Brett Shavers | forensics & things

Brett's Ramblings


Digital Forensics is Really Easy

Digital Forensics
Brett Shavers
Wednesday, 28 November 2018

The mechanics of digital forensics (and its related cousin, incident response) are fairly easy. A computer is a computer is a computer. Collecting data is collecting data. And an artifact is an artifact. As long as you follow the basic mechanical principles and concepts, you should be able to do the work without impossible obstacles.

The most basic example is imaging a hard drive from a computer that is not running.

  1. Protect the source
  2. Image it

That’s about it. This example carries into all things DF/IR, as it is mechanical work coupled with decisions on overcoming obstacles in order to get the job done.

Here is where digital forensics is most easy!

DF/IR is easy to screw up. It is really, really easy to screw up. Besides the mechanical ways to make an error, such as overwriting the original data, there are ways to make things worse by thinking you know what you are doing when you actually don’t. Using the above example, a complete job needs a lot of little things beyond the two steps (documentation, chain of custody, hash verification, etc.).

Here are two personal examples.

Example 1:

I was hired for a civil case to examine a hard drive image. I received the image that was created by an employee from a nationally known computer repair company. The part of the case that matters is that after the computer was dropped off at this repair company, the computer was identified as being pivotal in a substantial and public civil case. An employee at the computer repair company talked his supervisor and attorney into believing that he could create a ‘forensic’ image of the hard drive.

The employee was first level IT in that I didn’t see much more experience than having an A+ certification and zero experience or education in digital forensics. The employee's only forensic work experience was creating this “forensic” image for the case using FTK Imager.

The process was not correct, as the employee believed that because FTK Imager (ie: “Forensic” Tool Kit Imager) was used, all was well in the world with the forensic image. Some of the issues: there was no chain of custody with the image or original source, the original source was subsequently lost, data was overwritten prior to and during imaging*, and barely any documentation existed. The only documents created were the receipt to drop off the computer and a text file created by FTK Imager.

I was hired to fix the ‘forensics’ in this case. The point of the story is that the employee thought he was doing forensics, but actually, he was screwing it all up by not having any basis of knowledge in the legal aspects of forensics or the technical aspects of creating an image (or much else).

End result: I couldn’t fix it because I didn’t have a time machine to go back in time to prevent the employee from touching the computer. Oh yeah. A new policy on not doing forensics was incorporated in the computer repair company.

Example 2:

On a civil case where I found child porn on a device, I immediately transferred the evidence to the local police department and wished the attorney-client luck (I don’t do those types of cases outside of law enforcement anymore). I also gave the PD the only image that I made of the original, along with an extensive report of what I saw that included verification of known CP hash comparisons. I’m stressing to you in this post that I made it extremely clear to the police department that without a doubt there was child porn on the hard drive, some of the worst that I have ever seen in my career. I even wrote my report as if it were an affidavit for a search warrant because what I saw certainly deserved police attention. 

Months later, the forensic detective told me in a phone call that he couldn’t image the drive and tried for months. He apparently gave up because he said that he was busy with more important cases (than child abuse), like rape and homicide...  He didn’t want any help, so that was it for me in the case. I offered that he could at least use my image that I gave...but nope.

Months later, I was re-hired to examine the drive, specifically for child porn, as the device owner was accused of also molesting his daughters. Then a weird thing happened. The wife (of the device owner) asked the PD to pick up the hard drive. She simply called and said it was her hard drive in evidence. They told her to come pick it up. Then they gave it (the original drive!) to her. Child porn and all. Nothing wiped, no court order for anyone to possess or examine.  Not only that, but the case was still open, and now included child molestation allegations.

The wife (client of my attorney-client) carried the original drive around, passed it on to her attorney, who days later wanted to give it to me. No one (including the police department) cared that child pornography on a hard drive in an active case of child abuse was being passed around without a sliver of chain of custody or concern for what it legally means to possess that stuff. Or any care of how the data on the drive may refute or corroborate the real-time child abuse allegations.

PS: I refused custody of the drive until I was given a court order that said I could touch it.

The point of this story is that I wouldn’t expect the wife to know anything about chain of custody or possession of child pornography, but I would certainly expect (actually, demand) that the police detective and attorney know exactly. I further would expect that a police officer working in digital forensics could figure out how to image a hard drive in a day rather than never figure it out in months before giving up.

End result: I ended up in court. So did the detective. Some people got yelled at by the judge. I wasn’t one of the people getting yelled at. One positive out of this case is that there were so many problems, that I can use a hundred examples from it for a decade of how not to do digital forensics or police work.

These two examples, out of more than a few that I have personally seen, reinforce a largely ignored aspect of digital forensics work: a basic foundation.

A basic foundation is just that.  Basic. Foundation.

I am not talking about the basics of a specific job in DF/IR, but rather the basics that cut across all the jobs in DF/IR. This includes law enforcement! No one is perfect or exempt from being expected to have a basic foundation.

The DF/IR field typically focuses away from the legal aspects because many in the field wrongly assume that they are not working within the legal arena. For the most part, many are correct, until they aren’t. This is because not only do we work with data, we also have a high risk of interacting with data that constitutes evidence in a legal case (civil or criminal). We should know what evidence is, how to recognize it when we see it, and what to do with it if and when we come across it.

Never complain about a problem without following up with a proposed solution

We need to know the foundational basics of both DF and IR. When you focus on one small aspect of the entire field, you are working with a hammer. All your decisions will be based upon that small part of the field that you work with. By “small part”, I do not mean insignificant. I mean that if we, in DF, come across an obstacle or issue that clearly fits the other side of the house, we can identify it as such and refer or delegate it to more appropriate specialists. Same thing if we, in IR, come across a legal issue: we handle it appropriately by knowing who best should handle it.

We cannot expect those who do not work in either DF or IR to know how to forensically image a hard drive, or to have any idea of the legalities of passing around a hard drive with child pornography (albeit, at the request of an attorney… after receiving it from law enforcement…). But we can require that those of us in the field have some basic foundation in both the common legal and technical aspects that cut across the disciplines.

A simple solution is requiring that those who work in either DF or IR have this foundational knowledge. You don’t need to be an attorney to know chain of custody for evidence. You don’t need to be a police officer to know what evidence looks like. You don’t need to know how to reverse engineer malware if it’s not your job, but you should be able to recognize when it needs to be done. You don’t need to know how to do a chip-off on a mobile device if you don't work with mobile devices, but you should know that it can be done if needed when you come across it.

What does a basic foundation look like?

  1. What you need to know legally (only those things that everyone in DF and IR should both know)
  2. What you need to know technically (only those things that everyone in DF and IR should both know)

Anything else is job specific, the layer on which core competencies are built, and therefore not part of what I am talking about. Just the basics, the very basics. Because without them, digital forensics is really easy... to screw up.

**updated 11-29-18
I had a comment about the example of the IT employee overwriting data during imaging. To clarify, data was modified prior to imaging, during imaging, and after imaging. The data modified prior to imaging was not problematic, as it was part of the service requested before the computer was identified as relevant in the civil matter. Data was modified during imaging because the employee did not use a write blocker (hardware or software) while he was imaging and, at the same time, was apparently looking through the drive while it was being imaged. It continued to be modified after imaging as he kept looking through the drive.
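The two-step procedure at the top of the post (protect the source, image it) and the write-blocker note above describe the same failure mode from two sides: if the source is not protected, an image can differ from what the drive held when it arrived, and nobody can prove otherwise without hashes and a record. The following Python script is an added example, not code from the post or from FTK Imager, showing the verification that should travel with any image: hash the source before acquisition, hash the image as it is written, re-hash the source afterwards, and log all three with timestamps. The "drives" are constructed temporary files, and the `on_chunk` hook is a hypothetical test hook that stands in for any activity touching an unprotected source while it is being imaged.

```python
"""Imaging with integrity verification (added example, not the post's code).

Hash the source before imaging, hash the image as it is written, and
re-hash the source afterwards. Any write to an unprotected source (no write
blocker, someone browsing the drive mid-acquisition) shows up as a hash
mismatch in the acquisition record. Sample 'drives' are constructed temp files.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB per read, mirrors block-wise imaging


def sha256_of(path):
    """Stream a file through SHA-256 so large images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, log, on_chunk=None):
    """Copy source to image block by block and append a verification record to log.

    on_chunk is a hypothetical test hook called after each block is copied; it
    stands in for anything that writes to an unprotected source during imaging.
    The returned record's 'verified' flag is True only if all three hashes agree.
    """
    rec = {
        "source": source,
        "image": image,
        "started": datetime.now(timezone.utc).isoformat(),
        "source_hash_before": sha256_of(source),
    }
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            dst.write(block)
            h.update(block)  # hash exactly the bytes written to the image
            if on_chunk:
                on_chunk()
    rec["image_hash"] = h.hexdigest()
    rec["source_hash_after"] = sha256_of(source)
    rec["finished"] = datetime.now(timezone.utc).isoformat()
    rec["verified"] = (
        rec["source_hash_before"] == rec["image_hash"] == rec["source_hash_after"]
    )
    # Append-only JSON lines: one record per acquisition, the start of the
    # documentation trail the repair-shop image in the post never had.
    with open(log, "a") as f:
        f.write(json.dumps(rec) + "\n")
    return rec


def demo():
    """One clean acquisition, then one where the source is written to mid-image.

    Returns (clean_verified, dirty_verified); expected (True, False).
    """
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "source.dd")
    log = os.path.join(tmp, "acquisition.log")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK))  # constructed 3 MiB 'drive'

    clean = acquire(src, os.path.join(tmp, "clean.dd"), log)

    state = {"done": False}

    def touch_source():
        # Simulated write to the unprotected drive: flip the last byte once,
        # right after the first block has been read. That byte has not been
        # imaged yet, so the image matches the source's final state but not
        # its pre-imaging state; the before-hash is what catches it.
        if not state["done"]:
            with open(src, "r+b") as f:
                f.seek(-1, os.SEEK_END)
                last = f.read(1)
                f.seek(-1, os.SEEK_END)
                f.write(bytes([last[0] ^ 0xFF]))
            state["done"] = True

    dirty = acquire(src, os.path.join(tmp, "dirty.dd"), log, on_chunk=touch_source)
    return clean["verified"], dirty["verified"]


if __name__ == "__main__":
    print(demo())
```

The before-hash is the piece most often skipped in practice: an image hash alone only proves the image matches itself, and a hash of the source taken after imaging only proves nothing changed since. Only the three together, recorded with who ran the acquisition and when, let a later examiner say that the image reflects the drive as it was received.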
On the child porn case, this was where the wife's attorney hired me to examine a common computer between the wife/husband, and I discovered that the husband had been downloading some of the worst child porn that I have ever seen. Another one of the investigative errors was that the local PD failed to seize any additional devices before they were either destroyed or hidden out of the residence by the husband.