Brett's Blog

Just some ramblings.

Compiling Identity in Cyber Investigations

Digital forensics analysis is the easy part of an investigation. That is not to say that the work of digital forensics is simple, but rather recovering electronic data is a rote routine of data carving and visual inspection of data. Interpreting the data requires a different type of effort to put together a story of what happened ‘on the computer’.  As important an analysis is to determine computer use, it is just as important to identify the user or users and attribute computer activity to each user.  An investigation without an identified suspect is a case that remains open and unsolved..sometimes for years or forever.

In many investigations (civil and criminal), identifying the computer user is obvious through confessions or by process of elimination.  Proving a specific person was at the keyboard is barely a consideration since the person either admitted control of the device or was caught red-handed and the examiner can focus more on the user activity on the computer devices rather than spending time identifying the user.

However, simply accepting the suspect’s identity without further investigation into other aspects of the suspect’s identity may sell the investigation short.  Whether the suspect is known or unknown, compiling a complete identity of the suspect adds important information that is beneficial to a case, such as motives, intentions, and identification of more crimes.  The most important point is that a physical person that has been identified, or even arrested, does not give a complete identity of that person.  It is only the physical identity.  Investigators should strive to compile a complete identity that includes digital identities.

So what’s in it for you?

Building a case against a suspect requires more than just finding evidence.  A case needs evidence to point to a suspect as well as showing motive and opportunity.  Providing evidence of every identified persona of a suspect paints a picture of the suspect, to include intent, desires, motive, behaviors, and overall character to add to the supporting evidence.  In short, you get a better case.

...
Continue reading
1120 Hits
0 Comments

The Secret to Becoming More-Than-Competent in Your Job

The Secret to Becoming More-Than-Competent in Your Job

I was part of an interesting and product online podcast today.   You can check it out at: http://nopskids.com/live/

The topics ranged from hacking, forensics, how to catch hackers, and a little on how criminals sometimes get away with it. Although I didn’t give any tips on how to get away with a crime, other than DON’T DO IT, I did speak a little on some of the things that can be found forensically on a hard drive.  Actually, I think I only had time to talk about one thing (the Windows registry) for a few minutes and nothing of which that has any impact on a criminal using the information to get away with a crime.

The one thing I wanted to stress that even if every top secret, secret squirrel, spy and investigative method was exposed, criminals would still get caught using the very techniques they know.  Proof in the pudding is seeing cops being arrested for committing crimes.  You’d figure they would be the most knowledgeable of not getting caught, but they get caught. Same with accountants being arrested for fraud, and so forth.  I’ve even arrested criminals when they had in their possession, books on how not to get caught.   The most diligent criminal can be identified and arrested by simple mistakes made and sometimes by sheer massive law enforcement resources put on a single case to find a criminal or take down an organization.

With that, I learned a few things from the podcast too.  One of the moderators was actually a case study in my latest book (Hiding Behind the Keyboard).  To be an expert, to be knowledgeable, and to be more than just competent requires talking, listening, and sharing.  That doesn’t mean sharing trade secrets or confidential information, but it does mean having conversations to learn your job better.

When I worked as a jailer, I talked to every person I booked (at least the sober arrestees and those cooperating with the booking process).  I asked personal questions like, “how did you get started with drug use?” and “how did you start doing X crime”?  I learned a lot after hundreds of bookings.  I learned so much that when I make it to patrol and hit the streets, I had a big leg up on the criminal world, in how it worked with people.  That directly helped me in undercover work.  I spoke to so many criminals, both as a police officer and as an undercover (where they didn’t know I was a police officer), that I learned how to investigate people who committed crimes.  I was darn effective.

...
Continue reading
997 Hits
0 Comments

Behind the Keyboard - Enfuse 2016 Presentation download

I had the amazing honor of speaking before a full room at Enfuse this week.  This was not only my first time speaking at Enfuse, it was my first time at Enfuse. The conference was put together well.  Kudos to poolside event coordinator.  Those who know my forensic tool choices also know that I do not use Encase as my primary forensic tool.  However, I have a license for v7 and have used Encase since v4 (with sporadic breaks of use and licensing).

This year at Enfuse, I did not speak on any forensic software (or hardware) at the conference. I gave a snippet of two recent books I published (Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard).  I say “snippet” because one hour is not even near enough time to talk about the investigative tips in the books.  I was able to give a few good tips that I hope someone will be able to take the bank and boost case work.   I could spend weeks talking about investigative methods of not only finding suspects that are using computers to facilitate crimes, but also to place them at a specific device with both forensic analysis and traditional investigative techniques.   

After my talk, I received emails from some who did not or could not attend my Enfuse talk; I am providing my slidedeck for them and others who may want to see high-level notes from the Powerpoint slides.  However, I removed a number of slides that had personally identifiable information to avoid any embarrassment from Google searches and cases.  I did not get to a few slides in the presentation due to time (only one hour!), and I removed them as well.   Nonetheless, the meat and potatoes of the presentation is in the below PDF.

  

 

...
Continue reading
1191 Hits
0 Comments

Reviewing a tech book technically makes you a peer reviewer…

    If you have been in the digital forensics world for more than a day, then you know about peer reviews of analysis reports.  If you have ‘only’ been doing IR work where forensics isn't the main point (as in taking evidence collection all the way to court), then you may not be reading reports of opposing experts.  Anyway, the opposing expert peer review is one of the scariest reviews of all since the reader, which is again, the opposing expert, tries to find holes in your work.  The peer review is so effective to push toward doing a good job that I think it prevents errors by the examiner more than it does help opposing experts find errors of the examiner.  Peer reviews take different shapes depending on where it is being done (review of a book draft, review of a report, etc...) but in general, a peer review is checking the accuracy of the written words.

    Academia has always been under the constant worry of peer reviews.  One professor's journal may be peer reviewed by dozens of other professors in the same field, with the end result being seen by the public, whether good or bad. Peer reviews are scary, not for the sake that you made a mistake, but that maybe you could have missed something important that someone else points out to you.

    If you read a tech book and write a review of it (formally in an essay/journal, or informally on social media), consider yourself a peer reviewer of tech writings.  That which you say, based on what you read, is a peer review of that material.  Think about that for a second.  If you are in the field of the book you are reviewing, you practically are tech reviewing that book for accuracy (so make sure you are correct!).  That is a good thing for you as it boosts your experience in the field.  Always be the expert on the stand who can say, “I’ve read x number of forensic books and have given x number peer reviews on social media, Amazon, essays, etc….”.  If for nothing else, this shows more than that you just read books.  You read for accuracy and give public review of your findings. Nice.

    There is some stress in writing a peer review because you have to be correct in your claims.  Sure, maybe some things in the book could have been done a different way, but was it the wrong way?  The manner in which you come across in a peer review is important too.  Crass and rude really doesn't make you look great on the stand if you slam a book or paper.  You can get the point across just as well by being professional.

    Writing books takes no back seat to peer review stress, especially when it comes to technical books.  Not only does the grammar get combed by reviewers, but the actual technical details get sliced and diced.  Was the information correct? Was it current and up-to-date?  Is there any other information that negates what was written in the book?

...
Continue reading
613 Hits
0 Comments

Bio-hacked humans and digital forensic issues...

Bio-hacked humans and digital forensic issues...

If you thought The Grudge was the scariest thing you’ve seen on screen, you must have not yet watched Showtime’s ‘The Dark Net’.  In short, the series show how humans are procreating less and merging digitally into technology with bio-hacks. That makes for a bad combination on a few different levels.

Without getting into non-techical issues (such as moral, ethical, or legal), I have a technical question: How the heck are we going to going to do a forensic analysis of a bio-hacked…human?

Before the human race ends up looking like robots, we are already in the era of implanting electronic data devices in our bodies.  Check out http://dangerousthings.com to find how you too can jab an injection device into your hand and shoot a RFID under your skin…all by doing it yourself. As for me, I don't think I'll be joining in that movement anytime soon.

RFID (http://en.wikipedia.org/wiki/Radio-frequency_identification) tags store data. Data such as medical, financial, personal, or any type of information can be stored on a RFID tag, although the amount is quite limited currently (2-10 kilobytes?).  That's not much data, but depending on the content, it may be more than enough to cause a war or bankrupt a company.

...
Continue reading
1288 Hits
1 Comment

Tech Talk Can Get You Lost in Lingo

Tech Talk Can Get You Lost in Lingo

    Every career and academic field has its own “lingo” to the extent that a conversation buried deep in lingo sounds like a foreign language. I have experienced military lingo, law enforcement lingo, and technical lingo in my life to the point that I practically dream in acronyms, speak with words not recognized by Webster’s Dictionary, and instantly recognize the glazed-over look when speaking to an non-native lingo listener.

                The reasons for individualized lingo range from the coolness factor such “oh dark thirty”  in order to express time as ‘really damn early’ to efficiency such as using “HMMWV” instead of saying “High Mobility Multi-purpose Wheeled Vehicle”.  Many acronyms are spoken as works when gives an added effect of the listener not having a clue of what you are talking about.  For example, “I’m going to pick up a hum-v” means “I’m going to pick up a high mobility multipurpose wheeled vehicle”. Even in law enforcement, the acronyms can irritate the most patient listener if they are not in the club.

b2ap3_thumbnail_hmmwv.JPG

                There are two situations where lingo can get you killed, or at least make you feel like you are getting killed. One is in court. The other in your writing.

                Getting killed in court by lingo as a witness is painful. In fact, I’ve seen witnesses get physically ill as if the roach coach burrito eaten at lunch has suddenly reached its final destination in all its glory. Getting beat up on the stand by an attorney or judge is so unpleasant, that time actually slows to a stop and you wonder why you even got up that morning. Using lingo on the stand can give you a bad case of ‘why did I say that?” when being cross examined.

                I talk about lingo today, because I recently experienced one of the best cases of using lingo in all the wrong ways in a federal district court.  I gave my testimony first as the defense expert in a class action lawsuit, and spoke as simply as I could to make sure the judge understood what I intended to say. Then the opposing expert was called. One of the attorneys asked her a question, she answered, but her answer was not only complicated, it was complex, full of lingo, and I even felt a sway of arrogance. I barely understood what she said and took notes to make sure I got correct what she said.

...
Continue reading
1841 Hits
1 Comment

The best part of writing a book is finishing the book.

The best part of writing a book is finishing the book.

I choose the title of my latest book (Hiding Behind the Keyboard) to be provocative, although the book may not completely be what you would expect if you think that it is a manual to hide yourself on the Internet. Being from Syngress, this is technically a technical book in that it discusses how to uncover covert communications using forensic analysis and traditional investigative methods.

The targeted audience is those charged with finding the secret (and sometimes encrypted) communications of criminals and terrorists.  Whether the communications are conducted through e-mail, chat, forums, or electronic dead drops, there are methods to find the communications to identify and prevent crimes.

For the investigators, before you get uptight that the book gives away secrets, keep in mind that no matter how many “secrets” are known by criminals or terrorists, you can still catch them using the same methods regardless of how much effort criminals put into not getting caught.

As one example, one of the cases I had years ago as a narcotic detective was an anonymous complaint of a large, indoor marijuana grow operation.  Two plainclothes detectives and I knocked on the door and politely asked for consent to search the home for a marijuana grow.  I told the owner that he didn’t have to give consent, or let us in, and could refuse consent at any time.  He gave consent and we found hundreds of marijuana plants growing in the house.  The point of this story was that on a table near the front door, was a book on how to grow marijuana that was opened to the page that said “when the cops come to your door for consent, say NO!”.  He had the book that advised not to do what he did anyway.

The point being, even when knowing how to commit crimes, criminals are still caught and terrorist plots are still stopped. The more important aspect is that investigators need to know as much as they can and this requires training, education, and books like Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard.

...
Continue reading
1148 Hits
0 Comments

RegRipper

RegRipper

The short story-if you want RegRipper, get it from GitHub (don't download it from anywhere else)

http://github.com/keydet89

 

What is RegRipper?

RegRipper was created and maintained by Harlan Carvey.  RegRipper, written in Perl, is the fastest, easiest, and best tool for registry analysis in forensics examinations.  RegRipper has been downloaded over 5000 times and used by examiners everywhere.

...
Continue reading
10293 Hits
3 Comments

Libraries and the Tor Browser

Libraries and the Tor Browser

A few weeks ago, I was asked by a librarian for my opinion on library patrons using Tor in public libraries. My initial reaction, based upon having done more than a few cybercrime cases, is that Tor in public libraries is a bad idea. How can law enforcement track criminals who use library computers when the Tor browser is being used?  And libraries are government entities! Tax dollars would be spent helping criminals commit crimes on the Internet and remain anonymous. By all means, NO! Don’t do it!

From a law enforcement perspective (which I have not lost since my days in law enforcement), the Tor browser makes cybercrime investigations practically impossible to identify the user for 99% of cyber detectives and this is a major problem for investigators.  The remaining 1% of cyber analyts have access to supercomputers and virtually unlimited budgets that is beyond the scope and reach of the regular police detective.   Since the Tor network is so effective in providing anonymity to Internet users and police are practically powerless against it, why support it since criminals are using it?

About a half second later, my opinion changed.

The public library protects freedoms more than most people will ever know (except for librarians…they know about freedom protections). Sure, police protect freedoms by protecting Constitutions (state and federal versions) but law enforcement has a dilemma. On one hand, they swear to protect freedoms and on the other, the freedoms restrict their ability to protect.  Using the First Amendment as an example;

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

...
Continue reading
4131 Hits
0 Comments

Teaching Digital Forensics at the University of Washington

Teaching Digital Forensics at the University of Washington

Several years ago, I taught at the UW Digital Forensics Continuing Education program before taking a break. Now I'm back at it.  A new course with new material, including mobile device forensics.  A change in the program is that the course is offered online as well (not on demand, as the classroom will be broadcast in real-time).

A continual theme in the program is case development.  From the smallest piece of evidence through gathering more evidence, broad analysis to specific targeting focus, to search warrants, and putting an entire case together; that is the goal of the course.

My primary purpose is teaching how to do an actual digital forensic case as I firmly believe that a certification without competence is not useful in the least bit.

A potpourri of software is used throughout the program to show that there are many ways to get to the answer using different tools.  In fact, the tool is not the focus as much as running a case is.  Using software tools gets the information you need to further your case development through case closure.

Consider registrating for the course, it'll be lots of work, but lots of fun to work cases along the way.

...
Continue reading
1418 Hits
0 Comments