Working in DFIR requires that you convey information to someone else. There is no way around this requirement. You simply must do it. Whether talking to a client, a supervisor, or a class, you convey information all the time.  I am not talking about communication or interpersonal skills, but rather the act of presenting information as an instructor. I'm surprised that DFIR courses don't address this aspect of the job.

Instructing is telling someone how to do something or how something should be done. (Brett’s definition).

There are drill instructors, adjunct instructors, primary instructors, driving instructors, flying instructors, and instructors for any type of skill, including DFIR instructors. The job of each is to convey the “how-to” in a manner that the recipient understands. Being able to convey information concisely, accurately, and in an entertaining manner will propel your DFIR skills farther than you may realize because you need this skill everytime you have to tell someone about something you did or how someone can do what you do.

I won’t get into the benefits of speaking in front of audiences (there are many), but I will say that if you never work toward becoming a great presenter or instructor, you will not grow as much as you would otherwise. Whether you like to speak in front of audiences or not, does not have an effect on whether you can or not.  I’m nervous every time. I over-prepare way in advance. I worry about things like if my fly is down, or I misspoke, or I am speaking too loud or too soft. Remember: practically everyone else is worried about the same thing when they speak.  It is normal. Anyone you see speak as if they were born to do it, simply worked and practiced.

Here is my DFIR career suggestion. Take an adult learning course, presenter course, instructor course, any course where the goal of the course is to put you on stage to convey information on “how to do” something. You will be amazed at how much speaking to any size audience will enhance your skills and knowledge. It really does. You will also be surprised at the minute details involved in 'teaching'. It is way more than you think but well worth the effort to learn. Don't wait until you become an 'expert' in your job before you consider learning how to present that what you know. Start now.

As for me, I was fortunate to get an early start. At 19, I was an instructor in the Marines and through the next 20 or so years, I went through at least 15 instructor/train-the-trainer courses in both military and law enforcement. Had I known at the time how important those courses would be for me today, I would have put even more effort into the courses than I did. As for you, know now that this is such an important skill, that you need to start today and hone it because you can use this skill tomorrow.  Don't wait for a course that teaches you how to teach DFIR topics. ANY instructor/adult learning course works as the concepts and principles in the courses are what matters, not the topic. You'll learn little things like, 'don't walk in front of a visual aid', and major things like, 'how to be entertaining to keep interest'. 

If you think you already know everything you need to know about effectively presenting a topic, or conveying information to a client/boss, you may want to rethink what you know, if you haven't had any coursework in it. I’ve not taken an instructor course or adult learning course where I did not learn something that completely changed the way I present in some form or another. 

Consider that in Jessica Hyde’s DFIR Hierarchy of Needs, there are two levels of sharing information and giving back to the community. Both of these usually require conveying that-what-you-know to someone who may-not know anything about what-you-know.  Yes, if you can write, that helps. But if you can instruct in addition to writing, I promise that you will grow so so much more.

Going back to Jessica Hyde and her blog about the DFIR Hierarchy of Needs, I look at the hierarchy as being dynamic in nature. We continually train, continue work cases, continually share, and continually give back. When I look at the triangle, I see that any person can jump around from level to level or be in more than one level at the same time. Keep in mind that you don’t need to start at the bottom and work through to the top before you can give back.  That means you can be presenting at any level.  So why not get started now?

To put a little more emphasis into how important this is, if you cannot write and cannot speak, then no matter how good you are at your job, not only will few people know about your work efforts, but you will not be sharing your knowledge with anyone. To not share or teach is to have stunted growth. For those who wish to neither write nor speak, that is a personal decision because nothing requires anyone to do anything to better the field or themselves.

From personal experience, I remember sitting in my first forensic presentation given by Troy Larson in Seattle way back when. Troy was apparently speaking a language that I did not understand, because I didn't have a clue as to what he was talking about (I was really really green at the time...). But he kept me engaged and entertained.  Enough that I wanted to keep going. Today is different (and I can understand what the DFIR pros are talking about...) and I credit most of what I have learned simply because I choose to research it, write about it, and teach others about it.  I certainly don't know everything, but everything that I know, I can teach someone else to do what I can do.

Let me preface this post:

When I worked undercover, I was one of the most paranoid extremists in trying to be as unrecognizable as possible. I worked cases involving dangerous individuals, career criminals, street gangs, and organized crime groups that operated not only locally, but internationally. While undercover, I was searched, followed, interrogated, and threatened by those I was investigating both inside and outside the US. One night, I had a gun stuck in my belly and quickly learned that the brain is the most important security feature that we have.

Let’s get to the point of where the ethics and morals fit in

So, while on twitter the other day, I saw a “live event” that a plane passenger was tweeting. The passenger and her boyfriend were taking photos and videos of two unidentified passengers and creating a ‘love story’ between them, even to the point of following them to the baggage claim. The two unidentified passengers were unaware of the online event they were the focus of. Even their private comments were being tweeted. The spectator comments only encouraged more of the same, even with T-Mobile CEO John Legere stepping into the tweet stream to offer free WiFi to keep the story going .Voyeurism at its finest, security at its worst. The female victim (I say victim as she had no choice in being the target of online voyeurism) has since been doxed, stalked, insulted, and harassed, leaving her to delete her social media accounts and hire an attorney to speak for her.

The point is that we in the cyber/information security community should take stories like this as ethical and moral reminders. Although personal privacy has been eroded due to haphazard use of the Internet, let’s not be part of that problem. Just as important, educate others to not do this sort of thing either. Any person who touches the electronic data about any other person surely assumes the awesome responsibility of securing that data against inadvertent and intentional release into the public space. Also, creating data where other persons can be negatively affected should be treated no differently.

Some of this is easy. We sign NDAs with clients that legally bind us to protections of client data. We see things in the data that is sometimes embarrassing for clients, yet it never crosses our mind to publicly out the information. We are professionals, both at work and private lives.

Some of this may not be as easy. If you are hunting for, or inadvertently find, publicly accessible data (which should not be publicly accessible) on the Internet, and you have no legal obligation to safeguard the data you find, fall back on ethics and morals. For those who don’t care (ie; no morals or ethics, or just plain evil people) finding and publicly outing embarrassing data causes no dilemma to them; in effect, the hell if someone gets harmed (or even killed) because of it.

For those who do find this data and care about security, do what you ethically are obligated to do, based on what you found, how you found it, and what should legally be done about it. Different situations are different, and if you are ‘ethical’, then you know what you should do.

We live in an amazing technological age that is nothing related to the pre-Internet days as if we live on a completely different planet.  Take bullying as an example. The difference between traditional bullying and cyber-bullying is so far apart, we should have a different word for bullying because of the dramatically more harmful effects ‘cyberbullying’ has compared to bullying of days before the Internet.  Today, bullying lasts forever, because the Internet is forever. 

When we can tweet a thought faster than we can actually think about what we are doing, we risk harming ourselves and others out of sheer carelessness.  Consider Twitter like an arrow flown. Any person tweeting about another person, can directly impact that person's life either positively or negatively. The range of effect can also be a small embarrassment to suicide. Wielding the Internet is an awesome power that we treat as serious as putting on our socks. 

Even taking photos in public, where bystanders are unknowingly included the photos (legal, as they are in public, right?), photos posted online can have harmful ramifications. Imagine a photo of someone in witness protection, or the victim of a domestic violence, or even an undercover officer who is off duty with family. They may not want images of them on the Internet for good reason. Be judicious in your photos in public places as the last thing you'd want is to hear about a murder victim who was identified by the suspect through your Facebook photo at Disneyland.

So, I propose that in addition to our moral, ethical, and legal obligations of personal security and client data security, we take into consideration the security of others who are doing nothing more than going about their business in public. You might never comprehend the damage done to another person with a photo, a tweet, or social media post that you made. But now that you know, you should be make others aware as well.  Be the security pro that can also talk about security outside the CPU.  And certainly don't be that person who harms someone else just because you can or because you have no idea that you are doing it in the first place.

**side note**
I'm not referring to being snarky, sarcastic, self-deprecating, or legitimately humorous online. I’m talking about being intentionally mean or ignorant as to the harm done to others through comments and memes. I know that 2019 is already approaching, but the Golden Rule still applies regardless of what year it is.

Reading through the paper“Forensic framework to identify local vs synced artefacts” from DFRWS 2018 Europe, I came across a paragraph with several statements that I had to read twice, actually several times. The paper cited a book that I wrote in 2013 (Placing the Suspect Behind the Keyboard). The paper states:

Actually, back in 2013, in that cited book, that was exactly what I wrote about: the challenges of not only attributing activity of a user to a device, but the activity and data of interconnected devices. Then I read...

I respectfully disagree with the premise that the forensic community has not been trying to determine which device data has been created.  Even going back way before 2013, metadata has been paramount to every case, from all evidence devices, connected to each other or not. As soon as mobile devices became connected to other devices, correlating the data between devices became something done as manner of practice. To state that “It is something that computer forensic examiners are not even considering in many cases” is foreign to me. One of the major points of my first book was to instill the concept that electronic evidence needs to be integrated with the physical world to make a complete case (or more eloquently, paint a beautiful picture). 

 Oh well. They must have missed those pages about inteconnected devices...and the pictures of interconnected devices too...

Today’s lesson, “Interconnected Devices and Your Investigations”

There are two things to consider with interconnected devices in your investigations:

1)      Do the forensics independently on each device

2)      Correlate the evidence you find from all the devices

That’s it. There isn’t much more to the secret other than forensics in/on the cloud. Interconnected devices may likely have data contained in the cloud (it’s how the data propagates between devices…). But even then, correlating the data between devices is no more difficult than the forensic work you do on each device.

Here is a visual figure from Placing the Suspect Behind the Keyboard, where I show a visual of a circle of interconnected devices. Every case you do, you should be thinking about this circle that revolves around your suspect (or custodian). It is constant and ever-changing with new and newly replaced devices. Keep this in mind as we continue.

The “I didn’t sync that file to my phone” defense

Let’s take a scenario of finding evidence on a mobile device that is synced to other devices (and the cloud) through a service like Dropbox. Finding the evidence on the mobile device, which was seized from the suspect, in which only the suspect ever had control, generally ties that evidence to the suspect. The defense that mobile device evidence was unknowingly synced to the suspect's mobile device depends on who else had access to the synched accounts.  Meaning, if the suspect is in sole control of the Dropbox account, then the synced files are his. If not, maybe they are and maybe they are not. You need to dig a little more to be sure.

The “Someone else searched that on my home computer” defense

Internet browsing synching is cool. You can bookmark something on your home PC, it gets synched to your tablet, and also gets synched to your smartphone. Cool. However, if browsing history is the evidence found on the tablet, it might be important to know if the evidence was synced from another device if other persons had access to the other devices. Conversely, if the suspect has sole control of all devices, then the defense claim is moot as only the suspect had physical access to all devices (or is the only person with the creds to log into the devices).  There is a trend here: he who controls the devices is generally going to be the possessor of the evidence found on those devices.

Ease your mind by doing a little extra work

With every case I have ever done, I have always wished that I had more time to work it. No matter if I worked 10 hours on a case or 10 thousand hours, I can work a case forever because I want to make sure I got it right. With that, you can probably tell that I love interconnected devices in a case because it gives me corroboration of what I found on other devices in a case. Even evidence files that are not synched between devices are great finds to corroborate findings and suspect’s intentions.

A lack of activity can be an indication of activity

Smartphones are great for historical activity. If Google is turned on (as in, logging everything you do), you can recover a great deal of geolocation data, which can be accessed through Google without even having the device in hand. This is a great tool for investigators. Just as cool is that for criminals who leave their phones at home when they are criming* in town, even a log of missed calls can give an indication that perhaps the suspects weren’t actually home with their phone since no one answered any of the incoming calls…or logged into email…or surfed the net…all while a bank robbery or drug deal was happening downtown…  Historical activity is great to place suspects at a scene, and a complete lack of activity can give indications they were not where they said they were.

Circles of non-interconnected devices can be connected to each other

One suspect with multiple devices is easy enough to put together. Examine all the devices in the suspect’s circle of interconnected devices and put together a timeline of the important data points.  But here comes the really fun part: In some cases, you have several suspects and each suspect has his own circle of interconnected devices. This type of case gives you a world of opportunities to reconstruct history by combining each suspect’s circle of interconnecting devices into one glorious timeline.

I’ve done this type of case on few occasions and assisted others. Without doubt, it is an immense amount of effort that exponentially increases with every device. In one particular case, we had a big box of smartphones was seized. The case revolved mostly around geolocation and text messages. The end result was that each phone geolocations were matched to a person, and the text messages matched between phones. Those with multiple phones had the identical geolocation on their phones, indicating they were carried together. The timeline of criminal activity was superimposed over the geolocation of each device along with text messages sent/received by geolocation. I can tell you that there are a group of criminals who will forever hate mobile devices because of this work.

We simply connected a circle of interconnected devices to other circles of interconnected devices and let the data paint the picture of what happened. Very cool. And you can do it too.

**updated with a tidbit more information**

Check out Magnet Forensics on how its software connects artifacts together in an automated process.

https://www.magnetforensics.com/blog/axiom-connections-qa-part-1/  

*the act of committing crimes, “criming”

The Reality Winner case is good example where a basic investigative method still works regardless of how much publicity that the same method has received for years prior. In the Winner case, printed documents were tied to Winner based on “microdots”. This article below does a decent job of explaining what micro dots are if you haven’t heard of this before, or if you associate microdots with LSD...

https://www.grahamcluley.com/reality-winner-pleads-guilty-after-being-unmasked-by-microdots/ 

Basic (and non-secret) investigative methods suceed more often than not, and actually happens all the time. It doesn’t really matter that criminals know police investigative methods, because the methods still work. A personal example that I had when I was doing drug investigations, was ‘knock-and-talks’, where my partner and I would knock on the door of a suspected drug dealer and ask consent to search for drugs.  On one knock-and-talk, we were given permission to search a home that had hundreds of marijuana plants. Not that unusual. But what was unusual was finding a book written by a prominent Seattle defense attorney, opened to a page on “Police Knock and Talks”, with a highlighted sentenced that stated something to the effect of ‘Say no to the police when asked for consent to search’.  Even the attorney’s business card was used as a bookmark that had the same advice printed on the back of the card. Yet he willingly let us in.

This concept applies to all aspects of investigations, including technology related investigations like the Reality Winner case.

Part of the reason why the tried and true, traditional methods continue to work is that no matter how secure a criminal will try to be in all that he or she does, there are times where complacency creeps in. Add a bit of arrogance (“They’ll never catch me!”), and BAM. It’s over.

I’ve had cases where a dozen hard drives were wiped clean, but another dozen had plenty of evidence (illicit images). In these instances, the suspects were fanatical about wiping evidence until they weren’t. This applies to everything that anyone does with their electronic devices and online behavior. Complacency allows traditional methods to work and the complacency monster always wins because eventually everyone slacks off in something they do eventually.

Search warrants are not difficult to get

In a recent court decision, law enforcement is now required to obtain a search warrant for cell phone records. If you didn’t know how it worked before this decision came out…

http://www.governing.com/topics/public-justice-safety/tns-supreme-court-privacy.html

Depending on how you think this affects you personally, your perspective may be different. But in all practical reality, nothing really changed. Your cell phone records are not protected from reasonable search and seizure. The records are still there, and if probable causes exists, law enforcement can get it with a warrant. I do not believe any criminals are jumping for joy over this court decision, because they are still ripe to have their records pulled with search warrants.

As far as how difficult is it to get a search warrant…it’s not difficult at all if you have probable cause. I have found that the longest time to apply for a warrant is the time it takes to type up the affidavit. The faster you can type, the faster you can get a warrant. The rest of the process only takes minutes (not counting any traffic while driving to the judge’s home…). But you don’t even have to type up a warrant if you don’t have time. Simply call a judge, get sworn in over the phone, and ask the judge for a telephonic warrant with a verbal affidavit. I’ve done both ways and typically had a signed warrant in under an hour…nearly every single time. I've had warrants in less than 30 minutes on a few occasions. If a warrant is needed faster than 30 minutes, then you might be dipping into exigent circumstances, which is a different topic.

Your cell phone records probably weren’t going to be pulled anyway, and won’t be unless there is probable cause to do. As for criminals knowing that cops need a warrant now, that won’t make a bit of difference as to how they use cell phones to commit or facilitate crimes and it won’t make a difference in that law enforcement will still get 100% access to everything. 

The point

No matter how sophisticated your suspect in (or custodian in a civil case), never forego looking for the low hanging fruit first. Don't assume that files were wiped, browsing was only done with Tor, or that the suspect didn't use his home Internet to hack into a victim's system. Because they do and always will. Old hat stuff works.

…because everyone can be an expert.

One thing about the DFIR field and all of its ever-encompassing related fields, is that it is physically impossible for any one person to be an expert in the entirety of the field. To even try to be ‘that DFIR expert’ is to set yourself up for failure.

I base my opinion on what I’ve seen over the years, especially after the first time being court qualified as an expert. Once, I was even qualified as a “computer forensic expert”. It makes me cringe every time I think about that, because as far as I am concerned, no one can be realistically be an all-encompassing DFIR expert.

The reason I distance myself from being looked at as an expert is that the perception of what a court qualified expert means to many people is most time incorrect.  Being an expert implies that you know everything, that you are smarter than anyone else in that area, and that your opinion is practically fact. 

Reality is a bit different.

Without getting into the nitty gritty of expert witness testimony or how to become court qualified, let me talk about the one aspect of specialization. If you are in the field of DFIR, working to get into the field of DFIR, or preparing yourself to eventually get into the field of DFIR, you have a 100% chance of becoming an expert in a shorter period of time than you can imagine.

You can do this because you can focus on something in this field, something as little as a few bytes or as massive as some function of an operating system and learn everything about it. You can learn so much, that eventually you start discovering things about it that no one knows. You can be the expert of that thing that you researched. Do not take this lightly. If you are looking for something to propel you into DFIR, find something that no one is doing, cares about, or knows about. Research that thing and find the DFIR relationship of that thing. Master it. Publish it with any means possible, including a blog post.

I can see the future…

Here is what will happen if, I mean when, you do this. You will be recognized in the community as an expert. Court? You will shine as an expert. Confidence? Oh yeah, you will get some. Take that one thing you did and do it again with something else.

That’s all you need to do.

A warning…

Once you become noticed for something in DFIR, you are going to be known as an expert in DFIR, which means some will will think that you know everything.  For example, I was having I was having a conversation with an awesome malware researcher, who has done amazing things in her career. She can tear apart malware as if it were packaged in a wet, paper bag. As for me, I can reverse malware too! However, I can’t do it as well, or as fast, or as complete as she can. Nowhere near it.  It is not the best thing I that I can do. I actually have a 90-second conversation limit when talking about reversing malware, because after 90 seconds, all I hear is a foreign language that I do not know. (I have been increasing my 90 seconds of knowledge on a slow, but steady rate...).

The point in this story is that in this awesome conversation, after that 90 second mark, I am sure that my face turned blank and she realized that she was the expert in malware, not me. There is nothing wrong in not knowing something, and part of the expertise field is recognizing your limits, that others will know more than you do in one area of DFIR, and you will know more than they do in other areas.  This is also makes a good team, when team members cover a broad range of expertise, spread out among the team. 

So don’t be shy to say, “I have no idea what you are talking about” when you have no idea of what someone is talking about, because in this field, we each do different things, enjoy different aspects, focus on different specifics, and excel in different facets. That is how you can be an expert too. Focus on that one thing, and one thing at a time.

An incredible new Gmail feature, “Confidential E-mail Mode” by Google looks to be one of those wonderful surprises that will be catching people off guard in a bad way.

TL:DR version.

Send an email using Gmail in which Google puts a link in the body (and removes your e-mail content from the e-mail). The link, in which only the recipient can open, opens an external webpage where the e-mail content can be read. The e-mail can be read, but not forwarded, downloaded, copied, or printed. This is probably a bad idea.

Google needs to first define what “confidential” means as it applies to their Confidential Mode e-mail. In plain understanding, it should mean that only the intended recipients should be able to read the contents as it is private. In practice, the email is still on Google’s hard drives, most likely still indexed by Google, and ‘deleted’ only from the sender and receiver’s view, but not from Google.

As a point of privacy, Google Confidential E-mail is not private and average users could mistakenly believe the Google confidential E-mail is encrypted e-mail that no one can read.  The good news is that if Google is not deleting the messages from its servers, they would be available with court orders in criminal investigations.

Only one of my Gmail accounts has the Confidential Mode option, and you can send a Google Confidential e-mail to any e-mail service besides Google and it will work the same: User clicks a link in the e-mail and prays that the e-mail is legitimate. 

Perhaps the biggest issue will be the ease at which phishing campaigns will take on using a Confidential Gmail, where the user has no idea of the content or can judge maliciousness based on content.  Users will now only have the sender and subject-line to determine if the e-mail is a phishing attempt. If the sender e-mail address is from a known sender that has been compromised or spoofed, then only the subject-line will be available for a clue as to the legitimacy of the e-mail.

Nothing should change related to host forensics, as webmail/Internet forensics is the same (same or more difficult depending on everything, such if the Tor browser was used).

The big change is yet another entry point through a potentially well-crafted phishing attempt using a Gmail feature.  Users can’t see the content until they click the link to open the external webpage, which will be too late. Personally, I don’t see this taking off as a widely used feature since it involves adding a step to read an e-mail.  One extra button will make it useless as it will be more frustrating when it consumes three more seconds to read every e-mail sent via Confidential e-mail. As for the Confidential e-mail not being able to print or forward, taking a photo with a smart phone quickly negates the security feature of deleting the e-mail all together (yes, I know the content may be gone, but the original e-mail metadata is still there with the original e-mail).

For the infosec folks. Maybe it is a good time to make sure users don't click links in e-mails. Hey…don’t we say that already anyway? Sheesh.

Thanks Google.

Emotions run deep if you are victimized.  Initially, you want blood at any cost.  You also willingly accept any potential future regret, as long as you get blood today.  And unfortunately, no matter how fast justice may come, it will not be soon enough.  This rationale applies to being a victim of any crime and having your computer system hacked counts.

I’ll give a quick two cents in this post just as I did to a victim-client that was hacked.  "Don’t hack back."  Stop talking about and stop thinking about it.  To be clearer, make sure everyone in your company understands not to hack back. Better to focus on plugging the holes and implement your response plan.

Here are some bullet points I give to clients who are blinded by revenge and want blood:

• You might spend more money than you have in a vain attempt to ID the attacker
• You might hack an innocent party
• You might hack a nation-state
• You might be hacked back by the “innocent” party you hacked back (eg: a nation-state or a better hacker than you would be)
• You might become a criminal hacker

There are more reasons, but I believe these pretty much cover it.  Going broke, victimizing an innocent party, and going to jail are strong motivators to counter the emotion to exact revenge on a hack.

Occasionally I am asked by police officers working in digital forensics if they should leave their current job to go to the private sector.  Luckily, I can now refer them to read Eric Huber’s blog series “Life After Law Enforcement: Do I Stay Or Do I Go?” to let not your heart be troubled when making this decision.

For the vast majority of everyone working in law enforcement, the effort to eventually be issued a gun and badge can take a year or more.  I’ve only known one person in my career who decided to apply on a whim and be hired in months.  Literally within six months from submitting one application to one department and being on the street in a patrol car.  Everyone else I've ever known in law enforcement (including me…) took more than a year to even be offered an interview after a battery of physical, mental, and written exams after applying to many agencies.  If you haven't experienced the LE hiring process, you may not fully comprehend how difficult this decision can be.  Compared with the private sector where you can practically be hired on the spot and start the next day (and negotiate a higher salary!), getting into LE is a bit more time consuming and more difficult. 

With that, when I am asked about leaving law enforcement before retirement to get into the private digital forensics world, I have never ever said, “Go for it!” or advised “Stay where you are!”.  It is a personal decision.  However, there is usually one point that I have to help make the decision, which Eric touched on. The main point for me is that for many law enforcement agencies, working in digital forensics is a temporary gig.  Few agencies allow for a career working in any specialty, and digital forensics falls into that category of a temporary assignment.  Being promoted is more like a trade of your digital forensic dongles for chevrons or bars.

A police officer who is assigned to work digital forensics, who is also trained to the hilt in forensics on the public dime, and inundated with incredible case experience usually has a date on their calendar when the uniform will be put back on in order to work a beat, driving a patrol car…. never to plug a dongle in again.   I have always found it incredible, as in unbelievable, that police agencies do this to all specialties with only a few exceptions.  Even when someone is Knighted by the Chief to be permanently ‘exempt’ from rotation, that exemption is many times taken away at some point, which basically means you are permanently exempted until we decide the permanence was only temporary.

Given that the majority of police agencies are fairly small (less than 100 officers), it is understandable that the agencies want to spread the wealth among officers by giving everyone a chance to work a specialty position, such as SWAT or narcs or cyber crimes.  And it is understandable that those who want to get into a specialty, like digital forensics, are advocates of rotations back to patrol simply because they want the old guy out so that they can take their spot.  Both perspectives work to placate the officers, at least initially.  It also gives the impression to administrations that a highly trained digital forensics examiner who rotated back to patrol will be good for patrol to bring that experience to the street.  In reality, both perspectives don’t work.

The same officer who demands that rotations happen will also be the same officer fighting against rotation after having learned how much effort and time goes into becoming competent in that specialty.  Agency heads learn (and ignore) the fact that a 10-year detective going back to patrol isn’t going to be able to put that expertise to work on the street simply because it is a different job.  The former detective experts also are not going to be turn a patrol squad into super detectives simply by being there. It doesn’t work that way and is unreasonable to think otherwise.  You want street cops working the streets, not detectives driving police cars.

This brings me to two personal examples.

In one example, a friend of mine left law enforcement because he was told that due to career progression, he would be moved out of digital forensics.  In this case, career progression meant ‘we are taking you out of forensics to give someone else a chance to learn forensics’.  This was an investigator with more than a decade of experience and training.  I would rank him top in the LE field of forensics.  He subsequently quit and went joined the private sector world of digital forensics.  Years later, his skill and knowledge became more awesome.  And he is happy.

Conversely, another friend of mine in digital forensics was rotated back to patrol, and he had the intention of retiring from LE years later to then get into the private sector world of digital forensics.  Unfortunately, by the time his retirement rolled around this year, he was well out of the game.   You may be like me when you gauge someone’s experience in DF with the versions of software they began with.  In this example, my friend rotated out of digital forensics when he was using Encase v4 and hasn’t done forensics since.  That says a lot, at least in my mind.  Leaving so long ago means that getting ‘back’ into digital forensics is more like getting into it from the beginning (not as bad, but close).  And he is not happy.

So, for the questions I get from active police officers asking this question, which many of us have asked ourselves, I simply say, go check Eric Huber’s blog for points to consider.  But also consider that if you really like police work and digital forensics in police work, you may want to figure out a way to keep that specialty for as long as you can, because eventually, the street will drag you back and the odds of doing forensics when you are taking stolen bicycle reports and running radar are slim to none.

I just finished up Case Study #8, with one of those types of cases that just won’t die.  If you ever had a case like that, you know what I mean.  If you don’t know, it simply means that as much as you try to close a case (“kill it”), it keeps coming back to life.  This happens with both civil and criminal cases (and internal corporate matters as well).

A few reasons that a case may live on well past the time you wish it would are; 

•          You keep finding more evidence, even after the investigation is over
•          Corners were cut and now the devil is calling
•          The attorney keeps asking for more work on it
•          Trial comes and goes, then comes back again, then goes, then…
•          Evidence you initially found is now found to be inaccurate
•          Interrogatories and interviews come and go and come and go and keep coming
•          More jurisdictions join in
•          Case agents/officers keep changing and rotating and being reassigned
•          Errors that were made are now coming to light, just in time for court
•          Reports are missing or don’t contain necessary information
•          And worse yet, the case hits the news

Case Study #8 takes a case that has a few of these things, but as for how to keep a case from coming back to life, there are things you can do to reduce the risk.   The most important method is to do a thorough job.  Doing a good job will reduce the chances of a zombie case by 90%.  Do good work, double-check your work, triple-check it, and you have less than a 10% chance of it biting you later. 

The remaining 10% chance of your case turning into a zombie is probably out of your control.  If you are given the wrong information, evidence is misinterpreted, or workers in your case don’t do a good job, there is a good chance that the 10% zombie case is coming for you.  And of course, if the suspect wants to fight tough-and-nail, it will drag on.  However, if it is bad enough (ie: news worthy because of investigator ERRORS), and someone leaks it to the news media, you now have a full-blown zombie breakout that will last not only years, but perhaps the better part of your career.

Back to preventing the zombie-case outbreak

Do a good job.  Even on those cases that seem minuscule at the time.  You never know how one seemingly insignificant case can end up reaching the Supreme Court, and not because you did a good job, but just the opposite.  Trust me.  I’ve seen it.  Seriously.  Do a good job, because when it happens, it is so much better to be the person that did a good job in the case and not be the one that screwed something up.

#DFIR Case Studies #8 released today. I picked a case where an innocent person was arrested and talk about the mistakes to avoid.
Get the entire case study series + the WinFE course with 3-day promotion at: https://t.co/aKZhmkijc4 #infosec pic.twitter.com/TQQKSPuOsq

— Brett Shavers ? (@Brett_Shavers) April 12, 2018

Figure it out

It’s been more than a few years since I was in the Marines, even though it still feels like yesterday.  Although it has been decades (has it really been that long?), it seems that I am still learning lessons today that the Marine Corps exposed me to back then.  I mean that in the sense that many times I come across an obstacle in life or work that is solved by falling back on the little things I learned way-back-when.  One of the biggest lessons I ever learned: Figure it out.

I give credit to technology for making our lives easier, which doesn’t always mean for the better.  If you don’t know something, you can ask Google and get the answer.  In fact, as you type your question, Google practically reads your mind and finishes your question for you while at the same time, giving you an answer.  I believe that this part of technology is a disservice, especially those in the DFIR field because being told the answer is not the most important thing compared to personally finding the answer. It is the journey, not the destination.

My first response to being asked “how to do something” is “Did you try everything you know before asking me?”  Whether it is a student or a peer, if I am asked a question, I naturally assume that everything possible was tried before asking me.  If not, I question the question of asking in the first place because asking without trying to figure it out yourself is simply asking for the answer.  You are asking to get to your destination without taking the journey.  You are asking someone to do your homework for you.  This is the easy way, the wrong path to take, and will gradually put a cap on your skills.  Try before asking.  Then try again.  At some point you will run out of different attempts and then when you ask, I know (or will assume) that you tried everything you know how to try.  Hopefully before that comes, you will find the answer before asking for your sake. Giving the answer will not be helpful if you have the ability to figure it out yourself.  By the way, it is way easier for me to answer a question than it is to push and prod for the student to figure it out.  Answering takes me 15 seconds while being patient to watch the process can take a lot longer...

I teach the Figure It Out* method because the Eureka!  moments are those times where you learn something that you will never forget. It is embedded into your cranial cavity as if you were the first person to ever discover that answer.  In reality, everyone could have known the answer before you, but as far as your brain is concerned, you did it first and therefore, will remember it forever because you discovered it.  This doesn’t work if someone tells you that “C” is the correct answer.  You will forget being given “C” as the answer minutes afterward but you will remember the “Ah ha!” discovery for a lifetime.  You will actually be able to figure out more problems because of increased confidence.  It's a good cycle to be in.

But, I have found that some people don’t want to take the journey to discovery.  They truly just want the answer for a varied number of reasons, which are technically defined as excuses.  Procrastination is not a reason.  Laziness is not a reason.  Not caring is not a reason.  Because Google answers it for you is not a reason.  I tend to feel that we need ‘figuring it out by yourself’ as a high school class, where cell phones are not allowed, nor any Internet, in order to teach that using our own brain is what solves problems. 

As far as how the Marines do it….when given the order to “Have your squad at this point by 0300” or "get across that river in the next 45 minutes", there were no answers on how to do it, what to take, what to eat, what to wear, or when to leave.  There were no expectations of failure or answers to what happens if you fail.  No Google either. Simply, you are given a mission and you figure out how to complete it.  That is what we do in DFIR.  We figure it out.  We have to.

How to figure it out

I'd be remiss in not giving some guidance on how to figure it out, or at least how to ask a question.  Firstly, depending on what you are doing, figuring it out is going to be different every time.  Basically;

1. Read the instructions, try and fail.

2. Figure out where the problem started and,

3. Try again.  If fail..

4. Go back, read the instructions and guides again, try to find where the error may be solved.

5. Try again.  If fail...

6. Get online and search.  Forums, support/chat rooms, email lists.  Find someone who has documented the same problem.

7. Try the suggestions that you found.  If fail...

8. Put together your question.  Do not ever ask, "Hey, this thing doesn't work.  Can you make it work for me?".  Rather, write up your question like a mini-research project: 

   -"I wanted to do this."

   -"But I got this error."

   -"So I tried this and got this error."

   -"Then I searched for an answer and found these suggestions."

   -"I tried again with the suggestions and got this error."

   -"I don't know what else to try.  Can you point me in the right direction?"

When I get a question like this in class, I am happy.  Maybe a few more tries would have done it, but there is a point where if each try is simply repeating the exact process without changes, it is time to stop and ask.  Part of the learning process in DFIR is self-learning.  That which you cannot teach yourself, take a course in that topic.  Read books.  Engage in conversations about the topic.  Practice and research.  The last thing that should on your mind is thinking that "I'll just ask for the answer" without first making some effort to learn first.  

*I can't claim credit for the "Figure It Out" method, since it was yelled at me by many senior Marines until I Figured It Out.

I’m a fan of WinFE.  I’ve used it, written about it, helped develop it, taught it, and assisted others to teach it.   The way that I talk about it, you’d think that WinFE is the best thing that ever came along, does everything you need in forensics, and nothing can out do what it does.    Actually, WinFE doesn’t do much at all.  But that for what it does, it does ingeniously.

The top 5 cool things

#5 Forensically boot a Windows, Mac, Linux machine to a Windows Forensic Environment

#4 Forensically Boot a Surface Pro to a Windows Forensic Environment

#3 Image storage drives (full, sparse, or targeted) with Windows tools

#2 Perform a triage or preview with Windows tools

#1 Do a complete exam with Windows tools on the evidence machine

There are even more things you can do as well that makes WinFE cool, but this is a good start.  Being a free tool makes it cool too.

What’s the big deal?

WinFE forensically boots to Windows. That means you can use Windows-based forensic tools!

The numbers

3,447  *  Years ago, I threw together a quick WinFE online class for free.  Over 3,000 took the course before I eventually took it offline since WinFE has had several updates since the course was developed. 

5,592  * I recently put on a longer Forensic Operating System course (that focused on WinFE more than other live CDs) and as of today, more than 5,500 have taken that course.  

15,000  * That’s the number where I stopped counting the downloads of the WinFE script and various WinFE builders from over the years.  That doesn’t mean 15,000 WinFE users, just that it is a lot of downloads of past and current WinFE build projects.  That also does not include WinFE basic builds where Microsoft downloads are required (and not a WinFE project).

The point is that WinFE is a valid tool used by many, and since there is no marketing department for it, I'm marketing it because I use it and prefer that it remain relevant in the community...so I can keep using it :)

The latest WinFE course

I had been asked for a new course just on WinFE and not any of the other live CDs, so here it is.  I included the multiple types of WinFE builds including Windows To Go in order to cover everything about a Windows-based, forensically sound, bootable operating system.  This course is only for those who did not take the Forensic Operating System course, since the WinFE information is the same in both courses.

Of course there is a promotion 😊

For any course I publish, you probably noticed that for a few days, I have a promotional discount.  This course is no different.  I ask that you share the promotion because invariably I get emails asking to extend the promotion (no extensions….sorry).

The new Windows Forensic Environment online course is open! Use promo code "miniwinfe" for 50% off through April 10 for the first 100 registrations.https://t.co/urGlmsKHLH #dfir #infosec pic.twitter.com/duU3fEYnHU

— WinFE 💽 (@WindowsFE) April 8, 2018

The Windows Forensic Environment social group

Since WinFE isn’t a commercial tool, with no developers or support staff, it has been pretty much living on its own, being pushed about by its community of users.  Searching for WinFE gets you about a dozen websites, most of which is outdated information, without any sole collection point.  Therefore, there is now a group for it. 

I will be putting everything in the social group as it comes up in terms of updates to WinFE building, usage, powerpoints for training, and curriculum if you want to have a turn-key model to add it in a forensic course that you teach.  Only those who have registered for either this new WinFE or Forensic Operating System course are invited.  The social group is a repository for community support, related downloads, and updates to the WinFE projects; it is not a beginner’s class in what WinFE is.

The time to self-learn WinFE can take days. There is no help desk, tech support, help line, or single point of reference information for WinFE.  If you don’t have patience to self-learn how to build it, you will give up.  Even tho the Internet is full of instructional guidelines, the good is intermingled with the outdated.  This course is the most current and up-to-date WinFE building and the WinFE social group will have all future updates for you to get it right the first time.

ps: Pass the quiz at the end of the course and receive a certificate of course completion (3 hours) in the instruction of building and using WinFE.

In my most recent course that I was teaching, the question of imaging speed came up during the hands-on imaging practicals (it's always the same question, "How can I make it go faster?").  My go-to illustration of imaging tests has been referring to Eric Zimmerman's imaging tests.  However, I tried something different this time.   I used Eric's tests (both imaging and software testing) and converted the spreadsheet data as visuals.   The visuals made all the difference, especially given mixed language in the course (as the course was not just in English…so it was a bit more difficult to get points across at times).  

With the visuals, it was easier for the class to see that some speed differences in the tests are slight enough to be irrelevant (in that personal preference of a tool may override the speed of another tool without detriment), while other speed differences are glaringly too far apart to rationalize a personal choice over a more logical choice when speed is important.  I ended up adding a separate lesson in doing personal testing, documenting the tests in the fashion of Eric Zimmerman's, and using the results to base decisions upon.  Nearly every slide had the same suggestion: "SHARE YOUR WORK'.   By sharing, I mean giving it away or selling it or teaching it or sharing it in any means you desire for fun or profit.  Just get your work out there.  

Eric set a standard in documenting imaging speed tests, but he also did something else; he showed that documenting and sharing tests results impacts the community globally for years as it is referenced constantly.  His test also shows that this is something any of us can also do.  If you think that your work is but a sliver in what can or should be done in sharing, keep in mind that a sliver to you is most likely an amazing bit of knowledge for someone else.  And by sharing, I mean publish, teach, show, or compare your work with others.  Most of the innovative developments in history have been inspired by a sliver of an idea.

The fear that your public work will be critiqued is real, not just because it will be, but because it must be.  Public peer-reviews require thick skin and a willingness to accept being wrong, and how to improve our work.  It also shows that you have the guts to put yourself out front, which any job in DFIR requires anyway.  Do it and be prepared to learn from your peers when your work is peer reviewed.  That is your goal: peer reviewed research that you personally conducted.  As a side benefit of sharing your work, software developers will certainly look at what you have documented to see where their tool stands.  Regardless of their tool is on the top or bottom, the tests show how developers can improve their tools, which benefits you (and me) directly.

About the critiques of your shared research….in a perfect world, everyone plays nice, is polite to each other, and we support the work of our peers with respectful and productive discussion.  But don’t expect that every time, and accept that some folks just aren’t nice.  Actually, be prepared for someone to be dismissive, impolite, and even downright disrespectful.  It happens because people are people.  My personal opinion is that everyone should be respectful or not say anything at all.  However, “polite” is not a word in the vocabulary of some.   Still, don’t let that stop you moving DFIR forward with your shared work and ideas.  Each of us have a choice to follow the path that others have blazed or we can blaze a trail that others will follow.  Blazing a trail sometimes means going the wrong way or hitting a dead end...you will be wrong on occasion.  

Back to the point of visuals in training: Here one example of turning Eric’s work into visual aids.  The takeaway in these visuals is not that a visual is ‘better’ than a spreadsheet, but that it is (1) different, and maybe (2) more appropriate for specific audience types.  The imaging example is just an example of practically anything in DFIR that can be more easily described in a visual compared to rows and columns, depending upon your goal of showing data.

I will post my slidedeck at some point, but I hope you got the point of taking complex data and painting a picture with it to make it easier to digest.

Definition of dragnet

1a : a net drawn along the bottom of a body of water

   b : a net used on the ground (as to capture small game)

2: a network of measures for apprehension (as of criminals)

In Hollywood movies, citizens have virtually no expectation of privacy and no practically no protection from unreasonable searches and seizures.  The movies typically depict cops routinely committing dozens of felonies in search of the criminal.  Given any cop movie, I can (and usually do) count more than a dozen felonies committed before the credits roll.  In some movies, the lead police character actually commit more crimes of more seriousness than the suspect they are chasing...

We must keep the Hollywood movie fantasy separate from reality otherwise we risk moving over the line.

Case in point: Blanket search warrants

http://www.wral.com/Raleigh-police-search-google-location-history/17377435/

 “The demands Raleigh police issued for Google data described a 17-acre area that included both homes and businesses. In the Efobi homicide case, the cordon included dozens of units in the Washington Terrace complex near St. Augustine's University.” http://www.wral.com/Raleigh-police-search-google-location-history/17377435/ 

Where a warrant is supposed to describe a specific person, place, or thing, going beyond that criteria is getting close to the line, if not clearly jumping over it.   Creating an analogy of searching a person/place/thing using high tech methods (non-invasive) and physically searching a person/place/thing (invasive) escapes most.  Few want a stranger, police officer or otherwise, to open their closets and toss items around, but when it comes to digital information, it seems that many people don’t have the same concerns over privacy and their protections against unreasonable searches and seizures.

"…Another review would further cull the list, which police would use to request user names, birth dates and other identifying information of the phones' owners….At the end of the day, this tactic unavoidably risks getting information about totally innocent people," Wessler said. "Location information is really revealing and private about people's habits and activities and what they're doing." http://www.wral.com/Raleigh-police-search-google-location-history/17377435/ 

Our data privacy problem resides partly in the service providers and partly with us, the users.   For example, to have the convenience in finding a specific type of restaurant based on your location, a service provider needs to know (1) your location, and (2) your desires.  The service provider stores each of your location way-points and all of your typed desires. They keep this information well past your immediate use of the service.  Your consent is key to making this data fair game to advertisers, spammers, criminals, and the government today and into your foreseeable lifetime and after death.

The difference between your home being searched by the government and your data being searched by the government is that when it is your data stored by a service provider, you are not generally aware that it is going on.  It doesn’t feel invasive because it happens without you seeing it.  You don’t see an investigator reading details about your life and would not expect it happen anyway.   

For investigators, it is so much easier to search the private data of every citizen in an entire city than it is to physically go house-to-house and physically search the homes.  By the way, if there comes a day where we see blanket warrants to search house-to-house, we probably are not having a good day.  But that is what happens to our personal data.

My hope is that law enforcement doesn’t lose the ability to use high-tech methods because of an over-reaching search warrant, but I know that this is what invariably happens because the easy way is going to be chosen by someone when they should have chosen the more reasonable way.

I’m curious to see where the fine line will be drawn in using dragnets to obtain everything to search for a specific something.

In theory, if you know what you are doing and are competent, that is all you need.  In practice, being competent is rarely enough. You probably need documentation....

The importance of documentation was hammered into me for years by my employers as a government employee (military and LE).  Courts made sure that anything that I did not realize was important to document before testifying, better be documented next time.  

TL/DR aka Cliff Notes: Don't just download some DFIR tool and use it. Create documentation to justify your self-training/education/experience in using that tool, especially if you will be facing a jury or hiring manager.

 One example I had early in police work was that of drug field tests (not the kind you see on TV, where the cop puts some unknown substance on their tongue and says, "That's good stuff").  Getting trained on how to do field drug test wasn't something that we'd get in the academy, or as a normal part of the job.  Most would just follow the instructions on the test kit and call it good.  I think I may have been the first person in my department to be eaten up on the stand for a drug test in my report because I said, "I followed the instructions on the kit", yet had no formal or informal training in it.  My field test result was confirmed by the state lab, but I was badgered for a bit on the stand by the defense attorney on the drug test because I had no formal training in how to do it.  I did nothing wrong, I followed the instructions perfectly, the case was fine, but I didn't like getting attacked for something minor like not having a piece of paper showing 'training'.  

Here is what I did that day after court.  I found the most senior narc in the department, who had testified to field testing drugs, who had taught narcotic work at the academy, who did major cases, and most important, someone who would spend a few minutes with me.  The senior narc (who was a Commander at the time), spent 30 minutes teaching me what I already knew, but also gave me some things that I did not.  Before I left his office, I had a department head memo detailing the 'training' I just received with a brief bio of the Commander who taught me.  That memo went into my training record, which I would use any time I were to testify to a field test of drugs in a case.  

Having gone into narcs years afterward, I created a formal in-service class and taught every patrol officer in field-testing to make sure they didn't get eaten up on the stand for not having any training in field-testing drugs.  It's a little thing, a memo or a training record, until it's a big thing.

I apply the same concept in the DFIR world.  Every breakout session at every conference I attend incurs labor on my part.  I write up the specific session, with the name of the presenter, with notes I take, plus the time spent in that session.  If there is hands-on, I document that as well.  All the better if there is a booklet of the sessions that I get in the swag bag to keep me organized.  I have a spot on my shelf with these for reference. For anything that I learn on my own, guess what...I document that too.  I never ever get on the stand to testify about something I did in which I do not have documentation at the ready.  If/when asked, I know:

• The names of the presenters that I have learned from at the specific courses and conferences I've attended, and/or
• The number of hours that I have researched practiced with a tool or process (learning hours, not case hours), and/or
• The tools that I have written (itty bitty things that I have written) and the tests done with them.

I have documented formal education/training and documented informal training.  Anything that is not documented, I don't even refer to it.  I don't comment on it.  I don't list it.  If you have ever been on the stand to testify about your training, education, and experience, then you know that if you don't have documentation to support it, you will be under a microscope about it.  If you are new to DFIR, you are lucky because you can start saving your documentation now.  If you have been doing this for some time and not been saving your documentation, then you have lots of work to do.  

For anyone who doesn't feel the need to keep training records or documentation, either you don't have court appearances in your planned future, haven't met the devil of an opposing counsel yet, or are in a job you don't ever plan to leave.

I tend to create online courses for the benefit of getting something on paper for those wanting something on paper.  I believe we can do this job without taking a class or getting a degree.  I believe that if you are in DFIR, you are smart enough to learn on your own.  Actually, if you can't learn on your own, you may have a difficult time in this field.  But that's not how it works if court appearances or job interviews are in your future.  You need paper, and lots of it.  Degrees, certifications, conferences, courses, and personally documented research & practice.  The learning is implied if you do these things.  Competence is assumed if you have them.  All becomes clear when you employ them (clear as in, your employer will see if you actually know what you are doing or not). 

If you are in a position of authority, leadership, or mentorship, teach others something.  In classes I teach, whether a LE course, college course, online course, or in person at coffee, I implore the learner to take seriously what I am saying in documenting what I am teaching them, because it may become useful later.  In one way that I have used this in my testimony is that I have specifically stated, "I have been trained in the use of this tool by the developer of the tool."  Or, "I have been taught this forensic process by name of person, who developed the process".  Or even, "I have been trained by the person who wrote a book on it."  This is all the better if you are the author, tool or process developer, but second best is being taught by the tool or process developer, or the organization that developed the tool or process you used.  

In a perfect world, everyone accepts that we are competent because we say that we are and we can prove it.  In reality, even proving it is sometimes not enough if you don't have a document that says it. 

Forensic Operating Systems

The time has come!  The Windows Forensic Environment (aka Windows FE, aka WinFE) project and course has been updated.  

**COURSE IS CURRENTLY AT CAPACITY**  However, send me an email (This email address is being protected from spambots. You need JavaScript enabled to view it.) to be put on a wait list for when it re-opens.

The Forensic Operating System with Mini-WinFE may re-open early depending upon the numbers on the wait list. If you are interested, please send me an email or DM so that I can plan for increasing the allotted number of registrations.https://t.co/20jvXlHkV6 pic.twitter.com/2rj6SLop4B

— WinFE ? (@WindowsFE) March 22, 2018

The course is arranged that you can skip over any topic to go right to what you need right now.  So, if you need a WinFE build right now, go to that section first and get the info you are looking for.  Complete the entire course for a cert of completion for training hours documentation (5 hours documented training time).

But it’s 2018.  Aren’t bootable forensic discs outdated?

We’ve come a long way from using bootable floppies to image drives with Safeback, but it seems the only thing that changed was the bootable media, not the method. 

Booting any system to external media is not my first choice, until it is.  Some systems can only be acquired, accessed, previewed, triaged, or touched by booting it to external media.  Some situations would best be approached by booting to external media. 

The real benefits are being able to more quickly acquire data, acquire data forensically when you can’t otherwise, acquire data that you couldn’t acquire at all, find evidence faster, eliminate and prioritize forensic examinations, and make your work more productive.

Who uses WinFE?

·         It is taught world-wide by training providers in government, universities, and private courses

·         It has been used in criminal and civil cases, and internal corporate matters (and courts!)

·         Over 3,500 users signed up and completed the first online WinFE course (now updated)

·         Over 10,000 downloads of the WinFE projects in the past 5 years

I am certain that Troy Larson had not idea that giving me instructions to build a WinFE would eventually turn out like this…

With the new WinFE build, the total time from start to finish is less than ten minutes.  That includes downloading the WinFE project, setting it up, creating the WinFE.iso, and finally creating a bootable CD/DVD/USB.  This means that if you were to build a WinFE today, you’d have it in your DFIR toolbox ready to go anytime in minutes.

But Linux and Mac!

I go over Linux distros and Mac options in the online course, and credit the best of each for what they do best for different needs.  I also go over negative points of each as well.  Working in this field requires walking into unknown environments all the time, therefore, be prepared with options before you end up in a situation where you find that you should have done this earlier. 

What's the big deal?

It's another tool in your toolbox.  I can't count the number of times I have been emailed by someone asking me to give them the 2 minute version of how they can build a WinFE, right now, while are onsite dealing with something they were ill-prepared to deal with.  Now is the best time to get your bootable forensic operating systems in order, because you will be in that spot one day.  Hint: emailing me isn't going to make a WinFE disc magically appear....you have to build it on your own.  The good news, you can do it in a few minutes and have a tool that might get you out of a jam that you otherwise would be stuck.  Your bootable media should also include Linux and Mac solutions as well, which are discussed in the course too.

The days of Safeback and floppies may be over, but we have been seeing more systems requiring forensic OS boots than ever before by sheer necessity due to hardware configurations.

Download the Mini-WinFE used in this course at: http://www.brettshavers.cc/index.php/mini-winfe-download