Zombie-Cases:  Did you ever have a case that just wouldn’t die?

I just finished up Case Study #8, with one of those types of cases that just won’t die.  If you ever had a case like that, you know what I mean.  If you don’t know, it simply means that as much as you try to close a case (“kill it”), it keeps coming back to life.  This happens with both civil and criminal cases (and internal corporate matters as well).

A few reasons that a case may live on well past the time you wish it would are; 

  •          You keep finding more evidence, even after the investigation is over
  •          Corners were cut and now the devil is calling
  •          The attorney keeps asking for more work on it
  •          Trial comes and goes, then comes back again, then goes, then…
  •          Evidence you initially found is now found to be inaccurate
  •          Interrogatories and interviews come and go and come and go and keep coming
  •          More jurisdictions join in
  •          Case agents/officers keep changing and rotating and being reassigned
  •          Errors that were made are now coming to light, just in time for court
  •          Reports are missing or don’t contain necessary information
  •          And worse yet, the case hits the news

Case Study #8 takes a case that has a few of these things, but as for how to keep a case from coming back to life, there are things you can do to reduce the risk.   The most important method is to do a thorough job.  Doing a good job will reduce the chances of a zombie case by 90%.  Do good work, double-check your work, triple-check it, and you have less than a 10% chance of it biting you later. 

The remaining 10% chance of your case turning into a zombie is probably out of your control.  If you are given the wrong information, evidence is misinterpreted, or workers in your case don’t do a good job, there is a good chance that the 10% zombie case is coming for you.  And of course, if the suspect wants to fight tough-and-nail, it will drag on.  However, if it is bad enough (ie: news worthy because of investigator ERRORS), and someone leaks it to the news media, you now have a full-blown zombie breakout that will last not only years, but perhaps the better part of your career.

Back to preventing the zombie-case outbreak

Do a good job.  Even on those cases that seem minuscule at the time.  You never know how one seemingly insignificant case can end up reaching the Supreme Court, and not because you did a good job, but just the opposite.  Trust me.  I’ve seen it.  Seriously.  Do a good job, because when it happens, it is so much better to be the person that did a good job in the case and not be the one that screwed something up.

  171 Hits

"I don’t want to learn.  Just give me the answer."

Figure it out

It’s been more than a few years since I was in the Marines, even though it still feels like yesterday.  Although it has been decades (has it really been that long?), it seems that I am still learning lessons today that the Marine Corps exposed me to back then.  I mean that in the sense that many times I come across an obstacle in life or work that is solved by falling back on the little things I learned way-back-when.  One of the biggest lessons I ever learned: Figure it out.

I give credit to technology for making our lives easier, which doesn’t always mean for the better.  If you don’t know something, you can ask Google and get the answer.  In fact, as you type your question, Google practically reads your mind and finishes your question for you while at the same time, giving you an answer.  I believe that this part of technology is a disservice, especially those in the DFIR field because being told the answer is not the most important thing compared to personally finding the answer. It is the journey, not the destination.

My first response to being asked “how to do something” is “Did you try everything you know before asking me?”  Whether it is a student or a peer, if I am asked a question, I naturally assume that everything possible was tried before asking me.  If not, I question the question of asking in the first place because asking without trying to figure it out yourself is simply asking for the answer.  You are asking to get to your destination without taking the journey.  You are asking someone to do your homework for you.  This is the easy way, the wrong path to take, and will gradually put a cap on your skills.  Try before asking.  Then try again.  At some point you will run out of different attempts and then when you ask, I know (or will assume) that you tried everything you know how to try.  Hopefully before that comes, you will find the answer before asking for your sake. Giving the answer will not be helpful if you have the ability to figure it out yourself.  By the way, it is way easier for me to answer a question than it is to push and prod for the student to figure it out.  Answering takes me 15 seconds while being patient to watch the process can take a lot longer...

I teach the Figure It Out* method because the Eureka!  moments are those times where you learn something that you will never forget. It is embedded into your cranial cavity as if you were the first person to ever discover that answer.  In reality, everyone could have known the answer before you, but as far as your brain is concerned, you did it first and therefore, will remember it forever because you discovered it.  This doesn’t work if someone tells you that “C” is the correct answer.  You will forget being given “C” as the answer minutes afterward but you will remember the “Ah ha!” discovery for a lifetime.  You will actually be able to figure out more problems because of increased confidence.  It's a good cycle to be in.

But, I have found that some people don’t want to take the journey to discovery.  They truly just want the answer for a varied number of reasons, which are technically defined as excuses.  Procrastination is not a reason.  Laziness is not a reason.  Not caring is not a reason.  Because Google answers it for you is not a reason.  I tend to feel that we need ‘figuring it out by yourself’ as a high school class, where cell phones are not allowed, nor any Internet, in order to teach that using our own brain is what solves problems. 

As far as how the Marines do it….when given the order to “Have your squad at this point by 0300” or "get across that river in the next 45 minutes", there were no answers on how to do it, what to take, what to eat, what to wear, or when to leave.  There were no expectations of failure or answers to what happens if you fail.  No Google either. Simply, you are given a mission and you figure out how to complete it.  That is what we do in DFIR.  We figure it out.  We have to.


How to figure it out

I'd be remiss in not giving some guidance on how to figure it out, or at least how to ask a question.  Firstly, depending on what you are doing, figuring it out is going to be different every time.  Basically;

1. Read the instructions, try and fail.

2. Figure out where the problem started and,

3. Try again.  If fail..

4. Go back, read the instructions and guides again, try to find where the error may be solved.

5. Try again.  If fail...

6. Get online and search.  Forums, support/chat rooms, email lists.  Find someone who has documented the same problem.

7. Try the suggestions that you found.  If fail...

8. Put together your question.  Do not ever ask, "Hey, this thing doesn't work.  Can you make it work for me?".  Rather, write up your question like a mini-research project: 

   -"I wanted to do this."

   -"But I got this error."

   -"So I tried this and got this error."

   -"Then I searched for an answer and found these suggestions."

   -"I tried again with the suggestions and got this error."

   -"I don't know what else to try.  Can you point me in the right direction?"

When I get a question like this in class, I am happy.  Maybe a few more tries would have done it, but there is a point where if each try is simply repeating the exact process without changes, it is time to stop and ask.  Part of the learning process in DFIR is self-learning.  That which you cannot teach yourself, take a course in that topic.  Read books.  Engage in conversations about the topic.  Practice and research.  The last thing that should on your mind is thinking that "I'll just ask for the answer" without first making some effort to learn first.  

*I can't claim credit for the "Figure It Out" method, since it was yelled at me by many senior Marines until I Figured It Out.

  516 Hits

5 Cool Things You Can Do with the Windows Forensic Environment (WinFE)

I’m a fan of WinFE.  I’ve used it, written about it, helped develop it, taught it, and assisted others to teach it.   The way that I talk about it, you’d think that WinFE is the best thing that ever came along, does everything you need in forensics, and nothing can out do what it does.    Actually, WinFE doesn’t do much at all.  But that for what it does, it does ingeniously.

The top 5 cool things

#5 Forensically boot a Windows, Mac, Linux machine to a Windows Forensic Environment

#4 Forensically Boot a Surface Pro to a Windows Forensic Environment

#3 Image storage drives (full, sparse, or targeted) with Windows tools

#2 Perform a triage or preview with Windows tools

#1 Do a complete exam with Windows tools on the evidence machine

There are even more things you can do as well that makes WinFE cool, but this is a good start.  Being a free tool makes it cool too.

What’s the big deal?

WinFE forensically boots to Windows. That means you can use Windows-based forensic tools!

The numbers

3,447  *  Years ago, I threw together a quick WinFE online class for free.  Over 3,000 took the course before I eventually took it offline since WinFE has had several updates since the course was developed. 

5,592  * I recently put on a longer Forensic Operating System course (that focused on WinFE more than other live CDs) and as of today, more than 5,500 have taken that course.  

15,000  * That’s the number where I stopped counting the downloads of the WinFE script and various WinFE builders from over the years.  That doesn’t mean 15,000 WinFE users, just that it is a lot of downloads of past and current WinFE build projects.  That also does not include WinFE basic builds where Microsoft downloads are required (and not a WinFE project).

The point is that WinFE is a valid tool used by many, and since there is no marketing department for it, I'm marketing it because I use it and prefer that it remain relevant in the community...so I can keep using it :)

The latest WinFE course

I had been asked for a new course just on WinFE and not any of the other live CDs, so here it is.  I included the multiple types of WinFE builds including Windows To Go in order to cover everything about a Windows-based, forensically sound, bootable operating system.  This course is only for those who did not take the Forensic Operating System course, since the WinFE information is the same in both courses.

Of course there is a promotion 😊

For any course I publish, you probably noticed that for a few days, I have a promotional discount.  This course is no different.  I ask that you share the promotion because invariably I get emails asking to extend the promotion (no extensions….sorry).


The Windows Forensic Environment social group

Since WinFE isn’t a commercial tool, with no developers or support staff, it has been pretty much living on its own, being pushed about by its community of users.  Searching for WinFE gets you about a dozen websites, most of which is outdated information, without any sole collection point.  Therefore, there is now a group for it. 


I will be putting everything in the social group as it comes up in terms of updates to WinFE building, usage, powerpoints for training, and curriculum if you want to have a turn-key model to add it in a forensic course that you teach.  Only those who have registered for either this new WinFE or Forensic Operating System course are invited.  The social group is a repository for community support, related downloads, and updates to the WinFE projects; it is not a beginner’s class in what WinFE is.

The time to self-learn WinFE can take days. There is no help desk, tech support, help line, or single point of reference information for WinFE.  If you don’t have patience to self-learn how to build it, you will give up.  Even tho the Internet is full of instructional guidelines, the good is intermingled with the outdated.  This course is the most current and up-to-date WinFE building and the WinFE social group will have all future updates for you to get it right the first time.

ps: Pass the quiz at the end of the course and receive a certificate of course completion (3 hours) in the instruction of building and using WinFE.

  298 Hits

Make DFIR easier to learn with visual aids (and teach students to share their work)

In my most recent course that I was teaching, the question of imaging speed came up during the hands-on imaging practicals (it's always the same question, "How can I make it go faster?").  My go-to illustration of imaging tests has been referring to Eric Zimmerman's imaging tests.  However, I tried something different this time.   I used Eric's tests (both imaging and software testing) and converted the spreadsheet data as visuals.   The visuals made all the difference, especially given mixed language in the course (as the course was not just in English…so it was a bit more difficult to get points across at times).  

With the visuals, it was easier for the class to see that some speed differences in the tests are slight enough to be irrelevant (in that personal preference of a tool may override the speed of another tool without detriment), while other speed differences are glaringly too far apart to rationalize a personal choice over a more logical choice when speed is important.  I ended up adding a separate lesson in doing personal testing, documenting the tests in the fashion of Eric Zimmerman's, and using the results to base decisions upon.  Nearly every slide had the same suggestion: "SHARE YOUR WORK'.   By sharing, I mean giving it away or selling it or teaching it or sharing it in any means you desire for fun or profit.  Just get your work out there.  

Eric set a standard in documenting imaging speed tests, but he also did something else; he showed that documenting and sharing tests results impacts the community globally for years as it is referenced constantly.  His test also shows that this is something any of us can also do.  If you think that your work is but a sliver in what can or should be done in sharing, keep in mind that a sliver to you is most likely an amazing bit of knowledge for someone else.  And by sharing, I mean publish, teach, show, or compare your work with others.  Most of the innovative developments in history have been inspired by a sliver of an idea.

The fear that your public work will be critiqued is real, not just because it will be, but because it must be.  Public peer-reviews require thick skin and a willingness to accept being wrong, and how to improve our work.  It also shows that you have the guts to put yourself out front, which any job in DFIR requires anyway.  Do it and be prepared to learn from your peers when your work is peer reviewed.  That is your goal: peer reviewed research that you personally conducted.  As a side benefit of sharing your work, software developers will certainly look at what you have documented to see where their tool stands.  Regardless of their tool is on the top or bottom, the tests show how developers can improve their tools, which benefits you (and me) directly.

About the critiques of your shared research….in a perfect world, everyone plays nice, is polite to each other, and we support the work of our peers with respectful and productive discussion.  But don’t expect that every time, and accept that some folks just aren’t nice.  Actually, be prepared for someone to be dismissive, impolite, and even downright disrespectful.  It happens because people are people.  My personal opinion is that everyone should be respectful or not say anything at all.  However, “polite” is not a word in the vocabulary of some.   Still, don’t let that stop you moving DFIR forward with your shared work and ideas.  Each of us have a choice to follow the path that others have blazed or we can blaze a trail that others will follow.  Blazing a trail sometimes means going the wrong way or hitting a dead end...you will be wrong on occasion.  

Back to the point of visuals in training: Here one example of turning Eric’s work into visual aids.  The takeaway in these visuals is not that a visual is ‘better’ than a spreadsheet, but that it is (1) different, and maybe (2) more appropriate for specific audience types.  The imaging example is just an example of practically anything in DFIR that can be more easily described in a visual compared to rows and columns, depending upon your goal of showing data.

I will post my slidedeck at some point, but I hope you got the point of taking complex data and painting a picture with it to make it easier to digest.


  630 Hits

Dragnet: 2018

Definition of dragnet

1a : a net drawn along the bottom of a body of water

   b : a net used on the ground (as to capture small game)

2: a network of measures for apprehension (as of criminals)


In Hollywood movies, citizens have virtually no expectation of privacy and no practically no protection from unreasonable searches and seizures.  The movies typically depict cops routinely committing dozens of felonies in search of the criminal.  Given any cop movie, I can (and usually do) count more than a dozen felonies committed before the credits roll.  In some movies, the lead police character actually commit more crimes of more seriousness than the suspect they are chasing...

We must keep the Hollywood movie fantasy separate from reality otherwise we risk moving over the line.

Case in point: Blanket search warrants


 “The demands Raleigh police issued for Google data described a 17-acre area that included both homes and businesses. In the Efobi homicide case, the cordon included dozens of units in the Washington Terrace complex near St. Augustine's University.” http://www.wral.com/Raleigh-police-search-google-location-history/17377435/ 

Where a warrant is supposed to describe a specific person, place, or thing, going beyond that criteria is getting close to the line, if not clearly jumping over it.   Creating an analogy of searching a person/place/thing using high tech methods (non-invasive) and physically searching a person/place/thing (invasive) escapes most.  Few want a stranger, police officer or otherwise, to open their closets and toss items around, but when it comes to digital information, it seems that many people don’t have the same concerns over privacy and their protections against unreasonable searches and seizures.

"…Another review would further cull the list, which police would use to request user names, birth dates and other identifying information of the phones' owners….At the end of the day, this tactic unavoidably risks getting information about totally innocent people," Wessler said. "Location information is really revealing and private about people's habits and activities and what they're doing." http://www.wral.com/Raleigh-police-search-google-location-history/17377435/ 

Our data privacy problem resides partly in the service providers and partly with us, the users.   For example, to have the convenience in finding a specific type of restaurant based on your location, a service provider needs to know (1) your location, and (2) your desires.  The service provider stores each of your location way-points and all of your typed desires. They keep this information well past your immediate use of the service.  Your consent is key to making this data fair game to advertisers, spammers, criminals, and the government today and into your foreseeable lifetime and after death.

The difference between your home being searched by the government and your data being searched by the government is that when it is your data stored by a service provider, you are not generally aware that it is going on.  It doesn’t feel invasive because it happens without you seeing it.  You don’t see an investigator reading details about your life and would not expect it happen anyway.   

For investigators, it is so much easier to search the private data of every citizen in an entire city than it is to physically go house-to-house and physically search the homes.  By the way, if there comes a day where we see blanket warrants to search house-to-house, we probably are not having a good day.  But that is what happens to our personal data.

My hope is that law enforcement doesn’t lose the ability to use high-tech methods because of an over-reaching search warrant, but I know that this is what invariably happens because the easy way is going to be chosen by someone when they should have chosen the more reasonable way.

I’m curious to see where the fine line will be drawn in using dragnets to obtain everything to search for a specific something.





  307 Hits

Some things about training, education, and learning in DFIR

In theory, if you know what you are doing and are competent, that is all you need.  In practice, being competent is rarely enough. You probably need documentation....

The importance of documentation was hammered into me for years by my employers as a government employee (military and LE).  Courts made sure that anything that I did not realize was important to document before testifying, better be documented next time.  

TL/DR aka Cliff Notes: Don't just download some DFIR tool and use it. Create documentation to justify your self-training/education/experience in using that tool, especially if you will be facing a jury or hiring manager.

 One example I had early in police work was that of drug field tests (not the kind you see on TV, where the cop puts some unknown substance on their tongue and says, "That's good stuff").  Getting trained on how to do field drug test wasn't something that we'd get in the academy, or as a normal part of the job.  Most would just follow the instructions on the test kit and call it good.  I think I may have been the first person in my department to be eaten up on the stand for a drug test in my report because I said, "I followed the instructions on the kit", yet had no formal or informal training in it.  My field test result was confirmed by the state lab, but I was badgered for a bit on the stand by the defense attorney on the drug test because I had no formal training in how to do it.  I did nothing wrong, I followed the instructions perfectly, the case was fine, but I didn't like getting attacked for something minor like not having a piece of paper showing 'training'.  

Here is what I did that day after court.
 I found the most senior narc in the department, who had testified to field testing drugs, who had taught narcotic work at the academy, who did major cases, and most important, someone who would spend a few minutes with me.  The senior narc (who was a Commander at the time), spent 30 minutes teaching me what I already knew, but also gave me some things that I did not.  Before I left his office, I had a department head memo detailing the 'training' I just received with a brief bio of the Commander who taught me.  That memo went into my training record, which I would use any time I were to testify to a field test of drugs in a case.  

Having gone into narcs years afterward, I created a formal in-service class and taught every patrol officer in field-testing to make sure they didn't get eaten up on the stand for not having any training in field-testing drugs.  It's a little thing, a memo or a training record, until it's a big thing.

I apply the same concept in the DFIR world.  Every breakout session at every conference I attend incurs labor on my part.  I write up the specific session, with the name of the presenter, with notes I take, plus the time spent in that session.  If there is hands-on, I document that as well.  All the better if there is a booklet of the sessions that I get in the swag bag to keep me organized.  I have a spot on my shelf with these for reference. For anything that I learn on my own, guess what...I document that too.  I never ever get on the stand to testify about something I did in which I do not have documentation at the ready.  If/when asked, I know:

  • The names of the presenters that I have learned from at the specific courses and conferences I've attended, and/or
  • The number of hours that I have researched practiced with a tool or process (learning hours, not case hours), and/or
  • The tools that I have written (itty bitty things that I have written) and the tests done with them.

I have documented formal education/training and documented informal training.  Anything that is not documented, I don't even refer to it.  I don't comment on it.  I don't list it.  If you have ever been on the stand to testify about your training, education, and experience, then you know that if you don't have documentation to support it, you will be under a microscope about it.  If you are new to DFIR, you are lucky because you can start saving your documentation now.  If you have been doing this for some time and not been saving your documentation, then you have lots of work to do.  

For anyone who doesn't feel the need to keep training records or documentation, either you don't have court appearances in your planned future, haven't met the devil of an opposing counsel yet, or are in a job you don't ever plan to leave.

I tend to create online courses for the benefit of getting something on paper for those wanting something on paper.  I believe we can do this job without taking a class or getting a degree.  I believe that if you are in DFIR, you are smart enough to learn on your own.  Actually, if you can't learn on your own, you may have a difficult time in this field.  But that's not how it works if court appearances or job interviews are in your future.  You need paper, and lots of it.  Degrees, certifications, conferences, courses, and personally documented research & practice.  The learning is implied if you do these things.  Competence is assumed if you have them.  All becomes clear when you employ them (clear as in, your employer will see if you actually know what you are doing or not). 

If you are in a position of authority, leadership, or mentorship, teach others something.  In classes I teach, whether a LE course, college course, online course, or in person at coffee, I implore the learner to take seriously what I am saying in documenting what I am teaching them, because it may become useful later.  In one way that I have used this in my testimony is that I have specifically stated, "I have been trained in the use of this tool by the developer of the tool."  Or, "I have been taught this forensic process by name of person, who developed the process".  Or even, "I have been trained by the person who wrote a book on it."  This is all the better if you are the author, tool or process developer, but second best is being taught by the tool or process developer, or the organization that developed the tool or process you used.  

In a perfect world, everyone accepts that we are competent because we say that we are and we can prove it.  In reality, even proving it is sometimes not enough if you don't have a document that says it. 


  546 Hits

Windows Forensic Environment - Newest project is complete

Forensic Operating Systems

The time has come!  The Windows Forensic Environment (aka Windows FE, aka WinFE) project and course has been updated.  

**COURSE IS CURRENTLY AT CAPACITY**  However, send me an email (This email address is being protected from spambots. You need JavaScript enabled to view it.) to be put on a wait list for when it re-opens.


The course is arranged that you can skip over any topic to go right to what you need right now.  So, if you need a WinFE build right now, go to that section first and get the info you are looking for.  Complete the entire course for a cert of completion for training hours documentation (5 hours documented training time).

But it’s 2018.  Aren’t bootable forensic discs outdated?

We’ve come a long way from using bootable floppies to image drives with Safeback, but it seems the only thing that changed was the bootable media, not the method. 

Booting any system to external media is not my first choice, until it is.  Some systems can only be acquired, accessed, previewed, triaged, or touched by booting it to external media.  Some situations would best be approached by booting to external media. 

The real benefits are being able to more quickly acquire data, acquire data forensically when you can’t otherwise, acquire data that you couldn’t acquire at all, find evidence faster, eliminate and prioritize forensic examinations, and make your work more productive.

Who uses WinFE?

·         It is taught world-wide by training providers in government, universities, and private courses

·         It has been used in criminal and civil cases, and internal corporate matters (and courts!)

·         Over 3,500 users signed up and completed the first online WinFE course (now updated)

·         Over 10,000 downloads of the WinFE projects in the past 5 years

I am certain that Troy Larson had not idea that giving me instructions to build a WinFE would eventually turn out like this…

With the new WinFE build, the total time from start to finish is less than ten minutes.  That includes downloading the WinFE project, setting it up, creating the WinFE.iso, and finally creating a bootable CD/DVD/USB.  This means that if you were to build a WinFE today, you’d have it in your DFIR toolbox ready to go anytime in minutes.

But Linux and Mac!

I go over Linux distros and Mac options in the online course, and credit the best of each for what they do best for different needs.  I also go over negative points of each as well.  Working in this field requires walking into unknown environments all the time, therefore, be prepared with options before you end up in a situation where you find that you should have done this earlier. 

What's the big deal?

It's another tool in your toolbox.  I can't count the number of times I have been emailed by someone asking me to give them the 2 minute version of how they can build a WinFE, right now, while are onsite dealing with something they were ill-prepared to deal with.  Now is the best time to get your bootable forensic operating systems in order, because you will be in that spot one day.  Hint: emailing me isn't going to make a WinFE disc magically appear....you have to build it on your own.  The good news, you can do it in a few minutes and have a tool that might get you out of a jam that you otherwise would be stuck.  Your bootable media should also include Linux and Mac solutions as well, which are discussed in the course too.

The days of Safeback and floppies may be over, but we have been seeing more systems requiring forensic OS boots than ever before by sheer necessity due to hardware configurations.

Download the Mini-WinFE used in this course at: http://www.brettshavers.cc/index.php/mini-winfe-download 

  1641 Hits

Cyber Health

I was a spectator to a conversation between a law enforcement DFIRer and corporate computer user this week, and it got interesting when the name-calling started. 

The point of the conversation was about corporate computer users being ‘lazy’ with computer systems (whether it be managing the organizations website content or just basic cyber health such as not falling for phishing emails).  Then a point about law enforcement never calling victims back started another tangent of complaints.  And then a few other little complaints.  I felt like I was watching a tennis match being played on two separate courts.

The takeaway I got was that there is still a chasm of disconnect between the users and the examiners/investigators/responders.  For the DFIRrs, we practice good Cyber Health.  We would not think of leaving any building with any device that was not encrypted.  Phishing emails? We love them because we want to learn from them, not fall for them.  We care for our passwords as much as we care for our teeth by brushing and our hands by washing.  It is our way of life and we assume everyone is like us.  When we hear that a non-encrypted laptop containing tons of PII was stolen from the trunk of a car, we shake our heads at how that is even possible.

For the average home and corporate computer user….Cyber Health is inconvenient, unimportant, too much work, and not in their job description.  There is no way they will want to learn anything about lateral movement or tracing IP addresses. 

That is the chasm that needs a bridge.  Until every computer user (home or corporate) is literate in the dangers of bad cyber health, we will always be inundated with work.  If you don’t brush your teeth, eventually there will be lots of pain and maybe loss of a tooth.  This is no different when your life is derailed from ID theft, ransomware, or the loss of business revenue due to compromised systems.  User must learn more about the systems they use, just like they must know something about taking care of their physical health.

The chasm also includes law enforcement’s lack of understanding (or caring about) the frustrations of victims who (1) don’t know the extent of damage a computer compromise can be, and (2) what the response actually does.  Most victims don’t know that their case may never be investigated.  From the day it was reported by the victim, the case might be put into a file cabinet and marked ‘information only’ because it has no solvability factors.  The case may not ever have an investigator assigned to it, simply because of a heavy caseload or have a suspect that cannot be identified. Other cases may take years before anything happens, due to delays in getting information back from service providers or worse, delays in someone actually working the case at all due to reasons I care not to say publicly.  

Prevention is key, and so is education.  As a personal example, there is a local government organization in my area that has been hit with some pretty good phishing emails lately.  The response from IT has been to send generic emails to everyone in the organization about not clicking ‘suspicious’ emails.  So far, every time a user falls for one of the phishing emails, IT sends out another reminder to not click any suspicious email links, and then another user falls for another phishing email, and then cycle repeats.  There has been no education for the computer users, other than email from IT asking users to “stop falling for suspicious emails.”  I’m waiting for the entire system to go down before they have to call someone…

We have always worked to be the translator of tech talk for the layman, but we still fail at it.  Blaming the user isn’t going to help.  Name calling makes it worse.  But being patient and understanding the user’s perspective will help. 

When we expect users to do what we would do, without telling them what we would do or how to do it, we frustrate them and us, because we will always get the same thing happening over and over.  Most of use are Type A, driven, and have high personal expectations.  We have to tone that down to help the organizations that ask us to help them.  This includes those working in LE.  

The amazing thing that users don't know is that a simple and innocent (ignorant) click of a single phishing email can cause a cascading amount of highly complex, extremely expensive, and mind-numbing work by a team of highly trained DFIRrs to fix over a period of days, weeks, or months.  Users don’t get that because no one tells them.  They just want their computer to work so they can email clients.  Maybe Cyber Hygiene should be taught in schools in the same class where Personal Hygiene is taught?


  490 Hits

Making Ham Sandwiches in DFIR

Following up on some points made about DFIR writing on Twitter, here are my opinions on the subject of writing up your work in DFIR:

1: Write it up (or else your work didn’t happen)

2: Write it for your audience (or it won’t matter what you did anyway)

If you follow those two tips, your writing will be fine.

In police work, report writing is frequently given the analogy of “Painting a picture”, in that you should write a story that doesn’t need explaining outside of what you wrote.  The canvas should tell the entire story.  Search warrant affidavits work the way in that the probable cause for the warrant must be contained (and comprehended) within the four corners of the affidavit.  An independent party should be able to read what was written without requiring outside information to either support the words or interpret them.  The report (aka, the picture) stands on its own to describe the story.   I usually use the analogy of making a ham sandwich instead of painting a picture.

When I read a report that doesn’t make sense to me, I typically say to myself, this person can’t make a ham sandwich.  I can see the tomatoes, the bread, and the ham, but it just doesn’t look like a ham sandwich.  If I need the writer to verbally explain to me what was written, then the report is meaningless.  It may be 100% technically accurate, but 100% worthless at the same time.  I do not mean to say 'worthless' in an insulting manner, as a technical report can be very well done for a technical audience. I mean worthless in the manner that if the intended audience can't understand it, then why write in the first place.

If any of these are true, then the report wasn’t written correctly.

1: The writer needs to explain the report.

2: There is no story.


You can do the best DFIR work in the world and yet write a report that ruins it all.  Or, you can write up what you did in a manner that the report can be read on national television, in full, without needing a word of exposition to translate it to the audience. 

Few of us are great DFIR’rs and great writers.  We tend to favor one side over the other.  Some of us however, tend to ignore the writing part completely.  We don’t like to write.  We don’t like to edit.  We don’t like to write for an audience who doesn’t know what a MFT is, after all, doesn’t everyone know what the MFT is?

The reality is, you have to write up what you did so that others can understand it.  Embrace writing.  Showcase your DFIR labor in your writing, so that the reader completely understands what you did, what you found, and what needs to be done next.   

Make that ham sandwich.

  910 Hits

DFIR Case Studies #7

As I was going through Case Studies #7, I found several some reminders on tips for working a case.  The simple obstacles that make some investigators quit only make others drive forward with creativity.  One example is the suspect in Case Study #7 using open WiFi to be anonymous.  Sometimes, investigators quit once they find that the suspect used a public WiFi or Tor.  This case shows why you should not do that, and in fact, can make a really good case by following basic investigative principles regardless of what the suspect has used to try to stay anonymous.

And with every new case study I release (until I stop making case studies), I'm giving a promo for training bundles.  Until midnight Friday (16th), you can get the entire DFIR Case Studies series PLUS X-Ways Forensics Practitioner's Guide online course for only $25!  This is one of the better bundles I've done.  If you have already taken the X-Ways Course, you can choose the Case Studies Series with the Placing the Suspect Behind the Keyboard Course at the same promo price of $25.

Don't forget.  Registration with this promo ends midnight, Friday, February 16Promo extended through Feb 20 for the first 25 registrations as @PhillMoore linked the course to his ThisWeekin4n6 blog.  

When you see the price go back to $150, the 25 promotional registration spots will have been used up.  

Case Studies Series + X-Ways Forensics Practitioner's Guide online course:  http://courses.dfironlinetraining.com/series/case-studies-with-x-ways-forensics?pc=cs7gdfxwf 

Case Studies Series + Placing the Suspect Behind the Keyboard online course:   http://courses.dfironlinetraining.com/series/case-study-series-and-placing-the-suspect-behind-the-keyboard-training-bundle?pc=cs7gbspsbk 



*books not included!

  1007 Hits