How many exposure dollars do you need to buy a cup of coffee?

I am always flattered to be asked to speak in front of an audience on something that I know something about.  I have fun sharing information with great people about the ‘secrets’ on how to do neat things in forensics and investigations.

However, I find it odd to be asked to speak at conferences out of the state or out of the country, with the sole benefit of “exposure”.  I do not consider “waived tuition” to be a benefit to a conference that I wasn’t planning on attending anyway.

There are plenty of websites that talk about this topic, but here is my take as it applies to the DFIR field:

  • Speaking for free:  Gets old fast, unless it’s your hobby to personally foot the expenses for a one-line entry on your CV.  Tax write-off? Spending money on travel and lodging to get a tax write-off is probably not the best way to make money.
  • Don’t spend money to speak at a conference: Seriously.  Don’t spend money on expenses to speak at a conference where they charge attendees to attend.  Attendees pay to learn.  You should not be paying to teach.  That’s crazy.
  • Turn down “opportunities”.  You can’t buy a cup of coffee with exposure dollars. 

If the organization wants you bad enough, they will pay (in real money).  If they don’t truly want you, they are not going to pay.  I have turned down conference requests for that reason alone.  I figure that if they are not willing to foot the bill to at least cover the expenses, they didn’t want me in the first place. They wanted a donation of time and money for their commercial endeavor.

If you speak at conferences, and the only payment is waived tuition with the benefit of exposure, you can bet that other speakers were paid. In one instance, while I waited in a prep room, I listened to other speakers complaining about having to shell out to speak at the conference.  The whole time I was thinking, “Why did these speakers agree to come here without getting paid, then complain about not getting paid, and then believe the organizer’s excuse that speakers don’t get paid?  By the way, I was getting paid at this conference….”

I am not saying that money is your only goal or the most important thing in speaking at conferences.  I am saying that your time is valuable and limited.   Time is precious.


  • A local non-profit org asks for your donated time to speak for an hour? Sure. Why not.  It's a good cause at the cost of a short drive.
  • Potential revenue generation: You can sell something, like your company’s service or product, at the conference to attendees?  Sure.  That’s business marketing.
  • First time presenting?  Probably a good idea to get the experience and name branding (and charge later..).

Once you start getting paid, your next thoughts are going to be:

  • Am I charging too much?
  • Should I charge more?
  • How much is the other speaker charging?

There are no correct answers to these questions.  I can say that at one event, I learned that a co-speaker had charged $20,000 for a 45-minute talk...  Closed training events are a completely different animal.  When you get a call to talk in front of a closed audience, the only questions on getting paid are, "How much do we write the check for and where do we mail it?".

The moral of the story is: If you don’t ask, you will never be paid. And yes, I did ask the guy on the phone if he'd fly out and wash my car for free but he still didn't get the point.


***A little more information*** 2/4/18

Ok.  Don't get me wrong.  Speaking for free is good for many reasons, such as building your resume, sharing information, and being part of a quality event.  If you agree to speak for free at a conference that costs you money for travel, lodging, and meals, that's OK too (but stop complaining about not getting paid to the speakers who got paid at the same event....).

My point in this post is that if a conference organization directly contacts you and asks that you volunteer your time and money to speak at their event, where they are charging thousands of dollars to attendees, then it is a different animal altogether.  In that case, you have a choice to volunteer your time and money or simply ask, at a minimum, to have your expenses covered.   No one has more than 52 weeks a year.  Use the weeks wisely.


Rub some dirt on it.

Failing hurts. Failing helps.

Not that long ago, I would listen in awe at the DFIR experts presenting at conferences and wondered how some people can just glide right through this work like a slip-n-slide without taking a second breath.  I mean, this work is usually pretty difficult to do, yet it is easy to make a mistake.  Missing an important artifact, or misinterpreting data in a way that gets caught by an opposing expert, happens, and when it does, embarrassment sets in quite quickly.  How do these experts get away without making any mistakes?

The short answer

They made the same mistakes you make and are still making mistakes.  They fail every day.

The longer answer

We all fail and no one gets out of here alive (without failing).  The difference is what you do after you fail.  Having grown up in the South, whenever I would skin my knee or crash my bicycle, I was generally told to ‘rub some dirt on it' and get up.  I’ve pretty much lived with that advice and even raised my kids on it.  For my kids, I changed the ‘rub some dirt on it’ with ‘if you don’t see bone sticking out, get back up’.  

That’s as simple as it gets.  Fall down. Get back up.  There’s plenty of complex advice you can find on breaking this down into reflecting on how the fail happened, what steps you could have taken to prevent it, and how you can prevent the fail from happening again.  I take those steps as a given and simply know that I’ll rub dirt on it and keep going, making sure to not do that particular error again.

By the way, a failure feels the same to anyone else as it does to you when you fail.  The difference is choosing to move past it as a learning experience.

A warning sign

If you don’t make mistakes, errors, or fails, then you are not moving forward.  You are not gaining experience or learning.  Obviously, the fewer fails you have, the better.  But having none is probably an indication that you are not trying to go beyond what you already know.  You may not be testing your limits and pushing yourself to be better. You gotta know your limitations...

One of the worst pieces of advice that I have ever been given was from a 30-year police veteran when I was a new guy in patrol.  His advice was “never do anything and you’ll never get in trouble”.   Technically he was correct.  Don’t do any aggressive patrol and the risk of making a mistake drastically decreases.  Practically, that means you’d never get any better at the job you are getting paid to do.  Happily, I did the opposite and made enough mistakes to become so good at my job that a small-town cop traveled the world working international organized crime cases with just about every alphabet soup federal agency in North America.  I brought that attitude to digital forensics and believe me….I’ve made plenty of mistakes and fails, from forgetting to bring my presentation materials for a conference to totally missing a blatantly obvious piece of electronic evidence on a drive on a case.  Fails still smart, but rub dirt on it and learn from it.

What I am not saying

I am certainly not saying to intentionally make mistakes in order to learn or get better.  You will fail at something no matter how hard you try to succeed, so don’t worry about that.  The fails are coming, maybe in the next hour or next week.  As long as you work to learn and improve your skills, employ what you learned and master it, the mistakes will be there as you work through the process.  Try to keep the mistakes small and the learning big.  Worst are the big mistakes and small learning.  Fail small.  Learn big.

Remember: Rub some dirt on it.  Learn from it.   Don’t do it again. 




Don’t look back.  Try to keep up.  This is #DFIR.

I do a lot of peer-reviews.  Much like a case study (another one is coming up by the way…), a peer-review of the sort I am talking about is a line-by-line read of a forensic analyst’s report.  Then reading it again, then again, and a few more times, all the while red-lining items of interest.  Basically, I am hired to read your reports and tear them apart.  Before you take that the wrong way, sometimes I am hired to read a report written by an expert that was hired by the same attorney that hired me to tear apart the report.  My aim is to make sure the report is good, insofar as my opinion goes.  I’m not a spell-checker or grammar cop, but I work on finding inconsistencies and where the analyst may be weak in their work, experience, or training.  I help with what to expect on the stand, and conversely, I help attorneys where they can focus on opposing witnesses during cross examination.

Now that this is out of the way…

Here is something I come across often: lack of continued education.

In the world of computing, if you don’t keep up your skills with today’s information, you will be outdated in a year or two.  That which you believed to be true yesterday may have been proven false last year or is no longer relevant.  If you plant your feet on what you know today and refuse to move forward, you will grow roots and the DFIR world will pass you by faster than a long-tailed cat running out of a room full of rocking chairs.  I would go so far as to say that if you spend 5 years in college learning DFIR, by the time you graduate, much of what you learned in the first year or two will be severely outdated.

Some of the rationales I have heard for not continually attending training or education include:

“I’ve been doing this for 10 years and know how to do it better than anyone.”

“I’ve been doing this before you got out of diapers.”

“I don’t need training because I can teach it better than anyone can teach me.”

“The technology is basically the same.”

The problem is that during a peer review, when I see a boilerplate bio or CV that shows the last training or conference attended being two or more years ago, it screams to me “OUTDATED!”.  This is not always the case of course, but for the clear majority of us, if you aren’t updating your knowledge with some sort of formalized training or education, you might get called out on it at some point.  How valuable is a Computer Science degree from 2002 if nothing has been done since 2002 to keep up on technology?

Of course, if you are a researcher, or you publish the information you discover, or you research-teach-research, you are probably exempt from “taking a class” as you are on the cutting edge.  You are part of those who create the information to be taught in the classroom.  You are the source of DFIR information.  That looks great in court, by the way.  For everyone else, be sure to sit in some classroom or conference on a regular basis or it will not look like you are working to keep abreast of the field.  If for no other reason than to show that you are current, keep current.  Pick a class.  Any class, but pick one.

You don’t need to spend $20K a year on training to stay current.  You don’t need to attend conferences that are out-of-state every year either.  If you can do either or both, more power to you.  But most of us are (1) busy, and if we are not busy, we are (2) really busy.  But you can do some things.  You do these things for “credit”, aka credibility.  You need to look at what you do to stay current a little differently.  Everything you are doing outside a classroom is assumed to be informal or unstructured (aka: not credible).  I suggest that you structure your efforts to give them some formality that you can use for credibility.  Turn yourself into a living classroom.  If you do something outside the classroom that would have been good to have learned in a classroom, write it down.

  • Read.
  • Test-practice.
  • Research.
  • Talk.

Your reading should be DFIR heavy (whichever part of DFIR you do – DF or IR, or both).  Books are good for a few reasons.  You put them on a shelf and you can pull them down anytime as a reference.  You can list them in your CV.  You can cite them in reports.  The book will last your lifetime because books can’t be deleted or be hacked and defaced like a website can.

On one court case, the court wanted to physically see every DFIR book I owned and had read because I said I read a lot of DFIR books.  The next day in court, I brought the books I still had (I had previously donated older books). This made an impact in the case, especially when I made sure to point out the extensive notes I have made in most of my books.  I needed a dolly to bring in the boxes of books, and that is with more than half my books being on my iPad :)

Blogs are great because the information is hot.  Sometimes, the information is so hot that the research and testing was completed only hours before you read it online.  You cannot get fresher information than that!  Pro-tip:  when you find something really good in a blog, download it (PDF it, save a copy, etc…).  Blogs disappear without notice and you don’t want to reference something that doesn’t exist anymore.

Your regular work doesn’t really count for practice, but you can develop practice scenarios based on your regular work.  For example, when you put documentation about Shellbags in a report, be sure that you have practiced it too.  If or whenever you are asked “how do you know” something, you want to be able to answer with (1) I was taught in this specific class, (2) I read it in these specific books, (3) I corresponded with these specific experts x, y, and z, and (4) I tested-practiced the same scenario in controlled environments.  My common answer in cross examination to ‘how do you know’ is ‘because I personally tested it’.   I saw it with my own eyes.  I have seen this exact issue in a dozen prior examinations.

Research is fun.  Seriously.  When you research for an answer and find it, the retention of what you learn is so much better than posting a question on a forum and waiting for someone to spoon feed you the answer.  When you uncover the answer yourself, you will remember it and understand it much more than you can otherwise.   Document your research because you get credit for research only when you document it!

Some of us don’t like talking with others.  The computer is an easier companion.  Sure, a computer can cause some grief by not doing exactly what we want, but generally we can make the computer do what we want.  Talking with people is a skill that we also need.  When you talk to others in the field, you are learning.  You are advancing your knowledge.  That goes both ways because by talking with someone else about DFIR, you are both sharing and both learning at the same time.  When you can say that you conferred with another practitioner, discussed the issue, shared experiences, and walked away with more information than before, you earned credit.

I give this advice mostly because this is the one area I see totally lacking in reporting (for legal documents such as a forensic analysis report, not internal documentation on a security breach), yet it is the easiest hole to shore up.  Take a class.  Read a book.  Research and practice. Talk with a peer.  Do these things and you’ll be 75% ahead of the game.  


X-Ways Forensics & eDiscovery

Following up on a discussion with an eDiscovery consultant, I wanted to show how X-Ways Forensics is a good (if not, at times, better) tool for the eDiscovery folks to have in ESI collection jobs.  Not that XWF can replace eDiscovery tools, but it certainly can complement collection efforts.

I would even go as far as to say that an entire eDiscovery matter can be done solely using X-Ways Forensics, depending on the case matter.  For example, if the collection just involves workstations and laptops (even many aspects of server collections), you may not only ‘get by’ using XWF, but can do a more thorough job of collection.  However, when you get into the cloud, XWF is not going to be your best choice for a collection tool.

Here is a short video on how you can use XWF to collect data in a given eDiscovery matter.  

And, Case Studies #5 is published. 

The promo for this week is $75 for the Case Studies series which includes:

  • X-Ways Forensics Practitioner’s Guide Online Course for FREE, and
  • Placing the Suspect Behind the Keyboard Course for FREE, and
  • Advanced Internet Investigations Course for FREE.

Register here (discount will be applied automatically) for the 2-day promo:

This promo is only good for 2 days!  The first time I did this promo, it was for 2 weeks and I underestimated the number of registrations.  From now on, the promos will be a lot shorter.  Get in while you can; you have 2 days this time and the clock has started….


When you think you know enough

If you ever have a day in the DF/IR field when you think you know enough, take the rest of the day off and reflect a bit before doing any more work.  The reasoning is that we can never know enough, in the DF/IR field or any field.  Usually, there is something that kicks me right where it hurts and screams at me, "DUDE, YOU DON'T KNOW ANYTHING!  YOU BETTER KEEP LEARNING!"

When that happens, I quietly back into a dark corner and reflect upon how I either (1) screwed something up or (2) didn't have a clue as to what I was doing but thought I knew.  My goal is to reduce the number of times this happens to me.  One of the ways that I do this, and I've blogged about it before, is reading cases.  I just uploaded Case Study #4 today.  It was an easy, clear cut case with college students changing their grades.  The thing is, when you get an easy case, and if you don't put forth the same amount of focus as you do with a complex case, you will be kicked in the behind for doing something stupid or missing something that was really obvious.  

Occasionally, I may print out an entire affidavit and write all over it with notes if it is a really good case.  Usually that happens when I miss something easy on a case that I should have caught. I go overboard to get my mind back into focusing on analysis and investigations.  So, when I did today's case study, I picked an easy case and still I reflected on my mind being in the game, especially on the easy cases.  You don't want to mess up an easy case.  There aren't any excuses to miss the easy stuff.

I've been getting great feedback on the Case Study series for the same reasons I'm talking about.  Sure, DF/IR students learn a lot from case studies, but for those working cases, you have to keep your head in the game constantly.  Read cases.  Compare how you would have done the same case.  Would you do anything differently?  Anything better? Could you have worked it at all?  When you ask yourself these questions, your focus is sharpened.  When you read what others do, your brain is processing the case as if you are working it.  Other than working a case and learning the hard way, case studies are the best way to learn casework, do casework, and master casework.

But don't forget. The second that you master DF/IR work, take the rest of the day off... 


The Black Friday extreme promotion I had expired yesterday, but since Phill Moore mentioned it on his blog today, I'm extending through Sunday.

Use this link to turn $1,129 in online courses to only $95. 

The promo includes X-Ways Forensics, Case Studies Series, Placing the Suspect Behind the Keyboard, and Internet Investigations.


DFIR Mentors.  You just might be one and not know it.

If you share information, openly discuss that which you can, and sincerely try to help others in the DF/IR field, you are probably someone’s mentor and do not even know it.   I have always taken the term “mentor” seriously, as it implies a responsibility to teach others, and also suggests that you know a lot more than you think you know.

When you are in that position of being a mentor, know that your words are heavy.  You may not have asked to be someone’s mentor.  You may not want to be anyone’s mentor.  You may refuse to even be called a mentor.  But guess what…you are, whether you like it or not.   My advice is to run with it.  Your words can make an incredible difference in someone’s career (aka: a substantial part of their life).

Harlan Carvey may not remember the day I first spoke to him by phone, but I remember it like it was yesterday.  I may not exactly remember how I came about to call him, except through a series of emails and questions that I wanted to ask him.  At the time, I was extremely proficient at working my way as an undercover officer into any criminal organization I targeted, in any number of states (and internationally).  But at the time, I was moving into the computer forensics world and was as green as a gooseberry in the middle of June when it came to forensics.   That one phone call with Harlan set me on a new career path for which I am truly grateful, especially since the undercover work was getting a bit hairy at times…I would say that my wife and kids really appreciated the career move.

Harlan was my mentor, at least with that phone call, and practically still is. 

Through the following years, I have had several mentors from the DF/IR field, most of whom I never spoke or corresponded with.   I read their writings, took their courses, or used their software.  I followed them as my mentors as if they were actually mentoring me (hint: they were, they just didn’t know it).

Getting to the point.

Your words are heavy.  Did I say that already? This must be important then.  I most likely follow your words to this day and your words have influenced me to be better, do better, and keep learning.  Especially if you have spoken to me personally, or emailed me, or DM’d me….  You just might be one of my mentors and not know it.

Since you just might be someone's mentor, here is some friendly advice.

Lend a helping hand. Encourage those you have influence over to do better than you did.  Show them the way to do things more efficiently and more effectively.  Our goal is to improve our lot, not to personally be better than everyone else or constantly be the only 'winner' because we are the only ones who know how to do this job.  We are better because we help our peers and our juniors be better than we ever were or will be. You are the Yoda to today's Luke and Rey.

One of the things I do today is that which was done for me.  On that first call I had with Harlan Carvey, he gave me some advice.  Start a blog.  Find something no one else is doing and research it.  Write a book.  And so I did, for myself at first.  But since then, I have helped ghostwrite DF/IR books for first timers, tech edited other books, and encouraged more than a few others to start Microsoft Word and get typing on their ideas for a great DF/IR book.  Some have not only taken me up on the challenge and published their book after me pushing them a little forward, but a few are also helping others in the same way.  Technically, I call this super cool.  On one of my shelves of DF/IR books, I have a special section of books that I had a hand in being published.  I am most proud of those, even more so than the ones I have written, because they are better than mine. That was my intention.

As an example of lending a hand on book topics with those wanting to be published, I often get asked questions like, “What would you recommend to write about?” or “What do you think of this idea?”.  I always give my honest opinion based on (1) would I buy this book today or (2) would I have bought this book when I first started.  If neither fits me, my opinion is that maybe the idea works for others, but not for me. As for book ideas, I believe you can take any minute topic in the entire field of Digital Forensics / Incident Response and expand it into an entire encyclopedia on that one specific topic.  I’m not exaggerating. There is no need in the world to take an idea that has already been done and do it over, unless you can completely change everything that has already been done.  Why do that when you can be innovative, creative, and original?  Don’t reinvent the wheel.

There are too many ways in which you can be a mentor to positively affect someone in the field.  You can not only mentor the new folks, but believe it or not, you are probably mentoring your peers as well.  There is not a thing I cannot learn from every person, regardless of who it is.  If someone speaks, writes, or teaches, I can learn something regardless of whether it is from a student or professor, user or developer, writer or reader.  This thinking should apply to you as well.

Your words are heavy.  You influence more than the people around you.  You influence everyone in the field.  You are a mentor, whether you accept the challenge or not, it is what it is.  I’m happy with that.




Bitcoin Forensics | Investigating Cryptocurrency Crimes Online's coming...

You knew this was coming.  A course in cryptocurrency investigations.  There is no faster or more comprehensive method to learn cryptocurrency investigations than to take a class in it and study a book about it.   As the book is being written, the course is being developed alongside it as a companion to the book.  If you have not come across cryptocurrency in your investigations yet, I promise you that you will soon enough.  When it does show up and you are not prepared, your case is not going to get the full attention it needs.

"Bitcoin" has been in the news more and more lately.  You probably have already heard of Bitcoin, but may not actually own any, nor understand how it works.  The intention of both the book and course is to give you the 'need to know' information of what it is and also the 'must know' information of how to investigate cryptocurrency.  Cryptocurrency is much more than just Bitcoin.  Way, way more.  The entire blockchain universe has begun to change the way data and records (and currency!) are being created and maintained.   In your lifetime, there will not be an investigation where some aspect of the blockchain and cryptocurrency is not a part, whether it be a tangent to your case or instrumental to it.  Criminal and civil investigations both.  Crimes from petty theft to murder.  You will see aspects of the blockchain in most everything.

Bitcoin Forensics | Investigating Cryptocurrency Crimes

But don't worry.  This book, the first book to be conceived and to be published on this subject, is covering all of it.  And if you want to see demonstrations, follow along with exercises, and actually trace transactions online in real-time, this course that will complement the book is for you.

You may be able to tell that I am really excited about this book and course.  I am actually excited about the changes to investigations as we know them today due to the blockchain.  You cannot ignore the future in your cases and how this technology is changing everything.  Money laundering is a whole new world with cryptocurrency.  From small-time street dealers to international drug trafficking organizations, the time is not only coming near, but is already here.  If you have read any of my previous investigative books, you know that I cover not only the things you can only do with search warrants, but also the things that you can do without any court order.  This applies to both civil and criminal cases, as many times you can get exactly what you need in a timely fashion when you know exactly where to look and what to look for, when it is publicly available.  That is the intention of both this book and course.  Deep dive into the operating system to find the crypto artifacts and hop online to trace the transactions from their origin to their destinations.



Thinking of Writing a #DF/IR Book? Here’s a tip that may or may not work out for you.

I am very open on my opinions about writing books, specifically DF/IR books.  I encourage anyone who is thinking about writing a DF/IR book to write away and start right away!  The longer you wait, the more likely someone else will write the book you wanted to write.

Over the years, I have been asked questions about writing and I posted a fairly detailed blog post with my opinions.  Take into account that I am no JK Rowling, nor do I have dozens of books in print, and like anyone, my opinions are my own.

So, what is the writing tip that may or may not work out for you?

The tip is to decide whether you want to tell the world about the book you started or keep the project to yourself.  Here is my experience on this, with an example for both.

2010, Experience #1: 

Some years ago, I wrote two ‘papers’ on virtual machines and forensics.  I decided to write a book on virtualization forensics, mapped out a table of contents, and started the first chapter.  Before I sent out a proposal to publishers, I came across a post by Diane Barrett in which she announced that she was writing a book on the same topic that I was (Virtualization and Forensics).   Totally coincidental and an obvious case of independent invention (we both had the same idea, independently).  So…what did I do?

I chose to not write “my” book.  Why write what someone else already publicly announced? That'd be like making a Wonder Woman movie after hearing that someone else is already making a Wonder Woman movie.

2017, Experience #2:

My fourth and current book is titled Bitcoin Forensics: Investigating Cryptocurrency Crimes.  I did my due diligence in researching to see if any other book existed (it did not) and if anyone else was working on the same topic (no one that I could find online).  To make sure I wasn’t writing something that someone else was writing, I blogged it, tweeted it, and posted to online forums.  I even reached out to anyone who would be interested in contributing to the book and am fortunate to have some fantastic volunteer contributors, along with a super co-author.  So, what happened?

Well…one of the volunteer contributors who agreed to help with the book quit, then without a peep, proposed the same book to a publisher, got a book contract, and the book immediately went to pre-sale on Amazon.  Interestingly enough, he wasn’t planning to write the book in the first place until after volunteering to help with this book.


That’s right.  It happened… at least he changed the title from "Bitcoin Forensics: Investigating Cryptocurrency Crimes" to "Cryptocurrency Forensics"....

So, this is a tip for future writers that could be more like a warning if it doesn’t work.   If you plan on writing a DF/IR book, you’ll have to decide to either keep it a secret or tell the world.  Keep it a secret and maybe no one else is writing the same thing.  That’s a big chance to take because I can tell you, everyone is thinking about the same book to write that you are.  Not the best thing to have two closely identical books come out at the same time to the same (fairly small) audience.  

Or, you can publicly announce your book and probably someone else won’t intentionally take your idea and write it.  However, worst case, someone could offer to help with your book, then run off and sneak in a book contract with another publisher...good grief.

I prefer telling everyone.  Why hide what you are working on?  Why hide the research you discovered?  I believe in sharing to help push us all forward, even if just an inch forward.  This is the way I have seen others do it and actually what I prefer.  I would regret having written an entire book, or even half a book, only to find that someone else was writing the same thing, which could have been avoided by simply announcing my intentions.  Then again, this happens....

And yes, I am still writing this book.  The team of contributors, tech editor, and co-author is simply awesome.


DF/IR Case Studies

I've made three case studies so far and will have a fourth up this week.  From the feedback I asked for in a short survey about the case study series, here are the results:

  • The case studies are beneficial, useful, and job relevant.
  • The presentation format works (weekly to bi-weekly case studies).
  • Length is appropriate (between 30 minutes to 1 hour).
  • Printed certificates of completion are important to 90% of the respondents. 

With that, I'll keep going and adding one or two cases a week, more if I find cases relevant to recent news.  Personally, I have always benefited from case studies.  I get reminders of how investigations are done, tips on how to do them better, and sometimes learn things that I should never do in cases that go sideways.  I can tell you that after being assigned to over 100 criminal cases a year for 10 years, you can never learn enough to improve.  Some things you learn may be small but have a huge impact on your case.

In Case Study #3, the case was solved in 6 months.  This was an international investigation spanning several countries and multiple states in the USA, with anonymity services used by the suspect.  I know that the investigators involved in the case used everything at their disposal to figure it out, and all it took was a few little things to crack it open.  This is what case studies are all about.

I mentioned at the start of the Case Study series that I would have a short-run promo occasionally to entice more DFIRrs to start a habit of reviewing cases and continually be in some sort of training.  This time, the promo includes the Placing the Suspect Behind the Keyboard Course.  The Placing the Suspect Behind the Keyboard Course is 13 hours of the tactics, methods, and procedures to do the things that are being done in cyber cases today, in both the criminal investigation world and the private security world.  I'm giving it FREE with the Case Study series, but I'm limiting registrations to only 100 or Friday Nov 17, whichever comes first.

If you didn't need another reason for these courses, keep in mind that you should be doing case studies anyway, but when you do them by yourself, the only documentation you will have is what you jot down on a piece of paper.  I'm keeping track of the hours you spend when you complete each course and case study, and you can print it out for your records.  Take advantage of professional development when you can get it, because you should constantly be improving your skills by doing something every day: reading, courses, coding, practicing, teaching, something/anything.

Register here to get the promo price of $75 for both the Case Studies Series and Placing the Suspect Behind the Keyboard course (promo code "cs-psbk"): 


The last thing we want in DF/IR is the first thing we need in DF/IR (aka: regulations...)

As teenagers, we never liked rules growing up.  Curfews.  Chores.  Homework.  But we know now that the rules were good for us.  It seems like nothing has changed for those of us in the DF/IR field.  We don’t particularly want to be regulated simply because, like when we were teenagers, we think we know what is best for us.

The DF/IR field, as it stands today, is practically the Wild Wild West.  We have few regulations outside of obtaining a business license.  In some states, we might need a PI license, but that is about the most regulated we get today.  It’s freewheeling at the moment without any government intervention.  What a great time to be in DF/IR!

  • Licensing requirements? Nope.
  • Training requirements? Nope.
  • Education requirements? Nope.
  • Certification requirements? Nope.
  • Experience requirements? Nope.
  • Testing requirements? Nope.
  • Annual update requirements? Nope.

To state the point quickly, I foresee this Wild Wild West coming to a screeching halt, where we will all be (willfully) blindsided, and potentially have our careers and businesses put on hiatus until we comply with mandated regulations that will take each of us months, if not years, to comply with.  I expect that some currently working in DF/IR may not be able to comply!

Let me get to the solution before getting into the issues.  Simply copy and modify what is being done in other professions to fit the DF/IR profession, and give our ideas to the respective government regulatory agencies to implement.  In this manner, everyone can keep doing what they are doing, begin to comply with the regulations, be grandfathered in where appropriate, and have reasonable standards created by those who know best (that’s you by the way).  Pick a profession, any profession, and get started.  The medical field, accounting field, anything.  Even hair stylists are regulated with training and education standards.  Pick several and meld them together to fit DF/IR.

Brett’s Opinion on a few things

I usually get on a soap box and rant against certifications, but I’ll make it shorter this time.  I’m not against certifications, and I believe that having a sheet of paper of classroom training completion is worthwhile.   Having that sheet of paper shows:

  • I attended ‘x’ number of hours on "x" date and time
  • I was exposed to ‘x’ topics in those hours
  • I was taught by ‘x’ (person or organization)
  • I passed an exam (if one was given)
Licensing is inconvenient to maintain, just ask any doctor if you are curious.  But licensing is important to prevent unqualified people from practicing a service that can have serious consequences.  We certainly trust our doctors, but part of that trust is based on a license from the state, which is based on a successful internship, which is based on the degree granted by a university, which is based on the successful passage through a specific curriculum, and so forth.

In the DF/IR world, all we need to do is attend a 3-day FTK class and buy a dongle.  No, all we need is to just buy the dongle.  Wait a sec, actually forget the dongle, we can just download some free forensic software and get started…

We need licensing, and a standardized process to meet those licensing requirements.  Whatever that may end up becoming is currently up to the DFIR community, but it will eventually be mandated by someone else if we sit idly by.  If you are reading this and doing DF/IR work, I would imagine that grandfather clauses will be inserted in every requirement; otherwise, the entire DF/IR field will grind to a halt.  Most of those working today in the DF/IR field can probably teach DF/IR at a post-graduate level, yet not personally hold a post-graduate degree (or any degree in any IT related field).

I can foresee licensing based on a healthcare provider licensing model.  Each different job (doctor, nurse, etc…) has its basic foundational requirements.  Additional specializations have additional requirements (heart surgeon, registered nurse, etc…).  So that,

  • DF/IR Licensed Professional (much like a family doctor in general practice)
  • DF Licensed Specialist (operating system specialization, device type specialization, etc…)
  • IR Licensed Specialist (penetration specialization, intrusion specialization, etc…)
  • And so forth.

Imagine looking for an employee and being able to instantly see what they should know based on a standardized licensing model.  Today, you may be trying to weed out the IR applicants for a DF job you have, and that is not as easy to do when you have to go line-by-line to sort out what the applicant’s skills are.  When looking at other professions, I usually point to one example of becoming a hair stylist.  I'm not knocking hair stylists, but the majority of us getting haircuts don't even know the licensing requirements involved.  In Washington State, it's a lot of requirements to just cut hair...

Think about what it takes to cut hair the next time you argue against any licensing requirements for DF/IR work...because we don't have anything that compares.  Another benefit of licensing is getting rid of the bad apples.  An example of how this is done in the police world (at least in WA state) is the Peace Officer Certification.  If the Peace Officer Certification is revoked, then that police officer will not be able to work anywhere in the state.  The world of lawyers is similar in that they can be disbarred from practicing law.  How nice would it be to de-certify a DF/IR person who falsified evidence or doesn’t meet any minimum standards?  Everyone would benefit.

 <on soapbox>

I want to rant a bit on certifications, only because I am asked about ‘which certs should I get’ all the time.  I am not anti-certification, but I have strong feelings about some of the certifications and about how certifications are looked at by students, employers, courts, and vendors.

I believe certifications are important to more easily show in court that you at least completed training in a certain subject, especially if you are using DF/IR skills in (1) helping put someone in or keep them out of jail, or (2) helping someone keep or lose their job.  It doesn’t mean you know what you are doing, just that you had training in the subject.  Otherwise, it looks like you were winging it.  **exceptions exist, I know, but bear with me as I am speaking generally**.

Here are some of the issues I have personally seen in courses offering certifications:

  • Students sleeping in class
  • Students showing up late and leaving early due to “work”
  • 2-hour lunches on some rarer occasions
  • 20-minute breaks on many occasions
  • Course over by lunchtime on the last day
  • Everyone passes the test with multiple attempts
  • Everyone getting a certificate even if they failed the test or didn’t attend the entire course

Here are some of the issues I have personally seen about certification perceptions:

  • Only “x” certified DF/IR employees know how to use “x” software
  • You must have “x” certification to apply for this job
  • If you self-studied and mastered “x”, you aren’t as good as an “x” certified applicant
  • The “x” certification is better than the “y” certification
  • The “x” certification is more expensive because it is the best certification

I have seen certification-junkies, where, almost like an obsessive collector, the more acronyms they collect, the better they feel.  What about the Challenge Coins!  Gotta have them!  Vendors have got to love these types.  It's like the Pokemon or Furby craze.  Employers are also at a loss because the only certifications they care about are the ones that are most hyped by a vendor that gives out the most cherished acronym.

As for me, if I were ever a hiring manager again, rather than look at an applicant and see that the box for “x” certification is checked, I’d rather make sure that the certification was (1) relevant to the job, and (2) the applicant knows the material that the certificate says they know.  Otherwise, I look at certs as simply a document showing the number of hours that a person completed for professional development.  No more.  No less.

Speaking of the number of hours in courses, I am a stickler on actual numbers.  Every statement that I have ever made of the number of classroom hours I have completed, I have cut the documented number down by at least 25%.  On paper, I may have a certain number of hours in print, but in depositions, testimony, resumes, CVs, and informal conversations, I state the lower number.  Why?  Because I see classroom hours as not including the breaks or the early-outs on Friday morning.  Or when the instructor has to cut the class short to make a flight.

I have taken courses where a 40-hour course turns out to be 60 (like SWAT training….), but I have never seen that happen in the DF/IR training world.  If you don’t believe that a 40-hour course's classroom time is closer to 30 hours, crank up Excel and put in the numbers for your last course.  Be honest in the numbers and you will be surprised.  And be sure to put in the extra-long breaks, the days that the class started late and ended early.  And the days that the class stalled because of this reason or that reason.  Add the time you stepped out for a phone call (if you ever did such a terrible thing!).

The next time you testify and are asked about your classroom (formal) hours of training, think about the actual numbers before you answer.  Lunch time is not typically going to be considered DF/IR learning time.

 <off soapbox>

I see the future where the road to working DF/IR will be as easy to figure out as it is today if you want to be a doctor or lawyer or house builder.  Follow the path to licensing and you will be good to go.  Salaries will be much higher, the profession will advance faster than ever, and employers/clients will have an easier time of finding exactly who they need.

The requirements and qualifications?  That’s up to us to figure out, and figure out fast.  Otherwise, I can also see government making the requirements so burdensome that it will push out those who are competent and prevent those with great potential from coming in.  That is totally opposite of what we want to happen.


Sharing is caring

One thing about the DFIR blogs is that they tend to bounce off each other.   This is a good thing because tidbits of gold nuggets can be expanded upon with different perspectives and experiences.  Never in human history have we ever been able to instantly connect world-wide to increase our knowledge base, especially in the technology field (specifically in the DFIR field!).

With that, to expand on Harlan Carvey’s never-ending quest to push ourselves to share, I want to credit those who do share as I constantly benefit personally and professionally from the work of others. For those who do not yet share, consider the benefits you will have by putting yourself out there, even just a little.  We are all smarter only because we communicate with each other.

I have seen polar opposites of how sharing knowledge works and how hoarding knowledge does not.  Since I was a Marine at 17 years old, I had an unfair advantage in seeing the benefits of sharing.  I never heard the actual word “sharing” in the Marines, but that is what we did.  We shared knowledge and experience.  From day one in the Fleet, I was shown the way to do ‘things’.  I was given the opportunity to try, fail, try, fail, try, fail, try, succeed.  No one ever gave up on me, nor wanted me to fail.  When my turn came to lead, I did the same for the boots that came in.  I showed them the way and made sure they were competent.  Allowing the failure of a Marine was not an option.  I naively believed that was the normal way of doing business everywhere, but I was wrong.

Enter the private sector….

I have had both similar experiences in the private sector and completely opposite experiences.  The opposite experiences surprised me, in that I never expected professionals to hoard knowledge from their peers.  Co-workers, peers, and supervisors seemed to be on warpaths to make sure the newbies failed.  Those who did not fail were allowed to stay.  Those who failed were booted out the door.  Trial-by-fire was the method of training new employees.  I have even seen the sabotage of new employees in hopes of flunking them out.

  • When the team shares, teaches, encourages, and supports each other, the team grows and bonds together.  This team can tackle anything that comes up, without hesitation, and without worry of being left to drown by an individual in their team. Expect failures, but also expect the failures to be turned around into successes.
  • When you have individuals who are only looking out for #1, your team isn’t a team.  It is a group of individuals, each with a different agenda.  Expect failures.  Don't expect success.

Having been in both types of situations, I can say without hesitation that when people share knowledge, everyone grows and benefits including the person who is sharing.  In the world of DFIR blogging, whether you are in a one-person company or working for a Fortune 50 organization, when you share your knowledge, you benefit more than you know.  If you are being paid as a leader in your organization, under whichever term (manager, supervisor, TL, etc...), your mission is to give every opportunity to grow your team.  Some tips:

  • Teach, show, do (you are a teacher. teach your members, show them how, let them try. rinse and repeat)
  • Don't give up  (if your member keeps trying, so do you. have patience)
  • Teamwork  (team success, not individual wins, makes for success)
  • Teach your peers and subordinates to succeed individually for the group and the unit will succeed as a team.

How does this apply to a DFIR blog?

Your blog affects everyone in the field.  It is shared.  It is talked about.  It is critiqued.  It is criticized.  It is praised.  It initiates conversation.  And most importantly, it moves the DFIR field forward.  Whether your blog moves us an inch forward or a light-year into the future, you are a part of it.  To those who don’t believe this, you don’t have to believe it.  We reap what we sow.  To everyone else, I’m merely preaching to the choir (and I bet your team rocks).


PS. this applies to any line of work, but when our work is 'in computers', dude, we practically work on the Internet so share your brain :)


A bundle of case studies and X-Ways Forensics Practitioner's Guide training

************UPDATE 10/29****************

Case Study 2 has been published.  It's the Mr Fuddlesticks case.


Out of the 100+ viewers of the case study I did last week, a bit more than half completed a survey with most of those including comments on the case study in regards to what they want to see.

With that, I decided to try a series of case studies with between 4 to 8 case studies added each month.  The first case study I did was longer than expected at almost an hour, but I plan for each case study to be between 15 to 45 minutes.  If you want an easy and inexpensive way to put training & education hours under your belt, this is a good way to go.  Spend time reviewing case studies!

The goal in the case studies is to:

  • show how others do cases
  • show how suspects have been caught
  • show processes, techniques, and methods that suspects used to avoid being caught
  • show processes, techniques, and methods that investigators used to catch suspects
  • give insight on how to work cases with ideas and examples

As time is an issue for everyone, for each case study there is a short quiz to prove you watched the case study.  The quiz is a pre-requisite to receive a printable certificate that states the course title, date, and hours spent.  This is to make the bosses happy and add training time to your CV.  The cert is optional, as is the quiz, in case you just want to review the cases without documentation of your time.  As far as the time it takes to do a case study, I've broken down the case studies to the bare-bones important aspects of the cases.  You don't have to read every line of a 30-page affidavit to get the point of the case studies.  I'll spit out the highlights for you with only the good stuff.  No fluff (as in, no need to read boilerplate after boilerplate).

I want to make the case study series attractive to you because case studies are important.  If you are a student, there is no other way to watch a real case in the real world other than a case study. If you already work cases, you know that there must be a better way to do what you are doing; so case studies can give you a tip or two to get better at what you do. If you already know everything….that’s another issue (because no one knows everything).  Continually work on improving your skills and you will continually improve your skills.

I have case studies lined up already, but if you have a case you'd like an opinion on for a case study, I'll take a look and maybe add it to the series.  Just send it to me.

I’ll start the series with a short-run promo price that includes 3-month access to the Case Studies Series and also to the X-Ways Forensics Practitioner’s Guide Online Course for $95.  The regular price for the case series is $125 and the X-Ways Course is $599.

This is a short-run promo at $95 expiring on 11/11/2017 for both the Case Studies Series and the X-Ways Forensics Practitioner's Guide Online Course.

Register here: 

Case Studies 2A will be posted this weekend.


Case studies are more helpful than you may think

Today’s presentation on a case study was an example of what I have been doing for many years – figuring out how other people do the job…

I first started doing case studies when I made narc detective years ago.  I can’t lay claim to having had the worst training officer in the narc world, but I would pit him against anyone as being bottom of the barrel insofar as teaching a young narc how to do his job without getting killed in the process.  That’s when I started doing case studies.  It was a selfish attempt to save myself from being killed.

I pulled as many adjudicated narc cases as I could get my hands on from the records room.  I printed off old cases from microfiche, photocopied affidavits and reports, and interviewed the detectives that ran the cases.  My sole purpose in life at the time was trying to find out how to run a case without getting killed while doing my job, at the same time having little in the way of supervised guidance.  By the time I had figured out how to do the job, I had probably put my life at unnecessary risk a dozen or so times, all the while the ‘senior’ narc stood there watching me with a cigarette dangling from his mouth.  Those were not fun days.  Some may call this ‘trial by fire’.  I called it “this sucks”.

But I learned to learn by reading the cases of what others had done.  I analyzed everything in the reports and affidavits, from the decisions made to the tactics used.  By the time I actually went through formal training for narc work, I pretty much had it figured out.  The formal training just solidified what I spent months learning by case studies.  

Fast forward to my digital forensic days.

When I started in digital forensics (“computer” forensics at the time…), my agency had a big donut as the number of forensic examiners in the agency. A big donut = 0.  My agency not only never had a forensic capability, but rarely even sent out a computer for analysis.  I think we had one forensic exam completed by a private examiner…once.  At the time, I thought I could do magic because whenever I said "computer forensics", administrators would automatically roll their eyes and talk about anything besides computers.

So, I started the first forensic unit.  Guess how I learned to do the job…  Case studies.  By the way, it worked out fine.  I did cases.  Administration was happy.  Bad guys went to prison.  The unit grew after I left, so there's that.

The technical part of forensics is not difficult.  I believe most anyone can figure out how to pull an artifact from a storage device.  A disk is a disk is a disk.  A file is a file is a file.  But running a case, when every case is different from the last?  We have plenty of software and plenty of sources of information that tell us how to do the technical part; however, we lack the documentation on how to run a case.  A solution: Case studies.

I have found a few case studies on YouTube over time, but all that I have found are by people doing a case study who never actually ran a case.  Looking at a case from the outside misses a lot of important details, and many assumptions have to be made.  I wouldn’t evaluate a pilot if I’d never flown a plane.  Running a case (much like piloting a plane, I would imagine) involves a lot of physical labor, organization, fortune-telling, guessing, planning, interpreting, and managing data, people, and events.  That’s how I look at case studies.  I try to look at the case from the perspective of the investigator (or special agent) in order to understand the decisions made and methods used.  Then I see if I could have done anything different or better.  Then I put what I learned to work and make sure that it does work.  It also doesn't hurt to know the legal restrictions in running a case.  If you don't know the subtle differences between civil and legal cases, or the legal authority as a law enforcement officer or citizen, you'll be skating on thin ice every day in every case.

This is my intention with making my personal case study notes public.  Take a look at a case through the eyes of the investigator/examiner.  Watch how a case unfolds and how an investigator can take the case from start to finish.  Learn how someone else does the job and draw the best parts of it for your job.  There are few better ways to see how a case is worked other than reading the actual case and how it worked.

Interestingly enough, with today’s presentation, a thriller author emailed me with a dozen questions about how computer investigations work and how to incorporate complex details into a work of fiction.  The short answer I gave was that it isn’t easy to get right if you don’t know how it works.  If I were to write a book about a pilot, it would be the worst book ever because I’d get all the details about being a pilot wrong, because I have only flown in and jumped out of planes, but never piloted one.  For the writers out there, I’d take a look at some case studies to see how it is done in the real world, and then bend it a little for the fictional world.

As to more case studies, I’m hoping to have feedback with a survey I added to today’s case study.  If enough people think it is worthwhile, I’ll make it a series. If not, I’ll still do the case studies, but it’ll be the same way I’ve been doing them for the past 20+ years….quietly by myself…


Side note:

The limited time frame for this initial online case study was done for a reason, and I totally understand many people can't make it within the short registration period.  Some of the reasoning is to limit the number of people, get a gauge on whether this will be worthwhile to produce, and make a plan to support a series of case studies.  I also wanted to limit the number of those to whom I am practically giving away the 13-hour Placing the Suspect Behind the Keyboard course as well.

The difference between when I do a case study by myself and when I create an hour's worth of video and slidedeck is on a scale of 1:5 in time spent, so with that, let me know if this is something of value for you.


Drop the mic...please.

Well...that didn't work out so well, did it?

I had a serious audio problem with the webinar today, from which I learned to mute attendees for the next time that someone doesn't mute their mic.  My fault on the audio, but on to the positive with the webinar: I'm going to make another (two more) presentations.  At the same time, I'm going to make it more in-depth, with more case studies, in more detail, at the same price of free.  Did I mention that I really feel bad about that audio problem?

Details on the upcoming presentations are at: In brief, I may be starting a series of Case Studies based on recent cases I find or cases of mine that I can talk about openly.  With that, this next presentation is Case Studies I - Placing the Suspect Behind the Keyboard (meaning that there most likely will be a Case Studies II, and a Case Studies III, etc...).  I'll provide case documents as I have them available for self-study into the cases that will be discussed.  My intention is to get you thinking like a detective in your cases, regardless of the type of case or importance of the case.  By important, I don't mean that any case is unimportant, but some cases are critical such as those that involve serious threats of harm to persons.  Every case is important to someone, but in some cases, people can be hurt or have been hurt in certain types of cases.

I am limiting the number of attendees to 50 per session and I'll have a promo each time for something neat.  For this upcoming session, I'm giving a promo of $45 (instead of the $799) to the full, 13-hour Placing the Suspect Behind the Keyboard course.  Next time, who knows what it will be and for what.  BTW, the sessions will not remain online past the dates presented as recordings.  These are one-time training sessions not to be repeated.

FAQ (that I've been asked so far...):

Will you keep recordings online for future reference?

Nope.  Either the presentations will be live or delivered as a recording on the day of release only.  

I missed the session, can you extend the promo for me?

Sorry.  The promotions are extremely short-lived for the few hours of the presentation time only because I'm near the point of making the course free when it goes from $799 to $45 (or so).

I missed the session.  Will it be replayed?

Nope. These will be shown once or twice at the most.

Can you put the videos on YouTube?

No YouTube for me.  I'm not a fan of YouTube 'training'.  The presentations I am giving each include a certificate of training attendance in order to give you documented training hours.  Sometimes you need to keep the mother-ship happy with training records, so I aim to help provide those records.  Also, it doesn't hurt to be able to claim training hours when you can produce physical documentation instead of saying that you 'learned it on YouTube'.

The direct link to the case study series is: 


If you are a “Self-Proclaimed Hacker” looking for a job in LE…

We are almost fully into the computer age.  In nearly every aspect of our lives and jobs, computers* in some form or another are integrated.  This means that if you have the inclination and ability to work with computers, your time has come.  The world is your oyster, as the doors are not only open with information security careers, but employers are fighting over you as their next new hire.  This is kinda true with law enforcement, but not so much.

 <*by “computers”, I mean everything that encompasses technology from writing code to developing the devices>

Let me give a little personal insight into one small aspect of a future career that is of interest to many: law enforcement.  I’ve never directly hired anyone into law enforcement, although I have participated in the interview process for those wanting to be hired, given my input on specific persons that I’ve known who applied to law enforcement, and I have seen people fired for doing some amazingly dumb things as cops (and federal agents).  With that, here is one suggestion on increasing the odds you get hired if you work in information security.

Be careful if you call yourself a hacker if you are not a criminal hacker.

Without clear context, calling yourself a ‘hacker’ implies calling yourself a ‘criminal’, which will cut you out of the hiring process faster than a long-tailed cat running out of a room full of rocking chairs.  The primary mission of hiring in LE is to not hire criminals or anyone with the potential of committing crimes in the future.  Remember…past behavior is the best indicator of future performance and behavior.  Do not think that you will have an opportunity to spend a half hour explaining why a hacker may or may not be a criminal.  Thousands of applications are submitted each month, and one of the best ways to cut the workload of a background investigator is to dismiss as many applications as possible before doing too much work on them.  The easy ones go first, such as those not meeting the job requirements.  Then go the ones with blatant problems (serious drugs, arrests, etc...).  Writing "hacker" on your application is a red flag.

I write this only because fairly recently, I was contacted by a background investigator for my thoughts on a police department hiring someone who is a self-proclaimed hacker on their social media. Having to explain what a hacker is, is not, or could be to someone who is not in the community is not usually productive in less than 10 minutes, especially if they are looking for an easy out to go on to the next application.

My opinion is that many times we may call ourselves “hackers” but, for all practical purposes, are actually “counter-hackers” or “anti-hackers”.   In the most commonly accepted perception of a hacker, the public sees someone who steals their identity by hacking into their computers.  Regardless of how much you may try to explain that you are using “hacker” as a marketing slogan or that not all hackers commit crimes, it does not matter: you most likely will not be hired because of the perception, and perception is reality for all intents and purposes.  The liability of hiring someone into law enforcement who openly claims to be a hacker is not something a government agency will want to take on in a full-time employee.  Sure, maybe some contract work while you are escorted around the building on a limited project, but not as a full-time, badge-carrying, free-to-roam-anywhere officer.  Do I agree with this?   It doesn’t matter, because liability and the perception of future liability is what matters.

So, if you want a better chance of being hired in law enforcement, be careful with calling yourself a “hacker”.  I can promise you, without hesitation, that everything you put online, say at a conference, write in a blog, or say to a future job reference will be looked at by the agency that is considering hiring you.    Law enforcement needs more technically proficient cops, so get that job by marketing yourself as such.



Case study - Placing the Suspect Behind the Keyboard

Not too long ago, I read an article where the state’s largest cocaine bust happened because the driver was stopped for speeding.  The first thing I thought was, “Speeding…yeah, right”.   So, I called a good friend of mine who I worked some cool drug cases with and asked if that was his case.  But of course it was.  The article read like cases we worked together for some years.   The case is public knowledge today, but in short, a year of investigative work resulted in ‘taking off’ lots of drugs and cash using pre-textual traffic stops as wall cases to keep the core case going.  We did that a lot and it was a lot of work.

My point in the story is that when you see a simple case publicized, there is usually a lot more that has happened behind the scenes than most people will ever know.  Some of this is intentional, such as when a small part of a case is ‘walled off’ to protect the core of an investigation, and other times the work is so intensive that to start talking about it will (1) bore the listener to death and (2) take a week to flesh out the details.

So here comes a really cool case I just found to illustrate these points.  In brief, this case is a cyberstalking case that was righteous in all aspects in that the cyberstalker truly needed to be caught and that the work done was awesometacular.

I’ve taken a few snippets from the affidavit to discuss some of the notable investigative aspects of the case.  As a reminder, what you read in the affidavit is like seeing the tip of the iceberg of a case.  There is so much more in a case like this that is not in the affidavit.  Having written more search warrant affidavits than I can count, I cannot imagine how much work was done on the case based on what was included in the affidavit.  Very cool.

Side Note:  Read the entire affidavit when you get a chance.  Flesh it out.  Read it like a novel.  What would you have done differently or better? 


This is a key point. Either iCloud was hacked (as in a technical hack) or someone had physical access to the account (as in, someone who knew the victim and could have accessed her devices).  Eliminating the suspects who could be hackers is impossible.  Eliminating suspects who are known to the victim is possible.

The suspect, “Lin”, erred in using variations of his name in social media accounts.  It’s only a clue, but an important one to build upon.  In all cyber cases, keep track of usernames.  Sometimes there is a reason a username was chosen, and perhaps clues to other information.   For each online service, such as Instagram, also consider that accessing each service can be done using many different devices from many different locations on many different occasions.  With each connection, the suspect risks being discovered, either by his own mistakes or by the service provider.  That means you need to look at every connection of every message, text, email, or login.


 Not much was mentioned about how the anonymity was obtained, but again, each communication is a potential disclosure due to a suspect’s mistake.  Considering that the name used as a false flag, Matthew Brown, is one known to the victim, the assumption is that the suspect is known to the victim and/or Brown.  This can narrow the list of potential suspects.

I threw this in just as a reminder for employers (and to remind your clients!) to back up/image departing employees' devices and keep the images for a set time period, just in case.  This is also a reminder to employers that even if they think nothing is left on the computer, there usually is something.  I’ve come across this multiple times, and in one case the entire case was closed with a single forensic analysis of a reinstalled OS on a departing employee’s computer.

At this point, it’s easy to see that the suspect (Lin) is probably the guy.

Similarities in style and content across multiple accounts can be tied together, at least as being too similar to be a coincidence.  By itself, not enough to prove a crime/incident, but when taken in the totality of all evidence, it is very important.

This would be called a “slip up” by the suspect.  When details known only to a few people are discussed, the list of potential suspects gets very short.

Again, if physical access is needed to commit a crime, the list of suspects can be shortened.

Never give up on uncovering someone because of the technology being used for anonymity.   Keep at it.  Keep looking.  Keep thinking.  Time and effort work for you.  Time works against the suspect.

Technically, this is called “the suspect screwed up”.   But it took getting the records from Google, which required having the idea to ask for them along with the labor to gather legal cause to request them.


Social engineering by the suspect.  Very creative.  However, it required the suspect to create a social media account, email account, and obtain a phone number.  Again, consider how many times he would need to connect to the Internet, from one or more devices, from one or more locations in order to do this.  Each act is a potential windfall of evidence when the suspect makes a mistake. You just have to check every connection known and find the mistake. It is there.  You have to look.


And yet another Internet service to add (TextNow) to your investigation.  This is a good thing.  I have heard complaints from investigators about the number of leads to add to the list of things to do in an investigation every time something else comes up.  For me, I love it.  A dozen social media accounts? Cool.   A hundred social media accounts?  Even better.


Like I said, the more the merrier.  Most suspects do not realize that each thing they do is connected to everything else they do.  There is usually some connection. It might be the same device used.  Or it might be the same IP address used. Or it might be the same service provider used.  The above would make a cool timeline to visually show the connections.

Again, when you have the “same” of anything in a case, do not discount it as a coincidence.  The same IP or the same email or the same username or the same style of writing can all point to the same suspect.
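To make the “same of anything” idea concrete, here is an added example in Python (mine, not code from the affidavit, the author’s course, or any provider) that links accounts across services on three of the connections described above: a shared source IP, a shared provider-supplied device identifier, and usernames that normalize to the same handle. The login records, services, handles, device identifiers and IP addresses are all constructed for the example (RFC 5737 documentation addresses), and the set of “shared” addresses stands in for whatever workplace NAT, VPN or Tor exit addresses a real case would have to exclude.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Login:
    service: str              # provider that produced the record (Instagram, Google, TextNow, ...)
    account: str              # username or e-mail exactly as the provider reports it
    ip: str                   # source IP from the provider's login/connection log
    device_id: Optional[str]  # provider-supplied device identifier; None when only a user-agent exists
    ts: str                   # ISO-8601 UTC timestamp


# Constructed sample records for this example; they are not from the affidavit.
LOGINS = [
    Login("instagram", "lin_tx", "203.0.113.7", None, "2017-03-02T01:12:00Z"),
    Login("instagram", "anon_witness22", "203.0.113.7", None, "2017-03-02T01:15:00Z"),
    Login("textnow", "anon_witness22", "198.51.100.4", "DEV-8F21", "2017-03-05T22:40:00Z"),
    Login("google", "lin.tx88@example.com", "198.51.100.40", "DEV-8F21", "2017-03-05T22:41:00Z"),
    Login("textnow", "burner_555", "192.0.2.9", "DEV-0A77", "2017-03-07T10:00:00Z"),
    Login("instagram", "lin_tx", "192.0.2.50", None, "2017-03-08T09:00:00Z"),
    Login("instagram", "coworker_a", "192.0.2.50", None, "2017-03-08T09:05:00Z"),
]

# Addresses known to be shared by many people (workplace NAT, VPN/Tor exit, campus Wi-Fi).
# An overlap on one of these is a lead to follow up, not a link. Constructed for the example.
SHARED_IPS = frozenset({"192.0.2.50"})


def normalize_handle(account: str) -> str:
    """Reduce a username or e-mail to its letters so 'lin_tx', 'Lin.TX88' and
    'lin.tx88@example.com' collapse to one key. Deliberately loose: it generates
    candidates for a human to review, not conclusions."""
    local = account.split("@", 1)[0].lower()
    return re.sub(r"[^a-z]", "", local)


class DisjointSet:
    """Minimal union-find over account keys."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union_all(self, keys):
        keys = list(keys)
        for k in keys[1:]:
            self.parent[self.find(k)] = self.find(keys[0])


def link_accounts(logins, shared_ips=SHARED_IPS):
    """Group 'service:account' keys that share a non-shared IP, a device identifier,
    or a normalized handle. Returns (clusters, leads); leads are overlaps on shared
    infrastructure that were deliberately NOT used to join accounts."""
    key = lambda rec: f"{rec.service}:{rec.account}"
    keys = sorted({key(rec) for rec in logins})
    ds = DisjointSet(keys)
    by_ip, by_device, by_handle = defaultdict(set), defaultdict(set), defaultdict(set)
    for rec in logins:
        by_ip[rec.ip].add(key(rec))
        if rec.device_id:
            by_device[rec.device_id].add(key(rec))
        by_handle[normalize_handle(rec.account)].add(key(rec))

    leads = []
    for ip, ks in by_ip.items():
        if ip in shared_ips:
            if len(ks) > 1:
                leads.append((ip, sorted(ks)))
            continue
        ds.union_all(sorted(ks))
    for ks in by_device.values():
        ds.union_all(sorted(ks))
    for ks in by_handle.values():
        ds.union_all(sorted(ks))

    groups = defaultdict(set)
    for k in keys:
        groups[ds.find(k)].add(k)
    return sorted(sorted(g) for g in groups.values()), leads


def timeline(logins, cluster):
    """Every connection attributable to one cluster, in time order: the raw material
    for a visual timeline and for checking each connection for a slip-up."""
    wanted = set(cluster)
    rows = [(rec.ts, rec.service, rec.account, rec.ip, rec.device_id)
            for rec in logins if f"{rec.service}:{rec.account}" in wanted]
    return sorted(rows)


if __name__ == "__main__":
    clusters, leads = link_accounts(LOGINS)
    for c in clusters:
        print("cluster:", c)
    for ip, accounts in leads:
        print("lead (shared infrastructure, verify before linking):", ip, accounts)
    for row in timeline(LOGINS, clusters[0]):
        print(row)
```

A shared address on a workplace NAT or VPN exit is reported as a lead rather than used to merge accounts; that is the difference between a clue and a coincidence. The clusters it does produce are candidates for the records requests and device searches described above, not proof on their own.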

Search the devices to which you have access to either confirm or rule out suspects.  In this case, searching Lin’s previous workplace computer found evidence that linked him to the crimes he was committing using other devices.

Not conclusive, but when you put all the evidence together, no one will see anything other than Lin as the suspect because of being overwhelmed with the little things, like this, that point to him.


Past behavior is a good indicator of future performance/behavior.  In Lin’s case, based on his past behavior, I would say that this is what he is: a cyberstalker.  Once you read the entire affidavit, you’ll see what I mean.

Here’s my take on the case. 

The timespan was lengthy, and there isn’t a lot you can do about that.  I don’t know the details of how many people or agencies worked the case, but I can imagine that there were a few (maybe one or two) who spent a lot of time on it, bantered back and forth on the best way to work it, suffered through a lot of investigative failures and wasted time*, and worked hard to get resources to put the case together.

I can imagine the number of court and administrative orders to obtain the records of all the social media services, ISP records, and phone logs being overwhelming at times.  That is the way it is, so in that aspect, don’t feel like any one case is getting you down more than another case.  I would hope that every user account that the suspect used was investigated, including the “anonymous” accounts.   Other cases have shown that even when a third-party provider promises anonymity, they don’t really mean it.  You will never know until you ask and you will never know what great evidence you can get without asking for it.

I’m not plugging the books I wrote for these types of cases, but if you get these kinds of cases, check out the books for some tips.  They are in a lot of libraries, easy to buy online, and the main point I work to get across is to find the one thing that will make your case.

On Oct 17, I am giving a short webinar on Placing the Suspect Behind the Keyboard.  If you stick around for the entire half hour, you’ll get a printable cert of attendance that you can take back to your employer for training credit to justify the time to join during work.   And also, if you stick it out to the end (it’s only a half hour…..), I’m giving a discount to the 13-hour online course that is the biggest I’ve ever done.  $45 for the entire $799 course.   But the promo will only be good for an hour after the webinar, and only for 100 attendees in the webinar; meaning that you’ll have to sign up right away if you want the course. 

Be sure to add your name to the webinar here: Register

If you are like me, you like to dig.  You like to find out whodidit.  You want to put together a good case.  And most importantly, you want to stop bad people doing bad things to good people.  Isn’t that the point of all this?

 *Sarcastically I said “wasted time”. I mean that time spent without a positive result may seem like wasted time, but it is not, since you have to spend time investigating and much of it results in not much forward movement of the case.  Accept the time spent feeling like you are running in circles as part of what it takes to get it done.


Free Webinar - Tips and Case Studies on Placing the Suspect Behind the Keyboard

I had coffee with a detective (i.e., consulted on a case) to discuss his case, where tying a person to one specific device was necessary for criminal charges in an overly complex investigation.  There were a few things I learned and a few things he learned because of our talk.  I think it would be beneficial to talk about some of the things we discussed in a webinar to pass along tidbits that can help others.

Not to take up a lot of your time, but how about a half hour of talking about placing a suspect behind a device?   I want the webinar to be live in order to take as many questions as I can squeeze in, while also packing in as much as I can in half an hour.  If you'd like to attend, register here.  SIDE NOTE:  There will be a bonus in the webinar that will most likely be of interest to you.


The webinar is scheduled for Oct 17 at 11:00am (PST).   The webinar will be limited by virtue of the platform I'm using, so if you want to get in, register early.  Given enough registrations, I may do a second webinar on the same topic afterward.  And if you do register, have some questions ready or even send them in advance by email so I can be sure to cover as many of the questions as I can.  Or just listen in.  This topic applies to both criminal and civil cases, so whether your job is to have a person arrested (or vindicated) or an employee fired (or retained), the tips apply equally.

As I have always said and believed, keep looking for that one thing that can make your case or save you minutes or even weeks of work.  Once you find that one thing, you will crush your cases as if they were Styrofoam cups.  Tip: that "one thing" is different for everyone, but we all need it to be successful.  Those are the things I want to talk about and share.

And here is one tip you can use:  Get your mind in the game.  This is easier said than done.  You can tell yourself every day to do it, but it won't work unless you know how to do it.  Just saying it doesn't work.  But once you do get your mind in the game, you will be the master of that game.  By 'game', of course I mean your job or the task at hand.  When you can create laser beam focus on a task, you will own it.   I drill this concept with the ways to do it in every talk I do.  It's that important because if your mind is in the game, you can do anything.

**** Update -Oct 17 *****

I'll have one more webinar session, limited to 50 attendees.  Details to be posted soon.



Placing the Beard Behind the Keyboard

News reporting does an injustice to the work done in cases like these, only because the articles make it sound so easy.  But this particular case illustrates placing the suspect behind the keyboard using several methods that are sometimes overlooked (but of course, these methods and more are described in both my online course and book…).

In short, the case is simply that a criminal dark-web administrator (Gal Vallerius) was arrested.  The complaint can be read here:

The details of how the suspect was identified and caught are more interesting, and are the things you can do in your own cases.  One thing of note is that the agencies investigating Gal Vallerius included several alphabet agencies (DEA, FBI, IRS, DHS, USPS) and probably several other LE agencies as well.  My point is that you can be the sole investigator for a police department of 5 officers and do most, if not all, of the same work on a case with positive results.  You just have to be creative, find resources, and use the resources available to you.

Some of the methods used in this case included:

  • Bitcoin account tracing (a book is coming out on how to do it in 2018… “Bitcoin Forensics”)
  • Writing style comparisons of known writings
  • Open source information converted into intelligence (social media: Twitter, Instagram)
  • Digital forensics (recovered log-in credentials to the dark web market, PGP encryption keys, and $500K of bitcoin)
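As an added example of the “writing style comparisons” method in the list above, and of the style-and-content similarity noted in the cyberstalking case study earlier on this page (my code, not from the complaint, the book, or the author), the following Python compares character trigram profiles of known writings against an unknown message using cosine similarity. The writing samples and account labels are constructed and deliberately short; on real evidence you would want far more text per account, and the ranking is a lead to corroborate with the other methods, never a standalone identification.

```python
import math
from collections import Counter


def char_ngrams(text: str, n: int = 3) -> Counter:
    """Character n-gram profile. Case is folded and whitespace collapsed so the
    profile captures habits (punctuation, abbreviations, spelling) more than topic."""
    t = " ".join(text.lower().split())
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two n-gram count vectors, 0.0 for an empty profile."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def author_profiles(known):
    """known: {label: [texts]} -> {label: combined n-gram Counter over all texts}."""
    return {label: sum((char_ngrams(t) for t in texts), Counter())
            for label, texts in known.items()}


def rank_authors(unknown: str, known) -> list:
    """Return [(similarity, label), ...] with the best match first."""
    u = char_ngrams(unknown)
    scores = [(cosine(u, profile), label) for label, profile in author_profiles(known).items()]
    return sorted(scores, reverse=True)


# Constructed writing samples (not from the affidavit or the complaint).
KNOWN = {
    "account_A": [
        "u think u can hide from me... tbh i see every pic u post... every msg too...",
        "ur friends wont help u... i know where u go... tbh its pointless...",
    ],
    "account_B": [
        "I would appreciate it if you stopped contacting me. Please do not send further messages.",
        "I have kept a record of each message, and I will provide it to the police if this continues.",
    ],
}
UNKNOWN = "tbh u cant run from this... i see every msg u send... ur not hiding anything..."

if __name__ == "__main__":
    for score, label in rank_authors(UNKNOWN, KNOWN):
        print(f"{label}: {score:.3f}")
```

Character trigrams are used rather than words because the habits that survive a change of account (ellipses, “u”/“ur”, lowercase “i”) are sub-word features; the numbers are only meaningful relative to each other and should be read alongside the IP, device and username connections from the same accounts.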

These are just the public methods used for the complaint.  Criminal complaints/affidavits do not contain the entire case, the entirety of investigative methods, or even the entirety of evidence obtained.  Complaints only contain enough to establish probable cause for criminal charges/search warrants.  I can imagine that reading the full case would reveal many more methods used to identify Vallerius, and I would imagine that none of the methods are secret, as they typically never are.  Practically speaking, the methods used to uncover criminals on the Internet, whether they were ever secret or not, are mostly (if not all) publicly known.   I’m not referring to NSA/CIA methods, but to criminal investigator methods, which require a higher level of legal authority to approve.

If you are not looking for cases like this to analyze, you are not going to improve in your cases as fast as you could be.  When I come across a case online that talks about how someone was caught, I review it line by line.  When I come across someone who worked a case like this, I buy a cup of coffee and talk about the case.  You should too.  Debriefing your casework and the casework of others will bring up things that were done wrong and things that could have been done better.  Debriefing cases makes future cases better.  Sometimes you even have to take a zinger for doing something wrong in order to do it right the next time.  It may hurt in the short term, but you’ll be a hero in the long term.  Do not ignore mistakes, errors, or omissions.  Debrief yourself and improve.  This is perhaps the best way to master a skill.  Consider that military special operations and law enforcement SWAT units do this for every mission and every training exercise in order to improve exponentially. 

In the next month I will have a live (and free) webinar of about 20 minutes to discuss and analyze a case of placing the suspect behind the keyboard.  Stand by for the notification in October via Twitter and this blog.

A point I want to make is my opinion on the investigative aspect of DFIR, or more pointedly, of “forensics”.  Digital forensics and investigations are tied together as one.  An investigator does not have to be a digital forensics analyst in order to use the results of an analysis in a case.  A digital forensics analyst does not have to be an investigator in order to identify evidence.    However, you need both to pull evidence and apply it in an investigation.  One person can do both jobs, or many people can do both jobs.

I have been fortunate to have worked as a police detective for years.  I took a lot of courses that taught investigations, was assigned hundreds of cases, initiated tons more, and worked with dozens of US and foreign law enforcement agencies on many of those cases.  So, getting into digital forensics only required I learn about computers (yes, it’s more than “computers”, but I’m coming to that shortly).  I can identify what is evidence, put information into intelligence, compile it all into a case, and wrap it up nicely with a big bow because I have successfully done it so many times before and worked with some very gifted investigators.  By gifted, I mean that they must have worked very hard to become very good in their jobs.  

I have found that it is easier to learn the technical part than the case-building part, only because outside the LE world, the technical training is everywhere and the case-building part is not.  If a new DFIR person wanted to learn about the Windows registry, in about 3 minutes on the Internet a dozen websites and videos can be found that show not only how, but what tools to use.  The same can be said for any technical know-how.  Try to find case-building information and you’ll come up a bit short.  Case-building is not report writing. Without knowing what it takes to build a case, all the best DF work in the world won’t save the case.

Summary please…

When you work DFIR, work it like it’s a case, because it is.  Whether the ‘case’ goes to trial or to the boss, you really are investigating.  The only exception is if you are only pulling out data; then it’s just data recovery.  But if you are looking for a smoking gun (which could be a civil matter with document-manipulation allegations or a criminal matter with dead bodies), you are investigating by looking for evidence, ergo: forensics.  Treat it as such.  Put yourself into an investigative mindset.   Ask yourself questions as you move forward:

  • What do I need?
  • How does it relate to the case?
  • How do I get it?
  • What do I do with it once I get it?

Think: a prefetch file is just a prefetch file unless you can show the relevance to the case.


Don’t just do data recovery.   Do DFIR.


Some of your cases probably already have cryptocurrency evidence in them...


The Bitcoin Forensics book is moving forward with a fantastic addition of a tech editor: Heather Mahalik!  I could not be more honored than to have Heather as the tech editor.  If you are reading this, you already know who Heather is in the DFIR community, but if not, take a look here: Heather's Bio.

A few things about the book.

Yes, it is tentatively titled “Bitcoin Forensics”, but the subtitle is “Cryptocurrency Investigations”.  The intention is to not only cover Bitcoin, but the alternative coins (altcoins) as well.   Coins such as Litecoin and Monero will be in the book because few investigations will have only one coin involved since converting from one coin to another in attempts to launder proceeds will most likely occur in every fraud investigation.  I've had a few conversations about the anonymous coins, where tracing transactions is 'impossible'.   There is always something you can do that benefits a case, even when something is seemingly impossible.  The book will cover those difficult cases too.

Another thing: most analysts and investigators have not yet come across cryptocurrency in their investigations.  Consider that if you are not looking for it, you will not find it, and by not looking for it, this will be the biggest hole in your investigation.  Even if you find evidence of fraud/money laundering with cryptocurrency, you can easily miss important evidence that may not be found until later, if ever (such as this case).  Our current lack of competence in this area only makes it easier for criminals to succeed.  For the forensic analyst, you need to know not only the artifacts of cryptocurrency evidence, but also what amounts to evidence (i.e., what is evidence).  

If you don’t believe that Bitcoin (as in all types of cryptocurrency, not just Bitcoin) is going to be a major method of financial transactions and part of most every money laundering, fraud, and IP theft case, consider that it already is; you just don't know it yet.  The Bitcoin Forensics book will show the forensic artifacts along with 'how money laundering works with cryptocurrency' in order to walk you through your first case and the next case and the next case and the...
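As an added example of what knowing the artifacts looks like in practice (my code, not from the book or its author), the Python below scans a constructed chat export for legacy Bitcoin mainnet addresses and validates each candidate's Base58Check checksum, so that address-shaped noise is not reported as evidence. The first address in the sample is the well-known genesis-block address, used only because it is public and valid; the second is that same string with its last character changed, which fails the checksum. Bech32 (bc1...) addresses and altcoin version bytes are out of scope for this snippet.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Address-shaped tokens: legacy P2PKH (starts with 1) and P2SH (starts with 3) on Bitcoin mainnet.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
MAINNET_VERSIONS = {0x00, 0x05}  # P2PKH, P2SH


def b58decode(s: str) -> bytes:
    """Base58 decode; each leading '1' encodes a leading 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zero_bytes = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zero_bytes + body


def is_valid_bitcoin_address(s: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in MAINNET_VERSIONS:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def scan_for_addresses(text: str):
    """Return [(candidate, checksum_ok)] for every address-shaped token in text,
    so the analyst sees both the real addresses and the near-misses worth a second look."""
    return [(m.group(0), is_valid_bitcoin_address(m.group(0))) for m in CANDIDATE.finditer(text)]


def valid_addresses(text: str):
    return [cand for cand, ok in scan_for_addresses(text) if ok]


# Constructed chat export for the example; the handle and timestamps are invented.
SAMPLE_EXPORT = """
[2017-03-05 22:41] anon_witness22: send it to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa before friday
[2017-03-05 22:43] anon_witness22: sorry typo, 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb is wrong ignore it
"""

if __name__ == "__main__":
    for cand, ok in scan_for_addresses(SAMPLE_EXPORT):
        print(f"{cand}  checksum {'OK' if ok else 'FAILED'}")
```

A keyword or regex hit alone is a lead; the checksum is what turns an address-shaped string into an artifact worth putting on a records request, and a near-miss that fails the checksum can still show that the suspect was handling an address at that time.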

As for cryptocurrency adoption in everyday life, it is already here. 

A suggestion: You may want to buy a little Bitcoin to start your foundation of what you will be coming across in your cases...

If you haven't gotten into cryptocurrency yet and want $10 of free Bitcoin, use this referral link to sign up for a Coinbase account.  



“Forensically Sound”.  One of those phrases that is commonly used, misused, unused, and abused.

Disclaimer: This is my opinion, which is not a legal opinion. I call it Brett's Opinion.  But along with that, I have identified, seized, analyzed, requested analysis, checked-in/out, transferred/assumed custody, and had entered into court cases thousands of items of evidence from electronic data to brain matter.   

This short post is to give my opinion on the use of “forensically sound”.  The reason I want to mention this is because I witnessed a DF expert state in public that capturing live (volatile) memory is not forensically sound because you can’t reproduce it or enter it as evidence.  I think we must be careful about some things we say.  

In the most basic sense, any “thing” that is accepted by a court as evidence is forensically sound, since the court accepted the process used and admitted the "thing" as evidence.

We get caught up when performing computer science work in digital forensics and tend to forget that every situation is a bit different from the next situation, in either minor or major ways.  The general processes we use are similar for each situation, but of course we vary a little depending on what we come across.  The situation we approach dictates how we proceed.

There was a time when pulling the plug on a computer and imaging the hard drive through a hardware write blocker was the only forensically sound method accepted.  Doing it any other way meant you ruined the evidence.  This belief persisted for years, even after it was realized that volatile memory is also valuable evidence (sometimes even more valuable than data on the drive).  Sure, sometimes you need to pull the plug, and sometimes volatile memory has nothing to do with what a specific case needs.  That goes to the point of every case being different.  For the must-always-use-a-hardware-write-blocker crowd, I’m not sure what they do with computers from which the hard drive cannot be removed, for a multitude of reasons.  Situation dictates choices.

My point is that we all have the best intentions and rely upon generally accepted processes; however, we need to also be aware of what evidence is and what it is not.  If you can get a ‘thing’ admitted into court that can prove or disprove an allegation, then you have evidence.  “Forensically sound” more aptly applies to the technical processes and methods; it does not really define whether a ‘thing’ is evidence, or whether a court will accept it.

Another holdover from days past is the requirement to be able to exactly reproduce an analysis in order for it to be forensically sound.  On a hard drive that was shut down when you approached it, imaged through a hardware write blocker, and verified using software that everyone else uses – easy peasy.   On anything else, good luck.   Live memory changes as you capture it.  Shutting down or pulling the plug on a computer changes the data.  Waiting to decide whether to shut down, pull the plug, or image live changes the data (it changes as you watch and think about what to do!).  A crime lab that tests the content of a drug destroys the portion of the drug that it tests.  An autopsy on a body damages and changes the body (as does the passage of time, with decomposition).  A burning building destroys evidence of the cause of the fire, as do the efforts to put out the fire.

When teaching court admissibility of digital evidence, be careful if you are unsure of what is forensically sound, especially when talking about evidence.   You’d be amazed at the types of evidence that can be admitted in a trial, and at the types that cannot.  Best answer: do your best with the evidence-seizing situation you encounter, submit it as evidence, and let the court decide if it was forensically sound.  Personally, I believe anyone working in a job where you look at data should be versed in 'evidence'.  Cops have it easy.  They deal with it every day until it becomes second nature.  For everyone else, a short class in 'what is evidence' can make or break a case later.

Then there is the sliding scale of veracity…but that’s another story.
