K registrations.

So, what is next with you, me, and XWF?

The current XWF online course will stop taking new registrations at the end of September 2018 and eventually be taken offline by the end of 2018. A new course will be published in October that will be a supplement to what you have learned with the XWF online course. The new course is……

The new XWF course is unlike the online XWF course, in both presentation and material. Since it is not about basic usage of XWF, I am only opening the course to those who have taken the basic XWF course, since you’re going to have to know the basics of XWF to take advantage of 101+ Tips & Tricks of X-Ways Forensics. There will be fewer explanations of XWF since the topics will be straight to the point of demonstrating more than 101 tips & tricks.

For those who have taken the current XWF online course, you can expect an email when 101+ Tips & Tricks with X-Ways Forensics opens up in October (if you haven’t unsubscribed from your course emails). Course registration will be $150, but as usual, the first weeks will have a promotion for early registrations. And as usual, completion of the course earns you a printable certificate (not a certification, but validation that you completed the course as proof of professional education and training hours).

*  If your access to the online XWF course has expired, you will still receive an invite if you did not opt out of course emails.

*  If you unsubscribed from course emails, email me directly so that I can put you on the notification email list.

*  IMPORTANT! If you have not taken the X-Ways Forensics Practitioner’s Online course, you will not receive an invite, which is by design, as the new course will be fast-paced and builds on the practitioner's course. But if you want an invite and haven't taken the online course yet, you can sneak into the X-Ways Forensics Practitioner's Guide Online course now at a half price of $29.99.

 

  6828 Hits
AUG 27

How to Start a Digital Forensic Lab in Your Police Department

Posted by Brett Shavers
in  Digital Forensics

So, you want to start a brand new, right-out-of-the-box, digital forensics lab in your police department?  Want some tips? 

If you (1) work for a large department, you probably already have a digital forensic lab staffed with full-time, commissioned examiners. But if you (2) work for a small to mid-sized agency, your department may either farm out forensic work to an outside agency (OSA) or simply doesn’t do any forensic work on any seized electronic device. Hard to believe, but yeah, it still happens.

If you fit the second situation, the first question that I have for you is, does your department want a digital forensic lab or is it just you? This is a crucial question, because if your department is behind implementing a forensic lab, then you have a gravy meal ticket to get it done, within whatever budgetary means allowed. For this scenario, there’s not a whole lot I can tell you, other than congrats! You have it easier than most. I’m not going to talk about that scenario since the hard part is done, that is, having pre-approval to build out a lab.

Now, for the rest of you, where your department doesn’t even know it needs a digital forensics lab, or refuses to consider it, or may not have a penny in the budget to spare, this blog post is for you 😊. If you want a lab, you can have it by doing what needs to be done, in a manner that works with your agency, not against it.

Let’s picture the lab you want before we get started. Given an unlimited budget, what would you want? Would it look something like this?

 

Enjoy that moment you had with your dream lab, because unless you control the checkbook, dream on….your dream lab isn’t going to be even close to this. But, you can still start a lab using a few tips and tricks. Think big and accept that you most likely will start out small…very, very small..

Common obstacles

Staffing

There is no ‘free’ person to be assigned to a new forensic position. Staffing is already (always) short.

Budget

The mysterious budget is never enough to cover the basics as it is, let alone build out a forensic lab.

Space

We have no room to spare to create a forensic lab.

Time

Spending months to train someone on department time probably won’t happen when the department doesn’t see the benefit.

Examiner selection

Maybe you won’t be the person selected for the position that you suggested ☹

Opinions

We need cops on the street, not on a computer. Plus, we’ll send out any evidence to an OSA and accept the length of time it takes for someone else to do our forensic work.

Examples of methods that are not the best to try (not just from my agency)

I have seen a detective take one basic course in forensics, come back and demand that the agency spend $30,000+ on gear and training to create a forensic lab. The agency agreed to spend a little, but the detective said “all or nothing” and the result was nothing. The detective never did get into forensics…

I have also seen detectives who were selected for forensic spots turn down training and gear because of the strings attached to it, such as sharing with another agency, or sharing forensic work with other agencies, or having to attend (free) training that didn’t fit the detective’s personal schedule (one even turned down a conference because the agency wasn't paying for lunch..). If you turn down something free, like a two-week forensic course or a conference, out of spite or whatever else, you probably set yourself back a year. Not the best idea. Plus, if you have someone like me working in your agency, I'm coming for your spot because I'll do whatever I can to get it.....keep that in mind.

Some ways that I have seen work

The mobile lab

Before I started a forensic lab in my agency, I first saw a ‘mobile lab’ that a patrol officer created, and I was both impressed and inspired. The patrol officer took a lot of training on his own time (vacation) and own dime (he paid out of his own pocket). He even bought the basic gear needed for the most basic of forensic work with his own money. He carried around the gear in the trunk of his patrol car, ie, a “mobile lab”.

Whenever an electronic evidence item was seized, if he could do the work, he did it in addition to handling his calls. It took several exams of the most basic nature before his agency took notice and eventually crowned him the department forensic examiner. However, he was still in patrol. The good news was that he had the title of 'forensic examiner' as an added duty. The better news was that the tab for his continuing education and gear was picked up by his agency.

The closet lab

My personal example is the closet lab. Having seen how the mobile lab example worked, I took this route to start a forensic lab in my department. At the time, my department was sending any forensic work out to the state lab, to agencies that would take the work as their time allowed, or sometimes even to hired private-sector examiners. I figured the path of least resistance would be best, with the goal of making an offer that couldn't be refused.

Here are some of the things I did in preparation:

  • Took vacation and paid out-of-pocket for training courses
  • Joined the local high-tech crime association
  • Gathered FOSS tools and paid for some basic software (WinHex, etc.)
  • Became certified in the basics of tech (A+, etc.)
  • Hosted forensic courses in exchange for a free seat in the courses
  • Visited every lab within driving distance for tips, guidance, and ideas
  • Wrote an entire policy on forensics (merely customized what other agencies had already done)
  • Wrote a proposal for the implementation of a digital (computer) forensics lab
  • Created a list of every ‘free’ training and gear available (coming back to this list later…)
  • Found a closet full of junk that could fit a small desk and chair
  • Made friends with the IT department (important!)
  • Joined the local ICAC
  • Did a lot of little things too, like reading books and talking to anyone/everyone in forensics who would talk to me

All of this took my personal time and my own money. It took a lot of time. I don't even know how long I worked on it before I even proposed it.

A personal point on spending your own money. I believe that if I want something to use in my job that I feel best fits me or helps me, and my job doesn’t provide it, I will buy it. This is a personal decision based on personal factors, and your opinion may vary.

Then I waited for a case. As soon as I saw one, I jumped on it and helped the case detective with the forensic part. I did what I knew how to do. Easy things at first. I did this as much as I could and, luckily, I was in a position where I could do it in between other work I was assigned. As a side note, I carried over 100 cases at a time, including major casework, undercover assignments, and more. It can be done if you want to do it.

Then came the big ask.

Remember what I mentioned about creating a list of free training/gear? Get it ready. There are plenty of federal grants for free software, hardware, and training. Print out the forms, fill them out, and bring them along with your proposal and policy to whoever can crown you the forensic examiner. At that point, your agency will not have spent any money (sorry, but you had to), they will have a basically trained examiner at the ready (turnkey, on the spot), and they can sign an agreement for the free stuff that you already put together.

Hopefully, you kept stats on the forensic casework you have done, the results of the cases (plea deals, convictions that otherwise would not have happened, etc.), plus records of any and all training you have done on your own. Maybe have some recommendations from detectives you have helped in their cases. You’ll be amazed at how happy a detective becomes when you find all the probable cause they need for their case on a hard drive…

Remember that closet you found earlier? If at this point you aren’t given a ‘lab’, point out that as long as you have a locked room, like that unused closet in the basement, you are happy and good to go. I was given my closet, which became the "Computer Forensic Lab". I tossed out the garbage, put in a desk, chair, and all the scraps from IT to build out a lab. The grant gear came in piece by piece until I had it all. The goal is to get your foot in a door, any door. You can expand everything in time.

Excuses and roadblocks

I believe that an excuse is merely giving up. I also believe that some roadblocks can’t be overcome easily, and a few cannot be overcome at all. It is difficult to know which is in front of you. Sometimes you work hard on one of the insurmountable roadblocks, and other times you may give up on something that you could have gotten with a little more time and effort. You just never know. Also, government work is different from the private sector. In most instances, it is not merit that is rewarded or compensated in government work. That is just the way it is. In the private sector, if an employee comes up with an idea that makes money, that employee is given a whole lot more leeway in doing things. In government, not so much. Sometimes, it is just the opposite.

I have seen more people in police work try to get into forensics and give up than I have seen succeed, due to both personal reasons and the office roadblocks. Politics plays a part. Staffing plays a part. Even personability plays a role. But if you want it, prepare yourself for lots of work, a long period of time, and possible rejection at every step. As for me, I was getting into forensics one way or another, in or out of government service.

The short story of this guidance is simply:

  1. Become a forensic examiner on your own time and own dime.
  2. Prep everything your department needs to start a lab.
  3. Be the only person fit and competent to carry out the position when you ask for it.

I’m sure other methods work too, but as for me, I'd rather plan it out, prep everything up front, become the only person for the position (at least the only turnkey-ready person), be happy with what I get, and work forward from there. Doing nothing more than asking to be sent to training and to be given everything up front will probably result in either a terse ‘No’ or a ‘Good idea! We’ll need a committee to discuss it, request it in next year’s budget, and then the following year open the position up to everyone in the department.’

Getting in is the hard part. It’s a cakewalk after that.

If you read this far and already have a forensic lab in your agency, they probably went through something like this in the beginning just to get started in a small closet 😊

If you have done something like this, or especially if you did it differently, let me know. I'm curious about the innovators in police work in this field. By the way, if you can get something like this done in police work, you are extremely marketable outside of police work.

Recent Comments

Ken Pryor, Tuesday, 28 August 2018 16:29
Great post, Brett. Your experience mirrors mine in many ways. My small department had no lab and no real thought had been put into...

Brett Shavers, Tuesday, 28 August 2018 16:51
There is so much free (to LE) training and gear that no agency should be without a lab, even one in a closet. Good points on the...
AUG 13

X-Ways Forensics Cheat Sheet and “Three Things”

Posted by Brett Shavers
in  Digital Forensics

I had the pleasure of talking to a group of high schoolers about digital forensics recently. After showing some neat things to get their interest, the fun really started with hands-on demonstrations. I decided to use X-Ways Forensics for the hands-on fun (tip: be sure to register your dongles with the X-Ways Forensics insurance feature).

Since the talk time was limited, I broke X-Ways Forensics down to three things:

  1. Add the source
  2. Process the data
  3. Find the evidence

Breaking a topic into three parts makes it easier to understand and learn, especially for new, complex, or new and complex topics. X-Ways Forensics certainly fits in the new-and-complex area. However, when you look at X-Ways Forensics or any digital forensics application, they all break down into the same three functions: adding the source, processing the data, and finding the evidence. Actually, if you can break down anything you teach into three parts, you'll be more effective in getting your topics across to your audience (be it a supervisor or an auditorium of students).

Based on these three functions, I created an X-Ways Forensics cheat sheet for the students which I think will benefit anyone using X-Ways Forensics. What I wanted to show visually is that there are “x” ways of using X-Ways Forensics. For many of the functions, you can get there by one, two, three, four, or more different routes (via menu, icon, right-click, command line, X-Tensions, shortcuts, etc.).

Perhaps this is a reason why X-Ways Forensics seems initially overwhelming, but when looked at differently, it is seen not as “how do you make sense of this?” but as “of course this is how it works.” This is how I look at any software, especially DFIR software, since few are overtly designed to be intuitive, and some appear to have been designed intentionally to be counter-intuitive.

How to learn X-Ways Forensics

Self-learning can be painful and slow. For anyone thinking about using X-Ways Forensics, or wanting to learn more about it if they are currently using it, here are suggestions ranked from free to not-free to do.

  • Read the manual. Free
  • Read the book.  Inexpensive
  • Take the online practitioner's course. Half price this week at $29.99!
  • Take the official X-Ways Forensics course. 

Half price registration expires August 29, 2018.  (30 day access) Over 13 hours with a certificate of completion! 

AUG 03

Brett's opinion on DFIR notes and note-taking

Posted by Brett Shavers
in  Digital Forensics

I’ve read some really good material on the importance of taking notes over the years and a recent post written by @mattnotmax is no exception (Contemporaneous Notes: a forensicator's best friend).  There are plenty of really good DFIR related blog posts on note-taking (like here: https://www.forensicnotes.com/digital-forensics-documentation-contemporaneous-notes-required  and here: https://windowsir.blogspot.com/2018/08/notes-etc.html) . This is just my personal take on the matter.

Contemporaneous Notes: a forensicator's best friend #DFIR https://t.co/qdGRs4OzEI

— Matt (@mattnotmax) August 2, 2018

Here comes Brett's opinion...

People don’t take notes because:

*  lazy, or

*  fear, or

*  believing notes are unimportant, or

*  no one makes them

On Laziness

If you have the time, a pen, and paper, there is no excuse for laziness. If you simply don’t want to take notes because of too much hassle, that is your choice. You could work an entire murder investigation without taking a single note if you wanted….however, good luck with that.

On Fear

If you are afraid of being called out on your notes, it is much worse to be called out without notes. The opposing counsel is going to accuse you of not taking notes, taking too many notes, too much detail in notes, not enough details in notes, bad handwriting, transcriptions not being exact to your handwritten notes, and anything else to discredit you.  The worst situation is not having notes.  With notes, you’ll come out of the cross-examination fire less scathed.

On Importance

If you don’t believe notes are important, one day you will find out just how important they are. This could be due to personal embarrassment or a hit on your professional reputation when all you had to do was take a few notes a few months earlier on one of those few cases you were working. Regret sucks, let me tell you…

Because no one requires it

Some organizations don't care if you take notes or not. Supervisors may not even have a clue as to the importance, or maybe nothing is ever called into question which creates the perception that it is not worth the effort.  In those cases, good luck. Hope it works out that you never needed to take notes. I'd prefer making note taking a habit, required or not.

Brett’s Tips on Note Taking

* If you are a messy writer to the point that you can barely read your own notes five minutes after scratching them down, transcribe them right away via writing neatly or typing them out. Or use technology to take notes, not a pen.

* Keep your notepads. Don’t tear out sheets. Keep all of them. Store them in a box when full. Forever.

* Date/time stamp your notes. You’ll appreciate this later.

* Write as much as you need that you know will refresh your memory years later.

* Correct your notes when you realize you made a mistake. It’s better that you catch your mistakes before opposing counsel does, because opposing counsel won’t tell you about your mistakes until the jury is present….their goal is to embarrass you, discredit you, and catch you off guard.

* If time is tight, use a voice recorder as you work. Talk to the recorder as you do each step (“Aug 1, 1455, I removed the hard drive with serial number xxxxx from workstation xxx”).  Transcribe the recordings when you have time.

Taking notes

Try different methods and find one you like. Some like a pen and pad of paper. Others prefer a tablet, typing into an application that encrypts the notes, then hashes the notes, then stores it in the cloud, and you need a fingerprint scan coupled with a DNA sample to open (jk).  Simply pick what you like to do, and keep doing it.

As for me, I use a recorder if I am doing a lot of things at the same time with a short time to get it down. I transcribe the recording into notes/report and keep the recording just in case. On very important jobs, I will audio/video record it even though the physical tasks are simple. But everything I do gets written down.

Relying on memory instead of note taking

Don’t do it. Seriously. Don't do it.

A few of my experiences directly related to note taking/report writing

Felony trial: I was the only one who wrote a report on an arrest, and I had notes backing up the report. When all involved got subpoenaed for trial, everyone used my report to refresh their memory in order to write their own reports…months after the fact. Win for me, fail for everyone else.

He-said interview: I interviewed an informant with my partner taking notes as we spoke. Informant later testified that he never said certain things. I didn’t have notes (only my report) since I was doing the talking, but my partner did. Win.

Damned if you do: On cross-examination, opposing counsel criticized that I took too much detail in my notes and implied that I must have made some of it up.  Felt like a fail, but ended up a win.

Damned if you don’t: On cross-examination, opposing counsel criticized that my notes didn’t reflect all the important things in the case, and that I was ‘filling in the blanks’ in court. Felt like a fail, took a lot longer to testify, lots of double-bind questioning, but ended up with a sweaty win the hard way.

Brother, can you spare a dime?: While at FLETC forensic training, I typed notes with every lesson. Literally, I typed notes as the instructors spoke, sometimes transcribing verbatim what was being said, pasting screengrabs during demos, and basically writing a FLETC forensic course book as my notes…. At the end of PCERT, BCERT, and ACERT, I had a Word document the size of a novel. Can you guess what the guy sitting next to me said in the last week? “Hey, can I get a copy of your notes?” He took no notes for months (and didn’t get a copy of mine, seeing that I kept telling him to take his own notes the entire time)...fail.

Time to re-do everything:  I took on a case where the client fired their prior forensic examiner. I received all the prior work, which was simply a hard drive of exported files in folders. No notes. No reports. Nothing. I had to re-do everything as I had no idea what they did to find what they found, or the relevance to anything on the hard drive. Fail for the prior examiner.

Cringing when watching: I watched someone who qualified as “expert” minutes earlier get grilled when he didn’t know the version of a program that he used, nor if he had a license for it. His notes didn’t have anything, nor did his report. He didn’t even remember or write down which software he used for some findings. I felt really bad for the guy, but then again, he was on the other side….win (for me).

Validation of wiping a drive: I was hired to wipe a drive. There was data on the drive that was really, really important, like potentially national security important, and the data was court-ordered to be destroyed beyond recovery. I didn't pick the wiping/destruction method, nor did I have any input on the method, but I did the work. We had 5 witnesses, a cameraman, a note-taker, two attorneys, and two forensic examiners, all cramped in a small conference room. The wiping process consisted of drilling holes through the hard drive, all the while being video-recorded, and then holding up the hard drive to the camera with pencils sticking through it. Then the drive was destroyed even more. That was the most intensive "note-taking" I've done.

There are many other little stories, but it all comes down to either you take good notes or you don’t. This is a personal decision based on what you prefer to do. However, when I am in charge of any engagement, everyone takes notes. Everyone. I mean everyone. Literally everyone. If you show up expecting to get paid, you write what you did.

I’ve been the case agent or project manager on too many occasions where people were ‘helping’ at the time, but when the fun and games are over, they go home without writing a thing because writing is apparently no fun and unimportant since it’s not their project or case. As for me, no one goes home until the paperwork is done. That means everyone writes and everyone writes before closing up shop. If you don't make it happen at the time, do not expect it to ever happen and it will be your fault, not the fault of your helpers.

Note-taking tip for DFIR hiring managers and applicants

Ask the interviewees if they have a pen and paper on them at the time of the interview. If someone does, you've got yourself a note-taker. Extra points if there are actual notes in the pad and it's not still wrapped in plastic because they bought it on the way to the interview, in hopes you'd ask for it...

What's the standard?

As far as I can tell, there is no standard. If you ask the cross-examining attorney, she will tell you that the standard is the opposite of what you did, regardless of what you did. One supervisor will have a different standard than another. Different organizations may have different standards. Some may base their standards on technology, as in, "I really like this note-taking application, so everyone use it!" or "I hate typed notes, everyone write them on paper." It all depends. Practically, I believe that as long as you write it down, you will remember what you did, and whatever you did not write down will hopefully be refreshed when reading your great notes.

As to having to compute a hash value for your notes, encrypt the file, store it in a container, and preserve all metadata for eternity, I don't think all of that is necessary. I have never been accused of fabricating notes or evidence. I write it down. I write what I did. I write the date and time on everything. If my integrity is challenged as to the validity of the evidence I recovered, then that is the sign that the opposing counsel has absolutely nothing else to work with, other than trying to sling mud that isn't going to stick. All because I took notes. That's a win.
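For those who do want the timestamp-and-hash approach mentioned above, here is what the lightweight version looks like in practice. This is an added example, not code from this post or from any tool named on this page. It keeps notes in an append-only list, stamps each entry with a UTC time, and chains each entry's SHA-256 digest to the previous one, so that editing, deleting, or reordering an earlier entry is detectable later. Corrections are appended as new entries that reference the old one rather than edited in place, which mirrors the tip above about correcting your notes. The examiner name, workstation and serial-number placeholders are constructed sample data, not from any real case.

```python
"""Append-only, timestamped, hash-chained examiner notes (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor used as the "previous hash" of the first entry


def _digest(prev_hash, ts, examiner, note):
    """SHA-256 over a canonical JSON encoding of one entry's fields.

    sort_keys and fixed separators make the encoding byte-stable, so the
    same fields always produce the same digest on any machine.
    """
    payload = json.dumps(
        {"prev": prev_hash, "ts": ts, "by": examiner, "note": note},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_note(log, examiner, note, ts=None):
    """Append one entry; the timestamp defaults to now (UTC, second precision)."""
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "ts": ts, "by": examiner, "note": note}
    entry["hash"] = _digest(prev, ts, examiner, note)
    log.append(entry)
    return entry


def append_correction(log, examiner, index, corrected, ts=None):
    """A correction is a new entry pointing at the old one, never an in-place edit."""
    return append_note(log, examiner, f"CORRECTION to entry {index}: {corrected}", ts)


def verify_chain(log):
    """Return (True, entry_count) if intact, else (False, index_of_first_bad_entry).

    Catches an edited field (digest mismatch) and a removed, inserted or
    reordered entry (prev link mismatch).
    """
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev:
            return False, i
        if _digest(e["prev"], e["ts"], e["by"], e["note"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, len(log)


def demo():
    """Constructed sample session: an intact chain, then a silently edited copy."""
    log = []
    append_note(log, "Examiner A", "Removed hard drive S/N xxxxx from workstation xxx",
                ts="2018-08-01T14:55:00+00:00")
    append_note(log, "Examiner A", "Attached drive to write blocker, began imaging",
                ts="2018-08-01T15:02:00+00:00")
    append_correction(log, "Examiner A", 0, "S/N was read from the label, not the controller",
                      ts="2018-08-01T15:40:00+00:00")
    intact = verify_chain(log)

    tampered = [dict(e) for e in log]
    tampered[1]["note"] = "Began imaging"  # after-the-fact edit without a new entry
    return intact, verify_chain(tampered)


if __name__ == "__main__":
    print(demo())  # ((True, 3), (False, 1))
```

Write the list out as JSON lines at the end of each session and the file becomes the notes themselves; anyone handed the file later can rerun verify_chain and see that nothing was altered after the fact, which is the whole point of the hashing step.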

 

JUL 29

Low-Hanging Fruit Report

Posted by Brett Shavers
in  Digital Forensics

Low Hanging Fruit: Evidence Based Solutions to the Digital Evidence Challenge

When I first saw the title, I thought this was going to be something different (as in “low hanging fruit in digital forensics investigations”), but instead realized that it’s a think-tank report asking to approve a new yet-another-digital-forensics-federal-agency tasked to develop a list of ISPs.

Here is my understanding of their proposal

Problem and Objective:

-Cops don’t know which ISP to ask for data

-Teach cops how to ask for data from service providers by creating a “New national digital evidence policy” that is also “going to require a dedicated office”.

Staffing needed for the new federal agency:

--10 to 15 technical experts

--10 to 15 additional support staff

--Director

--Deputy Director

--Administration assistant

--Part time administration assistant

--“Additional staff”

--“Additional expenditures” could include more staff and attorneys

--“Honorariums” to advisory board members

The cost? Hold on to your seat.

--$10 million for staff

--$100 million OR MORE for support

The part of $100 million that rubs me a little raw is that the amount was downplayed because it is so small compared to other government spending. That simply sounds to me like, ‘hey government, you spend so much money, how about I create a new agency and you give me a little off the top, like a cool 100 million?’  Even the staffing requirements are limitless with “additional staff”.

I’m not going into what I really feel about another federal government agency for $110+ million that is created to research the development of a spreadsheet of ISPs just so that law enforcement knows where to send a legal demand…

But I’ll get a little bit into the training that was referenced in the presentation. From their research/survey, they found that law enforcement only receives between 10-15 hours a year of digital evidence training. This conflated training related to legal requests (search warrants, etc.) with training in forensics. On top of that, I found no separation between “law enforcement officer” and “digital forensics examiner” in the training they referred to. I would say that 10-15 hours a year of digital evidence training for first responders is more than sufficient; for a forensic examiner it is a wee bit on the low side for annual training in analysis, but certainly not insufficient.

The problems with digital forensics training in law enforcement, and the obstacles I have seen, go well beyond which ISP to send a legal request to. In my experience, practically any detective or patrol officer can type up a legal demand and find out where to send it without a bit of digital forensics training, yet that was the number one issue in this report.

It’s the individual

There are two types of forensic analysts in government service. One who does the minimum. The other who goes well beyond the minimum.

I have seen some who are assigned to the cyber unit (cyber as in whatever the name of the digital forensics unit is called by each agency), take not a minute more training than being paid to take by their employer. For some, learning a skill for the job is directly tied to being on-the-clock and not a second more. This also applies to law enforcement lifesaving skill training…

The expectation is that the agency must provide everything they need to do their job. I’m not agreeing or disagreeing, nor getting into guild contract issues. But I will say that some do go beyond what is given to them. I have certainly enjoyed the benefits of government-provided training, spending months at FLETC and taking other out-of-state trips for training. I have also used vacation leave and spent my own money on training, books, and software when I was a government employee because I knew I needed more than what was going to be provided to me. Hearing statements like, “I haven’t read that book because my department won’t buy it” continues to amaze me.

The difference I have seen in skill level between the two groups is night and day. One detective told me that he refused to go to a forensic conference that his agency agreed to pay for because lunch wasn’t covered. He wasn’t going to foot the bill for his lunch and turned down the conference. The same detective also simply exports lists of CP filenames in his cases without any analysis and sends the reports for charging, specifically blaming his lack of analysis skills on a lack of department-provided training. A different forensic detective in a different agency spent three months trying to image a hard drive that I had already imaged for him but couldn’t figure it out (errors of some sort, I have no idea), yet lives by the same rule as the first example. You no pay me, me no learn.

I’ve seen other law enforcement forensic folks who are forensic gods. Their departments will be at a great loss when they retire or move into the private sector. This is not due to having higher IQs or the agency having a bigger budget but instead, they are putting forth the effort with a willingness to do better regardless of who pays.

Back to the $110+ million dollar agency

The main issue of this research was that cops don’t know which ISP to send legal demands. Their entire premise boiled down to one statement:

“Law enforcement needs to understand where to go to in order to ask for data.”  - Low Hanging Fruit presentation

My solution: We just need to create a list to do that.  

Another issue in the research was that current forensic programs don’t include legal demands in their training. Please, do not start doing this! Forensic training is forensic training.  Legal demands (like search warrants), don’t need forensic training and many times, it is not even the analyst writing the warrants if there is a case detective/agent working the case. Don’t waste an examiner’s time on how to write a warrant when they need to know how to extract the evidence and interpret it.

On the training and skill side of things, I don’t see a federal agency fixing anything as detailed in the report. We already have tons of grants, more training from more vendors than ever before, more folks trying to get into forensics, and more work than can ever be done. I can see $110+ million being spent on more effective measures for law enforcement forensics than what is proposed in this report.

Internal agency specific problems

My suggestion for increasing competence in law enforcement digital forensics is that each agency needs to change how it does business where electronic evidence analysis is concerned.

--Select those who can do the job to do the job (seniority does not equal potential competence)

--Pay for their training (to speed up the learning process)

--Stop rotating them out of the job (or competence in the unit will never be obtained)

--Create promotions within the unit rather than promote them out of forensics

--Remove those who can’t do the job and find someone who can

I make these suggestions only because I have seen the opposite of each of them done. It is not a federal agency’s responsibility to fix state and local digital forensics issues, especially at $110+ million.

I’ve been on a few boards and committees at the local and state level in attempts to do something about the lack of LE forensic analysis, but mostly they resulted in lots of talk, lots of notes, and the creation of another committee or board to start over. It is good to see interest in trying to make it better, but sometimes someone just has to put their foot down, stop talking, stop researching, and plainly get things moving.

Check out the research video here:

JUL 27

Leaking information isn’t the same as sharing information.

Posted by Brett Shavers
in  Digital Forensics

On a couple of private (mostly LEO) email lists that I am on, it seems that emails from the lists are being provided to media outlets, specifically those that relate to breaking into the iPhone. There is no doubt that this is being done, because as I read the articles, I see the actual emails that I have seen on the lists. Someone is leaking the emails from the lists. This is different from another email list that I am on where the emails were actually hacked and posted online a few years back.

In this current instance, someone on the list is sending copies of emails to the media, in nearly real-time.

https://www.forbes.com/sites/thomasbrewster/2018/07/26/apple-ios-security-boost-not-stopping-cops-hacking-iphones/#d43899171294

Side note: I’m not getting into how to hack iPhones.

My Opinion of the content of these leaks:
--Who cares?
--There are no “juicy” emails.
--Any information that a government employee creates is already a public record anyway.
--You can divulge every secret known to law enforcement and the intelligence communities, and the methods will still work.
 

However, in this instance of leaking emails to the media, I also don’t think it is a cool thing to do. There isn’t any whistleblower type of information that the public must know; it is just vendor stuff, and the vendors are private companies. If nothing else, the vendors are just gaining more marketing since media is reporting on the companies (see above leaked email as an example).

Plus, it is not cool to leak emails from a list that is intended to share information with those who need it to work important cases. As someone who worked in military intel, and then investigated violent offenders and terrorists, I know that these cases are important and that information needs to be shared in order to be effective. When a murder needs to be solved, a child must be recovered, or violence prevented, it is the sharing of investigative methods that will solve these cases. Leaks for no good reason only result in less sharing, resulting in fewer cases being resolved and, potentially, more victims being harmed. The fear that answering a question via email will end up on Motherboard means that few will be answering questions. The fear is not that the answer is top secret, but that, for most people, sharing information is not worth the public scrutiny that comes with someone else's pursuit of readership.

I’m all for public records requests and transparency in government, but for those who make it unnecessarily more difficult to do these jobs…that is not cool at all.  But these email lists do not fall under public records anyway.

As for me, I'll keep sharing because I know as a fact that one small piece of advice, one small bit of how-to, or a few words of encouragement to keep looking will make a world of difference to a victim by having their case solved. Solving a case doesn't just mean arresting someone. It means the difference of whether or not a family is reunited, whether or not a domestic violence victim can feel safe, and whether a victim can finally sleep at night without waking to nightmares of being victimized again.

Shame on anyone who makes this work harder than it already is.


DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.


Brett's blog

© 2022 Brett Shavers