The most important tool in DFIR that you must have...

One of the workstations I have ranks up there in the clouds insofar as hardware.  You name it, this machine has it.  Lots of it.  Crammed into a huge case with lots of lights and liquid cooling hosing.  I call it the “Monster”.  No matter what I throw at it, it chews it up, spits it out, and smiles asking for more.  Seriously.  It’s a dream machine of a forensic workstation.

One thing about it however is that no matter how fast it is, or how cool it looks, it doesn’t really do forensics.  You see, I have this other little computer (laptop).  It’s really really small and light.  No CD/DVD drive, one USB port, and stuffed with high-speed hardware, but not that you can stuff that much in such a small laptop.  I call this one my “Little Baby”.

When I go somewhere, I take my Little Baby.  It does everything I need for the most part.  I would not want to try to index a terabyte or more to index, or try to do any serious processing with it.   However, this Little Baby does forensics work.  I've done forensic work in the offices of lawyers, in front of judges, and in court.  Each time using my Little Baby (I have a few, but they are all my Little Babies).  

I mean this in the manner that it’s not the machine (such as my Monster or Little Baby), but the examiner, that does the forensic work.  If you forego “processing” and “indexing”, the forensic machine comparisons in speed become irrelevant and everything comes down to the examiner.  I mean everything.  The best examiner can use X-Ways or Encase or FTK or any open source forensic tool on practically ANY computer when it comes down to deep-diving into electronic evidence.  The machine allows the examiner to use a software to access the media.  That’s it.  A million gigs of RAM won’t let you examine the registry any faster than 4GB will.  Your eyes and the stuff between your ears will get the job done.

When I teach forensics, one of the things I try to get across is that it is the person that gets the job done.  Flashing lights are cool on a computer, but if the examiner doesn’t know how (or where) to find evidence on a hard drive, then the flashing lights are not going to help.  If the examiner does not have critical thinking skills to investigate (or now commonly being described as "hunting") threats or evidence, then the tools are useless.

Don’t get me wrong. I like fast machines.  I need fast machines for some work.  But that work isn’t typically “forensics” but rather automated processes like imaging, or indexing, or some specific processing or decryption. That type of work requires computing power to get done.  Once that part is done, it comes down to fingers, eyes, and brain to do the real work.

I’m not advocating to not have a Monster machine or two, but I am advocating to rely on your brain, not the machine to the analysis.

BUT.  There is always an exception to forensic machines.  If you choose to have a RAM-sucking, space-eating, and overly-hungry-system-resource software as your primary forensic software, you are going to need a Monster machine to run it.  And if you expect to take that resource-intensive software outside the lab for use, you’ll need a 15-pound laptop along with a small RAID box to bring along so you can use it.

Be able to do anything you need to do with anything you have at hand at anytime needed. I've been around a lot of people with a lot of excuses ("I can't do this without my particular workstation or my particular software or etc...").  The world of DFIR is similar to the military. Make do with what you got.  Excuses not accepted.

I’m sure Picasso could paint a masterpiece using peanut butter and jelly.   An effective digital forensics analyst could do worse than being able to run a forensic application on a little bitty laptop if she knows what she is doing.  The most important tool in DFIR work?  That's your brain.  Think critically.  Link inferences.  About hardware and software?  Those are just things to let your brain connect to the evidence.  

In short, become a Picasso of forensics.  

Rate this blog entry:
1
Brett's opinion on writing a DFIR book
Learn by drawing out the experiences of others
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Saturday, 18 November 2017
If you'd like to register, please fill in the username, password and name fields.