Case studies are more helpful than you may think

**A quickly fading online course promo: read about it here: http://brettshavers.cc/index.php/brettsblog/entry/a-bundle-of-cases-and-x-ways-forensics-training **

Today’s presentation on a case study was an example of what I have been doing for many years – figuring out how other people do the job…

I first started doing case studies when I made narc detective years ago.  I can’t lay claim to having had the worst training officer in the narc world, but I would put him up against anyone for bottom of the barrel when it came to teaching a young narc how to do his job without getting killed in the process.  That’s when I started doing case studies.  It was a selfish attempt to keep myself from being killed.

I pulled as many adjudicated narc cases as I could get my hands on from the records room.  I printed off old cases from microfiche, photocopied affidavits and reports, and interviewed the detectives who ran the cases.  My sole purpose in life at the time was to find out how to run a case without getting killed while doing it, since I had little in the way of supervised guidance.  By the time I had figured out how to do the job, I had probably put my life at unnecessary risk a dozen or so times, all the while the ‘senior’ narc stood there watching me with a cigarette dangling from his mouth.  Those were not fun days.  Some may call this ‘trial by fire’.  I called it “this sucks”.

But I learned to learn by reading the cases of what others had done.  I analyzed everything in the reports and affidavits, from the decisions made to the tactics used.  By the time I actually went through formal training for narc work, I pretty much had it figured out.  The formal training just solidified what I spent months learning by case studies.  

Fast forward to my digital forensic days.

When I started in digital forensics (“computer” forensics at the time…), my agency had a big donut as its number of forensic examiners.  A big donut = 0.  My agency not only had no forensic capability, it rarely even sent out a computer for analysis.  I think we had one forensic exam completed by a private examiner…once.  At the time, I thought I could do magic, because whenever I said "computer forensics", administrators would automatically roll their eyes and talk about anything besides computers.

So, I started the first forensic unit.  Guess how I learned to do the job…  Case studies.  By the way, it worked out fine.  I did cases.  Administration was happy.  Bad guys went to prison.  The unit grew after I left, so there's that.

The technical part of forensics is not difficult.  I believe most anyone can figure out how to pull an artifact from a storage device.  A disk is a disk is a disk.  A file is a file is a file.  But running a case, when every case is different from the last?  We have plenty of software and plenty of sources of information that tell us how to do the technical part, but we lack documentation on how to run a case.  A solution: case studies.

I have found a few case studies on YouTube over time, but all that I have found were done by people who never actually ran a case.  Looking at a case from the outside misses a lot of important details, and many assumptions have to be made.  I wouldn’t evaluate a pilot if I’d never flown a plane.  Running a case (much like piloting a plane, I would imagine) involves a lot of physical labor, organization, fortune-telling, guessing, planning, interpreting, and managing data, people, and events.  That’s how I look at case studies.  I try to look at the case from the perspective of the investigator (or special agent) in order to understand the decisions made and the methods used.  Then I see if I could have done anything differently or better.  Then I put what I learned to work and make sure that it does work.  It also doesn't hurt to know the legal restrictions on running a case.  If you don't know the subtle differences between civil and criminal cases, or your legal authority as a law enforcement officer or as a private citizen, you'll be skating on thin ice every day in every case.

This is my intention in making my personal case study notes public.  Take a look at a case through the eyes of the investigator/examiner.  Watch how a case unfolds and how an investigator can take the case from start to finish.  Learn how someone else does the job and draw the best parts of it into your own.  There are few better ways to see how a case is worked than reading the actual case and how it played out.

Interestingly enough, after today’s presentation, a thriller author emailed me with a dozen questions about how computer investigations work and how to incorporate complex details into a work of fiction.  The short answer I gave was that it isn’t easy to get right if you don’t know how it works.  If I were to write a book about a pilot, it would be the worst book ever, because I’d get all the details about being a pilot wrong: I have only flown in and jumped out of planes, never piloted one.  For the writers out there, I’d take a look at some case studies to see how it is done in the real world, and then bend it a little for the fictional world.

As to more case studies, I’m hoping to have feedback with a survey I added to today’s case study.  If enough people think it is worthwhile, I’ll make it a series. If not, I’ll still do the case studies, but it’ll be the same way I’ve been doing them for the past 20+ years….quietly by myself…


Side note:

The limited time frame for this initial online case study was done for a reason, and I totally understand that many people can't make it within the short registration period.  Some of the reasoning is to limit the number of people, get a gauge on whether this will be worthwhile to produce, and make a plan to support a series of case studies.  I also wanted to limit the number of those I am practically giving away the 13-hour Placing the Suspect Behind the Keyboard course to as well.

The difference in time spent between doing a case study by myself and creating an hour's worth of video and slide deck is about 1:5, so with that, let me know if this is something of value for you.

Comments (2)

Guest - D.Eno Forensics PLLC on Monday, 23 October 2017 17:44

"The technical part of forensics is not difficult. I believe most anyone can figure out how to pull an artifact from a storage device. A disk is a disk is a disk. A file is a file is a file. "

I beg to differ. An individual may be looking at the 'smoking gun' but unless that individual knows what they are looking at and how it applies... it's meaningless. How does an examiner answer questions like: 1) "I keep turning off my wifi and Internet access... I have no ISP but somehow my computer keeps hooking up to the Internet...am I being hacked?" or...
2) "how do these porn images keep showing up on my computer? I don't look at porn!" or....
3) How does an examiner resolve the fact that the "Last Shutdown Time" of the computer shows a date previous to other file create date entries?

I have found that unless an examiner has a fairly hefty background in computer science... these types of questions may go unanswered. It is our duty to keep up with technology, understand fully what we are dealing with and above all else... research, research, research, research and ... oh btw... research some more. As the technology is evolving..so must we.

For the record:
Scenario 1) above: No..the client was NOT being hacked. Serious bleed-over from the local electric company, who was breaking out into the ISP business and decided to run their Internet lines right next to their power lines without sufficient shielding.
Scenario 2) above: Yes..the client was being hacked by an individual sitting in the parking lot planting porn images on computers whose wifi was not password protected, nor were their computers.
Scenario 3) above: Nope. Not hacked. Client physically unplugged the computer AFTER an update occurred.

D. Eno Forensics, PLLC

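Scenario 3 in the comment above is a timestamp-reasoning check that is easy to script. The following is an added example, not code from the blog or the commenter: it decodes the Windows `ShutdownTime` registry value (an 8-byte little-endian FILETIME under `HKLM\SYSTEM\CurrentControlSet\Control\Windows`, written only during a clean shutdown) and lists the files whose creation times fall after that last clean shutdown. The shutdown value and file list are constructed inline for illustration; in a real case they come from the SYSTEM hive and the $MFT. Files created after the last clean shutdown only prove that the machine ran after that point and was never cleanly shut down again (power pulled mid-update, as in the comment) or that a clock is wrong; on their own they are not evidence of intrusion.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (e.g. the ShutdownTime value) to UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    # Sub-microsecond precision is dropped; timedelta has no 100 ns unit.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here only to build constructed input."""
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    ticks = (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def files_after_last_clean_shutdown(shutdown_time_raw: bytes, files):
    """Return (name, created_utc) for every file created after the last clean shutdown.

    `files` is an iterable of (name, created_utc) pairs with tz-aware datetimes,
    as you would pull from $STANDARD_INFORMATION in the $MFT. Normalising both
    sides to UTC first avoids false hits from local-time conversion.
    """
    last_clean = filetime_to_datetime(shutdown_time_raw)
    return [
        (name, created)
        for name, created in files
        if created.astimezone(timezone.utc) > last_clean
    ]


def example_case():
    """Constructed sample: a clean shutdown on 20 Oct 2017, then activity afterwards."""
    shutdown_raw = datetime_to_filetime(datetime(2017, 10, 20, 8, 15, tzinfo=timezone.utc))
    sample_files = [  # constructed, not from any real image
        ("C:\\Windows\\Logs\\CBS\\CBS.log", datetime(2017, 10, 20, 8, 10, tzinfo=timezone.utc)),
        ("C:\\Windows\\SoftwareDistribution\\Download\\kb.tmp", datetime(2017, 10, 20, 9, 2, tzinfo=timezone.utc)),
        ("C:\\Users\\client\\Documents\\report.docx", datetime(2017, 10, 21, 14, 30, tzinfo=timezone.utc)),
    ]
    return files_after_last_clean_shutdown(shutdown_raw, sample_files)


if __name__ == "__main__":
    for name, created in example_case():
        print(f"created after last clean shutdown: {created.isoformat()}  {name}")
```

The two hits in the constructed case are exactly the pattern the commenter describes: the system kept running (an update was still writing files) after the last time Windows recorded a clean shutdown, which is what you see when someone yanks the plug instead of shutting down. Corroborate with the System event log (event IDs 6005/6006/6008, the last of which records an unexpected shutdown) before drawing a conclusion.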
Brett Shavers on Monday, 23 October 2017 23:51

You hit on a few points. Knowing what to look for (the smoking gun) is critical in every analysis. To find the smoking gun, the examiner needs to be proficient in identifying abnormal computer behavior, compiling computer user activity, and recovering specific electronic data of importance.

I feel that the technical know-how of a forensic analysis can be self-learned by the vast majority of those already in the field. Advanced computer science background and degrees can be important in learning, but I have never assumed competence based solely on education. Given any computer system along with time and tools, a competent examiner can pretty much figure out anything, even if it is the time to see a certain artifact or type of system.

One of the main themes of the case studies that I may continue doing publicly is showing how each examiner or investigator uses technology and investigative methods to run a case. Running a case is probably the most important, yet most overlooked, aspect of DF/IR training.
