X-Ways Forensics & eDiscovery

Following up on a discussion with an eDiscovery consultant, I wanted to show how X-Ways Forensics is a good (if not better at times) tool to have for the eDiscovery folks in ESI collection jobs.  Not that XWF can replace eDiscovery tools, but certainly can complement collection efforts.

I would even go as far to say that an entire eDiscovery matter can be done by solely using X-Ways Forensics depending on the case matter.  For example, if the collection just involves workstations and laptops (even many aspects of server collections), you may not only ‘get by’ using XWF, but can do a more thorough job of collection.  However, when you get into the cloud, XWF is not going to be your best choice for a collection tool.

Here is a short video on how you can use XWF to collect data in a given eDiscovery matter.  

And, Case Studies #5 is published. 

The promo for this week is $75 for the Case Studies series which includes:

  • X-Ways Forensics Practitioner’s Guide Online Course for FREE, and
  • Placing the Suspect Behind the Keyboard Course for FREE, and
  • Advanced Internet Investigations Course for FREE.

Register here (discount will be applied automatically) for the 2-day promo: http://courses.dfironlinetraining.com/series/training-bundle-psbkxwfaitcs?pc=cs-bundle-02-11-17

This promo is only good for 2 days!  The first time I did this promo, it was for 2 weeks and I under estimated the number of registrations.  From now the promos will be a lot shorter.  Get in while you can, you have 2 days this time and the clock has started….

Rate this blog entry:
0
324 Hits

When you think you know enough

If you ever have a day in the DF/IR field when you think you know enough, take the rest of the day off and reflect a bit before doing any more work.  The reasoning is that we can never know enough, in the DF/IR field or any field.  Usually, there is something that kicks me right where it hurts and screams at me, "DUDE, YOU DON'T KNOW ANYTHING!  YOU BETTER KEEP LEARNING!"

When that happens, I quietly back into a dark corner and reflect upon how I either (1) screwed something up or (2) didn't have a clue as to what I was doing but thought I knew.  My goal is to reduce the number of times this happens to me.  One of the ways that I do this, and I've blogged about it before, is reading cases.  I just uploaded Case Study #4 today.  It was an easy, clear cut case with college students changing their grades.  The thing is, when you get an easy case, and if you don't put forth the same amount of focus as you do with a complex case, you will be kicked in the behind for doing something stupid or missing something that was really obvious.  

Occasionally, I may print out an entire affidavit and write all over it with notes if it is a really good case.  Usually that happens when I miss something easy on a case that I should have caught. I go overboard to get my mind back into focusing on analysis and investigations.  So, when I did today's case study, I picked an easy case and still I reflected on my mind being in the game, especially on the easy cases.  You don't want to mess up an easy case.  There aren't any excuses to miss the easy stuff.

I've been getting great feedback on the Case Study series for the same reasons I'm talking about.  Sure, DF/IR students learn a lot from case studies, but for those working cases, you have to keep your head in the game constantly.  Read cases.  Compare how you would have done the same case.  Would you do anything differently?  Anything better? Could you have worked it at all?  When you ask yourself these questions, your focus is sharpened.  When you read what others do, your brain is processing the case as if you are working it.  Other than working a case and learning the hard way, case studies are the best way to learn casework, do casework, and master casework.

But don't forget. The second that you master DF/IR work, take the rest of the day off... 

 


The Black Friday extreme promotion I had expired yesterday, but since Phill Moore mentioned it on his blog today, I'm extending through Sunday.

Use this link to turn $1,129 in online courses to only $95.  http://courses.dfironlinetraining.com/series/training-bundle-psbkxwfaitcs?pc=blackfriday 

The promo includes X-Ways Forensics, Case Studies Series, Placing the Suspect Behind the Keyboard, and Internet Investigations.

Rate this blog entry:
0
327 Hits

DFIR Mentors.  You just might be one and not know it.

If you share information, openly discuss that which you can, and sincerely try to help others in the DF/IR field, you are probably someone’s mentor and do not even know it.   I have always understood the term of “mentor” seriously as it implies a responsibility to teach others, and also suggests that you know a lot more than you think you know.

When you are in that position of being a mentor, know that your words are heavy.  You may not have asked to be someone’s mentor.  You may not want to be anyone’s mentor.  You may refuse to even being called a mentor.  But guess what…you are, whether you like it or not.   My advice is to run with it.  Your words can make an incredible difference in someone’s career (aka: substantial part of their life).

Harlan Carvey may not remember the day I first spoke to him by phone, but I remember it like it was yesterday.  I may not exactly remember how I came about to call him, except through a series of emails and questions that I wanted to ask him.  At the time, I was extremely proficient at working my way as an undercover officer in any criminal organization I targeted, in any number of states (and internationally).  But at the time, I was moving into the computer forensics world and was a green as a gooseberry in the middle June when it came to forensics.   That one phone call with Harlan set me on a new career path that I am truly grateful, especially since the undercover work was getting a bit hairy at times…I would say that my wife and kids really appreciated the career move.

Harlan was my mentor, at least with that phone call, and practically still is. 

Through the following years, I have had several mentors from the DF/IR field.  Most of which I never spoke or corresponded.   I read their writings, took their courses, or used their software.  I followed them as my mentors as if they were actually mentoring me (hint: they were, they just didn’t know it).

Getting to the point.

Your words are heavy.  Did I say that already? This must be important then.  I most likely follow your words to this day and your words have influenced me to be better, do better, and keep learning.  Especially if you have spoken to me personally, or emailed me, or DM’d me….  You just might be one of my mentors and not know it.

Since you just might be someone's mentor, here is some friendly advice.

Lend a helping hand. Encourage those who you have influence to do better than you did.  Show them the way to do things more efficiently and more effectively.  Our goal is to improve our lot, not to personally be the better than everyone else or constantly be the only 'winner' because we are the only ones who know how to do this job.  We are better because we help our peers and our juniors be better than we ever were or will be. You are the Yoda to today's Luke and Rey.

One of the things I do today is that which was done for me.  On that first call I had with Harlan Carvey, he gave me some advice.  Start a blog.  Find something no else is doing and research it.  Write a book.  And so I did, for myself at first.  But since then, I have helped ghostwrite DF/IR books for first timers, tech edit other books, and encouraged more than a few others to start Microsoft Word and get typing on their ideas for a great DF/IR book.  Some have not only taken me up on the challenge and published their book after me pushing them a little forward, but a few are also helping others in the same way.  Technically, I call this super cool.  One of my shelves of DF/IR books, I have a special section of books that I had a hand in being published.  I am most proud of those, even more so than the ones I have written because they are better than mine. That was my intention.

As an example of lending a hand, for book topics with those wanting to be published, I often get asked questions like, “What would you recommend to write about?” or “What do you think of this idea?”.  I always give my honest opinion based on (1) would I buy this book today or (2) would I have bought this book when I first started.  If neither fits me, my opinion is that maybe the idea works for others, but not for me. As for book ideas, I believe you can take any minute topic in the entire field of Digital Forensics / Incident Response and expand an entire encyclopedia on that one specific topic.  I’m not exaggerating. There is no need in the world to take an idea that has already been done and do over unless you can completely change everything that has already been done.  Why do that when you can be innovative, creative, and original?  Don’t reinvent the wheel.

There are too many ways in which you can be a mentor to positively affect someone in the field.  You can not only mentor the new folks, but believe it or not, you are probably mentoring your peers as well.  There is not a thing I cannot learn from every person, regardless of who it is.  If someone speaks, writes, or teaches, I can learn something regardless if it from a student or professor, user or developer, writer or reader.  This thinking should apply to you as well.

Your words are heavy.  You influence more than the people around you.  You influence everyone in the field.  You are a mentor, whether you accept the challenge or not, it is what it is.  I’m happy with that.

 

 

Rate this blog entry:
0
362 Hits

Bitcoin Forensics | Investigating Cryptocurrency Crimes Online Course....it's coming...

You knew this was coming.  A course in cryptocurrency investigations.  There is no faster and comprehensive method to learn cryptocurrency investigations than to take a class in it and study a book about it.   As the book is being written, the course is being developed alongside the book as a companion to the book.  If you have not come across cryptocurrency in your investigations yet, I promise you that you will soon enough.  When it does show up, and you are not prepared, your case is not going to get the full attention needed if you are not already prepared.

"Bitcoin" has been in the news more and more lately.  You probably have already heard of Bitcoin, but may not actually own any, nor understand how it works.  The intention of both the book and course is to give you the 'need to know' information of what it is and also the 'must know' information of how to investigate cryptocurrency.  Cryptocurrency is much more than just Bitcoin.  Way way much more.  The entire blockchain universe has begun to change the way data and records (and currency!) are being created and maintained.   In your lifetime, there will not be an investigation where some aspect of the blockchain and cryptocurrency is not a part, whether it be a tangent to your case or instrumental to it.  Criminal and civil investigations both.  Crimes from petty theft to murder.  You will see aspects of the blockchain in most everything.

Bitcoin Forensics | Investigating Cryptocurrency Crimes

But don't worry.  This book, the first book to be conceived and to be published on this subject, is covering all of it.  And if you want to see demonstrations, follow along with exercises, and actually trace transactions online in real-time, this course that will compliment the book is for you.

You may be able to tell that I am really excited about this book and course.  I am actually excited about the changes to investigations as we know it today due to the blockchain.  You cannot ignore the future in your cases and how this technology is changing everything.  Money laundering is a whole new world with cryptocurrency.  From small time street dealers to international drug trafficking organizations, the time is not only coming near, but is already here.  If you have read any of my previous investigative books, you know that I cover not only the things you can only do with search warrants, but also the things that you can do without any court order.  This applies to both civil and criminal cases, as many times you can get exactly what you need in a timely fashion when you know exactly where to look and what to look for, when it is publicly available.  That is the intention of both this book and course.  Deep dive into the operating system to find the crypto artifacts and hop online to trace the transactions from their origin to destinations. 

 

Rate this blog entry:
0
361 Hits

Thinking of Writing a #DF/IR Book? Here’s a tip that may or may not work out for you.

I am very open on my opinions about writing books, specifically DF/IR books.  I encourage anyone who is thinking about writing a DF/IR book to write away and start right away!  The longer you wait, the more likely someone else will write the book you wanted to write.

Over the years, I have been asked questions about writing and I posted a fairly detailed blog post with my opinions.  Take into account that I am no JK Rowling, nor do I have dozens of books in print, and like anyone, my opinions are my own.

So, what is the writing tip that may or may not work out for you?

The tip is to decide whether you want to tell the world about the book you started or keep the project to yourself.  Here is my experience on this, with an example for both.

2010, Experience #1: 

Some years ago, I wrote two ‘papers’ on virtual machines and forensics.  I decided to write a book on virtualization forensics and mapped out a table of contents, and started the first chapter.  Before I sent out a proposal to publishers, I came across a post on www.forensicfocus.com by Diane Barrett in which she posted that she was writing a book on the same topic that I was (Virtualization and Forensics).   Totally coincidental and an obvious case of independent-invention (we both had the same idea, independently).  So…what did I do? 

I chose to not write “my” book.  Why write what someone else already publicly announced? That's be like making a Wonder Woman movie after hearing that someone else is already making a Wonder Woman movie.

2017, Experience #2:

My fourth and current book is titled Bitcoin Forensics: Investigating Cryptocurrency Crimes.  I did my due diligence in researching to see if any other book existed (it did not) and if anyone else was working on the same topic (no one that I could find online).  To make sure I wasn’t writing something that someone else was writing, I blogged it, tweeted it, and posted to online forums.  I even reached out to anyone who would be interested in contributing to the book and am fortunate to have some fantastic volunteer contributors, along with a super co-author.  So, what happened?

Well…one of the volunteer contributors who agreed to help with the book quit, then without a peep, proposed the same book to a publisher, got a book contract, and the book immediately went to pre-sale on Amazon.  Interesting enough, he wasn’t planning to write the book in the first place until after volunteering to help with this book.

Huh?

That’s right.  It happened.….at least he changed the title from "Bitcoin Forensics: Investigating Cryptocurrency Crimes" to "Cryptocurrency Forensics"....   

So, this is a tip for future writers that could be more like a warning if it doesn’t work.   If you plan on writing a DF/IR book, you’ll have to decide to either keep it a secret or tell the world.  Keep it a secret and maybe no one else is writing the same thing.  That’s a big chance to take because I can tell you, everyone is thinking about the same book to write that you are.  Not the best thing to have two closely identical books come out at the same time to the same (fairly small) audience.  

Or, you can publicly announce your book and probably someone else won’t intentionally take your idea and write it.  However, worst case, someone could offer to to help with your book, then run off and sneak in a book contract with another publisher...good grief.

I prefer telling everyone.  Why hide what you are working on?  Why hide the research you discovered?  I believe in sharing to help push us all forward, even if just an inch forward.  This is the way I have seen others do it and actually what I prefer.  I would regret having written an entire book, or even half a book, only to find that someone else was writing the same thing, which could have been avoided by simply announcing my intentions.  Then again, this happens....

And yes, I am still writing this book.  The team of contributors, tech editor, and co-author is simply awesome.

Rate this blog entry:
1
745 Hits

DF/IR Case Studies

I've made three case studies so far and will have a fourth up this week.  From the feedback I've asked in a short survey about the case study series, here are the results:

  • The case studies are beneficial, useful, and job relevant.
  • The presentation format works (weekly to bi-weekly case studies).
  • Length is appropriate (between 30 minutes to 1 hour).
  • Printed certificates of completion are important to 90% of the respondents. 

With that, I'll keep going and adding one or two cases a week, more if I find relevant cases to recent news.  Personally, I have always benefited from case studies.  I get reminders of how investigations are done, tips on how to do them better, and sometimes learn things that I should never do in cases that go sideways.  I can tell you that after being assigned to over 100 criminal cases a year for 10 years, you can never learn enough to improve.  Some things you can learn may be small but have a huge impact on your case. 

In Case Studies #3, the case was solved in 6 months.  This was an international investigation spanning several countries and multiple states in the USA, with anonymity services used by the suspect.  I know that the investigators involved in the case used everything at their disposal to figure it out and all it took was a few little things to crack it open.  This is what case studies is all about.

I mentioned at the start of the Case Study series that I would have a short-run promo occasionally to entice more DFIRrs to start a habit of reviewing cases and continually be in some sort of training.  This time, the promo includes the Placing the Suspect Behind the Keyboard Course.  The Placing the Suspect Behind the Keyboard Course is 13-hours of the tactics, methods, and procedures to do the things that are being done in cyber cases today, in both the criminal investigation world and the private security world.  I'm giving it FREE with the Case Study series, but I'm limiting registrations to only 100 or Friday Nov 17, whichever comes first.

If you didn't need another reason for these courses, keep in mind that you should be doing case studies anyway, but when you do them by yourself, the only documentation you will have is that which you jot down on a piece of paper.  I'm keeping track of the hours you spend when you complete the each course and case study, and you can print it out for your records.  Take advantage of professional development when you can get it because you should constantly be improving your skills by doing something everyday: reading, courses, coding, practicing, teaching, something/anything. 

Register here to get the promo price of $75 for both the Case Studies Series and Placing the Suspect Behind the Keyboard course (promo code "cs-psbk"):

http://courses.dfironlinetraining.com/series/case-study-series-and-placing-the-suspect-behind-the-keyboard-training-bundle?pc=cs-psbk 

 

Rate this blog entry:
1
290 Hits

The last thing we want in DF/IR is the first thing we need in DF/IR (aka: regulations...)

    As teenagers, we never liked rules growing up. Curfews. Chores. Homework.  But we know now that the rules were good for us.   It seems like nothing has changed for those of us in the DF/IR field.  We don’t particularly want to be regulated simply because, like when we were teenagers, we know what is best for us. 

    The DF/IR field, as it stands today, is practically the Wild Wild West.  We have few regulations outside of obtaining a business license. In some states, we might need a PI license, but that is about the most regulated we get today.  It’s freewheeling at the moment without any government intervention. What a great time to be in DF/IR!

  •  Licensing requirements? Nope.
  • Training requirements? Nope.
  • Education requirements? Nope.
  • Certification requirements? Nope.
  • Experience requirements? Nope.
  • Testing requirements? Nope.
  • Annual update requirements? Nope.

    To state the point quickly, I foresee this Wild Wild West coming to a screeching halt, where we will all be (willfully) blindsided, and potentially have our careers and businesses put on hiatus until we comply with mandated regulations that will take months, if not years for each of us to comply.  I expect that some currently working in DF/IR may not be able to comply!

    Let me get to the solution before getting into the issues.  Simply copy and modify what is being done in other professions to fit the DF/IR profession, and give our ideas to the respective government regulatory agencies to implement.  In this manner, everyone can keep doing what they are doing, begin to comply with the regulations, be grandfathered in where appropriate, and have reasonable standards created by those who know best (that’s you by the way).  Pick a profession, any profession, and get started.  The medical field, accounting field, anything.  Even hair stylists are regulated with training and education standards.  Pick several and meld them together to fit DF/IR.

Brett’s Opinion on a few things

Certifications

I usually get on a soap box and rant against certifications, but I’ll make it shorter this time.  I’m not against certifications, and I believe that having a sheet of paper of classroom training completion is worthwhile.   Having that sheet of paper shows:

  •  I attended ‘x’ number of hours on "x" date and time
  • I was exposed to ‘x’ topics in those hours
  • I was taught by ‘x’ (person or organization)
  • I passed an exam (if one was given)

 

Licensing

    Licensing is inconvenient to maintain, just ask any doctor if you are curious.  But, licensing is important to prevent unqualified people from practicing a service that can have serious consequences.   We certainly trust our doctors, but part of that trust is based on a license from the state, which is based on a successful internship, which is based on the degree granted by a university, which is based on the successful passages of a specific curriculum, and so forth. 

    In the DF/IR world, all we need to do is attend a 3-day FTK class and buy a dongle.  No, all we need is just buy the dongle.  Wait a sec, actually forget the dongle, we can just download some free forensic software and get started…

    We need licensing, and a standardized process to meet those licensing requirements.  Whatever that may end up becoming is currently up to the DFIR community, but will eventually be mandated by someone else if we sit idly by.  If you are reading this and doing DF/IR work, I would imagine that grandfather clauses will be inserted in every requirement, otherwise, the entire DF/IR field will grind to a halt.  Most of those working today in the DF/IR field can probably teach DF/IR at a post-graduate level, yet not personally hold a post-graduate degree (or any degree in any IT related field)

    I can foresee licensing based on a healthcare provider licensing model.  Each different job (doctor, nurse, etc…) has its basic foundational requirements.  Additional specializations have additional requirements (heart surgeon, registered nurse, etc…).  So that,

  • DF/IR Licensed Professional (much like a family doctor in general practice)
  • DF Licensed Specialist (operating system specialization, device type specialization, etc…)
  • IR Licensed Specialist (penetration specialization, intrusion specialization, etc…)
  • And so forth.

    Imagine looking for an employee and you can instantly see what they should know based on a standardized licensing model.  Today, you may be trying to weed out the IR applicants for a DF job you have, and that is not as easy to do when you have to go line-by-line to sort it out what the applicant’s skills are.  When looking at other professions, I usually point to one example of becoming a hair stylist.  I'm not knocking hair stylists, but the majority of us getting hair cuts don't even know the licensing requirements involved.  In Washington State, it's a lot of requirements to just cut hair...

 

    Think about what it takes to cut hair the next time you argue against any licensing requirements for DF/IR work...because we don't have anything that compares.  Another benefit of licensing is getting rid of the bad apples.  An example of how this is done in the police world (at least in WA state), is the Peace Officer Certification.   If the Peace Officer Certification is revoked, then that police officer will not be able to work anywhere in the state.  The world of lawyers is similar in they can be disbarred from practicing law.  How nice would it be to de-certify a DF/IR person who falsified evidence or doesn’t meet any minimum standards?  Everyone would benefit.

 <on soapbox>

    I want to rant a bit on certifications, only because I am asked about ‘which certs should I get’ all the time.  I am not anti-certification, but I have strong feelings about some of the certifications and about how certifications are looked at by students, employers, courts, and vendors.

     I believe certifications are important to more easily show in court that you at least completed training in a certain subject especially if you are using DF/IR skills in (1) helping put someone in or keep out of jail, or (2) helping someone keep or lose their job.  It doesn’t mean you know what you are doing, just that you had training in the subject.  Otherwise, it looks like you were winging it.  **exceptions exist, I know, but bear with me as speaking generally**.

    Here are some of issues I have personally seen in courses offering certifications:

  • ·         Students sleeping in class
  • ·         Students showing up late and leaving early due to “work”
  • ·         2-hour lunches on some rarer occasions
  • ·         20-minute breaks on many occasions
  • ·         Course over by lunchtime on the last day
  • ·         Everyone passes the test with multiple attempts
  • ·         Everyone getting a certificate even if they failed the test or didn’t attend the entire course

     Here are some of the issues I have personally seen about certification perceptions:

  • ·         Only “x” certified DF/IR employees know how to use “x” software
  • ·         You must have “x” certification to apply for this job
  • ·         If you self-studied and mastered “x”, you aren’t as good as an “x” certified applicant
  • ·         The “x” certification is better than the “y” certification
  • ·         The “x” certification is more expensive because it is the best certification

    I have seen certification-junkies, where almost like an obsessive collector, the more acronyms they collect, the better they feel.  What about the Challenge Coins!  Gotta have them!  Vendors have got to love these types.  It's like the Pokemon or Furby craze.  Employers are also at a loss because the only certifications they care about are the ones that are most hyped by a vendor that gives out the most cherished acryomn. 

    As for me, if I were ever a hiring manager again, rather than look at an applicant and see that box for “x” certification exists, I’d rather make sure that the certification was (1) relevant to the job, and (2) the applicant knows the material that the certificate says.  Otherwise, I look at certs as simply a document showing the number of hours that a person completed for professional development. No more. No less.

    Speaking of number of hours in courses, I am a stickler on actual numbers.  Every statement that I have ever made of the number of classroom hours I have completed, I have cut the documented number down by at least 25%.  On paper, I may have a certain number of hours in print, but in depositions, testimony, resumes, CVs, and informal conversations, I state the lower number.  Why? Because I see classroom hours as not including the breaks or the early-outs on Friday morning.   Or when the instructor has to cut the class short to make a flight.

    I have taken courses where a 40-hour course turns out to be 60 (like SWAT training….), but I have never seen that happen in the DF/IR training world.  If you don’t believe that a 40-hour course classroom time is closer to 30 hours, crank up Excel and put in the number to your last course.  Be honest in the numbers and you will be surprised.  And be sure to put in the extra-long breaks, the days that the class started late and ended early.  And the days that the class stalled because of this-reason or that-reason.  Add the time you stepped out for a phone call (if you ever did such a terrible thing!).

 

 

     The next time you testify and are asked about your classroom (formal) hours of training, think about the actual numbers before you answer.   Lunch time is not typically going to be considered DF/IR learning time.

 <off soapbox>

    I see the future where the road to working DF/IR will be as easy to figure out as it is today if you want to be a doctor or lawyer or house builder.  Follow the path to licensing and you will be good to go.  Salaries will be much higher, the profession will advance faster than ever, and employers/clients will have an easier time of finding exactly who they need.

    The requirements and qualifications? That’s up to us to figure out, and figure out fast.  Otherwise, I can also see government making the requirements so burdensome that it will push out those who are competent and prevent those with great potential from coming in.  That is totally opposite of what we want to happen.

Rate this blog entry:
0
769 Hits

Sharing is caring

One thing about the DFIR blogs is that they tend to bounce off each other.   This is a good thing because tidbits of gold nuggets can be expanded upon with different perspectives and experiences.  Never in human history have we ever been able to instantly connect world-wide to increase our knowledge base, especially in the technology field (specifically in the DFIR field!).

With that, to expand on Harlan Carvey’s never-ending quest to push ourselves to share, I want to credit those who do share as I constantly benefit personally and professionally from the work of others. For those who do not yet share, consider the benefits you will have by putting yourself out there, even just a little.  We are all smarter only because we communicate with each other.

I have seen polar opposites of how sharing knowledge works and how hoarding knowledge does not.  As I was a Marine at 17 years old, I had an unfair advantage of the benefits of sharing.  I never heard the actual word “sharing” in the Marines, but that is what we did.  We shared knowledge and experience.  From day one in the Fleet, I was shown the way to do ‘things’.   I was given the opportunity to try, fail, try, fail, try, fail, try, succeed.  No one ever gave up on me, nor wanted me to fail.  When my turn came to lead, I did the same to the boots that came in.  I showed them the way and made sure they were competent.  Allowing the failure of a Marine was not an option.  I naively believed that was the normal way of doing business everywhere, but I was wrong.    

Enter the private sector….

I have had both similar experiences in the private sector and a completely opposite experience.  The experiences that I had that were opposite in that I never expected professionals to hoard knowledge from their peers.  Co-workers, peers, and supervisors seemed to be on warpaths to make sure the newbies failed.  Those who did not fail were allowed to stay.  Those who failed were booted out the door.  Trial-by-fire was the method of training new employees.  I have even seen the sabotage of new employees in hopes to flunk them out. 

  • When the team shares, teaches, encourages, and supports each other, the team grows and bonds together.  This team can tackle anything that comes up, without hesitation, and without worry of being left to drown by an individual in their team. Expect failures, but also expect the failures to be turned around into successes.
  • When you have individuals who are only looking out for #1, your team isn’t a team.  It is a group of individuals, each with a different agenda.  Expect failures.  Don't expect success.

Having been in both types of situations, I can say without hesitation that when people share knowledge, everyone grows and benefits including the person who is sharing.  In the world of DFIR blogging, whether you are in a one-person company or working for a Fortune 50 organization, when you share your knowledge, you benefit more than you know.  If you are being paid as a leader in your organization, under whichever term (manager, supervisor, TL, etc...), your mission is to give every opportunity to grow your team.  Some tips:

  • Teach, show, do (you are a teacher. teach your members, show them how, let them try. rinse and repeat)
  • Don't give up  (if your member keeps trying, so do you. have patience)
  • Teamwork  (team success, not individual wins, makes for success)
  • Teach your peers and subordinates to succeed individually for the group and the unit will succeed as a team.

How does this apply to a DFIR blog?

Your blog is affects everyone in the field.  It is shared. It is talked about.  It is critiqued. It is criticized. It is praised.  It initiates conversation.  And most importantly, it moves the DFIR field forward.  Whether your blog moves us an inch forward or a light-year into the future, you are a part of it.  To those who don’t believe this, you don’t have to believe it.  We reap what we sow. To everyone else, I’m merely preaching to the choir (and I bet your team rocks).

 

PS. this applies to any line of work, but when our work is 'in computers', dude, we practically work on the Internet so share your brain :)

Rate this blog entry:
0
671 Hits

A bundle of case studies and X-Ways Forensics Practitioner's Guide training

************UPDATE 10/29****************

Case studies 2 has been published.  It's the Mr Fuddlesticks case.

******************************************************

Out of the 100+ viewers of the case study I did last week, a bit more than half completed a survey with most of those including comments on the case study in regards to what they want to see.

With that, I decided to try a series of case studies with between 4 to 8 case studies added each month.  The first case study I did was longer than expected at almost an hour, but I plan for each case study to be between 15 to 45 minutes.   If you want an easy and inexpensive way to put training & education hours under your belt, this is good way to go.  Spend time reviewing case studies!

The goal in the case studies is to;

  • show how others do cases
  • show how suspects have been caught
  • show processes, techniques, and methods that suspects used to avoid being caught
  • show processes, techniques, and methods that investigators used to catch suspects
  • give insight on how to work cases with ideas and examples

As time is an issue for everyone, for each case study there is a short quiz to prove you watched the case study.  The quiz is a pre-requisite to receive a printable certificate that states the course title, date, and hours spent.  This is to make the bosses happy and add training time to your CV.  The cert is optional, as is the quiz, in case you just want to review the cases without documentation of your time.  As far as time goes to do a case study, I've broken down the case studies to bare bones important aspects of the cases.  You don't have to read every line of a 30 page affidavit to get the point of the case studies.  I'll spit it out the highlights for you with only the good stuff.  No fluff (as in, no need to read boiler plate after boiler plate).  

I want to make the case study series attractive to you because case studies are important.  If you are a student, there is no other way to watch a real case in the real world other than a case study. If you already work cases, you know that there must be a better way to do what you are doing; so case studies can give you a tip or two to get better at what you do. If you already know everything….that’s another issue (because no one knows everything).  Continually work on improving your skills and you will continually improve your skills.

I have case studies lined up already, but if you have a case you'd like an opinion on for a case study, I'll take a look and maybe add it to the series.  Just send it to me (This email address is being protected from spambots. You need JavaScript enabled to view it.). 

I’ll start the series with a short-run promo price that includes a 3-month access the Case Studies Series and also to the X-Ways Forensics Practitioner’s Guide Online Course for $95.  The regular price for the case series is $125 and the X-Ways Course is $599. 

This is short-run promo at $95 expiring on 11/11/2017 for both the

Case Studies Series and the X-Ways Forensics Practitioner's Guide Online Course.

Register here: http://courses.dfironlinetraining.com/series/case-studies-with-x-ways-forensics?pc=cs-xwf-nb 

Case Studies 2A will be posted this weekend.

 

 

Rate this blog entry:
1
671 Hits

Case studies are more helpful than you may think

Today’s presentation on a case study was an example of what I have been doing for many years – figuring out how other people do the job…

I first started doing case studies when I made narc detective years ago.  I can’t lay claim to having had the worst training officer in the narc world, but I would pit him up against anyone as being bottom of the barrel insofar as teaching a young narc how to do his job without getting killed in the process.  That’s when I started doing case studies.  It was a selfish attempt to save me from being killed.

I pulled as many adjudicated narc cases that I could get my hands on from the records room.  I printed off old cases from microfiche, photocopied affidavits and reports, and interviewed the detectives that ran the cases.  My sole purpose in life at the time was trying to find out how to run a case without getting killed while doing my job at the same time of having little in the way of supervised guidance.  By the time I had figured out how to do the job, I had probably put my life at unnecessary risk a dozen or so times, all the while the ‘senior’ narc standing there watching me with a cigarette dangling from his mouth.  Those were not fun days.  Some may call this ‘trial by fire’.  I called it “this sucks”.

But I learned to learn by reading the cases of what others had done.  I analyzed everything in the reports and affidavits, from the decisions made to the tactics used.  By the time I actually went through formal training for narc work, I pretty much had it figured out.  The formal training just solidified what I spent months learning by case studies.  

Fast forward to my digital forensic days.

When I started in digital forensics (“computer” forensics at the time…), my agency had a big donut as the number of forensic examiners in the agency. A big donut = 0.  My agency not only never had a forensic capability, but rarely even sent out a computer for analysis.  I think we had one forensic exam completed by a private examiner…once.  At the time, I thought I could do magic because whenever I said "computer forensics", administrators would automatically roll their eyes and talk about anything besides computers.

So, I started the first forensic unit.  Guess I how I learned to do the job…  Case studies.  By the way, it worked out fine.  I did cases.  Administration was happy.   Bad guys went to prison.  The unit grew after I left, so there's that.

The technical part of forensics is not difficult.  I believe most anyone can figure out how to pull an artifact from a storage device.  A disk is a disk is a disk.  A file is a file is a file.  But running a case, when every case is different from the last?   We have plenty of software and plenty of sources of information that tells us how to do the technical part, however we lack the documentation on how to run a case.  A solution: Case studies.

I have found a few case studies on YouTube over time, but all that I have found are those doing a case study who never actually ran a case.  Looking at a case from the outside misses a lot of important details and many assumptions have to be made.  I wouldn’t evaluate a pilot if I’ve never flown a plane.  Running a case (much like piloting a plane I would imagine) involves a lot of physical labor, organization, fortune-telling, guessing, planning, interpreting, and managing data, people, and events.  That’s how I look at case studies.  I try to look at the case from the perspective of the investigator (or special agent) in order to understand the decisions made and methods used.  Then I see if I could have done anything different or better.  Then I put what I learned to work and make sure that it does work.  It also doesn't hurt to also know the legal restrictions in running a case.  If you don't know the subtle differences between civil and legal cases, or the legal authority as a law enforcement officer or citizen, you'll be skating on thin ice every day in every case.

This is my intention with making my personal case study notes public.  Take a look at a case through the eyes of the investigator/examiner.  Watch how a case unfolds and how an investigator can take the case from start to finish.  Learn how someone else does the job and draw the best parts of it for your job.  There are few better ways to see how a case is worked other than reading the actual case and how it worked.

Interesting enough, with today’s presentation, a thriller author emailed me with a dozen questions about how computer investigations work and how to incorporate complex details into a work of fiction.  The short answer I gave was that it isn’t easy to get right if you don’t know how it works.  If I were to write a book about a pilot, it would be the worst book ever because I’d get all the details about being a pilot wrong because I have only flown and jumped out of planes, but never piloted one.  For the writers out there, I’d take a look at some case studies to see how it is done in the real world, and then bend it a little for the fictional world.

As to more case studies, I’m hoping to have feedback with a survey I added to today’s case study.  If enough people think it is worthwhile, I’ll make it a series. If not, I’ll still do the case studies, but it’ll be the same way I’ve been doing them for the past 20+ years….quietly by myself…

 

Side note:

The limited time frame for this initial online case study was done for a reason, and I totally understand many people can't make it within the short registration period.  Some of the reasoning is to limit the number of people, get a gauge on if this will be worthwhile to produce, and make a plan to support a series of case studies.  I also wanted to limit  the number of those I am practically giving away the 13-hour Placing the Suspect Behind the Keyboard course as well. 

The difference between when I do a case study by myself and when I create an hour's worth of video and slidedeck is on a scale of 1:5 in time spent, so with that, let me know if this is something of value for you.

Recent Comments
Brett Shavers
You hit on a few points. Knowing what to look for (the smoking gun) is critical in every analysis. To find the smoking gun, the ... Read More
Monday, 23 October 2017 23:51
Rate this blog entry:
0
1016 Hits