Brett's Ramblings

Old hat investigative work will always work
Brett Shavers
Digital Forensics
The Reality Winner case is a good example of a basic investigative method that still works regardless of how much publicity the method has received for years prior. In the Winner case, printed documents were tied to Winner based on “microdots”. This article below does a decent job of explaining what microdots are if you haven’t heard of this...
In the #DFIR world, it seems like everyone is an expert….
Brett Shavers
Digital Forensics
…because everyone can be an expert. One thing about the DFIR field and all of its ever-encompassing related fields, is that it is physically impossible for any one person to be an expert in the entirety of the field. To even try to be ‘that DFIR expert’ is to set yourself up for failure. I base my opinion on what I’ve seen over the years, especiall...
Why does Google think this is a good idea?
Brett Shavers
Digital Forensics
An incredible new Gmail feature, “Confidential E-mail Mode” by Google, looks to be one of those wonderful surprises that will be catching people off guard in a bad way. TL;DR version. Send an email using Gmail in which Google puts a link in the body (and removes your e-mail content from the e-mail). The link, which only the recipient can open, op...
Don't become a hacker by hacking back a hacker that hacked you
Brett Shavers
Digital Forensics
Emotions run deep if you are victimized.  Initially, you want blood at any cost.  You also willingly accept any potential future regret, as long as you get blood today.  And unfortunately, no matter how fast justice may come, it will not be soon enough.  This rationale applies to being a victim of any crime and having your computer system hacked co...
Digital Forensics Tenure in Law Enforcement, and other fairy tales
Brett Shavers
Digital Forensics
Occasionally I am asked by police officers working in digital forensics if they should leave their current job to go to the private sector.  Luckily, I can now refer them to read Eric Huber’s blog series “Life After Law Enforcement: Do I Stay Or Do I Go?” to let not your heart be troubled when making this decision. For the vast majority of everyone...
Zombie-Cases:  Did you ever have a case that just wouldn’t die?
Brett Shavers
Digital Forensics
I just finished up Case Study #8, with one of those types of cases that just won’t die.  If you ever had a case like that, you know what I mean.  If you don’t know, it simply means that as much as you try to close a case (“kill it”), it keeps coming back to life.  This happens with both civil and criminal cases (and internal corporate matters as we...
"I don’t want to learn.  Just give me the answer."
Brett Shavers
Digital Forensics
Figure it out It’s been more than a few years since I was in the Marines, even though it still feels like yesterday.  Although it has been decades (has it really been that long?), it seems that I am still learning lessons today that the Marine Corps exposed me to back then.  I mean that in the sense that many times I come across an obstacle in life...
5 Cool Things You Can Do with the Windows Forensic Environment (WinFE)
Brett Shavers
Digital Forensics
Make DFIR easier to learn with visual aids (and teach students to share their work)
Brett Shavers
Digital Forensics
In my most recent course that I was teaching, the question of imaging speed came up during the hands-on imaging practicals (it's always the same question, "How can I make it go faster?").  My go-to illustration of imaging tests has been referring to Eric Zimmerman's imaging tests.  However, I tried something different this time.   I used Eric's tes...
Dragnet: 2018
Brett Shavers
Digital Forensics
Definition of dragnet 1a: a net drawn along the bottom of a body of water b: a net used on the ground (as to capture small game) 2: a network of measures for apprehension (as of criminals). In Hollywood movies, citizens have virtually no expectation of privacy and practically no protection from unreasonable searches and seizures.  The movi...
Some things about training, education, and learning in DFIR
Brett Shavers
Digital Forensics
In theory, if you know what you are doing and are competent, that is all you need.  In practice, being competent is rarely enough. You probably need documentation.... The importance of documentation was hammered into me for years by my employers as a government employee (military and LE).  Courts made sure that anything that I did not realize was i...
Windows Forensic Environment - Newest project is complete
Brett Shavers
Digital Forensics
Forensic Operating Systems The time has come!  The Windows Forensic Environment (aka Windows FE, aka WinFE) project and course has been updated.   **COURSE IS CURRENTLY AT CAPACITY**  However, send me an email to be put on a wait list for when it re-opens...
Cyber Health
Brett Shavers
Digital Forensics
I was a spectator to a conversation between a law enforcement DFIRer and a corporate computer user this week, and it got interesting when the name-calling started.  The point of the conversation was about corporate computer users being ‘lazy’ with computer systems (whether it be managing the organization’s website content or just basic cyber health su...
Making Ham Sandwiches in DFIR
Brett Shavers
Digital Forensics
Following up on some points made about DFIR writing on Twitter, here are my opinions on the subject of writing up your work in DFIR: 1: Write it up (or else your work didn’t happen) 2: Write it for your audience (or it won’t matter what you did anyway) If you follow those two tips, your writing will be fine...
DFIR Case Studies #7
Brett Shavers
Digital Forensics
As I was going through Case Studies #7, I found several reminders on tips for working a case.  The simple obstacles that make some investigators quit only make others drive forward with creativity.  One example is the suspect in Case Study #7 using open WiFi to be anonymous.  Sometimes, investigators quit once they find that the suspect used a...