Brett's Blog

Just some ramblings.

Compiling Identity in Cyber Investigations

Digital forensics analysis is the easy part of an investigation. That is not to say that the work of digital forensics is simple, but rather recovering electronic data is a rote routine of data carving and visual inspection of data. Interpreting the data requires a different type of effort to put together a story of what happened ‘on the computer’.  As important an analysis is to determine computer use, it is just as important to identify the user or users and attribute computer activity to each user.  An investigation without an identified suspect is a case that remains open and unsolved..sometimes for years or forever.

In many investigations (civil and criminal), identifying the computer user is obvious through confessions or by process of elimination.  Proving a specific person was at the keyboard is barely a consideration since the person either admitted control of the device or was caught red-handed and the examiner can focus more on the user activity on the computer devices rather than spending time identifying the user.

However, simply accepting the suspect’s identity without further investigation into other aspects of the suspect’s identity may sell the investigation short.  Whether the suspect is known or unknown, compiling a complete identity of the suspect adds important information that is beneficial to a case, such as motives, intentions, and identification of more crimes.  The most important point is that a physical person that has been identified, or even arrested, does not give a complete identity of that person.  It is only the physical identity.  Investigators should strive to compile a complete identity that includes digital identities.

So what’s in it for you?

Building a case against a suspect requires more than just finding evidence.  A case needs evidence to point to a suspect as well as showing motive and opportunity.  Providing evidence of every identified persona of a suspect paints a picture of the suspect, to include intent, desires, motive, behaviors, and overall character to add to the supporting evidence.  In short, you get a better case.

...
Continue reading
1122 Hits
0 Comments

The Secret to Becoming More-Than-Competent in Your Job

The Secret to Becoming More-Than-Competent in Your Job

I was part of an interesting and product online podcast today.   You can check it out at: http://nopskids.com/live/

The topics ranged from hacking, forensics, how to catch hackers, and a little on how criminals sometimes get away with it. Although I didn’t give any tips on how to get away with a crime, other than DON’T DO IT, I did speak a little on some of the things that can be found forensically on a hard drive.  Actually, I think I only had time to talk about one thing (the Windows registry) for a few minutes and nothing of which that has any impact on a criminal using the information to get away with a crime.

The one thing I wanted to stress that even if every top secret, secret squirrel, spy and investigative method was exposed, criminals would still get caught using the very techniques they know.  Proof in the pudding is seeing cops being arrested for committing crimes.  You’d figure they would be the most knowledgeable of not getting caught, but they get caught. Same with accountants being arrested for fraud, and so forth.  I’ve even arrested criminals when they had in their possession, books on how not to get caught.   The most diligent criminal can be identified and arrested by simple mistakes made and sometimes by sheer massive law enforcement resources put on a single case to find a criminal or take down an organization.

With that, I learned a few things from the podcast too.  One of the moderators was actually a case study in my latest book (Hiding Behind the Keyboard).  To be an expert, to be knowledgeable, and to be more than just competent requires talking, listening, and sharing.  That doesn’t mean sharing trade secrets or confidential information, but it does mean having conversations to learn your job better.

When I worked as a jailer, I talked to every person I booked (at least the sober arrestees and those cooperating with the booking process).  I asked personal questions like, “how did you get started with drug use?” and “how did you start doing X crime”?  I learned a lot after hundreds of bookings.  I learned so much that when I make it to patrol and hit the streets, I had a big leg up on the criminal world, in how it worked with people.  That directly helped me in undercover work.  I spoke to so many criminals, both as a police officer and as an undercover (where they didn’t know I was a police officer), that I learned how to investigate people who committed crimes.  I was darn effective.

...
Continue reading
997 Hits
0 Comments

Behind the Keyboard - Enfuse 2016 Presentation download

I had the amazing honor of speaking before a full room at Enfuse this week.  This was not only my first time speaking at Enfuse, it was my first time at Enfuse. The conference was put together well.  Kudos to poolside event coordinator.  Those who know my forensic tool choices also know that I do not use Encase as my primary forensic tool.  However, I have a license for v7 and have used Encase since v4 (with sporadic breaks of use and licensing).

This year at Enfuse, I did not speak on any forensic software (or hardware) at the conference. I gave a snippet of two recent books I published (Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard).  I say “snippet” because one hour is not even near enough time to talk about the investigative tips in the books.  I was able to give a few good tips that I hope someone will be able to take the bank and boost case work.   I could spend weeks talking about investigative methods of not only finding suspects that are using computers to facilitate crimes, but also to place them at a specific device with both forensic analysis and traditional investigative techniques.   

After my talk, I received emails from some who did not or could not attend my Enfuse talk; I am providing my slidedeck for them and others who may want to see high-level notes from the Powerpoint slides.  However, I removed a number of slides that had personally identifiable information to avoid any embarrassment from Google searches and cases.  I did not get to a few slides in the presentation due to time (only one hour!), and I removed them as well.   Nonetheless, the meat and potatoes of the presentation is in the below PDF.

  

 

...
Continue reading
1191 Hits
0 Comments

I'm just a Tor exit node! I'm just a Tor exit node!

I'm just a Tor exit node!  I'm just a Tor exit node!

Never thought I would still see this happening…

http://www.ibtimes.co.uk/seattle-police-raid-home-privacy-activists-who-maintain-tor-anonymity-network-node-1552524

I have personally seen warrants served on the wrong address on two occasions.  The first was a drug investigation where the lead detective went to the wrong door to an apartment.   The warrant was correct in having the correct address, but the detective didn’t take the time to check the numbers on the door…

The second time I witnessed a wrong door entry was when the lead detective had the wrong address on both the search warrant and affidavit.  The detective never even corroborated the information to find the right address.  Basically, the detective looked down the street and picked the house she thought was the drug dealer’s house.  After SWAT kicked in the door and broke a few things in the process, it took all of 5 minutes to realize that it was the wrong house.  The drug dealer was on the next street over…the victim house got a new door from Home Depot and carpet cleaning paid for by the task force.  

Both of these warrants taught me something that I will never forget.  Before you kick in the door, make sure you got the right door.  After you make sure you got the right door, make sure again.  Then ask your partner to double-check that you got the right door. Then get a warrant and kick it in if the suspect doesn’t open it for you.

...
Continue reading
1417 Hits
2 Comments

Dude, just write the book.

Dude, just write the book.

I had a discussion with a peer of mine about writing a book, in that my peer has been thinking of writing a book but never gets around to doing it.  After about two years of listening to how he should write his book, my response was “Dude, stop talking about it and write the darn book.”

His book idea is a nonfiction technical book and is about **secret topic** (of course I’m not leaking the topic or title!).  He is an expert, or at least knows a heckuv a lot more about the topic than I do.  I would buy the book tomorrow.  I even said that if he had written this book when he first told me about it, we’d be talking about the next edition and I would have already bought the first edition.  "Dude, you’re two years and two editions behind now!”

Which brings me to my point. Years ago, I said the same thing.  “Hey, I think I could write a book.” I said it a few people and one of the guys told me, “Dude, just write the darn book.” And so I did.  Three times already. Started a fourth. Plans for a fifth.  All from one person telling me to stop talking about it and write the book.  I took the suggestion to heart because he had already published several books himself. Thanks HC.

Fair warning: It’s not easy.

If you can get a contract, you’ll have deadlines to meet, standards to keep up, and demands placed on you by the publisher. Worse yet, if you don’t have a contract and want to self-publish, you have to place those same demands on yourself.

...
Continue reading
784 Hits
0 Comments

Books written by practitioners are many times better than those written by those who 'never done it'

Books written by practitioners are many times better than those written by those who 'never done it'

Many of Syngress published books I’ve read are those written by people simply writing about how they do their job…while they are doing their job.   They are probably not writing while they are physically doing their work, but you know what I mean.

With my first book, Placing the Suspect Behind the Keyboard, I was consulting on a criminal cyber harassment case, two arson cases, and several civil litigation projects. In three of the cases during writing the book, the main goal was identifying users behind the keyboard (in one case, behind a mobile device).  In addition to doing what I knew from my law enforcement detective days, I conferred with experts for tips and tricks on tracking Internet users.  I was writing the book while doing the work.

My current book, Hiding the Behind the Keyboard, was virtually the same, however, this time with a co-author (John Bair). While writing the book, there were multiple interruptions of having to do work in the real-world outside of typing and testing theories. While John was working homicides and examining mobile devices in those cases, I was consulting on employee matters where unidentified employees were creating havoc with their company by being anonymous online. It is one thing to create a perfect scenario to test a theory and quite another to have actual evidence on an active case.  Again, this was another book of authors writing what they do on a daily basis.

I write about this only because I remind myself regularly of college courses I have taken in digital forensics where the required books not only cost an arm and a leg, but were written by academia, not active practitioners.  I’ve even taken a computer forensics course from a community college where the professor had not done one forensic exam…not a single one.  The professor did not even know how to connect a hardware write-blocker to a hard drive. I kid you not.  

I’m not a Syngress employee, but I do like their books. The cost may seem high for some of the books, but it is still about half the price of a college text in the same subject matter.  But the biggest difference is how the books read. I so much prefer reading a book that simply says, “This is how you do it in the real world”. I do not prefer books that speak in terms of an idealized theory.  Reminds me of my Field Training Officers in patrol telling me to forget what I learned at the academy because they were going to teach me what works on the street, in real life.  The best thing I like about the Syngress books is that I can read what the experts are using day-to-day in their own words.

...
Continue reading
775 Hits
0 Comments

I had a blast presenting for ICAC at Microsot

I had a blast presenting for ICAC at Microsot
b2ap3_thumbnail_ICAC.JPGI gave two presentations today at the NW ICAC conference hosted by Microsoft in Redmond, Washington on the same topic in two parts. I met some great folks in the field doing so really awesome work to protect children. Plus, I got to see some people that I have not seen in a long time. All the sponsors set up a great conference with Microsoft providing the venue. I was only there for the first day and I'm sure the next two days will be just as beneficial to attendees. b2ap3_thumbnail_book4.jpgThe first presentation (Part 1) was a broad overview of my first book, Placing the Suspect Behind the Keyboard. My primary goal was to give a ton of investigative tips in hopes that at least one will be able to save investigators hours (or weeks or months) of labor in their cases. I flew through the material like a firefighter putting out a house fire to make sure enough tips were given to fit as many investigators needed in their specific cases. Definitely covered a lot of ground in a short amount of time. Reading my book covers a lot more, but this was fun. http://brettshavers.cc/images/articleimages/book3.jpg      b2ap3_thumbnail_book3.jpgThe second presentation (Part 2) was a brief intro to one chapter in my upcoming third book, Hiding Behind the Keyboard. Probably the best tips came from how to identify Tor users along with how to explain Tor to the layperson, which is sometimes one of the hardest things to do in a courtroom setting. Both Part 1 and Part 2 presentations are independent of each other but the information is complimentary just like both books are. 

 If you are in law enforcement and would like a copy of both presentations, you can download them here for the next month or so before I update the presentations:

 

Placing the Suspect Behind the Keyboard-ICAC.  

Send me a message after you download the file and I'll e-mail you the password (the slidedeck will be available for short time).

640 Hits
0 Comments

Vote for the best book right away!

The deadline for the Forensic 4:cast Digital Forensics Book of the Year has been changed.

https://forensic4cast.com/forensic-4cast-awards/

 

[caption id="attachment_1218" align="aligncenter" width="708"] My personal favorite....Placing the Suspect Behind the Keyboard...it's the first and only writing on the subject manner incorporating investigative methods in and out of the (computer) box.


 
 

Xways-Cover http://amzn.to/1g5sfSX

 

]Placing the Suspect Behind the Keyboard http://amzn.to/1owuRmr


 

349 Hits
0 Comments

Free Course Materials - Placing the Suspect Behind the Keyboard

Do you teach cybercrime/forensics and use "Placing the Suspect Behind the Keyboard"?  Maybe you are considering using this book in your course?  How would you like to have ready-made PowerPoints for the chapters with additional student materials to go along with the book in your course?  PSBK

I have had a few people tell me that this book is being used in their classes, but can't recall all of the colleges.  If you have used this book in a class, send me the instructor's name or have the instructorThis email address is being protected from spambots. You need JavaScript enabled to view it. so I can pass along information on materials for the class.

I will be starting on the materials now and will give access to any instructors that want to lend a hand and get early drafts for use right away.  The materials will be freely available for instructors to use and modify in their coursework.  As someone that has taught forensics for a few years, it is very very helpful to have class materials available rather than reinventing the wheel every class...

376 Hits
0 Comments

Vote for your favorite book

Don’t forget to vote for the XWF Guide at http://forensic4cast.com/2014/04/2014-forensic-4cast-awards-meet-the-nominees/.  But of course, only vote if you liked it :)

And if you didn’t like it (which means you don’t have XWF…), vote for my other book, Placing the Suspect Behind the Keyboard.  But again, only vote if you liked it :)

And if you didn’t like that book either…give me your phone number.  We need to talk…

578 Hits
0 Comments

Vote for your favorite book.

Don’t forget to vote for the XWF Guide at http://forensic4cast.com/2014/04/2014-forensic-4cast-awards-meet-the-nominees/.  But of course, only vote if you liked it :)

And if you didn’t like it (which means you don’t have XWF…), vote for my other book, Placing the Suspect Behind the Keyboard.  But again, only vote if you liked it :)

And if you didn’t like that book either…give me your phone number.  We need to talk…

485 Hits
0 Comments