Learn by drawing out the experiences of others

I have taught digital forensics at the University of Washington (on and off) for the better part of a decade.  I have also been a guest speaker at several universities for longer than that.  One thing that I learned from the continuing education courses is that most of the students are already working adults with many already working in the IT industry, and I take advantage of their experience by incorporating it into the classroom.

For example, I have had attorneys (prosecutors, public defenders, and civil attorneys), police officers, federal agents, software developers (some were founding members of commonly used software), and a few ‘white hat’ hackers in my courses.  Students who did not fit in any of those categories sat right next to them.
 

Can you imagine what you can learn being a student sitting next to the developer of a major Microsoft program for 10 weeks? Or next to a federal agent who was involved in well-known national security investigations?  Or a homicide detective of a large police department?

That was the benefit to the students: being able to absorb information from fellow students with years, if not decades, of experience.  On the first day of every course, I stress this to the students.  Take advantage of the 10-minute breaks, not by checking your email, but by talking.  Those 10-minutes breaks produce more relevant information than can be gained from a Google search, because you can talk to the people who have done it, do it every day, and want to share.  Rather than 'read' about a case, speak directly with someone who does those cases.

As for me, you better believe I took advantage of the students with experience, all for the betterment of the courses and myself.  In my prior law enforcement career as a city cop, I was a detective that worked undercover and was assigned to state, local, and federal task forces as well as investigated cyber-related crimes that spanned the planet.  I also investigated multi-national organized crime groups (drug trafficking organizations, gun trafficking, outlaw motocycle gangs, street gangs, human trafficking, counterfeit goods, etc…), terrorist cells in the United States, along with a few other crimes that took me across several states.

I give my brief background not to brag, but to show that even with my experience, I gained something from every class from nearly every person and I asked for it directly.  When I found that I had a software developer from a major software company in class, who worked on a program that I use daily…I used him for discussions in class on incorporating that program into forensic analysis reporting and visualization.  Every student in the course may not have recognized the value of speaking with someone instrumental in that one program, but we all learned new ways to use something in forensics that we would not have learned otherwise.  

Courses with law enforcement and attorneys as students also created a great amount of material and discussion based on how they do different aspects of the same job, in their different positions, titles, and agencies.  Hearing from a federal public defender talk about how forensics fits in with her work alongside a prosecutor talking about the same information but applied differently really gives the entire room a wide spectrum of knowledge.  Throwing in the investigator perspective rounds it all out. 

Granted, I’m only talking about continuing education programs.  I’ve taken and spoken at a few college degree programs where the students are students and not yet even in the workforce.  That type of class is an entirely different animal where the instructor had better know what she is talking about.  And yes, I’ve taken courses where a professor had never connected a write-blocker to a hard drive, ever…not in real life or in the classroom…never testified…never created a forensic image…yet teaches the students to do this by reading a book.  That is not the case with most schools, but certainly a few.  

In the course I teach at the University of Washington (I will call it “my” course…), I give students maximum hands-on, maximum time on the keyboard, maximum time working with the tools and maximum real-life information so that they are not only near-competent to competent, but marketable.  I call my course, “Brett’s Digital Forensics Bootcamp” (without the yelling). I don’t like wasting time and I want to teach a course that I wish I could have taken when first starting out.  That means getting your hands on data as much as possible.

One last point about continuing education programs (for higher education courses)

A conversation I had last week about DFIR certifications ended with me talking about continuing education and college degrees as perhaps a better route over certifications for certain people.  For anyone already in the IT field, I find that a continuing education certification from a major university to be ‘better’ than a vendor certification, or if not better, certainly worthwhile.  I say ‘better’ in the sense that most people in IT already have some certs on their resume.  They may not be digital forensics certs, but technology-related certs nonetheless.  Certs also expire, or are discontinued because a business goes out of business or decides to create a new cert.  Having a continuing education cert from the University of Name Your College doesn’t expire, has more clout (or is that now called klout?) through regional accreditation, and is most times considered graduate-level instruction. 

Another benefit of a continuing education course is that since the courses are not vendor specific, the whole gamut of tools can be explored along with the SPECIFICS OF THE JOB.  Vendor courses focus so much on the sale and function of their tool, little time is left to the other aspects of the job that are just as important, if not more important.  I’ve taken well over a dozen vendor courses and I cannot remember any of the courses teaching forensics, other than what their tool does for forensics.

Not knowing how to collect, analize, and present defensible evidence effectively makes the examiner ineffective, incompetent, and can ruin a case.  Especially when someone has not been taught "what is evidence", finding the elusive evidence is near impossible if you don't know what it is.  Even police officers must know the elements of a crime in order to know what a crime looks like.

Yes, you must know how software works, but you also must know the job.  It’s like driving.  You may know how to drive a car, but if you don’t know the rules of the road, you will end up getting ticketed or worse.

1038 Hits

Never a shortage of examples

I have given 20 presentations this year and that was only in the first half of 2016 (although, I have not scheduled anything for the remainder of the year to finish some projects).

In each of the presentations, whether the attendees were parents, children, law enforcement, or digital forensics analysts, I have always been able to give really good examples of compromises.  On the day of the presentation or day before, I search for a recent breach and will most always find a good one.  If I search a day after the presentation, I sometimes find a new breach that would have also been a good example of a hacking incident.

So for the cybercrime preventation talks, I tell everyone that anyone can be a victim no matter what you do.  Sometimes you are specifically targeted and other times, you fall into a group of victims from a third party breach.  And the more 'third party' accounts you have, the more risk of having your personal data exposed.  For example, if you have a T-Mobile phone, Premera for health insurance, applied for a government security clearance, shop at Home Depot, and ate at Wendy's, you potentially have had your personal data or credit card information compromised five times by doing absolutely nothing wrong.

If you are targeted, even if you do everything right, you can have your personal information breached.  This applies even to CEOs, like the CEO of Twitter....and Facebook...and the CIA...Most likely, as the Internet of Things heat up and everything gets connected to the Internet, our risk will skyrocket to the point that the only people who don't have their personal information compromised are have been living on a mountain all their lives...with no electricity...and no credit cards...or car...or phone...  For the rest of us, it is probably just a matter of time.    As for me...my ID has been stolen once and I seem to get notice letters from services about a new breach on a regular basis. The good news is that I always have plenty of great examples to talk about.

 

719 Hits

When everyone's talking about it

When everyone's talking about it

The King County Library System asked me to present on cyber safety topics in a very neat program they have (“When everyone’s talking about it..”).  I have been giving two separate, but related presentations and both have been well-received by those who have attended.  Mine is but a small part of the KCLS program.  I have even attended presentations that I had interest  (like the presentation on drones!).  

For the most part, I have skipped over the basics in my presentations. There really isn’t much need to talk about “what is email” or “the Internet is a bunch of computers connected together”.  We all know that kind of information.  Rather, I have been giving practical advice on what to do right now to reduce the risk of having your devices compromised by hackers and reducing the risk of predators accessing your children online.  Every bit of information I talk about is real time applicable, from reducing your digital footprint to surfing the Internet while maintaining your privacy.  I even show how to use the Tor Browser and encrypted email!

In every presentation, I am seeing parents take notes furiously, ask serious questions, and show a genuine interest in online safety for their families and themselves.  For me, this is easy stuff.  I have already raised two kids in the digital age of Facebook and cell phones (hint: they survived, but still not easy).  And I have investigated cybercriminals (hackers, child pornographers, and others who have used technology to commit crimes).  That is the biggest benefit to attendees I try to give.  Cram as much pertinent information from what I know into an afternoon or evening presentation that can be put to use right away.  Free to anyone.

This is one of the few presentations you can step out the door and put the information to use before you get home.

But if you think this is just another Internet safety program, you are mistaken.  I go through how to use social media to help get (or keep) a job, get into (or prevent getting kicked out) of school for families and individuals, and reduce the risk of cyberbullying.  I show how easy it is for anyone to be a victim by clicking the wrong link or opening the wrong email along with ways to identify the dangerous links and emails. The term "Third party provider" takes on a whole new meaning to attendees when they are shown the ways their personally identifiable information (PII) can be stolen when stored on third party service providers such as their health insurance company or a toy company.

Most importantly, I answer tough questions. Although I give some guidance on creating family rules and personal use of technology, I leave it up to the invididual and family to decide what is appropriate. My guidance is to show how to create rules on the foundation of safety. Everything else is up to personal morals and values.

I’d like to credit the King County Library System for adding these presentations to their program this year because cyber safety is probably one of the most important topics today.   Everything comes down to cyber.  Whether it is personal information being leaked or hacked online or a child being lured from home, cyber is serious.  You can use technology safely and still enjoy the benefits but to ignore safety is like betting the farm on the Roulette wheel.  You never know when your number will come up, but when it does, it will hurt and hurt for a long time.

As far as this program (When everyone's talking about it) goes, KCLS nailed it.  I have organized more than a dozen training events and several conferences over the past decade.  I know exactly the effort needed to put something like this together and KCLS did it right.  If you are in King County, Washington, you really should check out the programs.  They do a fantastic job at a price you can't beat anywhere.  

As for me, I only have two more talks left.  All you need to do is show up.  No RSVP.  No charge.  Free parking.

Again, kudos to KCLS for putting this great program together.  Let's do it again next year.

----------------------------------My next talks----------------------------------

Cell Phones in the Family

Woodmont Library

26809 Pacific Hwy S, Des Moines, WA 98198

April 30, 2016      2PM – 3:30PM

 

Cell Phones in the Family

Newport Way Library

14250 SE Newport Way, Bellevue, WA 98006

June 23, 2016       7PM – 8:30PM

1217 Hits

I had a blast presenting for ICAC at Microsot

I had a blast presenting for ICAC at Microsot
b2ap3_thumbnail_ICAC.JPGI gave two presentations today at the NW ICAC conference hosted by Microsoft in Redmond, Washington on the same topic in two parts. I met some great folks in the field doing so really awesome work to protect children. Plus, I got to see some people that I have not seen in a long time. All the sponsors set up a great conference with Microsoft providing the venue. I was only there for the first day and I'm sure the next two days will be just as beneficial to attendees. b2ap3_thumbnail_book4.jpgThe first presentation (Part 1) was a broad overview of my first book, Placing the Suspect Behind the Keyboard. My primary goal was to give a ton of investigative tips in hopes that at least one will be able to save investigators hours (or weeks or months) of labor in their cases. I flew through the material like a firefighter putting out a house fire to make sure enough tips were given to fit as many investigators needed in their specific cases. Definitely covered a lot of ground in a short amount of time. Reading my book covers a lot more, but this was fun. http://brettshavers.cc/images/articleimages/book3.jpg      b2ap3_thumbnail_book3.jpgThe second presentation (Part 2) was a brief intro to one chapter in my upcoming third book, Hiding Behind the Keyboard. Probably the best tips came from how to identify Tor users along with how to explain Tor to the layperson, which is sometimes one of the hardest things to do in a courtroom setting. Both Part 1 and Part 2 presentations are independent of each other but the information is complimentary just like both books are. 

 If you are in law enforcement and would like a copy of both presentations, you can download them here for the next month or so before I update the presentations:

 

Placing the Suspect Behind the Keyboard-ICAC.  

Send me a message after you download the file and I'll e-mail you the password (the slidedeck will be available for short time).

762 Hits

Talking about XWF in the CTIN Digital Forensics Conference

XWF was presented in two sessions of the 2013 CTIN Digital Forensics Conference.  Pete Donnell of the Washington AG Office spoke on XWF Basics and I spoke on XWF Advanced Tips.  There was more than one person that decided to now use XWF as a bigger part of their forensic tools set.

You can see the XWF Advanced slidedeck here:  XWF
569 Hits

WinFE Presentation

I'll be giving a presentation at the CTIN Conference in Seattle, March 2013 on forensic boot systems (Linux), with a strong emphasis on WinFE.   I'll be showing off Colin's light WinFE, WinBuilder's build, and Troy Larson's original build.  Hope to see you there.
602 Hits