Forensic 4:cast awards.... VOTE FOR MY BOOK!! (pretty please)

I am humbled again as my book, Hiding Behind the Keyboard, has been nominated for the Forensic 4:cast Digital Forensic Book of the Year.  It would be my honor if you would vote for the book.

The two competing books are also great books, but this one is mine :)

I wrote this book primarily as a follow up to my first book, Placing the Suspect Behind the Keyboard, adding more topics and material.  John Bair of the Tacoma Police Department helped immensely with the mobile forensic material, on which he is an amazing expert.

For both Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard, the intention is to put the reader into the mindset of a detective in order to close a case.  “Closing a case” means to thoroughly

  • investigate (both in the physical world and the digital world)
  • find and evaluate evidence
  • put together inferences
  • draw reasonable suspicions and conclusions
  • eliminate potential suspects
  • identify the real criminals, and
  • build such a great case that the defense chokes on the evidence

In short, the books are intended to show how an investigator can make a case and close it.  In both books, I have practically littered the pages with tips and tricks of the trade gained from personal experience and the experiences of the fantastic investigators I have been paired up with, from small state task forces to many federal task forces. Most of what I learned, I learned the hard way, fought through it, and kept improving on each investigation.  These books give the good stuff up front, the time saving tips spread throughout, and no nonsense in how to physically do the job.  If you work cases, I wrote the book for you.

If you investigate crimes (including civil matters, like corporate issues), you will find more than enough nuggets of gold to make your cases easier and more solid.  That was the intent of what I wrote, for you to close cases and put the criminal behind bars.

By the way, if you don't do real investigations, but write about them in fiction work...you'll find some pretty neat information on the way cyber (forensic) investigations work on the street.

Be sure to vote before May 31, 2017.  I would be grateful for your time to cast your vote and again, humbled even at the nomination.  Note...you don't have to have bought the book to vote for it.   If you agree with the purpose of the book, your vote is most welcome.  You can even leave the entire voting selections empty except for the one best book category and just vote for my book. That would make me happy :)

Reviewing a tech book technically makes you a peer reviewer…

If you have been in the digital forensics world for more than a day, then you know about peer reviews of analysis reports.  If you have ‘only’ been doing IR work where forensics isn't the main point (as in taking evidence collection all the way to court), then you may not be reading reports of opposing experts.  Anyway, the opposing expert peer review is one of the scariest reviews of all, since the reader (again, the opposing expert) tries to find holes in your work.  The peer review is so effective at pushing toward doing a good job that I think it prevents errors by the examiner more than it helps opposing experts find errors of the examiner.  Peer reviews take different shapes depending on where they are being done (review of a book draft, review of a report, etc...) but in general, a peer review is checking the accuracy of the written words.

Academia has always been under the constant worry of peer reviews.  One professor's journal article may be peer reviewed by dozens of other professors in the same field, with the end result being seen by the public, whether good or bad. Peer reviews are scary, not because you made a mistake, but because you may have missed something important that someone else points out to you.

If you read a tech book and write a review of it (formally in an essay/journal, or informally on social media), consider yourself a peer reviewer of tech writings.  That which you say, based on what you read, is a peer review of that material.  Think about that for a second.  If you are in the field of the book you are reviewing, you practically are tech reviewing that book for accuracy (so make sure you are correct!).  That is a good thing for you as it boosts your experience in the field.  Always be the expert on the stand who can say, “I’ve read x number of forensic books and have given x number of peer reviews on social media, Amazon, essays, etc….”.  If nothing else, this shows that you do more than just read books.  You read for accuracy and give public review of your findings. Nice.

There is some stress in writing a peer review because you have to be correct in your claims.  Sure, maybe some things in the book could have been done a different way, but was it the wrong way?  The manner in which you come across in a peer review is important too.  Being crass and rude really doesn't make you look great on the stand if you slam a book or paper.  You can get the point across just as well by being professional.

Writing books takes no back seat to peer review stress, especially when it comes to technical books.  Not only does the grammar get combed by reviewers, but the actual technical details get sliced and diced.  Was the information correct? Was it current and up-to-date?  Is there any other information that negates what was written in the book?

So, to get any positive reviews makes for a good day.  Not for the sake of ego, but for the sake of having done it right so others can benefit from the information.  Writing is certainly not about making money as much as it is putting yourself out there to share what you have learned at the risk of having your work examined under a microscope by an unhappy camper.

Which brings me to my latest reviews for Hiding Behind the Keyboard.  This is my third tech book (more to come in both nonfiction and fiction) and with each book, I have always cautiously looked at the Amazon book reviews.  Not that I have written anything inaccurate, inappropriate, or misleading, but that I just want to have written something useful in a topic that I wish existed when I started out in the digital forensics field.  My best analogy of what it is like to write a book is to walk outside to your mailbox nude and then check Facebook to see what people say about you…then do it again.  At least I don't have a Facebook account...

So far, the reviews for my latest book show that I did a good job (my gratitude to the reviewers).

And that brings me to another point of this post.

One of the social media reviewers is actually in a case study in the book.  Higinio Ochoa read and reviewed my book in a Tweet (as seen below).

You will have to check the Internet to get Hig’s story, or read it in my book…  Suffice to say he was a hacker who was caught, and then ended up as one of the case studies in my book.  Positive reviews from forensic experts are great, but so are reviews from former hackers who can double-validate the work.  Like I said, it takes a lot of guts to write a book and almost as much guts to peer review it in public.  That’s what we are doing when we write a review of a tech book.  We are all peer reviewers.

Dude, just write the book.

I had a discussion with a peer of mine about writing a book; my peer has been thinking of writing a book but never gets around to doing it.  After about two years of listening to how he should write his book, my response was “Dude, stop talking about it and write the darn book.”

His book idea is a nonfiction technical book and is about **secret topic** (of course I’m not leaking the topic or title!).  He is an expert, or at least knows a heck of a lot more about the topic than I do.  I would buy the book tomorrow.  I even said that if he had written this book when he first told me about it, we’d be talking about the next edition and I would have already bought the first edition.  “Dude, you’re two years and two editions behind now!”

Which brings me to my point. Years ago, I said the same thing.  “Hey, I think I could write a book.” I said it to a few people and one of the guys told me, “Dude, just write the darn book.” And so I did.  Three times already. Started a fourth. Plans for a fifth.  All from one person telling me to stop talking about it and write the book.  I took the suggestion to heart because he had already published several books himself. Thanks HC.

Fair warning: It’s not easy.

If you can get a contract, you’ll have deadlines to meet, standards to keep up, and demands placed on you by the publisher. Worse yet, if you don’t have a contract and want to self-publish, you have to place those same demands on yourself.

So now you know the secret. Just write the darn thing.

Books written by practitioners are many times better than those written by those who 'never done it'

Many of the Syngress-published books I’ve read are written by people simply writing about how they do their job…while they are doing their job.   They are probably not writing while they are physically doing their work, but you know what I mean.

With my first book, Placing the Suspect Behind the Keyboard, I was consulting on a criminal cyber harassment case, two arson cases, and several civil litigation projects. In three of the cases during writing the book, the main goal was identifying users behind the keyboard (in one case, behind a mobile device).  In addition to doing what I knew from my law enforcement detective days, I conferred with experts for tips and tricks on tracking Internet users.  I was writing the book while doing the work.

My current book, Hiding Behind the Keyboard, was virtually the same, though this time with a co-author (John Bair). While writing the book, there were multiple interruptions of having to do work in the real world outside of typing and testing theories. While John was working homicides and examining mobile devices in those cases, I was consulting on employee matters where unidentified employees were creating havoc with their company by being anonymous online. It is one thing to create a perfect scenario to test a theory and quite another to have actual evidence on an active case.  Again, this was another book of authors writing what they do on a daily basis.

I write about this only because I remind myself regularly of college courses I have taken in digital forensics where the required books not only cost an arm and a leg, but were written by academia, not active practitioners.  I’ve even taken a computer forensics course from a community college where the professor had not done one forensic exam…not a single one.  The professor did not even know how to connect a hardware write-blocker to a hard drive. I kid you not.  

I’m not a Syngress employee, but I do like their books. The cost may seem high for some of the books, but it is still about half the price of a college text in the same subject matter.  But the biggest difference is how the books read. I so much prefer reading a book that simply says, “This is how you do it in the real world”. I do not prefer books that speak in terms of an idealized theory.  Reminds me of my Field Training Officers in patrol telling me to forget what I learned at the academy because they were going to teach me what works on the street, in real life.  The thing I like best about the Syngress books is that I can read what the experts are using day-to-day in their own words.

And year after year, I check to see the new titles that come out and hope that Syngress changes their book covers from the previous year.  This year, there are more than a few titles that I have already pre-ordered and will have on hand for the next conference to have signed by the authors.  The cover design change was probably a bit overdue, but I'm glad it has changed.

The discounts are nice too when you have more than a few books you want to buy...

The best part of writing a book is finishing the book.

I chose the title of my latest book (Hiding Behind the Keyboard) to be provocative, although the book may not completely be what you would expect if you think that it is a manual to hide yourself on the Internet. Being from Syngress, this is technically a technical book in that it discusses how to uncover covert communications using forensic analysis and traditional investigative methods.

The targeted audience is those charged with finding the secret (and sometimes encrypted) communications of criminals and terrorists.  Whether the communications are conducted through e-mail, chat, forums, or electronic dead drops, there are methods to find the communications to identify and prevent crimes.

For the investigators, before you get uptight that the book gives away secrets, keep in mind that no matter how many “secrets” are known by criminals or terrorists, you can still catch them using the same methods regardless of how much effort criminals put into not getting caught.

As one example, one of the cases I had years ago as a narcotics detective was an anonymous complaint of a large, indoor marijuana grow operation.  Two plainclothes detectives and I knocked on the door and politely asked for consent to search the home for a marijuana grow.  I told the owner that he didn’t have to give consent, or let us in, and could refuse consent at any time.  He gave consent and we found hundreds of marijuana plants growing in the house.  The point of this story is that on a table near the front door was a book on how to grow marijuana, opened to the page that said “when the cops come to your door for consent, say NO!”.  He had the book that advised against exactly what he did anyway.

The point being, even when knowing how to commit crimes, criminals are still caught and terrorist plots are still stopped. The more important aspect is that investigators need to know as much as they can and this requires training, education, and books like Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard.

I had help with this book with early reviews, suggestions, recommendations, and co-authoring.  Most of what is in the book, I’ve done or helped others do. Some things work sometimes, other things work other times, and nothing works all the time. But having a toolbox to choose from gives you choices of methods that can fit individual cases.

As a side note, many of the methods can work in civil litigation depending upon cooperation and legal authority. For example, use of the Tor browser in a corporate espionage or employee IP theft case can make a huge difference in the direction a forensic analysis takes.

For anyone going to Las Vegas for the Enfuse conference, I’ll be presenting on this book and look forward to meeting you there (please say hi).

You can order Hiding Behind the Keyboard here:

Book Review: Windows Forensic Analysis Toolkit, 4th Edition

I’ve been waiting until I received the hard copy of this book to write the review. I had the fortune of being the tech editor for this book and enjoyed every minute of it. Although I do not have an ongoing financial interest in this book, I do have a vested personal interest based on the reasons Harlan Carvey lays out in many chapters. I’ll get to my personal interest later in this review.  Also, Harlan has a post on updated book contents here: http://regripper.wordpress.com/2014/04/14/regripper-download-2/

Without reading any reviews, those analysts who buy Harlan’s books will keep buying his books with the full expectation of having a well-written (as in easy-to-read) book on Windows OS forensics. There is no need to read any further in this review if you fit in this category. This is Harlan’s new book. That is all you really need to know. But if you just want my opinion, read on…

The topics in the 4th Edition of WFA are all eye-catching. Volume shadow copies, file analysis, registry, malware, timelines, tracking user activity, and more.   Every topic detailed in the chapters is relevant to anyone who examines a Windows system. The difference between Harlan’s books and others is the guidance given. For example, rather than reading a discourse on some technology, Harlan gives practical advice, suggestions, and real-life stories that relate to the points in the book. Since we have all made mistakes (or will make mistakes, or have made mistakes but just don’t know it yet), having guidance that reduces mistakes in the way of stories and plain talk is well worthwhile to read.

The book has too much information to be covered in a review. There is more information on accessing volume shadow copies using several different methods than I want to review. The same can be said for file analysis, registry analysis, timelines, and every other topic. Harlan gives several options to accomplish the same task, using different software.   Although I wrote a book on one piece of software (the X-Ways Practitioner's Guide), I obviously use more than just one tool. Any forensic book, other than a manual or software guide, that does not give options with various types of software does not give the reader options to solve problems.

Another facet of Harlan’s book is his never-ending harping on asking everyone to ‘share information’. That sentence may sound negative, but truthfully, I don’t know how Harlan has had the energy to push the sharing of information for so long. The book is sprinkled with this tone and I echo the importance of sharing information. I did my best to keep up with Harlan’s book as I tech edited it, working through his suggestions. Some of the methods he wrote about were new to me, and I would not have found them on my own without happening upon the method in a blog...maybe.

Those examiners who conduct investigations, not just an analysis of a machine, will enjoy the guidance on tracking user activity, writing reports, drawing conclusions, correlating data, and making inferences.  Those topics are my personal favorites.

Harlan writes in this book that sharing helps us to know what is possible. That makes sense, because how can you know what you don’t know?

I can say unequivocally that writing a digital forensics book is primarily, if not solely, to share information. Few (no one?) gets rich writing a computer technical book in the niche of digital forensics. The market for a digital forensic book is probably a fraction of a fraction of a fraction when compared to a Tom Clancy or JK Rowling book. With that, consider that when Harlan says he writes to share, he really means that he writes to share, just like all other forensic book writers.

The personal risk to sharing, which everyone knows, is that you could be totally wrong, slightly inaccurate, poorly written, disproved later, or maybe you “discovered” something that everyone else already knew. This risk of sharing keeps the majority of examiners quiet and makes it seem that there are only a few examiners that share information. That is why we see the same names popping up online and at conferences through the years. But in the audiences listening to these same names, there are smarter people, better examiners, and great investigators. They just don’t speak up or share information.  (nudge...nudge...feel free to share...no one will bite you).

That is one of Harlan’s premises for continuing to share, and he reiterates it in the book, on his blog, and when he speaks. We all get ‘smarter’ when we share. None of us move forward when we don’t share.   To share is to take a risk of being wrong and embarrassed. Worse still is the fear of being wrong and getting attacked online. However, for all those that share, either by asking questions, giving suggestions, or describing methods you have created or use, my hat goes off to you. It takes guts to put yourself out there, knowing that the sharks are circling and sniffing for blood.

Back to my personal interest in this book. When I have found a method or tool that I like, I want everyone to use it. I don’t hold it close to my chest or hide it. I share it. I become an evangelist to that tool or method to get the word out. The reason? The more examiners in the field that use it, the more chance the method/tool becomes an industry standard. Then it gets improved upon, further developed, “court accepted” in that the results obtained by that tool/method are accepted into a court, and I get to use the tool/method more.

The best personal example I can give to prove this point is with WinFE (http://winfe.wordpress.com). From a two-page Word document typed by Troy Larson of Microsoft, I marketed that little ingenious tool as if I were making a million bucks off it. It’s now in use by every country that does forensics and in just about every agency or company in those countries. It’s even taught in forensic training programs in both the public and private sector. So now, anyone can create and use WinFE without worry of using a non-industry accepted tool. This happened only because those that used WinFE shared the knowledge of how to use it and when to use it. Imagine if we did that with every “new” effective method or tool.

The key point in the prior two paragraphs is that Harlan’s book has lots of those types of ideas that he has shared. He gives credit to ideas created by others along with sharing his own ideas.

My only negative words on WFA/4 are…maybe X-Ways Forensics could have been put in it...but that's what we have the XWF Guide for...

My suggestion on WFA/4…buy the book. You will not regret it.  My other favorite books are here http://winfe.wordpress.com/books/.

Vote for your favorite book

Don’t forget to vote for the XWF Guide at http://forensic4cast.com/2014/04/2014-forensic-4cast-awards-meet-the-nominees/.  But of course, only vote if you liked it :)

And if you didn’t like it (which means you don’t have XWF…), vote for my other book, Placing the Suspect Behind the Keyboard.  But again, only vote if you liked it :)

And if you didn’t like that book either…give me your phone number.  We need to talk…

Humbled and honored

I just saw that the book of the year nominees at the Forensic 4cast Awards include both the X-Ways Practitioner's Guide and Placing the Suspect Behind the Keyboard.  For those that made the nominations, that was very kind.  For those that vote for either book, I thank you in advance.

Both books are pretty good.  Each gives plenty of tips and information to save you hours of frustration, and more importantly, close some cases.  There is a sample chapter of Placing the Suspect Behind the Keyboard here: http://searchsecurity.techtarget.com/feature/Placing-the-Suspect-Behind-the-Keyboard.  There are reviews at Amazon for both books that may be helpful if you were thinking of getting either book.

If you use X-Ways...you need the X-Ways Guide, no matter how long you have been using X-Ways.  When I asked Eric to help me write this book, he ran with it and did a super job of helping create an easy to read guide to using a very powerful forensic tool.  I have more than a ton of emails about how the book converted EnCase/FTK primary users into XWF primary users.

As for Placing the Suspect Behind the Keyboard, that has also helped more than a few examiners close a case with a simple (yet elusive) tip, trick, method, or process that saves hours, if not days, of work.  Again, even if you have been doing forensics for a long time, nothing says you can't learn or relearn something you may not know or have forgotten.

Thanks again to everyone.

Brett

Hey look! Now there is a book on FTK.

I previously posted that a book on FTK was sure to come along, since we have the best book on X-Ways and the other book on EnCase.  Now comes a book on FTK.  Just like the XWF Guide or the upcoming EnCase guide, I wouldn't see any reason for an FTK user not to have a book on FTK.

It makes sense to have "the" book on X-Ways, "the" book on EnCase, and "the" book on FTK.  By having books on your major forensic suites, it is easier to compare what suite "A" does to what tools "B" and "C" do, as well as how to get from point A to B using each tool.

So....how about that book on ProDiscover?  Anyone?  Grab the opportunity before someone else does.  I promise to buy it, as I have already ordered the FTK and Encase books.

I have brief reviews on my favorite DF books at http://winfe.wordpress.com/books/

Book links:

  • FTK: http://amzn.to/O38eWh
  • EnCase: http://amzn.to/P9XxCl
  • X-Ways: http://amzn.to/1gfx0t5

Not X-Ways, but of interest to Encase users

Computer Forensics and Digital Investigation with EnCase Forensic: http://amzn.to/1eY02wn

I know, this has nothing to do with X-Ways Forensics.  But hey, the X-Ways Practitioner's Guide was first...

Practically, this seems like a good book for Encase users to park on the shelf (while the X-Ways Practitioner's Guide sits on your desk next to your keyboard).

So, when is that book on "FTK" coming out....and who is going to write it?...And if you do want to write it, give Syngress a shout.

Cloud Storage Forensics

I have a detailed review of this book at http://winfe.wordpress.com.  In short, it's a really good book, and of all the tools they could have chosen for the research in the book, the authors picked X-Ways Forensics.  But then, that should not come as any surprise.

There's still time to ask Santa to put this in your stocking...

Cloud Storage Forensics and XWF

I recently finished tech editing a book soon to be published on Cloud Storage Forensics.  One of the main tools used was....wait for it...X-Ways Forensics.   Without giving anything about the book away, I was really impressed by the level of detail in documenting the research conducted in cloud storage forensics.

The book goes to print in January, but is available for preorder.  I'll be writing a review of the book once it is made available, but in short, I give it a high grade for technical accuracy and research on the most commonly used cloud storage services and the connected machines.  The authors documented testing of various cloud services as if it were scientific examination (which, by the way, digital forensics testing is...) and their methods can be used by anyone, as can their results.  I'll give a small tidbit that there are many instances of "holy smokes!" on some of their findings that I have not seen anywhere else.

The authors could have chosen any major forensic tool, but they chose XWF.  This is just another example of how X-Ways Forensics is used to validate scientific theories and tests over all others.  The reason is simple:  XWF works.

This book, along with a few others that I know are coming out fairly soon, should be quick sellouts for the first printing.  For anyone that buys books from Amazon, preordering is a good way to go and Amazon price matches books, even after you have already ordered.  Just saying...

Last day for the 40% discount on the XWF Guide!

This is one of those times that procrastinating will cost you money....

What will you tell yourself when you have to spend twice as much for the XWF Guide after tomorrow?

http://store.elsevier.com/product.jsp?isbn=9780124116054&_requestid=665676

And shipping is free?  Wow.  Doesn't get much better than that.

Table of contents updated!

Chapter 4 is wrapping up! We each have one more chapter to go and then we start the case studies.

The table of contents page is updated to reflect the topics of each chapter and, for the completed chapters, the page and word count of each.

X-Ways Forensics Practitioner's Guide is coming!

Eric Zimmerman and Brett Shavers have started writing the "X-Ways Forensics Practitioner's Guide", due out toward the end of year 2013.

Check back for when the guide will be available.   This guide is intended to be the source on using X-Ways Forensics.
