Dragnet: 2018

Definition of dragnet

1a : a net drawn along the bottom of a body of water

   b : a net used on the ground (as to capture small game)

2: a network of measures for apprehension (as of criminals)


In Hollywood movies, citizens have virtually no expectation of privacy and no practically no protection from unreasonable searches and seizures.  The movies typically depict cops routinely committing dozens of felonies in search of the criminal.  Given any cop movie, I can (and usually do) count more than a dozen felonies committed before the credits roll.  In some movies, the lead police character actually commit more crimes of more seriousness than the suspect they are chasing...

We must keep the Hollywood movie fantasy separate from reality otherwise we risk moving over the line.

Case in point: Blanket search warrants


 “The demands Raleigh police issued for Google data described a 17-acre area that included both homes and businesses. In the Efobi homicide case, the cordon included dozens of units in the Washington Terrace complex near St. Augustine's University.” http://www.wral.com/Raleigh-police-search-google-location-history/17377435/ 

Where a warrant is supposed to describe a specific person, place, or thing, going beyond that criteria is getting close to the line, if not clearly jumping over it.   Creating an analogy of searching a person/place/thing using high tech methods (non-invasive) and physically searching a person/place/thing (invasive) escapes most.  Few want a stranger, police officer or otherwise, to open their closets and toss items around, but when it comes to digital information, it seems that many people don’t have the same concerns over privacy and their protections against unreasonable searches and seizures.

"…Another review would further cull the list, which police would use to request user names, birth dates and other identifying information of the phones' owners….At the end of the day, this tactic unavoidably risks getting information about totally innocent people," Wessler said. "Location information is really revealing and private about people's habits and activities and what they're doing." http://www.wral.com/Raleigh-police-search-google-location-history/17377435/ 

Our data privacy problem resides partly in the service providers and partly with us, the users.   For example, to have the convenience in finding a specific type of restaurant based on your location, a service provider needs to know (1) your location, and (2) your desires.  The service provider stores each of your location way-points and all of your typed desires. They keep this information well past your immediate use of the service.  Your consent is key to making this data fair game to advertisers, spammers, criminals, and the government today and into your foreseeable lifetime and after death.

The difference between your home being searched by the government and your data being searched by the government is that when it is your data stored by a service provider, you are not generally aware that it is going on.  It doesn’t feel invasive because it happens without you seeing it.  You don’t see an investigator reading details about your life and would not expect it happen anyway.   

For investigators, it is so much easier to search the private data of every citizen in an entire city than it is to physically go house-to-house and physically search the homes.  By the way, if there comes a day where we see blanket warrants to search house-to-house, we probably are not having a good day.  But that is what happens to our personal data.

My hope is that law enforcement doesn’t lose the ability to use high-tech methods because of an over-reaching search warrant, but I know that this is what invariably happens because the easy way is going to be chosen by someone when they should have chosen the more reasonable way.

I’m curious to see where the fine line will be drawn in using dragnets to obtain everything to search for a specific something.





Rate this blog entry:
90 Hits

Some things about training, education, and learning in DFIR

In theory, if you know what you are doing and are competent, that is all you need.  In practice, being competent is rarely enough. You probably need documentation....

The importance of documentation was hammered into me for years by my employers as a government employee (military and LE).  Courts made sure that anything that I did not realize was important to document before testifying, better be documented next time.  

TL/DR aka Cliff Notes: Don't just download some DFIR tool and use it. Create documentation to justify your self-training/education/experience in using that tool, especially if you will be facing a jury or hiring manager.

 One example I had early in police work was that of drug field tests (not the kind you see on TV, where the cop puts some unknown substance on their tongue and says, "That's good stuff").  Getting trained on how to do field drug test wasn't something that we'd get in the academy, or as a normal part of the job.  Most would just follow the instructions on the test kit and call it good.  I think I may have been the first person in my department to be eaten up on the stand for a drug test in my report because I said, "I followed the instructions on the kit", yet had no formal or informal training in it.  My field test result was confirmed by the state lab, but I was badgered for a bit on the stand by the defense attorney on the drug test because I had no formal training in how to do it.  I did nothing wrong, I followed the instructions perfectly, the case was fine, but I didn't like getting attacked for something minor like not having a piece of paper showing 'training'.  

Here is what I did that day after court.
 I found the most senior narc in the department, who had testified to field testing drugs, who had taught narcotic work at the academy, who did major cases, and most important, someone who would spend a few minutes with me.  The senior narc (who was a Commander at the time), spent 30 minutes teaching me what I already knew, but also gave me some things that I did not.  Before I left his office, I had a department head memo detailing the 'training' I just received with a brief bio of the Commander who taught me.  That memo went into my training record, which I would use any time I were to testify to a field test of drugs in a case.  

Having gone into narcs years afterward, I created a formal in-service class and taught every patrol officer in field-testing to make sure they didn't get eaten up on the stand for not having any training in field-testing drugs.  It's a little thing, a memo or a training record, until it's a big thing.

I apply the same concept in the DFIR world.  Every breakout session at every conference I attend incurs labor on my part.  I write up the specific session, with the name of the presenter, with notes I take, plus the time spent in that session.  If there is hands-on, I document that as well.  All the better if there is a booklet of the sessions that I get in the swag bag to keep me organized.  I have a spot on my shelf with these for reference. For anything that I learn on my own, guess what...I document that too.  I never ever get on the stand to testify about something I did in which I do not have documentation at the ready.  If/when asked, I know:

  • The names of the presenters that I have learned from at the specific courses and conferences I've attended, and/or
  • The number of hours that I have researched practiced with a tool or process (learning hours, not case hours), and/or
  • The tools that I have written (itty bitty things that I have written) and the tests done with them.

I have documented formal education/training and documented informal training.  Anything that is not documented, I don't even refer to it.  I don't comment on it.  I don't list it.  If you have ever been on the stand to testify about your training, education, and experience, then you know that if you don't have documentation to support it, you will be under a microscope about it.  If you are new to DFIR, you are lucky because you can start saving your documentation now.  If you have been doing this for some time and not been saving your documentation, then you have lots of work to do.  

For anyone who doesn't feel the need to keep training records or documentation, either you don't have court appearances in your planned future, haven't met the devil of an opposing counsel yet, or are in a job you don't ever plan to leave.

I tend to create online courses for the benefit of getting something on paper for those wanting something on paper.  I believe we can do this job without taking a class or getting a degree.  I believe that if you are in DFIR, you are smart enough to learn on your own.  Actually, if you can't learn on your own, you may have a difficult time in this field.  But that's not how it works if court appearances or job interviews are in your future.  You need paper, and lots of it.  Degrees, certifications, conferences, courses, and personally documented research & practice.  The learning is implied if you do these things.  Competence is assumed if you have them.  All becomes clear when you employ them (clear as in, your employer will see if you actually know what you are doing or not). 

If you are in a position of authority, leadership, or mentorship, teach others something.  In classes I teach, whether a LE course, college course, online course, or in person at coffee, I implore the learner to take seriously what I am saying in documenting what I am teaching them, because it may become useful later.  In one way that I have used this in my testimony is that I have specifically stated, "I have been trained in the use of this tool by the developer of the tool."  Or, "I have been taught this forensic process by name of person, who developed the process".  Or even, "I have been trained by the person who wrote a book on it."  This is all the better if you are the author, tool or process developer, but second best is being taught by the tool or process developer, or the organization that developed the tool or process you used.  

In a perfect world, everyone accepts that we are competent because we say that we are and we can prove it.  In reality, even proving it is sometimes not enough if you don't have a document that says it. 


Rate this blog entry:
288 Hits

Windows Forensic Environment - Newest project is complete

Forensic Operating Systems

The time has come!  The Windows Forensic Environment (aka Windows FE, aka WinFE) project and course has been updated.  

**COURSE IS CURRENTLY AT CAPACITY**  However, send me an email (This email address is being protected from spambots. You need JavaScript enabled to view it.) to be put on a wait list for when it re-opens.


The course is arranged that you can skip over any topic to go right to what you need right now.  So, if you need a WinFE build right now, go to that section first and get the info you are looking for.  Complete the entire course for a cert of completion for training hours documentation (5 hours documented training time).

But it’s 2018.  Aren’t bootable forensic discs outdated?

We’ve come a long way from using bootable floppies to image drives with Safeback, but it seems the only thing that changed was the bootable media, not the method. 

Booting any system to external media is not my first choice, until it is.  Some systems can only be acquired, accessed, previewed, triaged, or touched by booting it to external media.  Some situations would best be approached by booting to external media. 

The real benefits are being able to more quickly acquire data, acquire data forensically when you can’t otherwise, acquire data that you couldn’t acquire at all, find evidence faster, eliminate and prioritize forensic examinations, and make your work more productive.

Who uses WinFE?

·         It is taught world-wide by training providers in government, universities, and private courses

·         It has been used in criminal and civil cases, and internal corporate matters (and courts!)

·         Over 3,500 users signed up and completed the first online WinFE course (now updated)

·         Over 10,000 downloads of the WinFE projects in the past 5 years

I am certain that Troy Larson had not idea that giving me instructions to build a WinFE would eventually turn out like this…

With the new WinFE build, the total time from start to finish is less than ten minutes.  That includes downloading the WinFE project, setting it up, creating the WinFE.iso, and finally creating a bootable CD/DVD/USB.  This means that if you were to build a WinFE today, you’d have it in your DFIR toolbox ready to go anytime in minutes.

But Linux and Mac!

I go over Linux distros and Mac options in the online course, and credit the best of each for what they do best for different needs.  I also go over negative points of each as well.  Working in this field requires walking into unknown environments all the time, therefore, be prepared with options before you end up in a situation where you find that you should have done this earlier. 

What's the big deal?

It's another tool in your toolbox.  I can't count the number of times I have been emailed by someone asking me to give them the 2 minute version of how they can build a WinFE, right now, while are onsite dealing with something they were ill-prepared to deal with.  Now is the best time to get your bootable forensic operating systems in order, because you will be in that spot one day.  Hint: emailing me isn't going to make a WinFE disc magically appear....you have to build it on your own.  The good news, you can do it in a few minutes and have a tool that might get you out of a jam that you otherwise would be stuck.  Your bootable media should also include Linux and Mac solutions as well, which are discussed in the course too.

The days of Safeback and floppies may be over, but we have been seeing more systems requiring forensic OS boots than ever before by sheer necessity due to hardware configurations.

Download the Mini-WinFE used in this course at: http://www.brettshavers.cc/index.php/mini-winfe-download 

Rate this blog entry:
908 Hits

Cyber Health

I was a spectator to a conversation between a law enforcement DFIRer and corporate computer user this week, and it got interesting when the name-calling started. 

The point of the conversation was about corporate computer users being ‘lazy’ with computer systems (whether it be managing the organizations website content or just basic cyber health such as not falling for phishing emails).  Then a point about law enforcement never calling victims back started another tangent of complaints.  And then a few other little complaints.  I felt like I was watching a tennis match being played on two separate courts.

The takeaway I got was that there is still a chasm of disconnect between the users and the examiners/investigators/responders.  For the DFIRrs, we practice good Cyber Health.  We would not think of leaving any building with any device that was not encrypted.  Phishing emails? We love them because we want to learn from them, not fall for them.  We care for our passwords as much as we care for our teeth by brushing and our hands by washing.  It is our way of life and we assume everyone is like us.  When we hear that a non-encrypted laptop containing tons of PII was stolen from the trunk of a car, we shake our heads at how that is even possible.

For the average home and corporate computer user….Cyber Health is inconvenient, unimportant, too much work, and not in their job description.  There is no way they will want to learn anything about lateral movement or tracing IP addresses. 

That is the chasm that needs a bridge.  Until every computer user (home or corporate) is literate in the dangers of bad cyber health, we will always be inundated with work.  If you don’t brush your teeth, eventually there will be lots of pain and maybe loss of a tooth.  This is no different when your life is derailed from ID theft, ransomware, or the loss of business revenue due to compromised systems.  User must learn more about the systems they use, just like they must know something about taking care of their physical health.

The chasm also includes law enforcement’s lack of understanding (or caring about) the frustrations of victims who (1) don’t know the extent of damage a computer compromise can be, and (2) what the response actually does.  Most victims don’t know that their case may never be investigated.  From the day it was reported by the victim, the case might be put into a file cabinet and marked ‘information only’ because it has no solvability factors.  The case may not ever have an investigator assigned to it, simply because of a heavy caseload or have a suspect that cannot be identified. Other cases may take years before anything happens, due to delays in getting information back from service providers or worse, delays in someone actually working the case at all due to reasons I care not to say publicly.  

Prevention is key, and so is education.  As a personal example, there is a local government organization in my area that has been hit with some pretty good phishing emails lately.  The response from IT has been to send generic emails to everyone in the organization about not clicking ‘suspicious’ emails.  So far, every time a user falls for one of the phishing emails, IT sends out another reminder to not click any suspicious email links, and then another user falls for another phishing email, and then cycle repeats.  There has been no education for the computer users, other than email from IT asking users to “stop falling for suspicious emails.”  I’m waiting for the entire system to go down before they have to call someone…

We have always worked to be the translator of tech talk for the layman, but we still fail at it.  Blaming the user isn’t going to help.  Name calling makes it worse.  But being patient and understanding the user’s perspective will help. 

When we expect users to do what we would do, without telling them what we would do or how to do it, we frustrate them and us, because we will always get the same thing happening over and over.  Most of use are Type A, driven, and have high personal expectations.  We have to tone that down to help the organizations that ask us to help them.  This includes those working in LE.  

The amazing thing that users don't know is that a simple and innocent (ignorant) click of a single phishing email can cause a cascading amount of highly complex, extremely expensive, and mind-numbing work by a team of highly trained DFIRrs to fix over a period of days, weeks, or months.  Users don’t get that because no one tells them.  They just want their computer to work so they can email clients.  Maybe Cyber Hygiene should be taught in schools in the same class where Personal Hygiene is taught?


Rate this blog entry:
356 Hits

Making Ham Sandwiches in DFIR

Following up on some points made about DFIR writing on Twitter, here are my opinions on the subject of writing up your work in DFIR:

1: Write it up (or else your work didn’t happen)

2: Write it for your audience (or it won’t matter what you did anyway)

If you follow those two tips, your writing will be fine.

In police work, report writing is frequently given the analogy of “Painting a picture”, in that you should write a story that doesn’t need explaining outside of what you wrote.  The canvas should tell the entire story.  Search warrant affidavits work the way in that the probable cause for the warrant must be contained (and comprehended) within the four corners of the affidavit.  An independent party should be able to read what was written without requiring outside information to either support the words or interpret them.  The report (aka, the picture) stands on its own to describe the story.   I usually use the analogy of making a ham sandwich instead of painting a picture.

When I read a report that doesn’t make sense to me, I typically say to myself, this person can’t make a ham sandwich.  I can see the tomatoes, the bread, and the ham, but it just doesn’t look like a ham sandwich.  If I need the writer to verbally explain to me what was written, then the report is meaningless.  It may be 100% technically accurate, but 100% worthless at the same time.  I do not mean to say 'worthless' in an insulting manner, as a technical report can be very well done for a technical audience. I mean worthless in the manner that if the intended audience can't understand it, then why write in the first place.

If any of these are true, then the report wasn’t written correctly.

1: The writer needs to explain the report.

2: There is no story.


You can do the best DFIR work in the world and yet write a report that ruins it all.  Or, you can write up what you did in a manner that the report can be read on national television, in full, without needing a word of exposition to translate it to the audience. 

Few of us are great DFIR’rs and great writers.  We tend to favor one side over the other.  Some of us however, tend to ignore the writing part completely.  We don’t like to write.  We don’t like to edit.  We don’t like to write for an audience who doesn’t know what a MFT is, after all, doesn’t everyone know what the MFT is?

The reality is, you have to write up what you did so that others can understand it.  Embrace writing.  Showcase your DFIR labor in your writing, so that the reader completely understands what you did, what you found, and what needs to be done next.   

Make that ham sandwich.

Rate this blog entry:
703 Hits

DFIR Case Studies #7

As I was going through Case Studies #7, I found several some reminders on tips for working a case.  The simple obstacles that make some investigators quit only make others drive forward with creativity.  One example is the suspect in Case Study #7 using open WiFi to be anonymous.  Sometimes, investigators quit once they find that the suspect used a public WiFi or Tor.  This case shows why you should not do that, and in fact, can make a really good case by following basic investigative principles regardless of what the suspect has used to try to stay anonymous.

And with every new case study I release (until I stop making case studies), I'm giving a promo for training bundles.  Until midnight Friday (16th), you can get the entire DFIR Case Studies series PLUS X-Ways Forensics Practitioner's Guide online course for only $25!  This is one of the better bundles I've done.  If you have already taken the X-Ways Course, you can choose the Case Studies Series with the Placing the Suspect Behind the Keyboard Course at the same promo price of $25.

Don't forget.  Registration with this promo ends midnight, Friday, February 16Promo extended through Feb 20 for the first 25 registrations as @PhillMoore linked the course to his ThisWeekin4n6 blog.  

When you see the price go back to $150, the 25 promotional registration spots will have been used up.  

Case Studies Series + X-Ways Forensics Practitioner's Guide online course:  http://courses.dfironlinetraining.com/series/case-studies-with-x-ways-forensics?pc=cs7gdfxwf 

Case Studies Series + Placing the Suspect Behind the Keyboard online course:   http://courses.dfironlinetraining.com/series/case-study-series-and-placing-the-suspect-behind-the-keyboard-training-bundle?pc=cs7gbspsbk 



*books not included!

Rate this blog entry:
679 Hits

How many exposure dollars do you need to buy a cup of coffee?

I am always flattered to be asked to speak in front of an audience on something that I know something about.  I have fun sharing information with great people about the ‘secrets’ on how to do neat things in forensics and investigations.

However, I find it odd to be asked to speak at conferences out of the state or out of the country, with the sole benefit of “exposure”.  I do not consider “waived tuition” to be a benefit to a conference that I wasn’t planning on attending anyway.

There are plenty of websites that talk about this topic, but here is my take on the topic as it applies to the DFIR field:

  • Speaking for free:  Gets old fast, unless it’s your hobby to personally foot the expenses for a one-line by-line on your CV.  Tax write-off? Spending money on travel and lodging to get a tax write off is probably not the best way to make money.
  • Don’t spend money to speak at a conference: Seriously.  Don’t spend money on expenses to speak at a conference where they charge attendees to attend.  Attendees pay to learn.  You should not be paying to teach.  That’s crazy.
  • Turn down “opportunities”.  You can’t buy a cup of coffee with exposure dollars. 

If the organization wants you bad enough, they will pay (in real money).  If they don’t truly want you, they are not going to pay.  I have turned down conference requests for that reason alone.  I figure that if they are not willing to foot the bill to at least cover the expenses, that they didn’t want me in the first place. They wanted a donation of time and money for their commercial endeavor.

If you speak at conferences, and the only payment is waived tuition with benefit of exposure, you can bet that other speakers were paid. In one instance,  while I waited in a prep room, I listened to other speakers complaining about having shell out to speak at the conference.  The whole time I was thinking, “Why did these speakers agree to come here without getting paid and then complain about not getting paid, and then believe the organizer’s excuse that speakers don’t get paid.  By the way, I was getting paid at this conference….”

I am not saying that money is your only goal or the most important thing in speaking at conferences.  I am saying that your time is valuable and limited.   Time is precious.


  • -A local non-profit org asks for your donated time to speak for an hour? Sure. Why not.  It's a good cause at the cost of a short drive.
  • -Potential revenue generation: You can sell something, like your company’s service or product at the conference to attendees?  Sure.  That’s business marketing.
  • First time presenting?  Probably a good idea to get the experience and name branding (and charge later..).

Once you start getting paid, your next thoughts are going to be:

  • -Am I charging too much?
  • -Should I charge more?
  • -How much is the other speaker charging?

There are no correct answers to these questions.  I can say that at one event, I learned that a co-speaker had charged $20,000 for a 45 minute talk...  Closed training events are a completely different animal.  When you get a call to talk in front of a closed audience, the only questions on getting paid are, "How much do we write the check and where do we mail it?".

The moral of the story is: If you don’t ask, you will never be paid. And yes, I did ask the guy on the phone if he'd fly out and wash my car for free but he still didn't get the point.


***A little more information*** 2/4/18

Ok.  Don't get me wrong.  Speaking for free is good for many reasons, such as building your resume, sharing information, and being part of a quality event.  If you agree to speak for free at a conference that costs you money for travel, lodging, and meals, that's OK too (but stop complaining about not getting paid to the speakers who got paid at the same event....).

My point in this post is that if a conference organization directly contacts you and asks that you volunteer your time and money to speak at their event, where they are charging thousands of dollars to attendees, then it is a different animal all together.  In that case, you have a choice to volunteer your time and money or simply ask at a minimum to have your expenses covered.   No one has more than 52 weeks a year.  Use the weeks wisely.

Rate this blog entry:
475 Hits

Rub some dirt on it.

Failing hurts helps.

Not that long ago, I would listen in awe at the DFIR experts presenting at conferences and wondered how some people can just glide right through this work like a slip-n-slide without taking a second breath.  I mean, this work is usually pretty difficult to do but easy to make a mistake.  Missing an important artifact or misinterpreting data that gets caught by an opposing expert happens, and when it does, embarrassment sets in quite quickly.  How do these experts get away without making any mistakes?

The short answer

They made the same mistakes you make and are still making mistakes.  They fail every day.

The longer answer

We all fail and no one gets out of here alive (without failing).  The difference is what you do after you fail.  Having grown up in the South, whenever I would skin my knee or crash my bicycle, I was generally told to ‘rub some dirt on it' and get up.  I’ve pretty much lived with that advice and even raised my kids on it.  For my kids, I changed the ‘rub some dirt on it’ with ‘if you don’t see bone sticking out, get back up’.  

That’s as simple as it gets.  Fall down. Get back up.  There’s plenty of complex advice you can find on breaking this down into reflecting on how the fail happened, what steps you could have taken to prevent it, and how you can prevent the fail from happening again.  I take those steps as a given and simply know that I’ll rub dirt on it and keep going, making sure to not do that particular error again.

By the way, a failure by anyone feels the same as you do when you fail.  The difference is choosing to move past it as a learning experience.

A warning sign

If you don’t make mistakes, errors, or fails, then you are not moving forward.  You are not gaining experience or learning.  Obviously, the fewer fails you have, the better.  But having none is probably an indication that you are not trying to go beyond that what you already know.  You may not be testing your limits and pushing yourself to be better. You gotta know your limitations..

One of the worst pieces of advice that I have ever been given was from a 30-year police veteran when I was a new guy in patrol.  His advice was “never do anything and you’ll never get in trouble”.   Technically he was correct.  Don’t do any aggressive patrol and the risk of making a mistake drastically decreases.  Practically, that means you’d never get any better at the job you are getting paid to do.  Happily, I did the opposite and made enough mistakes to become so good at my job that a small-town cop traveled the world working international organized crime cases with just about every alphabet soup federal agency in North America.  I brought that attitude to digital forensics and believe me….I’ve made plenty of mistakes and fails, from forgetting to bring my presentation materials for a conference to totally missing a blatantly obvious piece of electronic evidence on a drive on a case.  Fails still smart, but rub dirt on it and learn from it.

What I am not saying

I am certainly not saying to intentionally make mistakes in order to learn or get better.  You will fail at something no matter how hard you try to succeed, so don’t worry about that.  The fails are coming, maybe in the next hour or next week.  As long as you work to learn and improve your skills, employ what you learned and master them, the mistakes will be there as you work through the process.  Try to keep the mistakes small and the learning big.  Worst are the big mistakes and small learning.  Fail small.  Learn big. 

Remember: Rub some dirt on it.  Learn from it.   Don’t do it again. 



Rate this blog entry:
907 Hits

Don’t look back.  Try to keep up.  This is #DFIR.

I do a lot of peer-reviews.  Much like a case study (another one is coming up by the way…), a peer-review of the sort I am talking about is a line-by-line read of a forensic analyst’s report.  Then reading it again, then again, and a few more times, all the while red-lining items of interest.  Basically, I am hired to read your reports and tear them apart.  Before you take that the wrong way, sometimes I am hired to read a report written by an expert that was hired by the same attorney that hired me to tear apart the report.  My aim is to make sure the report is good, insofar as my opinion goes.  I’m not a spell-checker or grammar cop, but I work on finding inconsistencies and where the analyst may be weak in their work, experience, or training.  I help with what to expect on the stand, and conversely, I help attorneys where they can focus on opposing witnesses during cross examination.

Now that this is out of the way…

Here is something I come across often: lack of continued education.

In the world of computing, if you don’t keep up your skills with today’s information, you will be outdated in a year or two.  That which you believed to be true yesterday may have been proven to be false last year or is no longer relevant.  If you plant your feet on what you know today and refuse to move forward, you will grow roots and the DFIR world will pass you by faster than a long-tailed cat running out of a room full of rocking chairs.  I would go so far to say that if you spend 5 years in college learning DFIR, by the time you graduate, much of what you learned in the first year or two will be severely outdated.

Some of the rationales to not continually attend training or education that I have heard include;

“I’ve been doing this for 10 years and know how to do it better than anyone.”

“I’ve been doing this before you got out of diapers.”

“I don’t need training because I can teach it better than anyone can teach me.”

“The technology is basically the same.”

The problem is that during a peer review, when I see a boilerplate bio or CV that shows the last training or conference attended being over two or more years ago, it screams to me “OUTDATED!”.  This is not always the case of course, but for the clear majority of us, if you aren’t updating your knowledge with some sort of formalized training or education, you might get called out on it at some point.  How valuable is a Computer Science degree from 2002 if nothing has been done since 2002 to keep up on technology?

Of course, if you are a researcher, or you publish the information you discover, or you research-teach-research, you are probably exempt from “taking a class” as you are on the cutting edge.  You are part of those who create the information to be taught in the classroom.  You are the source of DFIR information.  That looks great in court by the way.  For everyone else, be sure to sit in some classroom or conference on a regular basis or it will not look like you are working to keep abreast of the field.  If for no other reason to show that you are current, keep current.  Pick a class.  Any class, but pick one.

You don’t need to spend $20K a year on training to stay current.  You don’t need to attend conferences that are out-of-state every year either.  If you can do either or both, more power to you.  But most of us are (1) busy, and if we are not busy, we are (2) really busy.  But you can do some things.  You do these things for “credit”, aka credibility.  You need to look at what you do to stay current a little differently.  Everything you are doing outside a classroom is assumed to be informal or unstructured (aka: not credible).  I suggest that you structure your efforts to give some formality that you can use for credibility.  Turn yourself into a living classroom.  If you do something outside the classroom that would be have been good to have learned in a classroom, write it down.  

  • Read.
  • Test-practice.
  • Research.
  • Talk.

Your reading should be DFIR heavy (whichever part of DFIR that you do – DF or IR, or both).  Books are good for a few good reasons.  You put them on a shelf and you can pull them down anytime as reference.  You can list them in your CV.  You can state references to them in reports.  The book will last your lifetime because books can’t be deleted or be hacked and defaced like a website can.

On one court case, the court wanted to physically see every DFIR book I owned and had read because I said I read a lot of DFIR books.  The next day in court, I brought the books I still had (previously donated older books). This made an impact in the case, especially when I made sure to point out the extensive notes I have made in most of my books.  I needed a dolly to bring the boxes of books in....today, more than half my books are on my iPad :)

Blogs are great because the information is hot.  Sometimes, the information is so hot that the research and testing was completed only hours before you may have read it online.  You cannot get fresher information than that than you can with blogs!  Pro-tip:  when you find something really good in a blog, download it (PDF it, download, etc…).  Blogs disappear without notice and you don’t want to reference something that doesn’t exist anymore.

Your regular work doesn’t really count for practice, but you can develop practice scenarios based on your regular work.  For example, when you put in documentation about Shellbags in a report, be sure that you have practiced it too.  If/when ever asked about “how do you know” something, you want to be able to answer with (1) I was taught in this specific class, (2) I read it in these specific books, (3) corresponded with these specific experts x, y, and z, and (4) I tested-practiced the same scenario in controlled environments.  My common answer in cross examination to ‘how do you know’ is ‘because I personally tested it’.   I saw it with my own eyes.  I have seen this exact issue in a dozen prior examinations.

Research is fun.  Seriously.  When you research for an answer and find it, the retention of what you learn is so much better than posting a question on a forum and waiting for someone to spoon feed you the answer.  When you uncover the answer yourself, you will remember it and understand it much more than you can otherwise.   Document your research because you get credit for research only when you document it!

Some of us don’t like talking with others.  The computer is an easier companion.  Sure, a computer can cause some grief by not doing exactly what we want, but generally we can make the computer do what we want.  Talking with people is a skill that we also need.  When you talk to others in the field, you are learning.  You are forwarding your knowledge.  That goes both ways because by talking with someone else about DFIR, you are both sharing and both learning at the same time.  When you can say that you conferred with another practitioner, discussed the issue, shared experiences, and walked away with more information than before, you earned credit.

I give this advice mostly because this is the one area I see totally lacking in reporting (for legal documents such as a forensic analysis report, not internal documentation on a security breach), yet it is the easiest hole to shore up.  Take a class.  Read a book.  Research and practice. Talk with a peer.  Do these things and you’ll be 75% ahead of the game.  

Rate this blog entry:
861 Hits

X-Ways Forensics & eDiscovery

Following up on a discussion with an eDiscovery consultant, I wanted to show how X-Ways Forensics is a good (if not better at times) tool to have for the eDiscovery folks in ESI collection jobs.  Not that XWF can replace eDiscovery tools, but certainly can complement collection efforts.

I would even go as far to say that an entire eDiscovery matter can be done by solely using X-Ways Forensics depending on the case matter.  For example, if the collection just involves workstations and laptops (even many aspects of server collections), you may not only ‘get by’ using XWF, but can do a more thorough job of collection.  However, when you get into the cloud, XWF is not going to be your best choice for a collection tool.

Here is a short video on how you can use XWF to collect data in a given eDiscovery matter.  

And, Case Studies #5 is published. 

The promo for this week is $75 for the Case Studies series which includes:

  • X-Ways Forensics Practitioner’s Guide Online Course for FREE, and
  • Placing the Suspect Behind the Keyboard Course for FREE, and
  • Advanced Internet Investigations Course for FREE.

Register here (discount will be applied automatically) for the 2-day promo: http://courses.dfironlinetraining.com/series/training-bundle-psbkxwfaitcs?pc=cs-bundle-02-11-17

This promo is only good for 2 days!  The first time I did this promo, it was for 2 weeks and I under estimated the number of registrations.  From now the promos will be a lot shorter.  Get in while you can, you have 2 days this time and the clock has started….

Rate this blog entry:
882 Hits