Brett Shavers | Ramblings

AUG 30
101+ Tips & Tricks with X-Ways Forensics

Posted by Brett Shavers in Digital Forensics

Let me get something out of the way: X-Ways Forensics (XWF) is not the only forensic suite I use. It just happens to be one that I use a lot, and I like it a lot. I also like plenty of other forensic suites, but XWF is my go-to, especially for deep dive forensics.

To help me learn XWF, I wrote a QuickStart Guide, a book (with Eric Zimmerman), created an online course, and most recently a Cheat Sheet (or cheat-booklet). All of these things helped me learn XWF well enough to really exploit it to my potential. There are certainly more uses of XWF that I haven’t come across yet and that aren’t documented either. I'm always looking for the undocumented features of any tool.

Here is what I gathered on the demand for the past XWF material that I have created. The QuickStart guide has been downloaded well over 10K times. The Cheat Sheet reached over 3K downloads in just a few days. The book has sold thousands of copies. And the online course recently reached over 2K registrations.

So, what is next with you, me, and XWF?

The current XWF online course will stop taking new registrations at the end of September 2018 and will eventually be taken offline by the end of 2018. A new course will be published in October that will be a supplement to what you have learned in the XWF online course. The new course is...

The new XWF course is unlike the online XWF course in both presentation and material. Since it is not about basic usage of XWF, I am only opening the course to those who have taken the basic XWF course; you’re going to have to know the basics of XWF to take advantage of 101+ Tips & Tricks with X-Ways Forensics. There will be fewer explanations of XWF, since the topics will go straight to the point of demonstrating more than 101 tips & tricks.

For those who have taken the current XWF online course, you can expect an email when 101+ Tips & Tricks with X-Ways Forensics opens up in October (if you haven’t unsubscribed from your course emails). Course registration will be $150, but as usual, the first weeks will have a promotion for early registrations. And as usual, completion of the course earns you a printable certificate (not a certification, but validation that you completed the course, as proof of professional education and training hours).

  • If your access to the online XWF course has expired, you will still receive an invite if you did not opt out of course emails.
  • If you unsubscribed from course emails, email me directly so that I can put you on the notification email list.
  • IMPORTANT! If you have not taken the X-Ways Forensics Practitioner’s Online course, you will not receive an invite. This is by design, as the new course will be fast-paced and builds on the practitioner's course. But if you want an invite and haven't taken the online course yet, you can sneak into the X-Ways Forensics Practitioner's Guide Online course now at the half price of $29.99.

AUG 27

How to Start a Digital Forensic Lab in Your Police Department

Posted by Brett Shavers in Digital Forensics

So, you want to start a brand new, right-out-of-the-box digital forensics lab in your police department? Want some tips?

If you (1) work for a large-sized department, you probably already have a digital forensic lab staffed with full-time, commissioned examiners. But if you (2) work for a small to mid-sized agency, your department may either farm out forensic work to an outside agency (OSA) or simply not do any forensic work on any seized electronic device. Hard to believe, but yeah, it still happens.

If you fit the second situation, the first question I have for you is: does your department want a digital forensic lab, or is it just you? This is a crucial question, because if your department is behind implementing a forensic lab, then you have a gravy meal ticket to get it done, within whatever budgetary means are allowed. For this scenario, there’s not a whole lot I can tell you, other than congrats! You have it easier than most. I’m not going to talk about that scenario, since the hard part is done, that is, having pre-approval to build out a lab.

Now, for the rest of you, where your department doesn’t even know it needs a digital forensics lab, or refuses to consider it, or may not have a penny in the budget to spare, this blog post is for you 😊. If you want a lab, you can have it by doing what needs to be done, in a manner that works with your agency, not against it.

Let’s picture the lab you want before we get started. Given an unlimited budget, what would you want? Would it look something like this?


Enjoy that moment you had with your dream lab, because unless you control the checkbook, dream on... your dream lab isn’t going to be even close to this. But you can still start a lab using a few tips and tricks. Think big and accept that you will most likely start out small... very, very small.

Common obstacles

Staffing

There is no ‘free’ person to be assigned to a new forensic position. Staffing is already (always) short.

Budget

The mysterious budget is never enough to cover the basics as it is, let alone build out a forensic lab.

Space

We have no room to spare to create a forensic lab.

Time

Spending months to train someone on department time probably won’t happen when the department doesn’t see the benefit.

Examiner selection

Maybe you won’t be the person selected for the position that you suggested ☹

Opinions

We need cops on the street, not on a computer. Plus, we’ll send out any evidence to an OSA and accept the length of time it takes for someone else to do our forensic work.

Examples of methods that are not the best to try (not just in my agency)

I have seen a detective take one basic course in forensics, come back, and demand that the agency spend $30,000+ on gear and training to create a forensic lab. The agency agreed to spend a little, but the detective said “all or nothing,” and the result was nothing. The detective never did get into forensics...

I have also seen detectives who were selected for forensic spots turn down training and gear because of the strings attached to it, such as sharing with another agency, sharing forensic work with other agencies, or having to attend (free) training that didn’t fit the detective’s personal schedule (one even turned down a conference because the agency wasn't paying for lunch). If you turn down something free, like a two-week forensic course or a conference, out of spite or whatever else, you probably set yourself back a year. Not the best idea. Plus, if you have someone like me working in your agency, I'm coming for your spot, because I'll do whatever I can to get it... keep that in mind.

Some ways that I have seen work

The mobile lab

Before I started a forensic lab in my agency, I first saw a ‘mobile lab’ that a patrol officer created, and I was both impressed and inspired. The patrol officer took a lot of training on his own time (vacation) and his own dime (he paid out of his own pocket). He even bought the basic gear needed for the most basic forensic work with his own money. He carried the gear around in the trunk of his patrol car, i.e., a “mobile lab”.

Whenever an electronic evidence item was seized, if he could do the work, he did it in addition to handling his calls. It took several exams of the most basic nature before his agency took notice and eventually crowned him the department forensic examiner. However, he was still in patrol. The good news was that he had the title of 'forensic examiner' as an added duty. The better news was that the tab for his continuing education training and gear was picked up by his agency.

The closet lab

My personal example is the closet lab. Having seen how the mobile lab example worked, I took this route to start a forensic lab in my department. At the time, my department was sending out any forensic work to the state lab, to agencies that would take the work as their time allowed, and sometimes even to private sector examiners it hired. I figured the path of least resistance would be best, with the goal of making an offer that couldn't be refused.

Here are some of the things I did in preparation:

  • Took vacation and paid out-of-pocket for training courses
  • Joined the local high-tech crime association
  • Gathered FOSS tools, paid for some basic software (WinHex, etc.)
  • Became certified in the basics of tech (A+, etc.)
  • Hosted forensic courses in exchange for a free seat in the courses
  • Visited every lab within driving distance for tips, guidance, and ideas
  • Wrote an entire policy on forensics (merely customized what others had done in other agencies)
  • Wrote a proposal for the implementation of a digital (computer) forensics lab
  • Created a list of every ‘free’ training and gear available (coming back to this list later...)
  • Found a closet full of junk in which I could fit a small desk and chair
  • Made friends with the IT department (important!)
  • Joined the local ICAC
  • Did a lot of little things too, like reading books, talking to anyone/everyone in forensics who would talk to me, etc.

All of this took my personal time and my own money. It took a lot of time. I don't even know how long I worked on it before I even proposed it.

A personal point on spending your own money. I believe that if I want something to use in my job, that I feel best fits me or helps me, and my job doesn’t provide it, I will buy it. This is a personal decision based on personal factors, and your opinion may vary.

Then I waited for a case. As soon as I saw one, I jumped on it and helped the case detective with the forensic part. I did what I knew how to do. Easy things at first. I did this as much as I could, and luckily, I was in a position where I could do it in between other work I was assigned. As a side note, I carried over 100 cases at a time, including major casework, undercover assignments... and more. It can be done if you want to do it.

Then came the big ask.

Remember what I mentioned about creating a list of free training/gear? Get it ready. There are plenty of federal grants for free software, hardware, and training. Print out the forms, fill them out, and bring them along with your proposal and policy to whoever can crown you the forensic examiner. At that point, your agency will not have spent any money (sorry, but you had to), they will have a basically trained examiner at the ready (turnkey, on the spot), and they will be able to sign an agreement for free stuff that you already put together.

Hopefully, you kept stats on what you have done in forensic casework, the results of the cases (plea deals, convictions that otherwise would not have happened, etc.), plus records of any and all training you have done on your own. Maybe have some recommendations from detectives you have helped in their cases. You’ll be amazed at how happy a detective becomes when you find all the PC (probable cause) they need for their case on a hard drive...

Remember that closet you found earlier? If at this point you aren’t given a ‘lab’, point out that as long as you have a locked room, like that unused closet in the basement, you are happy and good to go. I was given my closet, which became the "Computer Forensic Lab". I tossed out the garbage and put in a desk, a chair, and all the scraps from IT to build out a lab. The grant gear came in piece by piece until I had it all. The goal is to get your foot in a door, any door. You can expand everything in time.

Excuses and roadblocks

I believe that an excuse is merely giving up. I also believe that some roadblocks can’t be overcome easily, and a few cannot be overcome at all. It is difficult to know which is in front of you. Sometimes you work hard on one of the insurmountable roadblocks, and other times you may give up on something that you could have gotten with a little more time and effort. You just never know. Also, government work is different from the private sector. In most instances, it is not merit that is rewarded or compensated in government work. That is just the way it is. In the private sector, if an employee comes up with an idea that makes money, that employee is given a whole lot more leeway in doing things. In government, not so much. Sometimes, it is just the opposite.

I have seen more people in police work try to get into forensics and give up than I have seen succeed, due to both personal reasons and the office roadblocks. Politics plays a part. Staffing plays a part. Even personability plays a role. But if you want it, prepare yourself for lots of work, a long period of time, and possible rejection at every step. As for me, I was getting into forensics one way or another, in or out of government service.

The short story of this guidance is simply:

  1. Become a forensic examiner on your own time and own dime.
  2. Prep everything your department needs to start a lab.
  3. Be the only person fit and competent to carry out the position when you ask for it.

I’m sure other methods work too, but as for me, I’d rather plan it out, prep everything up front, become the only person for the position (at least the only turnkey-ready person), be happy with what I get, and work forward from there. Doing nothing more than asking to be sent to training and to be given everything up front will probably result in either a terse ‘No’ or a ‘Good idea! We’ll need a committee to discuss it, request it for next year’s budget, and then the following year open the position up to everyone in the department’.

Getting in is the hard part. It’s a cakewalk after that.

If you read this far and already have a forensic lab in your agency, they probably went through something like this in the beginning just to get started in a small closet 😊

If you have done something like this, or especially if you did it differently, let me know. I'm curious about the innovators in police work in this field. By the way, if you can get something like this done in police work, you are extremely marketable outside of police work.

AUG 13

X-Ways Forensics Cheat Sheet and “Three Things”

Posted by Brett Shavers in Digital Forensics

I had the pleasure of talking to a group of high schoolers about digital forensics recently. After showing some neat things to get their interest, the fun really started with hands-on demonstrations. I decided to use X-Ways Forensics for the hands-on fun (tip: be sure to register your dongles with the X-Ways Forensics insurance feature).

Since the talk time was limited, I broke X-Ways Forensics down to three things:

  1. Add the source
  2. Process the data
  3. Find the evidence

Breaking a topic into three parts makes it easier to understand and learn, especially for new, complex, or new and complex topics. X-Ways Forensics can certainly fit in the new and complex area. However, when you look at X-Ways Forensics or any digital forensics application, they all break down into the same three functions: adding the source, processing the data, and finding the evidence. Actually, if you can break down anything you teach into three parts, you'll be more effective in getting your topics across to your audience (be it a supervisor or an auditorium of students).

Based on these three functions, I created an X-Ways Forensics cheat sheet for the students, which I think will benefit anyone using X-Ways Forensics. What I wanted to show visually is that there are “x” ways of using X-Ways Forensics. For many of the functions, you can get there by one, two, three, four, or more different routes (via menu, icon, right click, command line, X-Tensions, shortcuts, etc.).

Perhaps this is a reason why X-Ways Forensics seems initially overwhelming, but when looked at differently, it is seen not as “how do you make sense of this” but more as “of course this is how it works”. This is how I look at any software, especially DFIR software, since few are overtly designed to be intuitive, and some appear to be designed to be intentionally counter-intuitive.

How to learn X-Ways Forensics

Self-learning can be painful and slow. For anyone thinking about using X-Ways Forensics, or wanting to learn more about it if they are currently using it, here are suggestions ranked from free to not free.

  • Read the manual. Free
  • Read the book. Inexpensive
  • Take the online practitioner's course. Half price this week at $29.99!
  • Take the official X-Ways Forensics course.

Half price registration expires August 29, 2018 (30 day access). Over 13 hours with a certificate of completion!

AUG 03

Brett's opinion on DFIR notes and note-taking

Posted by Brett Shavers in Digital Forensics

I’ve read some really good material on the importance of taking notes over the years, and a recent post written by @mattnotmax is no exception (Contemporaneous Notes: a forensicator's best friend). There are plenty of really good DFIR-related blog posts on note-taking (like here: https://www.forensicnotes.com/digital-forensics-documentation-contemporaneous-notes-required and here: https://windowsir.blogspot.com/2018/08/notes-etc.html). This is just my personal take on the matter.

Contemporaneous Notes: a forensicator's best friend #DFIR https://t.co/qdGRs4OzEI

— Matt (@mattnotmax) August 2, 2018

Here comes Brett's opinion...

People don’t take notes because of:

  • laziness, or
  • fear, or
  • believing notes are unimportant, or
  • no one making them

On Laziness

If you have the time, a pen, and paper, there is no excuse for laziness. If you simply don’t want to take notes because it is too much hassle, that is your choice. You could work an entire murder investigation without taking a single note if you wanted... however, good luck with that.

On Fear

If you are afraid of being called out on your notes, it is much worse to be called out for having no notes. The opposing counsel is going to accuse you of not taking notes, taking too many notes, too much detail in notes, not enough detail in notes, bad handwriting, transcriptions not being exact to your handwritten notes, and anything else to discredit you. The worst situation is not having notes. With notes, you’ll come out of the cross-examination fire less scathed.

On Importance

If you don’t believe notes are important, one day you will find out just how important they are. This could be due to personal embarrassment or a hit on your professional reputation when all you had to do was take a few notes a few months earlier on one of those few cases you were working. Regret sucks, let me tell you…

Because no one requires you to

Some organizations don't care if you take notes or not. Supervisors may not even have a clue as to the importance, or maybe nothing is ever called into question, which creates the perception that it is not worth the effort. In those cases, good luck. Hope it works out that you never needed to take notes. I'd prefer making note-taking a habit, required or not.

Brett’s Tips on Note Taking

  • If you are a messy writer to the point that you can barely read your own notes five minutes after scratching them down, transcribe them right away by writing neatly or typing them out. Or use technology to take notes, not a pen.
  • Keep your notepads. Don’t tear out sheets. Keep all of them. Store them in a box when full, forever.
  • Date/time stamp your notes. You’ll appreciate this later.
  • Write as much as you need that you know will refresh your memory years later.
  • Correct your notes when you realize you made a mistake. It’s better that you catch your mistakes before opposing counsel does, because opposing counsel won’t tell you about your mistakes until the jury is present... their goal is to embarrass you, discredit you, and catch you off guard.
  • If time is tight, use a voice recorder as you work. Talk to the recorder as you do each step (“Aug 1, 1455, I removed the hard drive with serial number xxxxx from workstation xxx”). Transcribe the recordings when you have time.

Taking notes

Try different methods and find one you like. Some like a pen and a pad of paper. Others prefer a tablet, typing into an application that encrypts the notes, then hashes the notes, then stores them in the cloud, and requires a fingerprint scan coupled with a DNA sample to open (jk). Simply pick what you like to do, and keep doing it.

As for me, I use a recorder if I am doing a lot of things at the same time with a short time to get it down. I transcribe the recording into notes/report and keep the recording just in case. On very important jobs, I will audio/video record it even though the physical tasks are simple. But everything I do gets written down.

Relying on memory instead of note taking

Don’t do it. Seriously. Don't do it.

A few of my experiences directly related to note taking/report writing

Felony trial: I was the only one who wrote a report on an arrest, and I had notes backing up the report. When all involved got subpoenaed for trial, everyone used my report to refresh their memory in order for each of them to write a report... months after the fact. Win for me, fail for everyone else.

He-said interview: I interviewed an informant with my partner taking notes as we spoke. Informant later testified that he never said certain things. I didn’t have notes (only my report) since I was doing the talking, but my partner did. Win.

Damned if you do: On cross-examination, opposing counsel criticized that I took too much detail in my notes and implied that I must have made some of it up.  Felt like a fail, but ended up a win.

Damned if you don’t: On cross-examination, opposing counsel criticized that my notes didn’t reflect all the important things in the case, and that I was ‘filling in the blanks’ in court. Felt like a fail, took a lot longer to testify, lots of double-bind questioning, but ended up with a sweaty win the hard way.

Brother, can you spare a dime?: While at FLETC forensic training, I typed notes with every lesson. Literally, I typed notes as the instructors spoke, sometimes transcribing verbatim what was being said, pasting screengrabs during demos, and basically writing a FLETC forensic course book as my notes... At the end of PCERT, BCERT, and ACERT, I had a Word document the size of a novel. Can you guess what the guy sitting next to me said in the last week? “Hey, can I get a copy of your notes?” He took no notes for months (and didn’t get a copy of mine, seeing that I kept telling him to take his own notes the entire time)... fail.

Time to re-do everything:  I took on a case where the client fired their prior forensic examiner. I received all the prior work, which was simply a hard drive of exported files in folders. No notes. No reports. Nothing. I had to re-do everything as I had no idea what they did to find what they found, or the relevance to anything on the hard drive. Fail for the prior examiner.

Cringing when watching: I watched someone who had qualified as an “expert” minutes earlier get grilled when he didn’t know the version of a program that he used, nor whether he had a license for it. His notes didn’t have anything, nor did his report. He didn’t even remember or write down which software he used for some findings. I felt really bad for the guy, but then again, he was on the other side... win (for me).

Validation of wiping a drive: I was hired to wipe a drive. There was data on the drive that was really, really important, like potentially national security important, and the data was court-ordered to be destroyed beyond recovery. I didn't pick the wiping/destruction method, nor did I have any input on the method, but I did the work. We had 5 witnesses, a cameraman, a note-taker, two attorneys, and two forensic examiners, all cramped in a small conference room. The wiping process consisted of drilling holes through the hard drive, all the while being video-recorded, and then holding up the hard drive to the camera with pencils sticking through it. Then the drive was destroyed even more. That was the most intensive "note-taking" I've done.

There are many other little stories, but it all comes down to either you take good notes or you don’t. This is a personal decision based on what you prefer to do. However, when I am in charge of any engagement, everyone takes notes. Everyone. I mean everyone. Literally everyone. If you show up expecting to get paid, you write what you did.

I’ve been the case agent or project manager on too many occasions where people were ‘helping’ at the time, but when the fun and games are over, they go home without writing a thing, because writing is apparently no fun and unimportant since it’s not their project or case. As for me, no one goes home until the paperwork is done. That means everyone writes, and everyone writes before closing up shop. If you don't make it happen at the time, do not expect it to ever happen, and it will be your fault, not the fault of your helpers.

Note-taking tip for DFIR hiring managers and applicants

Ask the interviewees if they have a pen and paper on them at the time of the interview. If someone does, you've got yourself a note-taker. Extra points if there are actual notes in the pad and it's not wrapped in plastic because they bought it on the way to the interview, for the interview, in hopes you'd ask for it...

What's the standard?

As far as I can tell, there is no standard. If you ask the cross-examining attorney, she will tell you that the standard is the opposite of what you did, regardless of what you did. One supervisor will have a different standard than another. Different organizations may have different standards. Some may base their standards on technology, as in, "I really like this note-taking application, so everyone use it!" or "I hate typed notes, everyone write them on paper." It all depends. Practically, I believe that as long as you write it down, you will remember what you did, and that which you did not write will hopefully be refreshed when reading your great notes.

As to having to compute a hash value for your notes, encrypt the file, store it in a container, and preserve all metadata for eternity, I don't think that is all necessary. I have never been accused of fabricating any notes or evidence. I write it down. I write what I did. I write the date and time on everything. If my integrity is challenged as to the validity of the evidence I recovered, then that is the sign that the opposing counsel has absolutely nothing else to work with, other than trying to sling mud that isn't going to stick. All because I took notes. That's a win.

JUL 29

Low-Hanging Fruit Report

Posted by Brett Shavers in Digital Forensics

Low Hanging Fruit: Evidence Based Solutions to the Digital Evidence Challenge

When I first saw the title, I thought this was going to be something different (as in “low hanging fruit in digital forensics investigations”), but instead I realized that it’s a think-tank report asking for approval of yet another digital forensics federal agency, tasked with developing a list of ISPs.

Here is my understanding of their proposal:

Problem and Objective:

  • Cops don’t know which ISP to ask for data.
  • Teach cops how to ask for data from service providers by creating a “New national digital evidence policy” that is also “going to require a dedicated office”.

Staffing needed for the new federal agency:

  • 10 to 15 technical experts
  • 10 to 15 additional support staff
  • Director
  • Deputy Director
  • Administration assistant
  • Part time administration assistant
  • “Additional staff”
  • “Additional expenditures” could include more staff and attorneys
  • “Honorariums” to advisory board members

The cost? Hold on to your seat.

  • $10 million for staff
  • $100 million OR MORE for support

The part of the $100 million that rubs me a little raw is that the amount was downplayed because it is so small compared to other government spending. That simply sounds to me like, ‘hey government, you spend so much money, how about I create a new agency and you give me a little off the top, like a cool 100 million?’ Even the staffing requirements are limitless with “additional staff”.

I’m not going into what I really feel about another federal government agency for $110+ million that is created to research the development of a spreadsheet of ISPs just so that law enforcement knows where to send a legal demand…

But I’ll get a little bit into the training that was referenced in the presentation. From their research/survey, they found that law enforcement only receives between 10-15 hours a year of digital evidence training. This was conflated with training related to legal requests (search warrants, etc.) and training in forensics. On top of that, I found no separation between “law enforcement officer” and “digital forensics examiner” in the training they referred to. I would say that 10-15 hours a year of digital evidence training for first responders is more than sufficient, but for a forensic examiner, it is a wee bit on the low side of annual training in analysis, though certainly not insufficient.

The obstacles to digital forensics training in law enforcement that I have seen go well beyond which ISP to send a legal request to. In my experience, practically any detective or patrol officer can type up a legal demand and find out where to send it without having a bit of digital forensics training, yet it was the number one issue in this report.

It’s the individual

There are two types of forensic analysts in government service. One who does the minimum. The other who goes well beyond the minimum.

I have seen some who are assigned to the cyber unit (cyber as in whatever the name of the digital forensics unit is in each agency) take not a minute more of training than they are paid by their employer to take. For some, learning a skill for the job is directly tied to being on the clock and not a second more. This also applies to law enforcement lifesaving skill training...

The expectation is that the agency must provide everything they need to do their job. I’m not agreeing or disagreeing, nor getting into guild contract issues. But I will say that some do go beyond that which is given them. I have certainly enjoyed the benefits of government-provided training, spending months at FLETC and on other out-of-state trips for training. I have also used vacation leave and spent my own money on training, books, and software when I was a government employee, because I knew I needed more than what was going to be provided to me. Hearing statements like, “I haven’t read that book because my department won’t buy it” continues to amaze me.

The difference that I have seen in skill level between the two groups is night and day. One detective told me that he refused to go to a forensic conference that his agency had agreed to pay for because lunch wasn’t covered. He wasn’t going to foot the bill for his lunch and turned down the conference. The same detective also simply exports lists of CP filenames in his cases without any analysis, and sends the reports for charging, specifically blaming his lack of analysis skills on a lack of department-provided training. A different forensic detective in a different agency spent three months trying to image a hard drive that I had already imaged for him but couldn’t figure it out (errors of some sort, I have no idea), but lives by the same rule as the first example. You no pay me, me no learn.

I’ve seen other law enforcement forensic folks who are forensic gods. Their departments will be at a great loss when they retire or move into the private sector. This is not due to having higher IQs or the agency having a bigger budget but instead, they are putting forth the effort with a willingness to do better regardless of who pays.

Back to the $110+ million dollar agency

The main issue of this research was that cops don’t know to which ISP to send legal demands. Their entire premise boiled down to one statement:

“Law enforcement needs to understand where to go to in order to ask for data.”  - Low Hanging Fruit presentation

My solution: We just need to create a list to do that.  

Another issue in the research was that current forensic programs don’t include legal demands in their training. Please, do not start doing this! Forensic training is forensic training.  Legal demands (like search warrants), don’t need forensic training and many times, it is not even the analyst writing the warrants if there is a case detective/agent working the case. Don’t waste an examiner’s time on how to write a warrant when they need to know how to extract the evidence and interpret it.

On the training and skill side of things, I don’t see a federal agency fixing anything as detailed in the report. We already have tons of grants, more training from more vendors than ever before, more folks trying to get into forensics, and more work than can ever be done. I can see $110+ million being spent on more effective measures for law enforcement forensics than what is proposed in this report.

Internal agency specific problems

My suggestions for increasing competence in law enforcement digital forensics are that each agency needs to make changes in how it does business where electronic evidence analysis is concerned.

--Select those who can do the job to do the job (seniority does not equal potential competence)

--Pay for their training (to speed up the learning process)

--Stop rotating them out of the job (or competence in the unit will never be obtained)

--Create promotions within the unit rather than promote them out of forensics

--Remove those who can’t do the job and find someone who can

I make these suggestions only because I have seen the opposite of what I am suggesting done. It is not a federal agency’s responsibility to fix the state and local digital forensics issues, especially at $110+ million.

I’ve been on a few boards and committees at the local and state level in attempts to do something about the lack of LE forensic analysis, but mostly they resulted in lots of talk, lots of notes, and the creation of another committee or board to start over. It is good to see interest in trying to make it better, but sometimes someone just has to put their foot down, stop talking, stop researching, and plainly get things moving.

Check out the research video here:

JUL 27

Leaking information isn’t the same as sharing information.

Posted by Brett Shavers
in  Digital Forensics

On a couple of private (mostly LEO) email lists that I am on, it seems that emails on the lists are being provided to media outlets, specifically those that relate to breaking into the iPhone. This is not mere suspicion, because as I read the articles, I see the actual emails that I have seen in the email lists.  Someone is leaking the emails from the lists. This is different from another email list that I am on where the emails were actually hacked and posted online a few years back.

In this current instance, someone on the list is sending copies of emails to the media, in nearly real-time.

https://www.forbes.com/sites/thomasbrewster/2018/07/26/apple-ios-security-boost-not-stopping-cops-hacking-iphones/#d43899171294

Side note: I’m not getting into how to hack iPhones.

My Opinion of the content of these leaks:
--Who cares?
--There are no “juicy” emails.
--Any information that a government employee creates is already a public record anyway.
--You can divulge every secret known to law enforcement and the intelligence communities, and the methods will still work.
 

However, in this instance of leaking emails to the media, I also don’t think it is a cool thing to do. There isn’t any whistleblower type of information that the public must know; it is just vendor stuff, and the vendors are private companies. If nothing else, the vendors are just gaining more marketing since media is reporting on the companies (see above leaked email as an example).

Plus, it is not cool to leak emails from a list that is intended to share information with those needing the information to work important cases. As someone who worked in military intel, and then investigating violent offenders and terrorists, I know that these cases are important and information needs to be shared in order to be effective.  When a murder needs to be solved, a child must be recovered, or violence prevented, it is the sharing of investigative methods that will solve these cases. Leaks for no good reason only result in less sharing, resulting in fewer cases being resolved, and potentially, more victims being harmed. The fear that answering a question via email will end up on Motherboard means that few will be answering questions. The fear is not that the answer is top secret, but that public scrutiny for the sake of gaining readership is not worth sharing information to most people.

I’m all for public records requests and transparency in government, but for those who make it unnecessarily more difficult to do these jobs…that is not cool at all.  But these email lists do not fall under public records anyway.

As for me, I'll keep sharing because I know as a fact that one small piece of advice, one small bit of how-to, or a few words of encouragement to keep looking will make a world of difference to a victim by having their case solved. Solving a case doesn't just mean arresting someone. It means the difference of whether or not a family is reunited, whether or not a domestic violence victim can feel safe, and the difference as to whether a victim can finally sleep at night without waking to nightmares of being victimized again.

Shame on anyone who makes this work harder than it already is.

JUL 19

A skill you need in DFIR, but won’t find in DFIR courses

Posted by Brett Shavers
in  Digital Forensics

Working in DFIR requires that you convey information to someone else. There is no way around this requirement. You simply must do it. Whether talking to a client, a supervisor, or a class, you convey information all the time.  I am not talking about communication or interpersonal skills, but rather the act of presenting information as an instructor. I'm surprised that DFIR courses don't address this aspect of the job.

Instructing is telling someone how to do something or how something should be done. (Brett’s definition).

There are drill instructors, adjunct instructors, primary instructors, driving instructors, flying instructors, and instructors for any type of skill, including DFIR instructors. The job of each is to convey the “how-to” in a manner that the recipient understands. Being able to convey information concisely, accurately, and in an entertaining manner will propel your DFIR skills farther than you may realize because you need this skill every time you have to tell someone about something you did or how someone can do what you do.

I won’t get into the benefits of speaking in front of audiences (there are many), but I will say that if you never work toward becoming a great presenter or instructor, you will not grow as much as you would otherwise. Whether you like to speak in front of audiences or not does not have an effect on whether you can or not.  I’m nervous every time. I over-prepare way in advance. I worry about things like if my fly is down, or I misspoke, or I am speaking too loud or too soft. Remember: practically everyone else is worried about the same thing when they speak.  It is normal. Anyone you see speak as if they were born to do it simply worked and practiced.

Here is my DFIR career suggestion. Take an adult learning course, presenter course, instructor course, any course where the goal of the course is to put you on stage to convey information on “how to do” something. You will be amazed at how much speaking to any size audience will enhance your skills and knowledge. It really does. You will also be surprised at the minute details involved in 'teaching'. It is way more than you think but well worth the effort to learn. Don't wait until you become an 'expert' in your job before you consider learning how to present what you know. Start now.

As for me, I was fortunate to get an early start. At 19, I was an instructor in the Marines and through the next 20 or so years, I went through at least 15 instructor/train-the-trainer courses in both military and law enforcement. Had I known at the time how important those courses would be for me today, I would have put even more effort into the courses than I did. As for you, know now that this is such an important skill, that you need to start today and hone it because you can use this skill tomorrow.  Don't wait for a course that teaches you how to teach DFIR topics. ANY instructor/adult learning course works as the concepts and principles in the courses are what matters, not the topic. You'll learn little things like, 'don't walk in front of a visual aid', and major things like, 'how to be entertaining to keep interest'. 

If you think you already know everything you need to know about effectively presenting a topic, or conveying information to a client/boss, you may want to rethink what you know, if you haven't had any coursework in it. I’ve not taken an instructor course or adult learning course where I did not learn something that completely changed the way I present in some form or another. 

Consider that in Jessica Hyde’s DFIR Hierarchy of Needs, there are two levels of sharing information and giving back to the community. Both of these usually require conveying what you know to someone who may not know anything about what you know.  Yes, if you can write, that helps. But if you can instruct in addition to writing, I promise that you will grow so much more.

Going back to Jessica Hyde and her blog about the DFIR Hierarchy of Needs, I look at the hierarchy as being dynamic in nature. We continually train, continually work cases, continually share, and continually give back. When I look at the triangle, I see that any person can jump around from level to level or be in more than one level at the same time. Keep in mind that you don’t need to start at the bottom and work through to the top before you can give back.  That means you can be presenting at any level.  So why not get started now?

To put a little more emphasis into how important this is, if you cannot write and cannot speak, then no matter how good you are at your job, not only will few people know about your work efforts, but you will not be sharing your knowledge with anyone. To not share or teach is to have stunted growth. For those who wish to neither write nor speak, that is a personal decision because nothing requires anyone to do anything to better the field or themselves.

From personal experience, I remember sitting in my first forensic presentation given by Troy Larson in Seattle way back when. Troy was apparently speaking a language that I did not understand, because I didn't have a clue as to what he was talking about (I was really really green at the time...). But he kept me engaged and entertained.  Enough that I wanted to keep going. Today is different (and I can understand what the DFIR pros are talking about...) and I credit most of what I have learned simply because I choose to research it, write about it, and teach others about it.  I certainly don't know everything, but everything that I know, I can teach someone else to do what I can do.

 

 

JUL 14

The Internet is all fun and games until someone gets killed

Posted by Brett Shavers
in  Digital Forensics

Let me preface this post:

When I worked undercover, I was one of the most paranoid extremists in trying to be as unrecognizable as possible. I worked cases involving dangerous individuals, career criminals, street gangs, and organized crime groups that operated not only locally, but internationally. While undercover, I was searched, followed, interrogated, and threatened by those I was investigating both inside and outside the US. One night, I had a gun stuck in my belly and quickly learned that the brain is the most important security feature that we have.

Let’s get to the point of where the ethics and morals fit in

So, while on Twitter the other day, I saw a “live event” that a plane passenger was tweeting. The passenger and her boyfriend were taking photos and videos of two unidentified passengers and creating a ‘love story’ between them, even to the point of following them to the baggage claim. The two unidentified passengers were unaware of the online event they were the focus of. Even their private comments were being tweeted. The spectator comments only encouraged more of the same, even with T-Mobile CEO John Legere stepping into the tweet stream to offer free WiFi to keep the story going. Voyeurism at its finest, security at its worst. The female victim (I say victim as she had no choice in being the target of online voyeurism) has since been doxed, stalked, insulted, and harassed, leaving her to delete her social media accounts and hire an attorney to speak for her.

The point is that we in the cyber/information security community should take stories like this as ethical and moral reminders. Although personal privacy has been eroded due to haphazard use of the Internet, let’s not be part of that problem. Just as important, educate others to not do this sort of thing either. Any person who touches the electronic data about any other person surely assumes the awesome responsibility of securing that data against inadvertent and intentional release into the public space. Also, creating data where other persons can be negatively affected should be treated no differently.

Some of this is easy. We sign NDAs with clients that legally bind us to protections of client data. We see things in the data that are sometimes embarrassing for clients, yet it never crosses our mind to publicly out the information. We are professionals, both at work and in our private lives.

Some of this may not be as easy. If you are hunting for, or inadvertently find, publicly accessible data (which should not be publicly accessible) on the Internet, and you have no legal obligation to safeguard the data you find, fall back on ethics and morals. For those who don’t care (i.e., no morals or ethics, or just plain evil people), finding and publicly outing embarrassing data causes no dilemma; in effect, the hell if someone gets harmed (or even killed) because of it.

For those who do find this data and care about security, do what you ethically are obligated to do, based on what you found, how you found it, and what should legally be done about it. Different situations are different, and if you are ‘ethical’, then you know what you should do.

We live in an amazing technological age that bears so little relation to the pre-Internet days that it is as if we live on a completely different planet.  Take bullying as an example. The difference between traditional bullying and cyber-bullying is so far apart that we should have a different word for bullying, because of the dramatically more harmful effects ‘cyberbullying’ has compared to bullying in the days before the Internet.  Today, bullying lasts forever, because the Internet is forever.

When we can tweet a thought faster than we can actually think about what we are doing, we risk harming ourselves and others out of sheer carelessness.  Consider Twitter like an arrow already in flight. Any person tweeting about another person can directly impact that person's life either positively or negatively. The range of effect can be anything from a small embarrassment to suicide. Wielding the Internet is an awesome power that we treat as seriously as putting on our socks.

Even taking photos in public, where bystanders are unknowingly included in the photos (legal, as they are in public, right?), photos posted online can have harmful ramifications. Imagine a photo of someone in witness protection, or a domestic violence victim, or even an undercover officer who is off duty with family. They may not want images of themselves on the Internet for good reason. Be judicious in your photos in public places, as the last thing you'd want is to hear about a murder victim who was identified by the suspect through your Facebook photo at Disneyland.

So, I propose that in addition to our moral, ethical, and legal obligations of personal security and client data security, we take into consideration the security of others who are doing nothing more than going about their business in public. You might never comprehend the damage done to another person with a photo, a tweet, or a social media post that you made. But now that you know, you should make others aware as well.  Be the security pro that can also talk about security outside the CPU.  And certainly don't be that person who harms someone else just because you can or because you have no idea that you are doing it in the first place.

 

**side note**
I'm not referring to being snarky, sarcastic, self-deprecating, or legitimately humorous online. I’m talking about being intentionally mean or ignorant as to the harm done to others through comments and memes. I know that 2019 is already approaching, but the Golden Rule still applies regardless of what year it is.

JUL 07

Interconnected Devices Investigations

Posted by Brett Shavers
in  Digital Forensics

Reading through the paper “Forensic framework to identify local vs synced artefacts” from DFRWS 2018 Europe, I came across a paragraph with several statements that I had to read twice, actually several times. The paper cited a book that I wrote in 2013 (Placing the Suspect Behind the Keyboard). The paper states:

“…he fails to make any reference to the challenge that will result from attributing data to a specific device.."

Actually, back in 2013, in that cited book, that was exactly what I wrote about: the challenges of not only attributing activity of a user to a device, but the activity and data of interconnected devices. Then I read...

“Shavers does not raise the challenge of trying to determine on which device the data was created is consistent with what we have seen in the computer forensic community.”  

I respectfully disagree with the premise that the forensic community has not been trying to determine on which device data has been created.  Even going back way before 2013, metadata has been paramount to every case, from all evidence devices, connected to each other or not. As soon as mobile devices became connected to other devices, correlating the data between devices became something done as a matter of practice. To state that “It is something that computer forensic examiners are not even considering in many cases” is foreign to me. One of the major points of my first book was to instill the concept that electronic evidence needs to be integrated with the physical world to make a complete case (or more eloquently, paint a beautiful picture).

Oh well. They must have missed those pages about interconnected devices...and the pictures of interconnected devices too...

Today’s lesson, “Interconnected Devices and Your Investigations”

There are two things to consider with interconnected devices in your investigations:

1)      Do the forensics independently on each device

2)      Correlate the evidence you find from all the devices

That’s it. There isn’t much more to the secret other than forensics in/on the cloud. Interconnected devices may likely have data contained in the cloud (it’s how the data propagates between devices…). But even then, correlating the data between devices is no more difficult than the forensic work you do on each device.

Here is a figure from Placing the Suspect Behind the Keyboard, showing a circle of interconnected devices. In every case you do, you should be thinking about this circle that revolves around your suspect (or custodian). It is constant and ever-changing with new and newly replaced devices. Keep this in mind as we continue.

The “I didn’t sync that file to my phone” defense

Let’s take a scenario of finding evidence on a mobile device that is synced to other devices (and the cloud) through a service like Dropbox. Finding the evidence on the mobile device, which was seized from the suspect and which only the suspect ever had control of, generally ties that evidence to the suspect. The defense that the evidence was unknowingly synced to the suspect's mobile device depends on who else had access to the synced accounts.  Meaning, if the suspect is in sole control of the Dropbox account, then the synced files are his. If not, maybe they are and maybe they are not. You need to dig a little more to be sure.

The “Someone else searched that on my home computer” defense

Internet browsing synching is cool. You can bookmark something on your home PC, it gets synched to your tablet, and also gets synched to your smartphone. Cool. However, if browsing history is the evidence found on the tablet, it might be important to know if the evidence was synced from another device if other persons had access to the other devices. Conversely, if the suspect has sole control of all devices, then the defense claim is moot as only the suspect had physical access to all devices (or is the only person with the creds to log into the devices).  There is a trend here: he who controls the devices is generally going to be the possessor of the evidence found on those devices.

Ease your mind by doing a little extra work

With every case I have ever done, I have always wished that I had more time to work it. No matter if I worked 10 hours on a case or 10 thousand hours, I can work a case forever because I want to make sure I got it right. With that, you can probably tell that I love interconnected devices in a case because it gives me corroboration of what I found on other devices in a case. Even evidence files that are not synched between devices are great finds to corroborate findings and suspect’s intentions.

A lack of activity can be an indication of activity

Smartphones are great for historical activity. If Google is turned on (as in, logging everything you do), you can recover a great deal of geolocation data, which can be accessed through Google without even having the device in hand. This is a great tool for investigators. Just as cool is that for criminals who leave their phones at home when they are criming* in town, even a log of missed calls can give an indication that perhaps the suspects weren’t actually home with their phone since no one answered any of the incoming calls…or logged into email…or surfed the net…all while a bank robbery or drug deal was happening downtown…  Historical activity is great to place suspects at a scene, and a complete lack of activity can give indications they were not where they said they were.

Circles of non-interconnected devices can be connected to each other

One suspect with multiple devices is easy enough to put together. Examine all the devices in the suspect’s circle of interconnected devices and put together a timeline of the important data points.  But here comes the really fun part: In some cases, you have several suspects and each suspect has his own circle of interconnected devices. This type of case gives you a world of opportunities to reconstruct history by combining each suspect’s circle of interconnecting devices into one glorious timeline.

I’ve done this type of case on a few occasions and assisted others. Without doubt, it is an immense amount of effort that increases exponentially with every device. In one particular case, a big box of smartphones was seized. The case revolved mostly around geolocation and text messages. The end result was that each phone’s geolocations were matched to a person, and the text messages matched between phones. Those with multiple phones had identical geolocation on their phones, indicating they were carried together. The timeline of criminal activity was superimposed over the geolocation of each device along with text messages sent/received by geolocation. I can tell you that there is a group of criminals who will forever hate mobile devices because of this work.

We simply connected a circle of interconnected devices to other circles of interconnected devices and let the data paint the picture of what happened. Very cool. And you can do it too.
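As an added example (not from the original post, and not the workflow of any product it mentions), here is a small Python sketch of that correlation: every device’s location fixes and messages are merged into one timeline, devices whose fixes stay together are flagged as carried together, and moments when two otherwise separate circles meet are surfaced. All logs, device ids, phone numbers and coordinates below are constructed sample data.

```python
"""Merge per-device timelines and flag devices that travel together.

Added example, not from the original post. Every record here is
constructed: device ids, numbers and coordinates are made up.
"""
from collections import defaultdict
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

# Constructed location fixes: (device_id, ISO-8601 timestamp, lat, lon).
# phone-A1/phone-A2 belong to one suspect's circle, phone-B1 to another.
LOCATION_LOGS = [
    ("phone-A1", "2018-06-01T09:00", 47.6062, -122.3321),
    ("phone-A1", "2018-06-01T09:30", 47.6101, -122.3420),
    ("phone-A1", "2018-06-01T10:00", 47.6205, -122.3493),
    ("phone-A2", "2018-06-01T09:00", 47.6063, -122.3320),  # tracks A1
    ("phone-A2", "2018-06-01T09:30", 47.6100, -122.3422),
    ("phone-A2", "2018-06-01T10:00", 47.6206, -122.3491),
    ("phone-B1", "2018-06-01T09:00", 47.6740, -122.1215),  # other circle
    ("phone-B1", "2018-06-01T09:30", 47.6500, -122.3000),
    ("phone-B1", "2018-06-01T10:00", 47.6204, -122.3495),  # meets A at 10:00
]

# Constructed SMS records: (device_id, timestamp, direction, number, text).
SMS_LOGS = [
    ("phone-A1", "2018-06-01T09:45", "sent", "555-0199", "meet at 10"),
    ("phone-B1", "2018-06-01T09:45", "received", "555-0101", "meet at 10"),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    r = 6371000.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * r * asin(sqrt(a))


def fixes_by_device(logs):
    """Index fixes as {device: {timestamp: (lat, lon)}}."""
    by_device = defaultdict(dict)
    for dev, ts, lat, lon in logs:
        by_device[dev][ts] = (lat, lon)
    return by_device


def carried_together(logs, max_dist_m=50.0, min_fraction=0.9):
    """Pairs of devices that were within max_dist_m of each other at
    almost every timestamp both devices have a fix for: the 'same pocket'
    signal the post describes. Returns sorted (dev_a, dev_b) tuples."""
    by_device = fixes_by_device(logs)
    pairs = []
    for a, b in combinations(sorted(by_device), 2):
        shared = sorted(set(by_device[a]) & set(by_device[b]))
        if not shared:
            continue
        close = sum(
            1 for ts in shared
            if haversine_m(*by_device[a][ts], *by_device[b][ts]) <= max_dist_m
        )
        if close / len(shared) >= min_fraction:
            pairs.append((a, b))
    return pairs


def encounters(logs, max_dist_m=50.0):
    """Timestamps at which two devices that are NOT carried together came
    within max_dist_m: a meeting between two circles. Returns sorted
    (timestamp, dev_a, dev_b) tuples."""
    by_device = fixes_by_device(logs)
    together = set(carried_together(logs, max_dist_m))
    found = []
    for a, b in combinations(sorted(by_device), 2):
        if (a, b) in together:
            continue
        for ts in set(by_device[a]) & set(by_device[b]):
            if haversine_m(*by_device[a][ts], *by_device[b][ts]) <= max_dist_m:
                found.append((ts, a, b))
    return sorted(found)


def merged_timeline(location_logs, sms_logs):
    """Superimpose every device's fixes and messages into one timeline,
    sorted by time (ISO-8601 strings sort chronologically)."""
    events = [(ts, dev, "location", f"{lat:.4f},{lon:.4f}")
              for dev, ts, lat, lon in location_logs]
    events += [(ts, dev, f"sms-{direction}", f"{number}: {text}")
               for dev, ts, direction, number, text in sms_logs]
    return sorted(events)


if __name__ == "__main__":
    print("carried together:", carried_together(LOCATION_LOGS))
    print("encounters:", encounters(LOCATION_LOGS))
    for event in merged_timeline(LOCATION_LOGS, SMS_LOGS):
        print(*event)
```

With the constructed data, phone-A1 and phone-A2 are reported as carried together, and both meet phone-B1 at 10:00, the same minute the "meet at 10" texts point to.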

**updated with a tidbit more information**

Check out Magnet Forensics on how its software connects artifacts together in an automated process.

https://www.magnetforensics.com/blog/axiom-connections-qa-part-1/  

*the act of committing crimes, “criming”

 

JUN 27

Old hat investigative work will always work

Posted by Brett Shavers
in  Digital Forensics

The Reality Winner case is a good example where a basic investigative method still works regardless of how much publicity that same method has received for years prior. In the Winner case, printed documents were tied to Winner based on “microdots”. The article below does a decent job of explaining what microdots are if you haven’t heard of this before, or if you associate microdots with LSD...


https://www.grahamcluley.com/reality-winner-pleads-guilty-after-being-unmasked-by-microdots/ 

Basic (and non-secret) investigative methods succeed more often than not, and actually do so all the time. It doesn’t really matter that criminals know police investigative methods, because the methods still work. A personal example from when I was doing drug investigations was ‘knock-and-talks’, where my partner and I would knock on the door of a suspected drug dealer and ask consent to search for drugs.  On one knock-and-talk, we were given permission to search a home that had hundreds of marijuana plants. Not that unusual. But what was unusual was finding a book written by a prominent Seattle defense attorney, opened to a page on “Police Knock and Talks”, with a highlighted sentence that stated something to the effect of ‘Say no to the police when asked for consent to search’.  Even the attorney’s business card was used as a bookmark, and it had the same advice printed on the back of the card. Yet he willingly let us in.

This concept applies to all aspects of investigations, including technology related investigations like the Reality Winner case.

Part of the reason why the tried and true, traditional methods continue to work is that no matter how secure a criminal will try to be in all that he or she does, there are times where complacency creeps in. Add a bit of arrogance (“They’ll never catch me!”), and BAM. It’s over.

I’ve had cases where a dozen hard drives were wiped clean, but another dozen had plenty of evidence (illicit images). In these instances, the suspects were fanatical about wiping evidence until they weren’t. This applies to everything that anyone does with their electronic devices and online behavior. Complacency allows traditional methods to work, and the complacency monster always wins because eventually everyone slacks off in something they do.

Search warrants are not difficult to get

In a recent court decision, law enforcement is now required to obtain a search warrant for cell phone records. If you didn’t know how it worked before this decision came out…

http://www.governing.com/topics/public-justice-safety/tns-supreme-court-privacy.html

Depending on how you think this affects you personally, your perspective may be different. But in all practical reality, nothing really changed. Your cell phone records are not protected from reasonable search and seizure. The records are still there, and if probable cause exists, law enforcement can get them with a warrant. I do not believe any criminals are jumping for joy over this court decision, because they are still ripe to have their records pulled with search warrants.

As far as how difficult is it to get a search warrant…it’s not difficult at all if you have probable cause. I have found that the longest time to apply for a warrant is the time it takes to type up the affidavit. The faster you can type, the faster you can get a warrant. The rest of the process only takes minutes (not counting any traffic while driving to the judge’s home…). But you don’t even have to type up a warrant if you don’t have time. Simply call a judge, get sworn in over the phone, and ask the judge for a telephonic warrant with a verbal affidavit. I’ve done both ways and typically had a signed warrant in under an hour…nearly every single time. I've had warrants in less than 30 minutes on a few occasions. If a warrant is needed faster than 30 minutes, then you might be dipping into exigent circumstances, which is a different topic.

Your cell phone records probably weren’t going to be pulled anyway, and won’t be unless there is probable cause to do so. As for criminals knowing that cops need a warrant now, that won’t make a bit of difference as to how they use cell phones to commit or facilitate crimes, and it won’t make a difference in that law enforcement will still get 100% access to everything.

The point

No matter how sophisticated your suspect is (or custodian in a civil case), never forego looking for the low hanging fruit first. Don't assume that files were wiped, browsing was only done with Tor, or that the suspect didn't use his home Internet to hack into a victim's system. Because they do and always will. Old hat stuff works.

 

JUN 19

In the #DFIR world, it seems like everyone is an expert….

Posted by Brett Shavers
in  Digital Forensics

…because everyone can be an expert.

One thing about the DFIR field and all of its ever-encompassing related fields, is that it is physically impossible for any one person to be an expert in the entirety of the field. To even try to be ‘that DFIR expert’ is to set yourself up for failure.

I base my opinion on what I’ve seen over the years, especially after the first time being court qualified as an expert. Once, I was even qualified as a “computer forensic expert”. It makes me cringe every time I think about that, because as far as I am concerned, no one can realistically be an all-encompassing DFIR expert.

The reason I distance myself from being looked at as an expert is that the perception of what a court qualified expert means to many people is most of the time incorrect.  Being an expert implies that you know everything, that you are smarter than anyone else in that area, and that your opinion is practically fact.

Reality is a bit different.

Without getting into the nitty gritty of expert witness testimony or how to become court qualified, let me talk about the one aspect of specialization. If you are in the field of DFIR, working to get into the field of DFIR, or preparing yourself to eventually get into the field of DFIR, you have a 100% chance of becoming an expert in a shorter period of time than you can imagine.

You can do this because you can focus on something in this field, something as little as a few bytes or as massive as some function of an operating system and learn everything about it. You can learn so much, that eventually you start discovering things about it that no one knows. You can be the expert of that thing that you researched. Do not take this lightly. If you are looking for something to propel you into DFIR, find something that no one is doing, cares about, or knows about. Research that thing and find the DFIR relationship of that thing. Master it. Publish it with any means possible, including a blog post.

I can see the future…

Here is what will happen if, I mean when, you do this. You will be recognized in the community as an expert. Court? You will shine as an expert. Confidence? Oh yeah, you will get some. Take that one thing you did and do it again with something else.

That’s all you need to do.

A warning…

Once you become noticed for something in DFIR, you are going to be known as an expert in DFIR, which means some will think that you know everything.  For example, I was having a conversation with an awesome malware researcher, who has done amazing things in her career. She can tear apart malware as if it were packaged in a wet paper bag. As for me, I can reverse malware too! However, I can’t do it as well, or as fast, or as completely as she can. Nowhere near it.  It is not the best thing that I can do. I actually have a 90-second conversation limit when talking about reversing malware, because after 90 seconds, all I hear is a foreign language that I do not know. (I have been increasing my 90 seconds of knowledge at a slow, but steady, rate...).

The point of this story is that in this awesome conversation, after that 90-second mark, I am sure that my face turned blank and she realized that she was the expert in malware, not me. There is nothing wrong in not knowing something, and part of expertise is recognizing your limits: others will know more than you do in one area of DFIR, and you will know more than they do in other areas.  This also makes a good team, when team members cover a broad range of expertise, spread out among the team.

So don’t be shy to say, “I have no idea what you are talking about” when you have no idea of what someone is talking about, because in this field, we each do different things, enjoy different aspects, focus on different specifics, and excel in different facets. That is how you can be an expert too. Focus on that one thing, and one thing at a time.

MAY 27

Why does Google think this is a good idea?

Posted by Brett Shavers
in  Digital Forensics

An incredible new Gmail feature, “Confidential E-mail Mode” by Google looks to be one of those wonderful surprises that will be catching people off guard in a bad way.

TL;DR version.

Send an e-mail using Gmail in which Google puts a link in the body (and removes your e-mail content from the e-mail). The link, which only the recipient can open, opens an external webpage where the e-mail content can be read. The e-mail can be read, but not forwarded, downloaded, copied, or printed. This is probably a bad idea.

Google first needs to define what “confidential” means as it applies to their Confidential Mode e-mail. In plain understanding, it should mean that only the intended recipients are able to read the contents, since it is private. In practice, the e-mail is still on Google’s hard drives, most likely still indexed by Google, and ‘deleted’ only from the sender’s and receiver’s view, but not from Google.

As a point of privacy, Google Confidential E-mail is not private, and average users could mistakenly believe that Google Confidential E-mail is encrypted e-mail that no one can read.  The good news is that if Google is not deleting the messages from its servers, they would be available with court orders in criminal investigations.

Only one of my Gmail accounts has the Confidential Mode option, and you can send a Google Confidential e-mail to any e-mail service besides Google and it will work the same: the user clicks a link in the e-mail and prays that the e-mail is legitimate.


Perhaps the biggest issue will be the ease with which phishing campaigns will take to using a Confidential Gmail, where the user has no idea of the content and cannot judge maliciousness based on content.  Users will now only have the sender and subject line to determine if the e-mail is a phishing attempt. If the sender e-mail address is from a known sender that has been compromised or spoofed, then only the subject line will be available as a clue to the legitimacy of the e-mail.

Nothing should change related to host forensics, as webmail/Internet forensics is the same (the same or more difficult depending on everything, such as whether the Tor browser was used).

The big change is yet another entry point through a potentially well-crafted phishing attempt using a Gmail feature.  Users can’t see the content until they click the link to open the external webpage, which will be too late. Personally, I don’t see this taking off as a widely used feature since it involves adding a step to read an e-mail.  One extra button will make it useless, as it will be more frustrating when it consumes three more seconds to read every e-mail sent via Confidential e-mail. As for the Confidential e-mail not being printable or forwardable, taking a photo with a smartphone quickly negates the security feature of deleting the e-mail altogether (yes, I know the content may be gone, but the original e-mail metadata is still there with the original e-mail).

For the infosec folks. Maybe it is a good time to make sure users don't click links in e-mails. Hey…don’t we say that already anyway? Sheesh.

Thanks Google.

Tags:
gmail email phishing forensics dfir
MAY 20

Don't become a hacker by hacking back a hacker that hacked you

Posted by Brett Shavers
in  Digital Forensics

Emotions run deep if you are victimized.  Initially, you want blood at any cost.  You also willingly accept any potential future regret, as long as you get blood today.  And unfortunately, no matter how fast justice may come, it will not be soon enough.  This rationale applies to being a victim of any crime and having your computer system hacked counts.

I’ll give a quick two cents in this post, just as I did to a victim-client that was hacked.  "Don’t hack back."  Stop talking about it and stop thinking about it.  To be clearer, make sure everyone in your company understands not to hack back. Better to focus on plugging the holes and implementing your response plan.

Here are some bullet points I give to clients who are blinded by revenge and want blood:

  • You might spend more money than you have in a vain attempt to ID the attacker
  • You might hack an innocent party
  • You might hack a nation-state
  • You might be hacked back by the “innocent” party you hacked back (e.g., a nation-state or a better hacker than you would be)
  • You might become a criminal hacker

There are more reasons, but I believe these pretty much cover it.  Going broke, victimizing an innocent party, and going to jail are strong motivators to counter the emotion to exact revenge on a hack.

APR 24

Digital Forensics Tenure in Law Enforcement, and other fairy tales

Posted by Brett Shavers
in  Digital Forensics

Occasionally I am asked by police officers working in digital forensics if they should leave their current job to go to the private sector.  Luckily, I can now refer them to read Eric Huber’s blog series “Life After Law Enforcement: Do I Stay Or Do I Go?” to let not your heart be troubled when making this decision.

For the vast majority of everyone working in law enforcement, the effort to eventually be issued a gun and badge can take a year or more.  I’ve only known one person in my career who decided to apply on a whim and be hired in months.  Literally within six months from submitting one application to one department and being on the street in a patrol car.  Everyone else I've ever known in law enforcement (including me…) took more than a year to even be offered an interview after a battery of physical, mental, and written exams after applying to many agencies.  If you haven't experienced the LE hiring process, you may not fully comprehend how difficult this decision can be.  Compared with the private sector where you can practically be hired on the spot and start the next day (and negotiate a higher salary!), getting into LE is a bit more time consuming and more difficult. 

With that, when I am asked about leaving law enforcement before retirement to get into the private digital forensics world, I have never ever said, “Go for it!” or advised “Stay where you are!”.  It is a personal decision.  However, there is usually one point that I make to help with the decision, which Eric touched on. The main point for me is that for many law enforcement agencies, working in digital forensics is a temporary gig.  Few agencies allow for a career working in any specialty, and digital forensics falls into that category of a temporary assignment.  Being promoted is more like a trade of your digital forensic dongles for chevrons or bars.

A police officer who is assigned to work digital forensics, who is also trained to the hilt in forensics on the public dime, and inundated with incredible case experience usually has a date on their calendar when the uniform will be put back on in order to work a beat, driving a patrol car…. never to plug a dongle in again.   I have always found it incredible, as in unbelievable, that police agencies do this to all specialties with only a few exceptions.  Even when someone is Knighted by the Chief to be permanently ‘exempt’ from rotation, that exemption is many times taken away at some point, which basically means you are permanently exempted until we decide the permanence was only temporary.

Given that the majority of police agencies are fairly small (less than 100 officers), it is understandable that the agencies want to spread the wealth among officers by giving everyone a chance to work a specialty position, such as SWAT or narcs or cyber crimes.  And it is understandable that those who want to get into a specialty, like digital forensics, are advocates of rotations back to patrol simply because they want the old guy out so that they can take their spot.  Both perspectives work to placate the officers, at least initially.  It also gives the impression to administrations that a highly trained digital forensics examiner who rotated back to patrol will be good for patrol to bring that experience to the street.  In reality, both perspectives don’t work.

The same officer who demands that rotations happen will also be the same officer fighting against rotation after having learned how much effort and time goes into becoming competent in that specialty.  Agency heads learn (and ignore) the fact that a 10-year detective going back to patrol isn’t going to be able to put that expertise to work on the street, simply because it is a different job.  The former detective experts are also not going to turn a patrol squad into super detectives simply by being there. It doesn’t work that way, and it is unreasonable to think otherwise.  You want street cops working the streets, not detectives driving police cars.

This brings me to two personal examples.

In one example, a friend of mine left law enforcement because he was told that due to career progression, he would be moved out of digital forensics.  In this case, career progression meant ‘we are taking you out of forensics to give someone else a chance to learn forensics’.  This was an investigator with more than a decade of experience and training.  I would rank him top in the LE field of forensics.  He subsequently quit and joined the private sector world of digital forensics.  Years later, his skill and knowledge became more awesome.  And he is happy.

Conversely, another friend of mine in digital forensics was rotated back to patrol, and he had the intention of retiring from LE years later to then get into the private sector world of digital forensics.  Unfortunately, by the time his retirement rolled around this year, he was well out of the game.   You may be like me in gauging someone’s experience in DF by the versions of software they began with.  In this example, my friend rotated out of digital forensics when he was using EnCase v4 and hasn’t done forensics since.  That says a lot, at least in my mind.  Leaving so long ago means that getting ‘back’ into digital forensics is more like getting into it from the beginning (not as bad, but close).  And he is not happy.

So, to the active police officers who ask me this question, which many of us have asked ourselves, I simply say: go check Eric Huber’s blog for points to consider.  But also consider that if you really like police work and digital forensics in police work, you may want to figure out a way to keep that specialty for as long as you can, because eventually, the street will drag you back, and the odds of doing forensics when you are taking stolen bicycle reports and running radar are slim to none.

APR 12

Zombie-Cases:  Did you ever have a case that just wouldn’t die?

Posted by Brett Shavers
in  Digital Forensics

I just finished up Case Study #8, with one of those types of cases that just won’t die.  If you ever had a case like that, you know what I mean.  If you don’t know, it simply means that as much as you try to close a case (“kill it”), it keeps coming back to life.  This happens with both civil and criminal cases (and internal corporate matters as well).

A few reasons that a case may live on well past the time you wish it would are:

  • You keep finding more evidence, even after the investigation is over
  • Corners were cut and now the devil is calling
  • The attorney keeps asking for more work on it
  • Trial comes and goes, then comes back again, then goes, then…
  • Evidence you initially found is now found to be inaccurate
  • Interrogatories and interviews come and go and come and go and keep coming
  • More jurisdictions join in
  • Case agents/officers keep changing and rotating and being reassigned
  • Errors that were made are now coming to light, just in time for court
  • Reports are missing or don’t contain necessary information
  • And worse yet, the case hits the news

Case Study #8 takes a case that has a few of these things, but as for how to keep a case from coming back to life, there are things you can do to reduce the risk.   The most important method is to do a thorough job.  Doing a good job will reduce the chances of a zombie case by 90%.  Do good work, double-check your work, triple-check it, and you have less than a 10% chance of it biting you later. 

The remaining 10% chance of your case turning into a zombie is probably out of your control.  If you are given the wrong information, evidence is misinterpreted, or workers on your case don’t do a good job, there is a good chance that the 10% zombie case is coming for you.  And of course, if the suspect wants to fight tooth-and-nail, it will drag on.  However, if it is bad enough (i.e., newsworthy because of investigator ERRORS), and someone leaks it to the news media, you now have a full-blown zombie outbreak that will last not only years, but perhaps the better part of your career.

Back to preventing the zombie-case outbreak

Do a good job.  Even on those cases that seem minuscule at the time.  You never know how one seemingly insignificant case can end up reaching the Supreme Court, and not because you did a good job, but just the opposite.  Trust me.  I’ve seen it.  Seriously.  Do a good job, because when it happens, it is so much better to be the person that did a good job in the case and not be the one that screwed something up.

#DFIR Case Studies #8 released today. I picked a case where an innocent person was arrested and talk about the mistakes to avoid.
Get the entire case study series + the WinFE course with 3-day promotion at: https://t.co/aKZhmkijc4 #infosec pic.twitter.com/TQQKSPuOsq

— Brett Shavers (@Brett_Shavers) April 12, 2018


© 2023 Brett Shavers