Brett's Ramblings

What is the best way to get to Spokane from Seattle?
Brett Shavers
Digital Forensics
Stand by, here comes my opinion on forensic tools (software and hardware). I tend to prefer having the option to pick among a large selection of tools to be highly specific in solving problems. The fewer options I have, the more likely I will be doing an “OK” job instead of doing a “good” job. Worse still, when not having the...
Digital Forensics is Really Easy
Brett Shavers
Digital Forensics
The mechanics of digital forensics (and its related cousin, incident response) are fairly easy. A computer is a computer is a computer. Collecting data is collecting data. And an artifact is an artifact. As long as you follow the basic mechanical principles and concepts, you should be able to do the work without impossible obstacles. A most basic e...
On ransomware, my advice is different from that other guy's advice.
Brett Shavers
Digital Forensics
For engagements where my clients ask for help in preparing for a ransomware attack, the most asked question is, “Do you recommend we pay if it happens to us?” The decision to pay (or not) is based on the specific and unique situation. Are there unaffected backups? Is the encrypted data valuable or can it be re-created? Is the entire network he...
Don’t totally discount attribution in Incident Response work
Brett Shavers
Digital Forensics
I’m big on attribution in crimes. It is my personality and attitude, which you can probably tell from the things I write and say (and have done).  With that, I completely understand that the “IR” in “DFIR” is not primarily about attribution, if it ever is. The IR (Incident Response) is a different job than the DF (Digital Forensics), but still...
What is this thing called "Patreon?"
Brett Shavers
Digital Forensics
Some have found a Patreon page that I created for the DFIR Training website (http://www.patreon.com/dfirtraining). Here is a short description of what is going on with me, DFIR Training, and Patreon. First off, Patreon is just a way for you to support DFIR Training (and me!). You simply choose to subscribe at a level of support that you want. Right...
The Biggest, Baddest X-Ways Forensics Cheat Sheet ever
Brett Shavers
Digital Forensics
The short version: Support DFIR Training on Patreon and get this X-Ways Cheats ebook for free! The longer story: One of the most useful things I made for the 101+ Tips & Tricks X-Ways Forensics course was the Ultimate DFIR Cheats! X-Ways Forensics ebook.  This is a 118-page book that is a free ebook download in the course, or you...
#DFIR Traveling Isn’t
Brett Shavers
Digital Forensics
For those working in DFIR, there are some who don’t travel, some who travel a lot, and some who travel all the time. Depending on the person, any of these can be enjoyable or exhausting. Right to the point: If you travel for business, try to carve out a little time for sanity and lifetime experiences. It may not cross your mind at the time, but...
Patreon at DFIR Training
Brett Shavers
Digital Forensics
If you haven’t seen yet, I started a Patreon page for DFIR Training (www.dfir.training). I’ve done this for a few reasons to benefit those interested and me personally. I think if you see the why, you may want to jump over and support the page. If you support the Patreon page, you’ll get access to the training courses that I have created and t...
You can hack if your government says so. Right?
Brett Shavers
Digital Forensics
Twitter had some great commented threads on the North Korean government hacker (PARK) who was criminally indicted by the United States. The main point in the threads that I read revolved around whether or not the NK hacker should have been indicted as he was ‘only following orders’. If we assume the attribution of PARK is correct, in that...
101+ Tips & Tricks with X-Ways Forensics
Brett Shavers
Digital Forensics
Let me get something out of the way: X-Ways Forensics (XWF) is not the only forensic suite I use. It just happens to be one that I use a lot, and I like it a lot. I also like plenty of other forensic suites, but XWF is my go-to, especially for deep dive forensics. To help me learn XWF, I wrote a QuickStart Guide, a book (with Eric Zimmerman), ...
How to Start a Digital Forensic Lab in Your Police Department
Brett Shavers
Digital Forensics
So, you want to start a brand new, right-out-of-the-box, digital forensics lab in your police department?  Want some tips?  If you (1) work for a large-sized department, you probably already have a digital forensic lab staffed with full-time, commissioned examiners.  But if you (2) work for a small to mid-sized agency, your departmen...
X-Ways Forensics Cheat Sheet and “Three Things”
Brett Shavers
Digital Forensics
I had the pleasure of talking to a group of high schoolers about digital forensics recently. After showing some neat things to get interest, the fun really started with getting hands-on demonstrations. I decided to use X-Ways Forensics for the hands-on fun (tip: be sure to register your dongles with X-Ways Forensics insurance feature). Since the ta...
Brett's opinion on DFIR notes and note-taking
Brett Shavers
Digital Forensics
I’ve read some really good material on the importance of taking notes over the years and a recent post written by @mattnotmax is no exception (Contemporaneous Notes: a forensicator's best friend).  There are plenty of really good DFIR related blog posts on note-taking (like here: https://www.forensicnotes.com/digital-forensics-docume...
Low-Hanging Fruit Report
Brett Shavers
Digital Forensics
Low Hanging Fruit: Evidence Based Solutions to the Digital Evidence Challenge. When I first saw the title, I thought this was going to be something different (as in “low hanging fruit in digital forensics investigations”), but instead realized that it’s a think-tank report asking to approve a new yet-another-digital-forensics-federal-agency tasked t...
Leaking information isn’t the same as sharing information.
Brett Shavers
Digital Forensics
On a couple of private (mostly LEO) email lists that I am on, it seems that emails on the lists are being provided to media outlets, specifically those that relate to breaking into the iPhone. There is not any suspicion as if this is being done, because as I read the articles, I see the actual emails that I have seen in the email lists.  Someo...