Search Brett's Ramblings

Placing the Beard Behind the Keyboard

http://www.miamiherald.com/news/nation-world/article175557206.html

News reporting does an injustice to the work done in cases like these, only because the articles make it sound so easy.  But this particular case illustrates placing the suspect behind the keyboard using several methods that are sometimes overlooked (but of course, these methods and more are described in both my online course and book…).

In short, the case is simply that a criminal dark-web administrator (Gal Vallerius) was arrested.  The complaint can be read here: https://regmedia.co.uk/2017/09/27/gal_vallerius.pdf

The details of the case of how the suspect was identified and caught are more interesting, and are the things you can do in your cases.  One thing of note is that the number of agencies investigating Gal Vallerius included several alphabets (DEA, FBI, IRS, DHS, USPS) and probably several other LE agencies as well.  My point is that you can be the sole investigator for a police department of 5 officers and do most, if not all, of the same work on a case with positive results.  You just have to be creative, find resources, and use the resources available to you.

Some of the methods used in this case included:

  • ·         Bitcoin account tracing (a book is coming out on how to do it in 2018… “Bitcoin Forensics”)
  • ·         Writing style comparisons of known writings
  • ·         Open source information converted into intelligence (social media: Twitter, Instagram)
  • ·         Digital forensics (recovered log-in credentials to the dark web market, PGP encryption keys, and $500K of bitcoin)

These are just the public methods used for the complaint.  Criminal complaints/affidavits do not contain the entire case, the entirety of investigative methods, or even the entirety of evidence obtained.  Complaints only contain enough to establish probable cause for criminal charges/search warrants.  I can imagine that reading the case will have many more methods used to identify Vallerious, and I would imagine that none of the methods are secretive as typically they never are.  Practically, the methods to uncover criminals on the Internet regardless if they were secret or not, and most (if not all) are publicly known.   I’m not referring to the NSA/CIA methods, but the criminal investigator methods which require a higher approval of legal authority.

If you are not looking for cases like this to analyze, you are not going to improve in your cases as fast as you could be improving.  When I come across a case online that talks about how someone was caught, I review it, line by line.  When I come across someone who did a case like this, I buy a cup of coffee and talk about the case.  You should too.  Debriefing your casework and the casework of others will bring up things that were done wrong and things that could have been done better.  Debriefing cases makes future cases better.  Sometimes you even have to take a zinger for doing something wrong in order to do it right the next time.  It may hurt in the short term, but you’ll be a hero in the long term.  Do not ignore mistakes, errors, or omissions.  Debrief yourself and improve.  This is perhaps the best way to master a skill.  Consider that military special operations and law enforcement swat units do this for every mission and every training exercise in order to improve exponentially. 

In the next month I will have a live (and free) webinar of about 20 minutes to discuss and analyze a case of placing the suspect behind the keyboard.  Stand by for the notification in October via Twitter and this blog.

A point I want to make is my opinion on the investigative aspect of DFIR, or more pointedly, of “forensics”.  Digital forensics and investigations tied together as one.  An investigator does not have to be a digital forensics analyst in order to use the results of an analysis in a case.  A digital forensics analyst does not have to be an investigator in order to identify evidence.    However, you need both to pull evidence and apply it in an investigation.  One person can do both jobs or many people can do both jobs.

I have been fortunate to have worked as a police detective for years.  I took a lot of courses that taught investigations, was assigned hundreds of cases, initiated tons more, and worked with dozens of US and foreign law enforcement agencies on many of those cases.  So, getting into digital forensics only required I learn about computers (yes, it’s more than “computers”, but I’m coming to that shortly).  I can identify what is evidence, put information into intelligence, compile it all into a case, and wrap it up nicely with a big bow because I have successfully done it so many times before and worked with some very gifted investigators.  By gifted, I mean that they must have worked very hard to become very good in their jobs.  

I have found that it is easier to learn the technical part than the case-building part, only because outside the LE would, the technical training is everywhere, and the case-building part is not.  If a new DFIR person wanted to learn about the Windows registry, in about 3 minutes on the Internet, a dozen websites and videos can be found to show not only how, but with what tools to use.  The same can be said for any technical know-how.  Try to find case-building information and you’ll come up a bit short.  Case-building is not report writing. Without knowing what it takes to build a case, all the best DF work in the world won’t save the case.

Summary please…

When you work DFIR, work it like it’s a case, because it is.  Whether or not the ‘case’ goes to trial or to the boss, you really are investigating.  The only exception is if you are only pulling out data and then it’s just data recovery.  But if you are looking for a smoking gun (which could be a civil matter with document manipulation allegations or a criminal matter with dead bodies), you are investigating by looking for evidence, ergo: forensics.  Treat it as such.  Put yourself into an investigative mindset.   Ask yourself questions as you move forward;

  • What do I need?
  • How does it relate to the case?
  • How do I get it?
  • What do I do with it once I get it?

Think: a prefetch file is just a prefetch file unless you can show the relevance to the case.

 

Don’t just do data recovery.   Do DFIR.

  1226 Hits
  0 Comments

Some of your cases probably already have cryptocurrency evidence in them...

subway

The Bitcoin Forensic book is moving forward with a fantastic addition of a tech editor: Heather Mahalik!.  I could not be more honored than to have Heather as the tech editor.  If you are reading this, you already know who Heather is in the DFIR community, but if not, take a look here: Heather's Bio.

A few things about the book.

Yes, it is tentatively titled “Bitcoin Forensics”, but the subtitle is “Cryptocurrency Investigations”.  The intention is to not only cover Bitcoin, but the alternative coins (altcoins) as well.   Coins such as Litecoin and Monero will be in the book because few investigations will have only one coin involved since converting from one coin to another in attempts to launder proceeds will most likely occur in every fraud investigation.  I've had a few conversations about the anonymous coins, where tracing transactions is 'impossible'.   There is always something you can do that benefits a case, even when something is seemingly impossible.  The book will cover those difficult cases too.

Another thing…most analysts and investigators have not yet come across cryptocurrency in their investigations.  Consider that if you are not looking for it, you will not find it, and by not looking for it, this will be the biggest hole in your investigation.  Even if you find evidence of fraud/money laundering with cryptocurrency, you can easily miss important evidence that may not be found until later, if ever (such as this case).  Our current lack of competence in this area only makes it easier for criminals to succeed.  For the forensic analyst, you need to know not only the artifacts of cryptocurrency evidence, but also that what amounts to evidence (ie: what is evidence).  

If you don’t believe Bitcoin (as in all types of cryptocurrency, not just Bitcoin) isn’t going to be a major method of financial transactions and part of most every money laundering, fraud, and IP theft case, consider that it already is, you just don't know it yet.  The Bitcoin Forensics book will show the forensic artifacts along with the 'how money laundering works with cryptocurrency' in order to walk you through your first case and the next case and the next case and the...

As to cryptocurrency adoption in everyday life....it is already here.

 

https://cointelegraph.com/news/first-bitcoin-only-real-estate-transaction-completed-in-texas 

A suggestion: You may want to buy a little Bitcoin to start your foundation of what you will be coming across in your cases...

If you haven't got into cryptocurrency yet and want $10 of free Bitcoin, use this referral link to sign up for a Coinbase account: https://www.coinbase.com/join/57c8a8bcded4fa009924eae5 .  

 

Tags:
  1166 Hits
  0 Comments

“Forensically Sound”.  One of those phrases that is commonly used, misused, unused, and abused.

Disclaimer: This is my opinion, which is not a legal opinion. I call it Brett's Opinion.  But along with that, I have identified, seized, analyzed, requested analysis, checked-in/out, transferred/assumed custody, and had entered into court cases thousands of items of evidence from electronic data to brain matter.   

This short post is to give my opinion on the use “forensically sound”.  The reason I want to mention this is because I witnessed a DF expert state in public that capturing live (volatile) memory is not forensically sound because you can’t reproduce it or enter it as evidence.  I think we must be careful about some things we say.  

In the most basic sense, any “thing” that is accepted by a court as evidence is forensically sound, since the court accepted the process used and admitted the "thing" as evidence.

We get caught up when performing computer science work in digital forensics and tend to forget that every situation is a bit different from the next situation, in either minor or major ways.  The general processes we use are similar for each situation, but of course we vary a little depending on what we come across.  The situation we approach dictates how we proceed.

There was a time when pulling the plug on a computer to image the hard drive with a hardware write blocker was the only forensically sound method accepted.  Doing it any other way meant you ruined the evidence.  This belief persisted for years even after realizing volatile memory is also valuable evidence (sometimes even more valuable than data on the drive).  Sure, sometimes you need to pull the plug and sometimes volatile memory has nothing to do with what a specific case may need.  That goes to the point of every case being different.  For the must-always-use-a-hardware-writeblocker crowd, I’m not sure what they do with the computers that the hard drive cannot be removed for a multitude of reasons.  Situation dictates choices.

My point is that we all have best intentions and rely upon generally accepted processes; however, we need to also be aware of what evidence is and what evidence is not.  If you can get a ‘thing’ admitted into court that can prove or disprove an allegation, then you have evidence.  Forensically sound more aptly applies to the technical processes and methods, but does not really define whether or not a ‘thing’ is evidence or not or that a court will accept it or not.

Another holdover from days past is that of being able to exactly reproduce an analysis in order to be forensically sound.  On a hard drive that was shut down when you approached it, imaged through a hardware write blocker, and verified using a software that everyone else uses – easy peasy.   On anything else, good luck.   Live memory changes as you capture it.  Shutting down/pulling the plug on a computer changes the data.  Waiting to decide whether or not to shutdown or pull the plug or image live changes the data (it changes as you watch and think about what to do!) A crime lab that tests the content of a drug destroys a portion of the drug that it tests.  An autopsy on a body damages and changes the body (as does the passage of time with decomposition).  A burning building destroys evidence of the cause of the fire, as does the efforts to put out the fire.

When teaching court admissibility of digital evidence, be careful if you are unsure of what is forensically sound, especially when talking about evidence.   You’d be amazed at the types of evidence that can be admitted in a trial along with the evidence that doesn’t.  Best answer: do your best with the evidence seizing situation you encounter, admit it as evidence, and let the court decide if it was forensically sound.  Personally, I believe anyone working in a job where you look at data should be versed in 'evidence'.  Cops have it easy.  They deal with it every day until it becomes second nature.  For everyone else, a short class in 'what is evidence' can make or break a case later.

Then there is the sliding scale of veracity…but that’s another story.

  1782 Hits
  0 Comments

When “intent” is an element of the crime, you better find the intent.

planning

Proving intent can give you the dickens of a time.  It’s easy to prove what happened.  And it is mostly easy to prove how it happened.  Many times you can even prove who caused it to happen.  But the stickler is always the why (aka: intent or reason).

A murder-for-hire case I solved some years back required finding the intention of the hired gun (so we could arrest him!).  The investigative plan was to not only prevent a murder, but gather enough evidence to arrest and charge the murderer-to-be without having a murder occur.  We had about an hour to find the hit-man before he was on his way out the door to kill the victim-to-be.

This particular case was a husband (Suspect #1) who hired a hit-man (Suspect #2) to kill Suspect #1’s ex-wife.  The hit-man's girlfriend wanted to turn in both #1 and #2.  Suspect #1 paid $5,000 to Suspect #2 to kill the ex-wife in a very specific and explicit manner that included a Corona beer bottle, duct tape, and a few other specific items.  You can imagine the rest.  If the girlfriend didn’t come forward at the last minute, it would have been a murder case instead of a murder-for-hire case.

Anyway, we found where the hit-man was holed up and arrived just as he was preparing to leave for the murder.  When I approached him, guess what he had on him (besides the meth pipe between his lips)?   He had a Corona beer bottle, duct tape, and the few specific items that he was told to use in the murder. 

The point of the story is that the items he possessed spoke volumes of his intention.   

I also found a printed Google map of the victim-to-be's home address….added to the computer search artifacts on the computer.  So yeah, we had intention all over the place.  The end result of this case was the hit-man fessed up, agreed to cooperate against Suspect #1 by making a recorded call about the murder-for-hire (in return for nothing but him begging for forgiveness), and both #1 and #2 were arrested, charged, and convicted.

A side note to this story was that Suspect #1 was mistaken in the address of his ex-wife.  He had Google’d his ex-wife’s name and clicked a link to a woman with the same name in the same city, but….it was a completely different person.  I called this case my “Sarah Connor Case”. 

Back to intention.  With any crime or civil matter where you need to know the why, find the little things that imply the why.  You can’t ever get the real answer, even when told by the suspect because you can’t read a person’s mind.  But you can get the inferences based on the implications of evidence you find.  Examples are Internet browsing forensic artifacts such as searching for a person, searching for a hit-man, and searching for how to cover up a murder.  Add that to the physical items you may come across and you start to overload intention onto the defense.  

Here comes the Amazon Bookstore.

I thought about finding intention today (everyday actually) when I checked out the Amazon bookstore, and I mean the actual brick-and-mortal Amazon bookstore, like a real bookstore.  I saw that the books had 3x5 cards with bar-codes.  A salesperson showed me the Amazon app to scan the bar-code and immediately be taken to the Amazon.com website to order the book.  The interesting part is that the Amazon app works with just about anything you can take a photo of.  Take a photo of a pressure cooker and you’ll be directed to the Amazon URL to purchase the pressure cooker directly from your phone.   This is great for Amazon’s business.  Take a photo of practically any object and your phone’s browser will open to the Amazon.com page with that item. Works well enough to be more than impressive.

But I think differently.  Yes, it’s cool to be able to be in a department store, take a photo of a high-priced item, and have Amazon show you their less expensive price; however, if you investigate anything, you probably already thought about what I am about to say.

Photos are good.  Online shopping is good.  Physical shopping is good.  Shopping for elements of a crime and taking photos of them is super!

I blogged about photos before in the manner of placing the suspect behind the camera.  In that post, I mentioned that the content of the photo may be relevant to the crime. Maybe it is a photo of the crime scene, victim, witness, or even the suspect as a selfie.  But it may also contain elements of a crime or future crime in regards to the tools of the trade.  Perhaps photos of houses or a business that are the potential targets of a robbery or burglary.

As another example, I assisted in a unique gang case, where one gang member took a photo of a car that was similar to a rival gang member’s car.  That single photo was sent to all gang members with an order to find the car and then do something not-so-nice to the rival gang member, which they eventually did.  The photo content was evidence of course, but more so, the intention implied by the photo and text.  This type of evidence screams confession without the suspect ever having to speak a word.

More to the point is that you already know that Internet search terms can imply intent.  Now you know that shopping can imply intent and you can get shopping habits not only from Internet search terms, but smart phone photos, like the ones you can take with the Amazon app.  Imagine finding photos in a case, where the content somehow matches the evidence in the case.  It may not be photos of the evidence, but perhaps photos of items that resemble your evidence, much like a gang member taking a photo of a car that is looks like a car of someone he wants dead.

Remember now…tools don’t commit crimes. People do.   Apps are just apps, but boy do they hold some gold nuggets of evidence.  In your cases, keep asking yourself, "how can I show intention and prove the suspect did it?".  You'll be surprised at the little things you can find when you ask yourself about the little things.

 

  1257 Hits
  0 Comments

Luck has nothing to do with it if you are good at what you do.

luck

When the bad guy is caught because the bad guy made a mistake, that does not mean bad luck for the bad guy or good luck for the good guy.   It just means that the investigator not only caught the mistake, but ran with it.  This takes effort and skill, not luck.   If you want to see luck (good or bad), watch a Roulette table or throw some dice in Vegas.  Granted, I have seen bad guy mistakes that truly dropped into the lap of an investigator, but that is typically not typical, and even then, if you don't recognize it for what it is, you'll miss out on a freebie.

A good case study you can see on Youtube is Ochko123 - How the Feds Caught Russian Mega-Carder Roman Seleznev

One of the really good statements from the presentation is “…mistakes just happen…and if law enforcement sees that one mistake it’s something to run on…”.

The trick in seeing that one mistake resides in only three questions to ask yourself (today, ask yourself these questions today):

1.  What kind of mistakes happen?

2.  Where do I look for those mistakes?

3.  What do I do when I find one?

Use three simple questions to solve the most complex of cases, whether it is a hacking case or a murder case or a fraud case or an employee theft case.  Any case.  I harp on this concept often, only because it is so important. I harp on it enough to write books about it, teach it, and do it myself.  The concept is the same.  Know the mistakes that the bad guys make, find the mistakes, and know what to do with the mistakes when you find them.  

The old adage of the bad guy has to be right 100% of the time and the police only need to be right once is true in that you only need to find the one mistake to break the case.   Looking back on my biggest cases that were overwhelmingly complex on the surface, I can reflect on the first little cracks in the cases that were all tied back to an error by the suspect.  Every single one of them.  It took effort to find the mistakes, but they were there.

Solving cases has always been this way.   There is no magic in solving a complex case other than the illusion of magic that you create for everyone who watches you run circles around them as you close cases.   When you meet someone who always has a difficult time of closing a case, it is because they are not finding the errors that are being made by the suspect.  That’s it.  For whatever reason, the mistakes are not being caught or if they are, the mistakes are not being exploited by the investigator to break the case open.  Anyone who says that mistakes don't happen anymore are mistaken.  Mistakes happen, have always happened, and will continue to happen.  Human nature and technology failures will continue to allow investigators to solve the unsolvable cases.

You still have to work hard even after being skilled at finding mistakes made by the suspect.  There is no way around that.  When I was a young patrol officer, I made a lot of arrests.  I'm talking a lot of felony arrests.  My department had a tad bit over 125 commissioned officers, but in one year alone, I made more felony drug arrests than the rest of the department...combined.  I was called "lucky".  I was asked constantly, "How are you so lucky?".   My answer was always something to the effect of "I'm just lucky I guess."   In reality, I worked hard.  I talked to a lot of people on the street (citizens and not-so-much-citizens).  I watched drug houses every minute I could.  I simply worked hard and it appeared that I was "lucky". Luck has nothing to do it.  You need the effort and you need to know what you are looking for.  I brought that same luck with me when I made detective.  I bring it whereever I go.  You can see this concept in business where a business makes a mistake and a competitor exploits the heck out of it.  You can do it too with your cases, regardless of the type of case, size of case, or importance of the case.

If you are looking for a headstart on answering the three questions, I’ll give you  50% off the Placing the Suspect Behind the Keyboard online course, plus two free books (PSBK and HBTK) to go along with the course.  $399.50 for 13 hours of (1) what mistakes are made, (2) where to look for the mistakes, and (3) what to do when you find one.  But hurry, you only have a few days before the promo expires on 8/31/17.

  1259 Hits
  0 Comments

Kicking in the wrong doors

I like reading Brian Krebs’ blog.  Brian is awesome at tracking hackers and writing about it.  While reading his latest post, Blowing the Whistle on Bad Attribution, my internal response was to keep repeating, “yes yes yes”.

I’m not going to get into his blog post other than recommend it as a good read about attribution.  Now…about kicking in the wrong doors….

My #1 concern as a police officer and detective was arresting the right bad guy.  The last thing I ever wanted was to arrest the wrong person (aka.. an innocent person).  I took more steps to verify that probable cause existed than was probably legally required to arrest the right person, but arresting the wrong person is way worse than missing the right person.  Police work was my entry into attribution.  

I experienced the effects of wrongful attribution in police work by other investigators.  On one occasion, a detective in a task force I was assigned had worked a drug case that was at best described as a disaster.  This detective that I shall not name typed up an affidavit, swore to it, had the judge sign the search warrant, and gave that search warrant to the SWAT team to serve on an early morning.  After the SWAT team secured the house, I went in to help with the search.  Guess what.  Wrong house.  Wasn't even close.   I could tell as soon as I walked inside.  The ‘right’ house was a block away.

This particular case was due to a single and sole factor of not doing a good job.  The detective never visually identified the right house (and never even looked at the wrong house either).  The work was lazy; the detective assumed that she had the right house because the informant told her it was the right house.  The funny thing was…the informant gave the correct address but the detective even got that wrong and never corroborated the right address or the wrong address.  Didn’t even check any records to see who lived at the address to which the affidavit attested or even the right address. 

And yes, a friend of mine who was in a different drug unit presented me with a sarcastic, yet humorous, certificate for the detective’s work in the drug case…I still have it as a reminder to never let this happen to me.

Oh well…that doesn’t happen much..right?

Turns out that I saw this happen on more than a few occasions, where the wrong door was kicked in, or the wrong person was arrested, or evidence that was seized and used against someone actually turned out not to be evidence at all.  It happens, but it really shouldn’t.  I know a prosecutor who had been chilling after work in her living room when her door was kicked in by police error...whups.  Bad attribution with a quick legal settlement.

On the cyber aspect of attribution, the job is way harder than a traditional criminal case such a bank robbery or burglary.  Traditional crimes require the physical person to be physically present to physically commit the crime on a physical person or physical item of property.  The amount of evidence left behind ranges from fingerprints to security camera videos that captures the entire crime as it happens.  With digital crimes, not so much.  With digital crimes, we get deep in guesswork without the benefit of getting our hands on the tools used in the crime, other than the electronic data we can find.

Let’s get to the point.

Wrongful attribution is more than just wrong; it is dangerous. Attribution of digital crimes is also easy to get wrong, because not only is there less evidence, but the evidence left behind can be intentionally or inadvertently misleading.  A malware that looks Russian does not mean that Russia did it.  Maybe "Russia" did, maybe they didn’t.  Even then, to broadly state that a nation-state, organization, group, or specific person did it, cannot be taken as totally accurate without a lot of corroborating evidence.  Maybe the allegation is correct.  Maybe it is not.  

Even if attribution is spot on (in that you guessed correctly), unless you have the actual devices used and the person in cuffs admitting to it, you really only have assumptions that are difficult at best to prove or disprove.  IP addresses can be misleading or intentionally deceptive.  MAC addresses can be spoofed.  Caller ID can be spoofed. Malware can be modified to appear to originate from a specific person or organization.  Online claims can be false (where someone else takes the credit to get ‘street cred’ or fake online accounts can be created to point to innocent persons taking the blame).  

At best, we can only say things like, “Based on what we found, the incident points to Suspect A”, and certainly should not state that “Suspect A did it because our electronic evidence proves it”.   Proving a crime was committed by a specific suspect is a leap beyond believing that a specific suspect did it if you don't have enough direct and circumstantial evidence that can convince a judge or jury of peers.

I don’t fault anyone making bad attributions as long as everyone knows that without hard evidence, we are only making assumptions. It’s only human nature to assume, especially if emotions and bias is involved.  I can’t remember the number of times where a victim told me that he knew who victimized him but in actuality, the victim was only assuming who did it based on his emotion of who he thought did it, not on any evidence.  If police officers ran out and arrested people based on their feelings or mere suspicions, we’d be living a way different country.  We shouldn’t be doing that in the cyber cases either.

 

  1104 Hits
  0 Comments

Knowing “how-to-do-it” is important, but first you need to know “what-to-do”.

My first months as a narcotic detective sucked.  My partner (ie. the senior narc) was less helpful than a doorknob on the ceiling.  The initial On-the-job training basically consisted of “figure it out” and “I am not going to help you figure it out”.   In time, I figured it out.  It took nearly being killed on occasion and suffering through a few investigations.  Did I mention my first months as a narc sucked?

Here is what I learned with that experience: Knowing what you have to do is more important than the how to do it, because if you don’t know the what-to-do, the how-to-do-it doesn’t matter.   It’s like registry forensics.  If you learn all about how to do it, but you have no idea of why you should in one case but not in another, then you are missing the what.

Let’s consider one registry item.  There are probably dozens of software applications that will deliver you straight to USBStor in the registry where you can pull out data on USB devices.  You can spend a week in a registry course working one specific software and then self-learn a dozen more registry tools all for the effort of pulling out registry information. But, so what?  Being able to pull out registry information willy nilly is useless if you don't know what to do with it (or why).

The what is having an objective and purpose to go into the registry for that specific data.  You need to know what you need for evidence to prove or disprove an allegation.  You need to know what you need to make the case.   The what is going to be a lot more than pulling out a registry key.  

Then, after pulling the data out that you determined is necessary to make your case, you need to tie the data to a person.  And you need to articulate how the data you found is relevant and that it is evidence which relates to a person.  Simply finding that a flash drive was plugged into a machine does not make a case if you can’t articulate the connection, no matter how great of a forensic job you did to ‘recover data’.

I bring this up so that when you take a training course in forensics, ask the instructor to also cover the what in addition to the how.  Learn the individual skills, but also learn when you need to employ those skills and why; otherwise, spending a full workday in the registry just because you know how isn’t going to make your case if you don’t know what you need to do in your case. 

The what is the forest.  The how are the trees.  You really do need to see the forest.

Going back to my narc years, as soon as I figured out what makes a good case, my effectiveness (and workload...) skyrocketed.  I initiated more than a dozen international organized drug trafficking cases (aka: OCDETF), seized over a ton of drugs, worked several wiretaps, solved murders, recruited into a federal task force, uncovered terror training cells, and traveled internationally working undercover.  All it took was seeing the big picture in what was needed for a good case. 

The skills? Those are the easy things to learn.  That's why I push the big picture so hard with the training I give and the things I write because once you get it, your effectiveness will skyrocket and you can focus on learning the skills that you know you will need, not skills for sake of having skills.

As a side note, I used this concept when getting into forensics more than a decade ago.  It worked out just fine (but that first month of narc work still sucked).

  1530 Hits
  0 Comments

Bitcoin Forensics - The book

crypto

The table of contents is done!  Or at least the tentative table of contents is done.

You'd figure that a table of contents would be the easiest thing to write for a nonfiction book, but not only is it not the easiest, but it changes as you write.  I've learned that a good plan for a table of contents helps keep the book focused, but I also learned that as you research, you either add or subtract to the original plan.  Some of the book has been started as well, but the table of contents is what I want to get out for a few reasons.  One, build your interest in cryptocurrency investigations and get you excited about the book, (2) get input if you have it on what you would like to see in the book, and (3) check if you have interest in contributing to the book process.

The tentative table of contents
  • Introduction
    • You should maybe get started learning this sooner than later
    • Eventually, every case where money is involved will involve cryptocurrency
  • Chapter 1 - Money
    • Currency
    • Physical money
    • Virtual money
  • Chapter 2 - Money Laundering
    • Traditional methods (simple to complex) with physical money
    • High tech methods (simple to complex) with virtual money
  • Chapter 3 - The Blockchain
    • It is not just for Bitcoin
    • Blockchain is a big deal
  • Chapter 4 - Wallets, Exchanges, and Transactions
    • How to use cryptocurrency
    • How cryptocurrency changes everything in money laundering investigations
  • Chapter 5 - Anonymity and Cryptocurrency
    • You are not anonymous when using cryptocurrency
    • You are anonymous when using cryptocurrency
    • The Dark Web Markets and Cryptocurrency
  • Chapter 6 - Cryptocurrency Investigations
    • Device forensics (artifacts)
    • Forensic tools
    • Tracking transactions on the Blockchain
    • Seizing wallets
    • Identifying the owner of a cryptocurrency wallet
    • Legal issues
  • Chapter 7 - Case Studies
    • Money laundering related crimes
    • Terrorism
  • Chapter 8
    • Putting it all together
    • Tying suspects to wallets and devices
    • Tying suspects to cryptocurrency transactions
  • Summary
  • Appendix
    • Everything we can put together as resources for you!

We have a general idea of how long each section will be, but won't know until we write it.  So one chapter may be way longer than another simply because there is so much to discuss.  Don't worry about being overwhelmed with cryptocurrency information as this book is for you, the practitioner, the investigator, and the trier of cases.

There is one request (or offer, depending on how you look at it):

Contribute to the book.

If you ever thought of writing a book, or contributing to a book, but wanted to dip your toes in first, this is an opportunity.  I have a handful of crypo cases worked and Tim has more than a bit of research into cryptocurrency investigations.  I already have a few offers of case studies and research that I will be taking people up on; however, if you have interest as a contributor, email me (This email address is being protected from spambots. You need JavaScript enabled to view it.).  Whether you'd like one of your cases featured in a case study, share some things you did in a case, or share some research findings, we are open to all.  That what we use is credited directly to you in a peer-reviewed, tech-edited, professionally published digital forensics book.  

On case studies you may want to use, I am way familiar with police cases, privacy, and legal restrictions on public disemination. I am also aware of public records laws and if you have a case to talk about, I can easily formally receive a copy through public records and be able to talk to you about it without worrying of releasing any information that should not be released.

On research, if you have done some work already, we're glad to incorporate part or whole, as you would like seen in the book.

Our goal is not fame or fortune, but to write the best book on a topic that will be red hot sooner than you think.  But if you want to be famous...get ahold of me. I'll put in you in the book :)

  2345 Hits
  0 Comments

Yes, you can place the suspect behind the keyboard, even if Tor is used.

Earlier this year, I was asked to give a talk to a small group of investigators on putting together a case on anonymous criminals on the Internet.  Right out of the gate, from the back forty (ie..the back of the room), I was told that it can’t be done, that only the NSA can do it, and that this was going to be a waste of time.  No kidding.  I never met that guy before in my life, didn’t even start the talk yet, and he instantly reminded me of someone I worked with before, who was affectionately known, “the dinosaur” before he retired.  Within five minutes, I regretted doing this presentation.

Four hours later, the “dinosaur” apologized to me after I gave a dozen tips to try in his cases and gave a demonstration of how some of them can work in just a few minutes.

I bring this up because I know what this detective has gone through, having been given cases where there is no suspect information, or little-to-no evidence, and even uncooperative victims, yet, it’s your case to work.  After a few years, you either get burned out from failures or you learn to beat the technology by using your brain.

One of the demonstrations I did in the talk was to deanonymize a Tor user.  One person created a Tor account in class and sent me an email.  In 5 minutes, I had her IP address, which was verified as her agency’s IP address.

I didn’t use magic. I didn’t use a top-secret government hack.  And I didn’t disclose something that wasn’t already known how to do.  But what it showed was that it can be done on some occasions, and that it can disclose by physical location of where the suspect’s device was being used at a given time.  The recent FBI case of “booby-trapping” a video is an example of this method.

 

https://motherboard.vice.com/en_us/article/gyyxb3/the-fbi-booby-trapped-a-video-to-catch-a-suspected-tor-sextortionist

I am not the world’s best investigator, or a most famous hacker, or a super-forensic guru.  But I am someone that will chip away at a problem until I crack it open.  I search and experiment and search and experiment until I find something that works.  I quickly toss aside anything that slows me down or leads me in the wrong direction.  I want tools that work as I want them to work because I believe every case can be solved given the right circumstance.

When I wrote Placing the Suspect Behind the Keyboard, I truly meant every word in the book.  You can do it.   You can not only find criminals who are attempting to hide behind technology, but you can tie them to activity on a computing device.  It may take longer than you want, but you can do it, and when you do, the impact on the lives of others is immense.

For anyone thinking that I give away the ‘secrets’ for the world to see, I am not.  The secrets are already out there, except the problem is that only the bad guys know them.  On top of that, you can tell a criminal exactly how you are coming for him, step-by-step, and you will still be able to catch him just as you warned.  Investigative methods work regardless of the preparation to defeat them, as long as you do it right.  Sloppy work doesn’t work.

As the simplest example, I once did a knock-n-talk for a marijuana grow operation with my partner.  I knocked on the door and asked the owner for consent to search. I told the owner that he had the right to refuse consent, right to restrict the scope of a search, and the right to rescind the consent at any time.  He let the two of us in and of course, we found hundreds of marijuana plants.  My point….at the front door on a table was a book on cultivating marijuana, which was laid open to a chapter titled something to the effect of, “When the police ask for consent to search, just say no”.   Either the grower skipped that chapter or didn’t get to it yet, or politely asking for consent worked.  I’ve worked computer cases with the same story, where books on ‘how to get away with computer crime’ didn’t help the criminal.

The Internet is not evil.  Computers are not evil, (except many Artificial Intelligence robots, but that’s another story).  Even the Dark Web is not evil.  However, anything can be used for evil and criminals have exploited everything from a screwdriver to a smart phone for evil.  Your job, and I am sure your personal mission, is to find them.

With technology becoming easier to use every day, including using for bad intent, it is your duty to know how to use the same technology to defeat criminal use of technology.  Crimes will continue as they have for as long as humanity has existed, with the only difference being the tools used.  With the Dark Web, I foresee more cases of kidnappings, rapes, and murders being facilitated in the physical world because of it. 

http://www.thedailybeast.com/the-case-of-the-kidnapped-model-exposes-dark-corners-of-the-deep-web

You can solve these hard to solve crimes.  Trust that you can, because you can.  Here are some of Brett’s Tips:

  1. Don’t quit.
  2. Don’t close a case that should never be closed.
  3. Try and try again.
  4. Learn how you can do something you didn’t know before.
  5. Know that if a device is connected to the Internet, it can be tracked.
  6. Know that if a device has been used to commit a crime, you can tie it to the criminal.
  7. Know that you don’t need superpowers or the Patriot Act to find criminals on the Internet.

I feel so strongly about the importance of this that I wrote two books about it.  I didn’t write the books to be famous, but to give some glimmer of hope for those investigators who only need to see how to do something to make their cases which they didn’t know before. 

For the investigators that would rather listen and watch how it can be done, I created an online course.  I taught the course for a year in rooms full of investigators and solved a few of their cases IN CLASS.  All it takes is a spark to get your brain on the right track at full speed and no brakes.  All it takes is that ‘one thing’.

The course I teach (Placing the Suspect Behind the Keyboard) is expensive when I give it in a classroom ($1895 a person).  It’s less expensive online ($799).  It’s even less expensive when you find and read blog posts like this ($95).  I feel that if you are reading these types of posts on the Internet, you must be looking for something to help close your cases.  That means you have the drive to do better and be better at your job.  And..I want to help.  Imagine spending a few hours to learn something that will affect the rest of your cases for the rest of your career.  

There really isn’t any reason to not learn how to work computer-facilitated cases when $95 can give you a whole box of “one things” to spark your investigations.  If you put forth the effort detailed in my books or courses, you can run circles around your peers and close the hell out of cases.  Who knows, you may even make the news.  More importantly, you may be saving someone's life.  What could be more important?

Use this link to register for Placing the Suspect Behind the Keyboard for $95 instead of the listed price of $799 (books not included in this promo). http://courses.dfironlinetraining.com/placing-the-suspect-behind-the-keyboard?pc=blognb

  2087 Hits
  0 Comments

Placing the Suspect Behind the Camera

*Hint: If the topic of this post is of value to you, there is a special gift at the end of this post that may interest you.

Let’s say you have a digital photo that is evidence in your case, perhaps critical to the case.  The questions: Who took the photo?  How can you prove it?   How can you tie the photo with a camera to the suspect? 

In the context of this blog, a “photo” means an electronic file (image or picture).  But some of what I am talking about can apply to a physical photo that may be pertinent to your case.  This post mainly focuses on child exploitation investigations, but the methods apply to any case where digital photos are evidence in the case (civil, criminal, or an internal corporate matter).  Whether it is a violent crime or stolen Intellectual Property, a picture can be worth a thousand words (or a conviction).  As for the forensic 'how to', I am only writing on the 'what to do'.  Most likely, you already know how to pull EXIF data from a digital photo, from within a forensic image of a hard drive or smartphone.  If you do this job, you probably got that part mastered.  For the part you don't have mastered (analysis and investigation!), this post is to shore that up.

 

Proving who took a photo is no different than proving who was behind a keyboard at a specific point in time.  It takes a critical eye, an analytical mind, and an inquisitive attitude.  Regardless if the camera was a typical digital camera or a smart phone, there are many aspects of looking at the digital photo to place the suspect behind the lens.   Some or all of the following may or may not be available, but if you don’t look, you will not find.

 

 

Proving it

Without direct evidence, it’s all circumstantial.  But with enough circumstantial evidence, it’s enough to prove beyond a reasonable doubt that a specific person committed a specific crime.  Without getting into “what is evidence”, let’s talk about the things you can find out about a photo that can constitute evidence.

First, the easy stuff, like metadata (Exchangable image file format, aka EXIF data). EXIF data is simply information about the photo (digital image) that is embedded in the photo.  EXIF data is easy to pull out and see using forensic software, free software, and even through Windows Explorer.  The type and amount of EXIF data depends on the settings and capabilities of the camera.  For example, one camera may have GPS off by default while another camera has GPS on by default.  Also, a user can turn off GPS from being embedded into photos by choosing the setting to turn it off.  Some cameras may include a serial number or unique ID of the camera as metadata, while other cameras will not.

So, depending on the camera and the user selected settings, you may or may not some or all EXIF data to exam.   Best case scenario, you get it all, or just enough to make your case.  EXIF data is also the second thing to exam with a digital exam as content of the photo is usually most important.  I’ll get into content as well as the EXIF data.

Each item below is relevant to an investigation as a source of evidence, corroboration of evidence, or leads to other evidence.  The more you focus in looking at photos in this manner, you faster you become proficient in finding clues.

Device Used (EXIF data)

Make, Model, Type, Serial Number, Unique ID

If this data exists AND you have the camera, you are way ahead of the game because you have the camera used to take the evidence photo (unless it can be proven otherwise)

Geolocation (EXIF data)

Location of the photo

Having the GPS coordinates allows you to (1) find the location of the crime and (2) corroborate the GPS coordinates by visually inspecting the location to match the photo.   As an example, GPS coordinates pointing to a specific location (such as a house), can be visited and confirmed by matching the photo to the location.

Date/Time Group-DTG (EXIF data)

Date and time of the photo

Important because if you can place the suspect at the location (see geolocation above) at the date and time noted in the EXIF data, you are getting close to tying the camera to the suspect.

Content of the Photo

The content can be (1) a photo of the crime, (2) a crime in and of itself, (3) corroborating evidence, or (4) any or all of these.

Examining the content can corroborate or disprove EXIF data.  For example, if the DTG states December 15, 2016 at 2pm, and the GPS states Alaska, but the content shows a moonlit Hawaii beach, then something is wrong with the EXIF data.  Conversely, if the content matches, such as a bright sunny day with a snow-covered tree in Alaska, then EXIF data is corroborated.

Of course, persons in the photo can be important. Victims, witnesses, and your suspect might be identifiable by visual inspection or facial recognition.

Items in the photo can be important clues.  Electronic devices in a photo of a crime scene that have not been seized might be able to be identified.  Violent crime scenes may show blood spatter that may have been cleaned, or perhaps a rug in the photo is no longer at the scene.  New paint on walls can give some implication that damage (bullet holes?) may have been repaired and repainted over.  Anything that is different from the scene as it sits as you see it compared to a photo taken at the time of a crime is suspicious.

Items that similar to other photos in other cases may be important as well.  Using a tool such as Google’s Bedspread Detector can find items of similarity across other cases.  Perhaps there is a child’s toy that is consistently seen in different photos, which could be an item used by the suspect in a child exploitation case.

Look at every item in a photo for clues.  The content is just as important as the metadata.

Photos recovered from devices or media

Other devices that can be tied to the photo, such as computers, laptops, tablets, etc..

Same photo (by hash) or similar photo by content

Compare photos from recovered devices by hash, EXIF data, and content.   The more devices you can identify, the more chance you have at tying the suspect to one or more of the devices.

Photos recovered from websites

From any website or social media site.

Although the EXIF data of photos is usually removed when uploaded to most social media websites, you still may have some EXIF data on other websites.  Finding an evidence photo on the blog controlled by your suspect is a lead to tying it to your suspect.

Photos downloaded from the Internet

From any website or peer-to-peer connection

If a photo has been downloaded from the Internet, it may be tied to a camera, but, it might not be the camera of your suspect.   However, a photo can be taken with a camera/smartphone with Internet access, in which the photo is uploaded to the cloud, and subsequently downloaded.  An example would be a smartphone photo automatically uploading to a Dropbox account and the subsequently downloaded to the suspect’s Dropbox folder on his/her computer. 

Another example of a download that can be tied to the suspect’s camera is where a WiFi digital camera is synched to a smartphone.  Photos taken with the digital camera are automatically copied to the smartphone, which can then be sent to the cloud to sync with local storage on a computer.  The smartphone and computer will show a “downloaded” photo, but the EXIF data will point to the camera used by the suspect.

The suspect

Location corroborated by additional geolocation intelligence (place the suspect at the scene)

DTG corroborated by additional intelligence (suspected placed at the scene at a specific DTG)

Device corroborated by ownership/possession/control of photo device (who owns the camera)

Fingerprints on devices (in cases where photos are critical, it is critical to fingerprint the cameras)

Statements made by witnesses and the suspect (Claims ownership of the camera, but not the photo as an example)

Other photos taken by the suspect and uploaded (http://www.cameratrace.com/learn-more

Your photos

The photos taken of the crime scene matched against the photos you find

If you have a photo taken by the suspect of the crime scene, take your own photo to replicate the evidence photo at the same DTG.  Place side-by-side to compare.  What is missing?  What is different? What is there now that wasn’t there before. 

Don’t give up and don’t take shortcuts

Child exploitation cases generally have more than one photo and sometimes upwards of tens of thousands of photos (or hundreds of thousands!).  Reviewing every photo is obviously labor intensive, but as one who has identified additional victims, found more evidence by looking, and closed more cases than not, I can say that it pays to look at the content and the EXIF data to the extent possible.

When software tools make it easier to do, use them to the extent they can do the work of many eyes to at least give you a dataset to find more clues and evidence.  It is easy to find evidence when evidence is plentiful, but be sure to corroborate what you find.  If you have GPS data, verify it.  Does the GPS data and photo content match with the physical location? Check Google Maps to confirm, or better yet, visit the location if the photo content is important to the case.

**Update 8/13/2017**

Thanks to Phill Moore for suggesting this great tool for photo forensics

Brett’s Tip

Find one thing in this post to help make a case.  Find closure for victims.  Convict suspects.  Prevent children from becoming victimized.  All you need is one good clue, one good idea, one good lead, one drop of inspiration.  I hope I gave one of these to you, or at a minimum, gave you something to think about that will be helpful in your cases.

Side note

This post was inspired by a conversation I had with perhaps the world’s greatest forensic company working in the field developing tools to do what this post describes.  I also wanted to give a little bit of inspiration to push you into working harder, digging deeper, and thinking cleverly in your cases.  I know you do a great job already, but if you are like me, you want to do better and learn more.

I created an entire online course in this area of investigations in addition to writing two books about it.   And if you are reading this blog, I’ll give you a unique deal on the online course

Use this link to register for Placing the Suspect Behind the Keyboard for $95 instead of the listed price of $799. http://courses.dfironlinetraining.com/placing-the-suspect-behind-the-keyboard?pc=blognb

The books are not included, but you do get the entire 12+ hours of learning to do what can make your cases: Placing the Suspect at the Keyboard.  This discount is steep because the course content is important to the cases that mean everything.  And you are getting it because you read my blog today.  But you may want to hurry, the discount is good only for a few weeks and when the discount link stops working, the discount is over.

 

  2143 Hits
  0 Comments

Bitcoin Forensics

Two books in the works.

In between the adventures in life and work, I have been busy with writing.  One, a fiction book, is expected to be in print next year (all on the publisher's schedule).  It’s an exciting book and sure to grab your attention. More on that sometime later.  The second book is another nonfiction forensics book, Bitcoin Forensics 😊.

There were a few topics I wanted to write about for my next forensic book; however, considering the recent cases involving cryptocurrency, Bitcoin Forensics is at the top of the list.  A couple of points on the book before you make an assumption about what the book is or is not:

1. The book is not anti-cryptocurrency.  In fact, this book is pro-cryptocurrency not only as use as a currency, but as an investigative target for investigators when following the money.

2.The book will not be about only Bitcoin.  The book will cover cryptocurrency in totality of all-the-coins, to include the major coins (Bitcoin, Ethereum, etc…) and the Altcoins.

 

Like my other books, it will be written for the practitioner, the investigator, and the court officer with duties of trying cases involving cryptocurrency.  Our goal is to write a book that you can read and put to use on day-one.  Oh yeah, did I say “our”?  I sure did.  Tim Carver is my co-author.   If you know of Professor Carver, then you know that you will be learning all you need with the investigative aspects of cryptocurrency in your cases.  Additionally, we have a few contributors (and on the lookout for more!) that have either conducted extensive research or have conducted successfully cases with cryptocurrency as a money laundering aspect of their cases.

I have one confession to make.   Some time ago (a few years?), Tim asked for my opinion on cryptocurrency and money laundering with criminals.  At the time, I said that I believe it may be years before the common criminal uses cryptocurrency for money laundering simply because of the technology.  “Blockchain technology” is not something that everyday meth dealers may be knowledgeable about.  The other obstacle I thought was that converting physical cash into digital cash is not that easy.  On the other end of the criminal spectrum is the DTO (drug trafficking organization). The amount of physical cash generated alone is enough to prohibit converting into digital cash.  I just didn't see cryptocurrency being a major criminal investigative aspect.

But here comes 2017...  I’ve seen more than a few cases in the news of BILLIONS of dollars being laundered. On top of that, after doing research on cryptocurrency for over a year (talking to Tim generated an interest to test theories in cryptocurrency) and coincidentally getting a case with cryptocurrency being a central target in the case….I think I was mistaken.  Cryptocurrency has come and will eventually be part of every criminal investigation that has any financial aspect.

So, there you have it.  The inspiration of the book came from Tim Carver calling me to ask my opinion, a year of research afterward, a cryptocurrency case to figure out, and finally me asking Tim to co-author a book on it.

If you have conducted a cryptocurrency case or done research into cryptocurrency, and you want to be in the book as a contributor (named or unnamed), This email address is being protected from spambots. You need JavaScript enabled to view it. right away.   If you want to be a bigger part of the book, that is a possibility as well.  Email me and let’s talk.

Until then, expect the book to be in print (or on your mobile device) in 2018.  Cool book topic, and probably one of the most relevant subjects for the years ahead in forensic investigations, both in the criminal case world and private sector engagements.  Don't believe?  No worries.  You will soon enough, just like I did.

 

 

 

  2006 Hits
  0 Comments

Anonymity: Criminals are only as good as their last mistake

I’m big on privacy, even though I know that practically, the only information that is private today is that which (1) only you know and (2) does not exist anywhere outside your head.  Everything else can be had one way or another, by hook or crook.  Most personal information we willingly give away, such as our date of birth when signing up for “free” online services.  Other personal information we are required to give in order to abide by laws, such as applying for a driver’s license.                         


I’m also big on de-anonymizing criminals.   Supporting privacy efforts while at the same supporting de-anonymization efforts is contradictory, but realty. If you have ever been a victim of a crime where the criminal got away with it, you probably feel the same.  Both aspects contradict each other, where I want to have individual privacy but at the same time, I want to be able to de-anonymize someone who is committing crimes facilitated with technology.  What a dilemma...

I tend to focus on de-anonymization of criminals more since we are on a never-ending trend of breaches, hacks, and theft of personal information, let alone crimes against persons using technology. Two of my books were solely focused on the topic.  During presentations on the subject, I have regularly been questioned on “How do I…” in this case or that case from investigators* looking for the magic bullet.  Given just a 15 second brief of an investigation that has been ongoing for months, my typical answer is – the answer is there, you just have to find it. 

Secret Tip: there is no magic bullet until there is one.

The magic bullet in almost every case is a mistake made by the suspect.  An oversight.  An error.  A bad decision.  Or just plain ignorance.  All on the part of the suspect.  But a mistake by itself is not enough to crack a case.  You, the investigator or the analyst, need to catch that mistake.  You have to look for it constantly.  You have to expect to find where the suspect made the error because if you don’t have the intention to find the criminal’s mistakes, you will not find them.  That is when you find the magic bullet to solve your case, by looking for it and not hoping it drops in your lap.

When you do find the break in an analysis or investigation, everything becomes clear and appears to be such an easy thing that you wonder why you didn’t think of it before.  The fact is, finding the errors is not always simple or easy.  The little mistakes are usually hidden in tons of data and easily overlooked.  Sometimes the answer is plain view and no one sees it. Even when you find the suspect’s mistake, if you do not recognize it for what it is, you will quickly pass it and keep looking without realizing you could have solved your case a few minutes prior.

The steps in finding these mistakes made suspects are:

If you don’t have #1 above, then #2 and #3 won’t matter since you won’t be able to identify the evidence or clues you need.  The first things I do in any case is determine the goal or goals. Sometimes the goal is either dictated by someone else or it is obvious.  If the goal is not dictated or obvious, you have to identify the goal or again, step #1 is useless which renders #2 and #3 just as useless.

When you work with these 3 steps, the 6-Ws naturally come up in the case (the 6-Ws: who, what, when, where, how, why).  You need the above 3 steps as your foundation to actually work a case in order to get to the 6 Ws.  Focus on the 3 and the world is yours.  A tip: not everyone does this.  Many many examiners/investigators/analysts simply collect data without reason other than to collect data with the hope the case solves itself.  Don't be that person.

When I was a new investigator, it seemed that every case I received was like Groundhog Day.  No case was like the last, no evidence was consistent among the cases, and the goals were sporadic (other than “find the bad guy”).  Basically, every day I was starting over as new in each assigned case. In time, I learned a few things from experienced investigators, other things I learned the hard way.   In more than one case, I would be given a hint or a tip that would put me on a path to close a case.  A question as simple as, “Did you try this?” or “Did you look here?” was all I needed to plow ahead.  Sometimes, i would figure out an easy way or more effective means of gathering information and intelligence.  Many training courses focus on the technical means, but not the thinking part.  It's nice to know how to recover deleted event logs, but why? If you don't know why you should do it, you won't get anything out of it because you won't see the clues.

In cases with electronic media, the process is the same as in any investigation you have, whether it is a criminal or civil case (or even an internal corporate matter).  Define the goal so you know what to look for, know where to look, and figure out how to look for it.  Apply this to every case and incident you have and your case closure rates will be much better with less work.

For example, a case involving an unidentified cyber-criminal who is ‘hiding behind the keyboard’ clearly means that the what is anything that ties directly to the criminal.  The specifics of the what is important. The where depends on what you have to work with.  Perhaps you have an email, or network traffic, or maybe even physical media.  Somewhere in that data is the where and you need to know in what part of that data you should be looking.  The how is maybe the easiest part.  Maybe you need to look at metadata, or reverse engineer a file, or simply recover a deleted file.  That’s the manual labor part.  You need to work the brain part first, otherwise the labor will be for nothing.  

Recent cases in the news have shown that this method of investigation works on the most difficult of cases.  I must stress that when you see that a major case was solved by the simple piece of evidence of identifying an email address, that this is not so simple.  Every case has at least one error that was made by the suspect, and to discount looking for that mistake is a mistake on your part.

Any case where the article states that, “Oh, the case was easily solved because the suspect forget his email was in the code” seriously discounts the effort of the investigator who took the time to know what to look for, where to look for it, and how to look for it.  Cold cases are solved the very same way.

It’s not the size of the dog in the fight, but the size of the fight in the dog.

This is what I have been teaching for almost 20 years now.  I believe that anyone from any place in any job with any education level can be a superb investigator.   I have met young investigators from small towns who can run circles around someone with 10 times their experience and education in the largest agencies because they apply the foundation principles of what it takes to solve a case.  Once they learn the how of digital forensics, they are just as effective in the digital world as if they were working a street corner robbery.  It’s not a diploma, or a certificate, or a coin in your pocket that makes you good.  You make yourself good.  If you happen to collect some tokens along the way, add them to a shadow box, but bragging about having certs has no weight if you can't work a case.

Another benefit of getting the investigative skills down is that you can apply it to other areas and other types of cases.  If you have the desire and can finesse the skill, you can run with the big dogs in working any type of case.  I truly mean that in every sense.  My first investigator duties, after being a patrol officer, was a narcotics detective.  I used the skills learned in narcs to solve murders, uncover and disrupt organized crime groups, identify terrorists, and work all types of crimes involving technology.   

Be prepared that when you start solving cases by finding the “easy” things, that those around you will call you names, like lucky or you only solved the case because of a suspect's mistake. Just smile and carry on.  After enough cases, you won’t be called lucky anymore; you will be called good and that is the goal: be good at what you do. 

 

* I use the term “investigator” to apply to anyone who has the job to find information, curate into intelligence, on which assumptions, conclusions, and judgments can be made.  That means a police detective, federal agent, incident responder, or forensic examiner.

 

 

 

 

  1231 Hits
  0 Comments

Placing the Suspect Behind the Keyboard online course

My newest course is out and it is the best course you will find on the topic.  More than 12 hours of investigative methods and effective techniques to build a case against criminals who use technology to commit crimes.  

  • Learn the methods to track criminals online and in the real world
  • Learn the tricks of the trade (tradecraft) of covert communications and breaking those communications
  • Learn how to build a case that would not have been closed without this course
  • Learn the one thingI that will give you the tools to become not only a great forensicator, but someone that can place a suspect behind the keyboard

Placing the Suspect Behind the Keyboard was the first digital forensics book focusing on building a good case on criminals who use technology to commit crimes. This also the first course teaching that specific topic.  My intention with this online course is to put you into the mindset of someone working toward identifying the suspect, gathering evidence on the suspect, and proving allegations against your suspect; in effect, placing the suspect behind the keyboard.


If your career has been like mine, most cases are fairly straightforward. Perhaps a suspect was already identified and most of the evidence already seized.  In many cases, whether it is a criminal arrest or being hired as a private consultant, generally, you start with all you need to begin examining the media.  But if your career is like mine, there have been a few cases where that is simply not the case.  This course is not only for the easy cases, but especially for the tough ones.Holistically, this course covers everything you need, whether working in the private or public sector.  Investigative techniques are discussed for both sectors as many methods can be used in both case types.  A few sections are LE-only simply because citizens cannot wiretap other citizens (as an example), however, you can see the differences between a method used by law enforcement and the private sector.  Practically speaking however, the actual methods are the same.  A forensic analysis of a flash drive in a criminal case is not different than in a civil case, nor are the methods to tie a person to a device different.

This course is not just for the average case, but developed especially to address the difficult cases.

Cases where the suspect has not been identified.  Cases where the electronic evidence has not been seized.  Cases where there are many suspects.  Cases where the evidence linking the suspect to the device or crime is weak at best.  For those cases, you need to take extra measures, think out of the box, and use everything at your disposal.  You have to work at putting the suspect behind the keyboard, because if you don’t, it won’t happen. 

Don’t let your case go to the cold-case files.  Solve it!  This course shows you how to do it.  The books detail even more on how to put cases together, especially the really difficult cases where you have little to go.  As for incident response cases (breaches), this is not a course on mitigating a breach, or tracking hackers in cyberspace.  Although, many of the methods will work for just that.   Incident Response can benefit greatly for the sake of sometimes the suspect in a breach must be caught for a variety of reasons.  This course and books brings it to you.

The Placing the Suspect Behind the Keyboard online course uses the same material as the 2-day workshop with the biggest difference being not working actual cases in class.  As a side note, in a previous class, a suicide case was reopened as a potential homicide case based on course methods in the class!  The methods are proven to work.

FAQ:

Is there a discount for a bulk order?

With 50%, two free books, and free access to the X-Ways Forensics Practitioner's Guide course, there are no bulk discounts.

My agency/company will take a week or two to get approval to pay.  Can the discount be extended?

Send me an email at This email address is being protected from spambots. You need JavaScript enabled to view it. and let me know.  I can extend to get approval, but not for too long.

Will there be another promotion after this one?

Most probably, but it won't be (1) 50% off, and (2) may not include the two books, and (3) most likely won't include access to the X-Ways Forensics Practitioner's Guide course.  This is the best time to get both courses and both books at this price.

  3974 Hits
  0 Comments

The 2 Worst Games to Play in #infosec

The “Hot Potato” Game

The goal of the Hot Potato Game is to simply pass off responsibility to the next person as soon as you can before something bad happens.  When the responsibility lands in your lap again, you pass it to someone else as soon as you can.  Eventually, someone gets caught holding the hot potato and they lose (and you win!!).  A similar version of this game is “Musical Chairs” game or “Kicking the Can Down the Road” game.  By the way, it sucks to lose this game.

I have seen this game played in both the government and the private sector.  Any long-time government employee can point to dozens of managers who are experts at this game.   I believe there are so many experts because it is rare for a government employee to actually suffer when losing this game, which only encourages more people to play and gain experience in tossing the hot potato to the next guy at the table.

In the private sector, losing this game is an entirely different matter, especially when PII or PHI has been stolen.  When that happens, fingers get pointed awfully quick and the government comes in with a hammer to smash as many thumbs as they can find.  Did I mention that losing this game sucks?

  1. The “Are We There Yet” Game

The "Are We There Yet" game is another popular game played in both the public and private sector.  This particular game is also known as “We’ll Cross that Bridge When We Come to It” game.   In this game, you know bad things are coming one day, and you accept that being worry-free today is worth the stress of dealing with an incident tomorrow, because we all know that tomorrow never comes.

I have actually seen budgets with anticipated expenses planned for incidents that could be avoided with preparation and less money.  I guess some organizations believe that if they don’t spend money now on preparation (defense), they may not need it for remediation after a breach, so it may make a better business decision.  This game is also known as “Craps”.

When I consult for corporations and government entities, I always advise to not play these games (in a professional manner rather than saying 'don't play these games').  Fortunately, I find that many organizations are spending money now to prepare rather than hope for the best.  The organizations that want to prepare are doing really good, taking advice, and in some cases, going beyond what is required.  In technical terms, I call this a great job.

I have gotten to the point that when I hear a client choose to play either of these games, I don’t laugh out loud anymore, especially when I hear verbatim, “We’ll cross that bridge when we come to it”.   When I hear that, I usually leave a half dozen business cards…

Hopefully you aren’t forced to play in these games and that when you say that you need money and time to prepare for unexpected breaches, you get it.  This same thing applies to internal employee matters too.  Any organization that haphazardly gives out electronic devices without any controls to employees….is an organization playing the hot potato game.  I tend to believe that with so many attacks, so many breaches, and so many organizations frozen with Ransonware, organizations start to take notice.  It's kind of like everyone in your neighborhood getting burglarized.  You can choose to either hope your house is not burglarized or you can install an alarm, lock your doors and windows, and prepare just in case.

  992 Hits
  0 Comments

The 2 Fastest and Least Expensive Ways to Learn X-Ways Forensics

***4/18/2017***

***UPDATE ON THE PROMO***

This is all you need to know: The X-Ways Forensics Practitioner's Guide online course is still available at only $119 instead of the regular tuition of $599 until April 19.

If you missed the promo for 80% with a FREE copy of the X-Ways Forensics Practitioner's Guide book, you still have time to get 80% off the online course without a free copy of the book.  This is still a great deal off the 12-hour, $599 course at only $119.  There will never be a discount this steep again for this course, so get it while you can, because the time to register is running out.

 

   

XWF Practitioner's Guide Promo Countdown! Wednesday, April 19, 2017 11:59 PM 424 Days XWF Practitioner's Guide Promo Countdown!

 

-------------------------------------------------

My advice to X-Ways Forensics users is to stop thinking you can figure it out by yourself, even if you have been using X-Ways Forensics for any length of time.  There are simply far too many nuances and hidden features that you are missing every time you try to figure it out or use on cases.  If you really want to get down and dirty to learn X-Ways Forensics fast and cheap, here is the ONLY way to do it.

  1. Buy the book (list price is $59.95)
  2. Take the online class (regular price is $599.00)

But, wouldn't you rather want to learn how to use X-Ways Forensics saving even more money?  If so, you want to sign up right now because right now is the biggest discount for the course while getting the most swag! Get up to 80% off the price PLUS a FREE copy of the book and if you act fast enough, be invited to even more FREE trainingFree book offer has expired.

If you register within the next 7 days (April 19), you can get the X-Ways Forensics Practitioner’s Guide online course at 50% off for only $299.  80% off for only $119.

**UPDATE  4/16/2017**

The promo is almost over for the free book...  

 

If you do not receive your 80% promo link via Twitter DM, email at This email address is being protected from spambots. You need JavaScript enabled to view it. and I'll email it to you.

How about even more!  The first 20 registrations will be invited to a live, 2-hr online X-Ways Forensics course with me to demonstrate using X-Ways Forensics as a triage tool and for electronic discovery (this includes using the latest build of the Windows Forensic Environment – WinFE).  These first 25 registations still receive over 12 hours of the online X-Ways Forensics Practitioner's course and a FREE COPY of the book!   The first 20 just filled up the live course, but the promo for up to 80% plus a FREE book is still good.

The course has never been discounted this deep, so this is the best time to take advantage of learning to how you can exploit X-Ways Forensics to its fullest potential, learning from your computer, on your own time, at the lowest price.  

Since 2014, more than 2,000 students have registered and taken my online courses with 24/7 access.  

“It has helped shed lights on things I have missed in the past.”  -student

“I got to say I’m enjoying the videos.” – student

Don't miss the boat!  80% off 12 hours of X-Ways Forensics Practitioner's Guide training plus a FREE COPY of the X-Ways Forensics Practitioner's Guide.  ONLY $119 for the regular $599 tuition with a free copy of the book!

http://bit.ly/xwfpromo80 expired

 

*For outside the USA, only a Kindle version is available as part of this promotion.  Registrations within the USA can choose between print or Kindle.

  2477 Hits
  0 Comments

FREEZE! Busted by the Fridge. The ways that tech influences writing fiction, making movies, and busting criminals.

One interesting investigation I had was that of a murder-for-hire in one city that the suspect used a Google search to find the victim’s home address in another city.  Simple enough crime to plan.  Google the name, find the address, do the hit.  Except in this particular case, although the suspect Googled the correct name, there were two people with the same name in the same city and he picked the wrong one.  I called this case my “Sarah Connor” case.

Fortunately, we intercepted the hit before it happened and prevented a random murder on the wrong person (as well as preventing the murder of the ‘right’ person).  In a basic sense, the suspect used the technology of one of the most advanced computer systems in the world (Google….) to attempt a murder only to choose the wrong name in a Google search hit.  This type of criminal incompetence and carelessness is commonplace.  It is also the way that most get caught. 

On the other end of the spectrum, we have Hollywood’s version of high tech crime fighting.  Minority Report with Tom Cruise showed us that not only can crimes be solved with technology, but that crimes can also be prevented with technology.  As for the technology used in the movie, it could have only been more accurate had a predictive analysis computer system been used in place of the fortune-telling humans (“Precogs”) in a big bathtub.

In a turn-key surveillance system, no person is anonymous.  Whether it is a private business or government agency, no one is immune from potentially being watched, tracked, or reported.  Private businesses use facial recognition for both improving customer service by detecting your mood through facial expressions as well as preventing crime.

“…faces of individuals caught on camera are converted into a biometric template and cross-referenced with a database for a possible match with past shoplifters or known criminals.” https://www.theguardian.com/cities/2016/mar/03/revealed-facial-recognition-software-infiltrating-cities-saks-toronto  

Criminals who try to avoid using technology are severely limited on the type of crimes they can commit.  That’s a good thing.  A drug dealer without a cell phone is like a taxi cab driver without a taxi.  It is part of the business and can be tracked, traced, monitored, intercepted, and forensically examined.  Technology is a natural and required part of any criminal’s operations.  Criminals not using technology are ineffective as criminals, for the most part.

Criminals who try to avoid surveillance technology in public, such as license plate readers and facial recognition are also extremely limited in the crimes they can commit since they would have to remain in their homes to commit crimes outside of public surveillance methods.  Even then, committing a crime in a home is not without the risk of being monitored, either by a government agency, a private corporation, or an electronic device plugged into an outlet.  If you own a Vizio television, consider yourself tracked, hacked, and sold to the highest bidder. http://www.theverge.com/2017/2/7/14527360/vizio-smart-tv-tracking-settlement-disable-settings

From Amazon’s Echo to an Internet-connected fridge, data is collected as it happens, and stored either locally on the device or on a remote server (or both).  Depending on how ‘smart’ a home is, every drop of water usage can be tracked, every door opening logged, and every person entering and leaving the home gets recorded.  This does not even include cell phone use that is tracked within the home by providers.  And the computer use!  The things we do on the computer leave traces not only on the hard drive, but also on the servers we touch with every www typed.  Criminals in their home are no more protected from being discovered than on the street.  This is a good thing.

As to the significance of some of these high tech smart home devices, consider that water usage can give inferences as to what was done in a home, such as cleaning up a crime scene…

 

https://arstechnica.com/tech-policy/2016/12/police-ask-alexa-did-you-witness-a-murder/ 

During all the years of being a detective, I did trash runs.  Lots and lots of trash runs.  I hated the trash runs until I found good evidence.  Garbage smells really bad, especially during the summer.  Digging through garbage bags in a dumpster in the middle of a hot day can make the toughest person gag or puke.  But you can get some really good information on the criminals you seek. Did I mention it can smell really bad?

That is one of the reasons I really enjoyed moving into digital forensics.  Digging through the garbage of data on a hard drive is a lot easier on the nose than digging through a dumpster.  Plus, the information you get is sometimes a lot better than what you can find in a garbage can.  There are exceptions…you won’t find the murder weapon in a folder on the C:/ drive of a hard drive unless the murder weapon was a computer program. 

You would think that with the amount of technology available and already in place that police would be able to uncover more crimes, find more criminals, and be more effective.  When a smart home can email the home owner a photo of someone ringing the doorbell, newer cars come with pre-installed GPS tracking systems, and a fridge can record a live stream of residents in the kitchen, the ease of finding evidence should be easier…right?

Not quite.

That brings us to the biggest hurdle to crime fighting: incompetency and laziness.  Government agencies are not immune to the same human fallacies found elsewhere. There are hard workers in government just as there are hard workers in the private sector.  Same holds true for laziness and incompetence, which criminals take advantage.

In any case where electronic devices are not being seized for examination, evidence is intentionally being left behind.  I am not referring to the electronic devices that are difficult to find, like a camouflaged USB device hidden within a teddy bear. I’m talking about the cell phone sitting on the car seat of the suspect arrested for burglary.  Yes. I’ve seen it happen.  Part of the reason is that unless lead is flying, most criminal cases and dispatched calls are boring to the responding officer.  As an example, with a residential burglary, the suspect is usually gone and the victim is lucky if the officer even tries to recover prints from the scene.  Stolen car?  Oh well. Fill out the report and call your insurance company.

I have been out of police work for about 10 years and I had hoped this lack of urgency in police work has changed.  But apparently not.  I recently helped someone with their stolen purse from a gym.  I got the call first instead of 911, but that’s another story.  Anyway, I showed up to give some guidance and eventually the district officers arrived.  Even after being told that video cameras faced the parking lot, and that the suspect/s went inside another victim’s car, the officers said, “The cameras probably didn’t get it”. The manager of the gym even offered up the video and said the cameras face the victim’s car... but the officers they left without even asking to see the video.  After telling the officers that the suspect/s just used the stolen credit cards in a store less than 5 miles away and that the store surely must have cameras, one of the officers said, “We can’t get much from a store’s security cameras.  You just need to call your bank to cancel your cards.” End result: File a report.  Call the banks. Get a replacement driver’s license.  Yes.  This still happens.  And criminals thrive on it.

The irony with a lack of seizing electronic evidence is that for most of the forensic examiners in law enforcement, they love to dig and dig and dig and dig through data to find the smoking gun.  It is the lifeblood of what they do.  If only the devices were seized and given to them.  Case in point:  I was called to exam a laptop of a missing teenager, six months after she was reported missing.   The detective simply did not put any reliance on a laptop, in which the teenager was religiously using for social media, as a source of important evidence.  The teen’s body was later found buried less than 5 miles from the police department where this detective drank coffee at his desk, with the laptop sitting downstairs in evidence for months.  I would have loved to examine that laptop ON THE SAME DAY the teen was reported missing.  It was virtually useless by the time I got it.

Seeing that tech should make it easier for police work, it should make it easier for writers of fiction.  It doesn’t.  I read (and write) a lot.  Technology can ruin good fiction.  No longer can a fictional criminal live his or her life under the radar.   Even the good guys can’t avoid ‘the radar’.   The Jack Reacher series should have been set in the 80s, because there is no way that Jack Reacher can roam the country without ever ringing some bells in surveillance tracking technology and live only with the technology of a single ATM card.  I was lucky that my undercover work was before the Internet really took off.  Backstopping an ID today requires way more than it did when I was undercover.

Writing fiction set in today requires knowing technology, because any scene that should have technology but doesn’t simply makes that scene unbelievable.  Same with Hollywood. Seriously.  It gets harder and harder to watch a movie that intends to be realistic without realistically using technology.   Show me a movie where no one is texting anywhere in a scene and I’ll show you a movie where technology is selectively ignored for the sake of simplicity at the cost of plausibility.

I can hear it now.  Police work is hard.  It’s not easy to get search warrants.  Not every department has a forensic unit.  We are too busy to solve crimes.  We are short-staffed. We don’t get enough training.  Blah blah blah.  I’ve heard it before and proved it can be done time and time again.  I have always believed that 10% of law enforcement do 90% of the work while 90% of law enforcement try to pawn off the remaining 10% of the work (while fighting over taking credit for it).  If just another 10% of law enforcement suddenly got a sense of urgency to require high tech investigations be a part of every crime scene, we’d reduce crime stats in half and solve twice as many crimes.

Now if only I can find a book or movie that doesn’t pretend technology doesn’t exist..

 

  1464 Hits
  0 Comments

Want to know how to break into DF/IR?

I see the digital forensics training market reaching a saturation point in some aspects.  Most, if not all, forensic software companies provide training, govt agencies provide internal training, individuals provide training, every college looking for a new revenue stream is adding forensic programs for training, and a new forensics book comes out every few weeks or so.  Add that to those who can teach themselves and you have DF/IR training market that is fat.  By the way, if you can teach yourself forensics by gobbling up every crumb you can find, you will have a long career in this field. 

There have been a lot of blog posts, articles, forums, and opinions posted online about how to break into the field of DF/IR.  Here are a few decent links, and of course, a Google search will find dozens more. You will see by the dates that it has been years of the same question being asked...

https://digital-forensics.sans.org/blog/2010/08/20/getting-started-digital-forensics-what-takes/ 
http://www.techrepublic.com/blog/it-security/breaking-into-the-digital-forensics-field-melia-kelleys-path/
https://www.reddit.com/r/computerforensics/comments/1o2s5x/looking_to_get_into_computer_forensics/
http://www.techexams.net/forums/jobs-degrees/99839-looking-enter-into-digital-forensics-field-need-advice.html
http://smarterforensics.com/2016/08/so-you-want-to-break-into-the-field-of-digital-forensics/
https://www.thebalance.com/how-to-become-a-digital-forensic-examiner-974633
https://articles.forensicfocus.com/2011/10/07/advice-for-digital-forensics-job-seekers/

The common theme is asking, "How do I get into digital forensics?" when the better questions to ask are, "Which college program will work best for me?", "Which discplines in DF/IR should I focus on?", "Which programming languages are relevant?", "Which software should I learn?", "What are hiring managers looking for?".  

You won’t usually find this topic constantly being brought up in other career fields. For example, if someone wants to become a doctor, there isn’t much to the answer other than, “go to a medical school.”  If someone wants to become a lawyer, the answer is typically, “to go a law school.”

To become a digital forensics analyst, there isn’t an answer like “go to a digital forensics school” because there are more than a few ways to get into the field depending upon your individual and unique situation.  On top of that, simply getting a degree in digital forensics doesn’t automatically make you qualified.  Many forensic analysts fell into the job while working another job, like a police detective suddenly having to do computer-related crime cases, takes lots of training, and works major cases.  The rest have to fight to get into the job or to at least get through the door.

My brief opinion on getting into the field is that a new person needs one or more (sometimes all) of these:

  • Certs and/or degrees
    • Helps check the boxes on the job application
    • Shows that you sat in a chair and passed tests
    • Shows that you paid lots of money (or may have lots of student loans)
    • Shows that you can complete a system of training/learning
    • Implies you should know what the paper says you should know
  • Experience in a close-enough-related-job
    • Shows that you have been doing the job, or close-enough-related-job
    • Implies that you have competence, since you were being paid
  • Competence
    • Hardest way to get in without something else (experience and/or education)
    • Difficult to get past the application if blindly applying to jobs if you can’t check the required boxes
    • Have to prove yourself beforehand (write a software program, discover something useful for the field, etc...)
    • Nothing is implied, because you need proof of competence.

Each of these require time.  If you want to get into a good digital forensics job within a year, and the only thing you have ever done is read a blog about forensics, then consider that it might not happen as quick as you would like.  If you don’t want to spend any money (on tuition, tools, books, training courses), then you must be able to learn open source forensics…and teach yourself.  Lastly, you need capability.  Not everyone can or wants to spend the time and money to become competent.  You have to put in your dues to get the potential rewards.  If you don't work on being able to do the job, simply wanting to do it is not going to be enough.  A lot of people want to be a cyber hero, but not a lot of people want sacrifice for what it takes to get there.

A brief note about the exceptions and exceptional people: I have met some exceptions to the rules of getting through the DF/IR door. I am referring to those who are mostly self-taught and have no education to speak of (insofar as a technical education).  If you are one of those, then you go through the back door.  You just need to find someone to show you where the back door is.  If you are an exception, that means that you can be given a desk and computer and from Day – One, you can do magic.  If you are not an exception, you will be knocking on the front door.

So, to be able to at least submit an application, get qualified enough to check the boxes.  One of the things I have never understood is that some (many?) jobs require a bachelor’s degree in virtually anything in order to apply for a job that clearly does not require a college education.  If that is the kind of job you want, which is a considerable amount of federal jobs, get the degree or you will not even be able to check the one box that is required to apply, no matter your experience (for exceptions, refer to the previous note). 

On picking a training path, be choosy because it’s not only money you are spending. It is also your time.  I started a college program once, only to quit because I could have taught it since the ‘professor’ never ever never even imaged a hard drive, nor did a forensic exam ever.  It was clearly a new revenue stream for the college.  I’ve taken a few private courses that had the effect of me trying to forget what I learned because so much of it was incorrect or out-of-date.  I’ve been "taught" how to testify in court by someone who never testified in court…or tried a case…or ever practiced law.  Conversely, I have taken some outstanding training, college courses, and attended superb conferences that made all the difference in the world.  The trick is sorting through which is which.  Those are the questions to ask.

Disclaimer: I am but a lowly forensic guy, not the end-all-be-all or know-it-all (I learn something every day).  These are just my opinions.  I have hired and fired employees, passed and failed students, taught and been taught forensics.  But like everyone, experiences, perceptions, education, and opinions vary.

Tags:
  2160 Hits
  0 Comments

Reminder for the last discount for the X-Ways Forensics Practitioner’s Guide Online and On demand course.

If you were thinking of doing it, this is the best time since the $599 online course will only be at a discount of 60% for less than two weeks (until Dec 31, 2016) for only $235.  PLUS, registering before December 31, 2016 gets you a print copy of the book, the X-Ways Forensics Practitioner’s Guide shipped to you. Unfortunately, the book is only included for US/Canada registrants since shipping a book outside the USA or Canada costs more than the book.  Shipping to some countries costs more than the entire X-Ways online course costs.  I’m happy to ship a copy, but the shipping fees must be added.  Best bet is to order a book online that delivers locally without extreme duty fees.

Register with the 60% discount using this URL: 

Just a few notes on the online XWF course based on emails I have received:

Time limit:  You have a year to view the course as often as you want.

Software: Not included.  You don’t need it for the course, but I think you’ll want to have a license.  If you want to know how XWF compares to other tools, you can get 12 hours of instruction showing how it works and much of what it can do.  Once you start using XWF, you’ll begin to see that it can do a lot more than what the manual or any course can teach. 

About forensics: The online course doesn’t teach forensics, except to demonstrate features of XWF.  Don't expect to learn 'what is the registry' in this course.  It's all about X-Ways Forensics, to get you up and running right away.

Competence: If you go through this course (and you have a foundation of digital forensics knowledge), you’ll have enough knowledge to use XWF on a real case.

Students: If your school uses XWF, you’ll be much better off learning XWF online away from class to get the full benefit of using XWF.   School programs can only teach so much with software in courses where they must teach everything.

The book:  Through Dec 31, 2016 the X-Ways Forensics Practitioner’s Guide book (print copy) is included with your tuition (USA/Canada shipping only).   There is no other book on X-Ways Forensics available.  The next edition may not be for another year or two.  Get your copy as part of the course.  The cost savings of a book + 12 hours of X-Ways Forensics training at $235 is the best deal you can find anywhere.

Course updates: The course may be updated throughout the year when XWF has enough smaller updates to add up to a new course or updated lessons.  You get that as part of your registration.  Revisit the course throughout the year, anytime you want, from anywhere online.

XWF as a primary or other forensic tool:  If you currently use or plan to use XWF in your work, get some training.  Either this course or a course from X-Ways AG, or somewhere.  XWF is not a tool for self-learning when you need it for casework tomorrow.  Especially for a primary tool, get some training.  This course gives you the information to use it either as your primary tool or secondary tool.

If you have any questions, hit me up J

This email address is being protected from spambots. You need JavaScript enabled to view it.

 

  2494 Hits
  0 Comments

The most important tool in DFIR that you must have...

One of the workstations I have ranks up there in the clouds insofar as hardware.  You name it, this machine has it.  Lots of it.  Crammed into a huge case with lots of lights and liquid cooling hosing.  I call it the “Monster”.  No matter what I throw at it, it chews it up, spits it out, and smiles asking for more.  Seriously.  It’s a dream machine of a forensic workstation.

One thing about it however is that no matter how fast it is, or how cool it looks, it doesn’t really do forensics.  You see, I have this other little computer (laptop).  It’s really really small and light.  No CD/DVD drive, one USB port, and stuffed with high-speed hardware, but not that you can stuff that much in such a small laptop.  I call this one my “Little Baby”.

When I go somewhere, I take my Little Baby.  It does everything I need for the most part.  I would not want to try to index a terabyte or more to index, or try to do any serious processing with it.   However, this Little Baby does forensics work.  I've done forensic work in the offices of lawyers, in front of judges, and in court.  Each time using my Little Baby (I have a few, but they are all my Little Babies).  

I mean this in the manner that it’s not the machine (such as my Monster or Little Baby), but the examiner, that does the forensic work.  If you forego “processing” and “indexing”, the forensic machine comparisons in speed become irrelevant and everything comes down to the examiner.  I mean everything.  The best examiner can use X-Ways or Encase or FTK or any open source forensic tool on practically ANY computer when it comes down to deep-diving into electronic evidence.  The machine allows the examiner to use a software to access the media.  That’s it.  A million gigs of RAM won’t let you examine the registry any faster than 4GB will.  Your eyes and the stuff between your ears will get the job done.

When I teach forensics, one of the things I try to get across is that it is the person that gets the job done.  Flashing lights are cool on a computer, but if the examiner doesn’t know how (or where) to find evidence on a hard drive, then the flashing lights are not going to help.  If the examiner does not have critical thinking skills to investigate (or now commonly being described as "hunting") threats or evidence, then the tools are useless.

Don’t get me wrong. I like fast machines.  I need fast machines for some work.  But that work isn’t typically “forensics” but rather automated processes like imaging, or indexing, or some specific processing or decryption. That type of work requires computing power to get done.  Once that part is done, it comes down to fingers, eyes, and brain to do the real work.

I’m not advocating to not have a Monster machine or two, but I am advocating to rely on your brain, not the machine to the analysis.

BUT.  There is always an exception to forensic machines.  If you choose to have a RAM-sucking, space-eating, and overly-hungry-system-resource software as your primary forensic software, you are going to need a Monster machine to run it.  And if you expect to take that resource-intensive software outside the lab for use, you’ll need a 15-pound laptop along with a small RAID box to bring along so you can use it.

Be able to do anything you need to do with anything you have at hand at anytime needed. I've been around a lot of people with a lot of excuses ("I can't do this without my particular workstation or my particular software or etc...").  The world of DFIR is similar to the military. Make do with what you got.  Excuses not accepted.

I’m sure Picasso could paint a masterpiece using peanut butter and jelly.   An effective digital forensics analyst could do worse than being able to run a forensic application on a little bitty laptop if she knows what she is doing.  The most important tool in DFIR work?  That's your brain.  Think critically.  Link inferences.  About hardware and software?  Those are just things to let your brain connect to the evidence.  

In short, become a Picasso of forensics.  

  1784 Hits
  0 Comments

Learn by drawing out the experiences of others

I have taught digital forensics at the University of Washington (on and off) for the better part of a decade.  I have also been a guest speaker at several universities for longer than that.  One thing that I learned from the continuing education courses is that most of the students are already working adults with many already working in the IT industry, and I take advantage of their experience by incorporating it into the classroom.

For example, I have had attorneys (prosecutors, public defenders, and civil attorneys), police officers, federal agents, software developers (some were founding members of commonly used software), and a few ‘white hat’ hackers in my courses.  Students who did not fit in any of those categories sat right next to them.
 

Can you imagine what you can learn being a student sitting next to the developer of a major Microsoft program for 10 weeks? Or next to a federal agent who was involved in well-known national security investigations?  Or a homicide detective of a large police department?

That was the benefit to the students: being able to absorb information from fellow students with years, if not decades, of experience.  On the first day of every course, I stress this to the students.  Take advantage of the 10-minute breaks, not by checking your email, but by talking.  Those 10-minutes breaks produce more relevant information than can be gained from a Google search, because you can talk to the people who have done it, do it every day, and want to share.  Rather than 'read' about a case, speak directly with someone who does those cases.

As for me, you better believe I took advantage of the students with experience, all for the betterment of the courses and myself.  In my prior law enforcement career as a city cop, I was a detective that worked undercover and was assigned to state, local, and federal task forces as well as investigated cyber-related crimes that spanned the planet.  I also investigated multi-national organized crime groups (drug trafficking organizations, gun trafficking, outlaw motocycle gangs, street gangs, human trafficking, counterfeit goods, etc…), terrorist cells in the United States, along with a few other crimes that took me across several states.

I give my brief background not to brag, but to show that even with my experience, I gained something from every class from nearly every person and I asked for it directly.  When I found that I had a software developer from a major software company in class, who worked on a program that I use daily…I used him for discussions in class on incorporating that program into forensic analysis reporting and visualization.  Every student in the course may not have recognized the value of speaking with someone instrumental in that one program, but we all learned new ways to use something in forensics that we would not have learned otherwise.  

Courses with law enforcement and attorneys as students also created a great amount of material and discussion based on how they do different aspects of the same job, in their different positions, titles, and agencies.  Hearing from a federal public defender talk about how forensics fits in with her work alongside a prosecutor talking about the same information but applied differently really gives the entire room a wide spectrum of knowledge.  Throwing in the investigator perspective rounds it all out. 

Granted, I’m only talking about continuing education programs.  I’ve taken and spoken at a few college degree programs where the students are students and not yet even in the workforce.  That type of class is an entirely different animal where the instructor had better know what she is talking about.  And yes, I’ve taken courses where a professor had never connected a write-blocker to a hard drive, ever…not in real life or in the classroom…never testified…never created a forensic image…yet teaches the students to do this by reading a book.  That is not the case with most schools, but certainly a few.  

In the course I teach at the University of Washington (I will call it “my” course…), I give students maximum hands-on, maximum time on the keyboard, maximum time working with the tools and maximum real-life information so that they are not only near-competent to competent, but marketable.  I call my course, “Brett’s Digital Forensics Bootcamp” (without the yelling). I don’t like wasting time and I want to teach a course that I wish I could have taken when first starting out.  That means getting your hands on data as much as possible.

One last point about continuing education programs (for higher education courses)

A conversation I had last week about DFIR certifications ended with me talking about continuing education and college degrees as perhaps a better route over certifications for certain people.  For anyone already in the IT field, I find that a continuing education certification from a major university to be ‘better’ than a vendor certification, or if not better, certainly worthwhile.  I say ‘better’ in the sense that most people in IT already have some certs on their resume.  They may not be digital forensics certs, but technology-related certs nonetheless.  Certs also expire, or are discontinued because a business goes out of business or decides to create a new cert.  Having a continuing education cert from the University of Name Your College doesn’t expire, has more clout (or is that now called klout?) through regional accreditation, and is most times considered graduate-level instruction. 

Another benefit of a continuing education course is that since the courses are not vendor specific, the whole gamut of tools can be explored along with the SPECIFICS OF THE JOB.  Vendor courses focus so much on the sale and function of their tool, little time is left to the other aspects of the job that are just as important, if not more important.  I’ve taken well over a dozen vendor courses and I cannot remember any of the courses teaching forensics, other than what their tool does for forensics.

Not knowing how to collect, analize, and present defensible evidence effectively makes the examiner ineffective, incompetent, and can ruin a case.  Especially when someone has not been taught "what is evidence", finding the elusive evidence is near impossible if you don't know what it is.  Even police officers must know the elements of a crime in order to know what a crime looks like.

Yes, you must know how software works, but you also must know the job.  It’s like driving.  You may know how to drive a car, but if you don’t know the rules of the road, you will end up getting ticketed or worse.

  1825 Hits
  0 Comments