FREEZE! Busted by the Fridge. The ways that tech influences writing fiction, making movies, and busting criminals.

One interesting investigation I had was that of a murder-for-hire in one city that the suspect used a Google search to find the victim’s home address in another city.  Simple enough crime to plan.  Google the name, find the address, do the hit.  Except in this particular case, although the suspect Googled the correct name, there were two people with the same name in the same city and he picked the wrong one.  I called this case my “Sarah Connor” case.

Fortunately, we intercepted the hit before it happened and prevented a random murder on the wrong person (as well as preventing the murder of the ‘right’ person).  In a basic sense, the suspect used the technology of one of the most advanced computer systems in the world (Google….) to attempt a murder only to choose the wrong name in a Google search hit.  This type of criminal incompetence and carelessness is commonplace.  It is also the way that most get caught. 

On the other end of the spectrum, we have Hollywood’s version of high tech crime fighting.  Minority Report with Tom Cruise showed us that not only can crimes be solved with technology, but that crimes can also be prevented with technology.  As for the technology used in the movie, it could have only been more accurate had a predictive analysis computer system been used in place of the fortune-telling humans (“Precogs”) in a big bathtub.

In a turn-key surveillance system, no person is anonymous.  Whether it is a private business or government agency, no one is immune from potentially being watched, tracked, or reported.  Private businesses use facial recognition for both improving customer service by detecting your mood through facial expressions as well as preventing crime.

“…faces of individuals caught on camera are converted into a biometric template and cross-referenced with a database for a possible match with past shoplifters or known criminals.” https://www.theguardian.com/cities/2016/mar/03/revealed-facial-recognition-software-infiltrating-cities-saks-toronto  

Criminals who try to avoid using technology are severely limited on the type of crimes they can commit.  That’s a good thing.  A drug dealer without a cell phone is like a taxi cab driver without a taxi.  It is part of the business and can be tracked, traced, monitored, intercepted, and forensically examined.  Technology is a natural and required part of any criminal’s operations.  Criminals not using technology are ineffective as criminals, for the most part.

Criminals who try to avoid surveillance technology in public, such as license plate readers and facial recognition are also extremely limited in the crimes they can commit since they would have to remain in their homes to commit crimes outside of public surveillance methods.  Even then, committing a crime in a home is not without the risk of being monitored, either by a government agency, a private corporation, or an electronic device plugged into an outlet.  If you own a Vizio television, consider yourself tracked, hacked, and sold to the highest bidder. http://www.theverge.com/2017/2/7/14527360/vizio-smart-tv-tracking-settlement-disable-settings

From Amazon’s Echo to an Internet-connected fridge, data is collected as it happens, and stored either locally on the device or on a remote server (or both).  Depending on how ‘smart’ a home is, every drop of water usage can be tracked, every door opening logged, and every person entering and leaving the home gets recorded.  This does not even include cell phone use that is tracked within the home by providers.  And the computer use!  The things we do on the computer leave traces not only on the hard drive, but also on the servers we touch with every www typed.  Criminals in their home are no more protected from being discovered than on the street.  This is a good thing.

As to the significance of some of these high tech smart home devices, consider that water usage can give inferences as to what was done in a home, such as cleaning up a crime scene…

 

https://arstechnica.com/tech-policy/2016/12/police-ask-alexa-did-you-witness-a-murder/ 

During all the years of being a detective, I did trash runs.  Lots and lots of trash runs.  I hated the trash runs until I found good evidence.  Garbage smells really bad, especially during the summer.  Digging through garbage bags in a dumpster in the middle of a hot day can make the toughest person gag or puke.  But you can get some really good information on the criminals you seek. Did I mention it can smell really bad?

That is one of the reasons I really enjoyed moving into digital forensics.  Digging through the garbage of data on a hard drive is a lot easier on the nose than digging through a dumpster.  Plus, the information you get is sometimes a lot better than what you can find in a garbage can.  There are exceptions…you won’t find the murder weapon in a folder on the C:/ drive of a hard drive unless the murder weapon was a computer program. 

You would think that with the amount of technology available and already in place that police would be able to uncover more crimes, find more criminals, and be more effective.  When a smart home can email the home owner a photo of someone ringing the doorbell, newer cars come with pre-installed GPS tracking systems, and a fridge can record a live stream of residents in the kitchen, the ease of finding evidence should be easier…right?

Not quite.

That brings us to the biggest hurdle to crime fighting: incompetency and laziness.  Government agencies are not immune to the same human fallacies found elsewhere. There are hard workers in government just as there are hard workers in the private sector.  Same holds true for laziness and incompetence, which criminals take advantage.

In any case where electronic devices are not being seized for examination, evidence is intentionally being left behind.  I am not referring to the electronic devices that are difficult to find, like a camouflaged USB device hidden within a teddy bear. I’m talking about the cell phone sitting on the car seat of the suspect arrested for burglary.  Yes. I’ve seen it happen.  Part of the reason is that unless lead is flying, most criminal cases and dispatched calls are boring to the responding officer.  As an example, with a residential burglary, the suspect is usually gone and the victim is lucky if the officer even tries to recover prints from the scene.  Stolen car?  Oh well. Fill out the report and call your insurance company.

I have been out of police work for about 10 years and I had hoped this lack of urgency in police work has changed.  But apparently not.  I recently helped someone with their stolen purse from a gym.  I got the call first instead of 911, but that’s another story.  Anyway, I showed up to give some guidance and eventually the district officers arrived.  Even after being told that video cameras faced the parking lot, and that the suspect/s went inside another victim’s car, the officers said, “The cameras probably didn’t get it”. The manager of the gym even offered up the video and said the cameras face the victim’s car... but the officers they left without even asking to see the video.  After telling the officers that the suspect/s just used the stolen credit cards in a store less than 5 miles away and that the store surely must have cameras, one of the officers said, “We can’t get much from a store’s security cameras.  You just need to call your bank to cancel your cards.” End result: File a report.  Call the banks. Get a replacement driver’s license.  Yes.  This still happens.  And criminals thrive on it.

The irony with a lack of seizing electronic evidence is that for most of the forensic examiners in law enforcement, they love to dig and dig and dig and dig through data to find the smoking gun.  It is the lifeblood of what they do.  If only the devices were seized and given to them.  Case in point:  I was called to exam a laptop of a missing teenager, six months after she was reported missing.   The detective simply did not put any reliance on a laptop, in which the teenager was religiously using for social media, as a source of important evidence.  The teen’s body was later found buried less than 5 miles from the police department where this detective drank coffee at his desk, with the laptop sitting downstairs in evidence for months.  I would have loved to examine that laptop ON THE SAME DAY the teen was reported missing.  It was virtually useless by the time I got it.

Seeing that tech should make it easier for police work, it should make it easier for writers of fiction.  It doesn’t.  I read (and write) a lot.  Technology can ruin good fiction.  No longer can a fictional criminal live his or her life under the radar.   Even the good guys can’t avoid ‘the radar’.   The Jack Reacher series should have been set in the 80s, because there is no way that Jack Reacher can roam the country without ever ringing some bells in surveillance tracking technology and live only with the technology of a single ATM card.  I was lucky that my undercover work was before the Internet really took off.  Backstopping an ID today requires way more than it did when I was undercover.

Writing fiction set in today requires knowing technology, because any scene that should have technology but doesn’t simply makes that scene unbelievable.  Same with Hollywood. Seriously.  It gets harder and harder to watch a movie that intends to be realistic without realistically using technology.   Show me a movie where no one is texting anywhere in a scene and I’ll show you a movie where technology is selectively ignored for the sake of simplicity at the cost of plausibility.

I can hear it now.  Police work is hard.  It’s not easy to get search warrants.  Not every department has a forensic unit.  We are too busy to solve crimes.  We are short-staffed. We don’t get enough training.  Blah blah blah.  I’ve heard it before and proved it can be done time and time again.  I have always believed that 10% of law enforcement do 90% of the work while 90% of law enforcement try to pawn off the remaining 10% of the work (while fighting over taking credit for it).  If just another 10% of law enforcement suddenly got a sense of urgency to require high tech investigations be a part of every crime scene, we’d reduce crime stats in half and solve twice as many crimes.

Now if only I can find a book or movie that doesn’t pretend technology doesn’t exist..

 

1044 Hits

Want to know how to break into DF/IR?

I see the digital forensics training market reaching a saturation point in some aspects.  Most, if not all, forensic software companies provide training, govt agencies provide internal training, individuals provide training, every college looking for a new revenue stream is adding forensic programs for training, and a new forensics book comes out every few weeks or so.  Add that to those who can teach themselves and you have DF/IR training market that is fat.  By the way, if you can teach yourself forensics by gobbling up every crumb you can find, you will have a long career in this field. 

There have been a lot of blog posts, articles, forums, and opinions posted online about how to break into the field of DF/IR.  Here are a few decent links, and of course, a Google search will find dozens more. You will see by the dates that it has been years of the same question being asked...

https://digital-forensics.sans.org/blog/2010/08/20/getting-started-digital-forensics-what-takes/ 
http://www.techrepublic.com/blog/it-security/breaking-into-the-digital-forensics-field-melia-kelleys-path/
https://www.reddit.com/r/computerforensics/comments/1o2s5x/looking_to_get_into_computer_forensics/
http://www.techexams.net/forums/jobs-degrees/99839-looking-enter-into-digital-forensics-field-need-advice.html
http://smarterforensics.com/2016/08/so-you-want-to-break-into-the-field-of-digital-forensics/
https://www.thebalance.com/how-to-become-a-digital-forensic-examiner-974633
https://articles.forensicfocus.com/2011/10/07/advice-for-digital-forensics-job-seekers/

The common theme is asking, "How do I get into digital forensics?" when the better questions to ask are, "Which college program will work best for me?", "Which discplines in DF/IR should I focus on?", "Which programming languages are relevant?", "Which software should I learn?", "What are hiring managers looking for?".  

You won’t usually find this topic constantly being brought up in other career fields. For example, if someone wants to become a doctor, there isn’t much to the answer other than, “go to a medical school.”  If someone wants to become a lawyer, the answer is typically, “to go a law school.”

To become a digital forensics analyst, there isn’t an answer like “go to a digital forensics school” because there are more than a few ways to get into the field depending upon your individual and unique situation.  On top of that, simply getting a degree in digital forensics doesn’t automatically make you qualified.  Many forensic analysts fell into the job while working another job, like a police detective suddenly having to do computer-related crime cases, takes lots of training, and works major cases.  The rest have to fight to get into the job or to at least get through the door.

My brief opinion on getting into the field is that a new person needs one or more (sometimes all) of these:

  • Certs and/or degrees
    • Helps check the boxes on the job application
    • Shows that you sat in a chair and passed tests
    • Shows that you paid lots of money (or may have lots of student loans)
    • Shows that you can complete a system of training/learning
    • Implies you should know what the paper says you should know
  • Experience in a close-enough-related-job
    • Shows that you have been doing the job, or close-enough-related-job
    • Implies that you have competence, since you were being paid
  • Competence
    • Hardest way to get in without something else (experience and/or education)
    • Difficult to get past the application if blindly applying to jobs if you can’t check the required boxes
    • Have to prove yourself beforehand (write a software program, discover something useful for the field, etc...)
    • Nothing is implied, because you need proof of competence.

Each of these require time.  If you want to get into a good digital forensics job within a year, and the only thing you have ever done is read a blog about forensics, then consider that it might not happen as quick as you would like.  If you don’t want to spend any money (on tuition, tools, books, training courses), then you must be able to learn open source forensics…and teach yourself.  Lastly, you need capability.  Not everyone can or wants to spend the time and money to become competent.  You have to put in your dues to get the potential rewards.  If you don't work on being able to do the job, simply wanting to do it is not going to be enough.  A lot of people want to be a cyber hero, but not a lot of people want sacrifice for what it takes to get there.

A brief note about the exceptions and exceptional people: I have met some exceptions to the rules of getting through the DF/IR door. I am referring to those who are mostly self-taught and have no education to speak of (insofar as a technical education).  If you are one of those, then you go through the back door.  You just need to find someone to show you where the back door is.  If you are an exception, that means that you can be given a desk and computer and from Day – One, you can do magic.  If you are not an exception, you will be knocking on the front door.

So, to be able to at least submit an application, get qualified enough to check the boxes.  One of the things I have never understood is that some (many?) jobs require a bachelor’s degree in virtually anything in order to apply for a job that clearly does not require a college education.  If that is the kind of job you want, which is a considerable amount of federal jobs, get the degree or you will not even be able to check the one box that is required to apply, no matter your experience (for exceptions, refer to the previous note). 

On picking a training path, be choosy because it’s not only money you are spending. It is also your time.  I started a college program once, only to quit because I could have taught it since the ‘professor’ never ever never even imaged a hard drive, nor did a forensic exam ever.  It was clearly a new revenue stream for the college.  I’ve taken a few private courses that had the effect of me trying to forget what I learned because so much of it was incorrect or out-of-date.  I’ve been "taught" how to testify in court by someone who never testified in court…or tried a case…or ever practiced law.  Conversely, I have taken some outstanding training, college courses, and attended superb conferences that made all the difference in the world.  The trick is sorting through which is which.  Those are the questions to ask.

Disclaimer: I am but a lowly forensic guy, not the end-all-be-all or know-it-all (I learn something every day).  These are just my opinions.  I have hired and fired employees, passed and failed students, taught and been taught forensics.  But like everyone, experiences, perceptions, education, and opinions vary.

Tags:
1719 Hits

Reminder for the last discount for the X-Ways Forensics Practitioner’s Guide Online and On demand course.

If you were thinking of doing it, this is the best time since the $599 online course will only be at a discount of 60% for less than two weeks (until Dec 31, 2016) for only $235.  PLUS, registering before December 31, 2016 gets you a print copy of the book, the X-Ways Forensics Practitioner’s Guide shipped to you. Unfortunately, the book is only included for US/Canada registrants since shipping a book outside the USA or Canada costs more than the book.  Shipping to some countries costs more than the entire X-Ways online course costs.  I’m happy to ship a copy, but the shipping fees must be added.  Best bet is to order a book online that delivers locally without extreme duty fees.

Register with the 60% discount using this URL: 

Just a few notes on the online XWF course based on emails I have received:

Time limit:  You have a year to view the course as often as you want.

Software: Not included.  You don’t need it for the course, but I think you’ll want to have a license.  If you want to know how XWF compares to other tools, you can get 12 hours of instruction showing how it works and much of what it can do.  Once you start using XWF, you’ll begin to see that it can do a lot more than what the manual or any course can teach. 

About forensics: The online course doesn’t teach forensics, except to demonstrate features of XWF.  Don't expect to learn 'what is the registry' in this course.  It's all about X-Ways Forensics, to get you up and running right away.

Competence: If you go through this course (and you have a foundation of digital forensics knowledge), you’ll have enough knowledge to use XWF on a real case.

Students: If your school uses XWF, you’ll be much better off learning XWF online away from class to get the full benefit of using XWF.   School programs can only teach so much with software in courses where they must teach everything.

The book:  Through Dec 31, 2016 the X-Ways Forensics Practitioner’s Guide book (print copy) is included with your tuition (USA/Canada shipping only).   There is no other book on X-Ways Forensics available.  The next edition may not be for another year or two.  Get your copy as part of the course.  The cost savings of a book + 12 hours of X-Ways Forensics training at $235 is the best deal you can find anywhere.

Course updates: The course may be updated throughout the year when XWF has enough smaller updates to add up to a new course or updated lessons.  You get that as part of your registration.  Revisit the course throughout the year, anytime you want, from anywhere online.

XWF as a primary or other forensic tool:  If you currently use or plan to use XWF in your work, get some training.  Either this course or a course from X-Ways AG, or somewhere.  XWF is not a tool for self-learning when you need it for casework tomorrow.  Especially for a primary tool, get some training.  This course gives you the information to use it either as your primary tool or secondary tool.

If you have any questions, hit me up J

This email address is being protected from spambots. You need JavaScript enabled to view it.

 

2070 Hits

Brett's opinion on writing a DFIR book

Brett's opinion on writing a DFIR book

Let me disclaim a bit.  I don’t know everything about writing or publishing.  All I know is what I have done.  With that, I have been asked about writing books (computer/digital forensics topics) over the past few years.  Let me give my experience to anyone considering writing a forensic book.

To start, I have written three books so far, meaning that I am writing more.  Two of the three published books have had co-authors.

I’ll go through some of the questions I have been asked already.  First off, I have been flattered and humbled each time someone asks for my opinion on writing books, and each time I have answered questions about the process, I have realized that I could have done things differently or better.  Not everyone asked the exact same questions, but they are very similar.

What made you decide to publish a book?

I considered any person who wrote a book to be an ultimate expert in their field and did not feel I was at any level of credibility to write.  But, I asked someone I respected in the field who had written several books already and he said, “DO IT!”.    I’ll leave out the name of who convinced me to go for it, but suffice to say that I took his advice seriously. 

Unfortunately, all I asked was, “Should I write a book?” and didn’t ask anything about the process.  That was Mistake #1.

How did you come up with a topic to write about?

This was easy.  I thought of a book topic that I wanted to read about; a book that I would buy right then if it were on Amazon.  Of course, if the topic was already written and in print, I would not have written a book on the same thing as I just would have bought it. 

I thought about the topic of my first book (Placing the Suspect Behind the Keyboard) when I was a narcotics detective, years before I got into digital forensics.  The reason came about due to drug cases where I had a ton of cases where providing drug possession was difficult due to each incident (multiple persons in a car and a bag of cocaine under one seat, third party owner of a car, etc…).  Getting into forensics later in my police career, I came across the same issues in proving who was behind the keyboard in child exploitation cases and so forth.  So, that topic was in the making for about a decade.

My second book (X-Ways Forensics Practitioner's Guide) was written out of personal necessity. I wanted a book on how to use the forensic tool I use everyday.  I have never appreciated the X-Ways Forensics manual.  I find it hard to read, difficult to find the information I need, and would prefer something tell me exactly how to use X-Ways Forensics.  I had written a few things about X-Ways and posted online but figured a book on X-Ways Forensics would be best.  The manual does what it is intended to do: give information 'about' X-Ways Forensics, but not tell 'how' to use X-Ways Forensics.

My latest book, Hiding Behind the Keyboard, was written mainly as a follow up to my first book in order to add some updated information including some related mobile forensics information.  Both Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard complement each other and I wrote both to be long lasting with concepts that can be used with evolving technology.

Which publisher should I go with?

For me, I choose Syngress.  I have a lot of Syngress books and always check for latest releases from Syngress. There are a few other publishers that print digital forensics topics, but I just like the Syngress titles and formats.  I did not consider other publishers but should have (Mistake #2) as it makes better sense to know what other publishers offer instead of just one.

I suggest go with whichever publisher publishes books that you like and would like to write in the same manner.  What I mean by this is, some publishers have strict guidelines on how you write and what your write.  If you go with a publisher that wants your book to be a college textbook, be prepared to forego a lot of your creativity.  You may have to write at a 10th grade reading level, segregate the book into sections that can fit into a college course year or semester, plus other requirements that will make your book into a textbook.

For me, Syngress is different.  I have found that the author has so much leeway in writing that the book can be written to fit practitioners’ needs.  I enjoy forensic books that get right to the point with the author giving ‘war stories’ of how the techniques worked in real life.  I also like that Syngress books seem to speak directly to you, examiner to examiner, and not as if you are a student following a syllabus.

So, the answer is go with what fits you, and if they won’t take you, go with someone else.

Did you think about self-publishing?

I get this one a lot.  I did think about it and still do.  In fact, I will be self-publishing a book just to see how well it works.  Since I haven’t done it yet, I can’t recommend it.  What I can say about self-publishing is that you own the work.  That is a major point.  With a publisher, you don’t own the work; the publisher owns it.  That means if you want to write a 2nd edition, you can’t unless the publisher approves it.  That might be a major issue if you are writing about your own software or something you ‘own’ or ‘discovered’ on your own.

Publishing through a reputable company gives you many benefits that can outweigh ‘owning your work’.  For example, Syngress has distribution channels set up already.  Their name is heavy.  They handle everything.  Cover design, editing, payments, sales, reprints, marketing, and author support is all covered with a publisher.  That does not mean there isn’t a cost.  The author gets a piece of the pie after everyone else is paid.  That is the price to pay and if you are working cases full time, then it most likely will be a price well paid.  If you want the least amount of hassles, find a publisher.  There are always speed bumps in a book publishing process, but when you are self-publishing, those speed bumps can turn into brick walls if you don't know what you are doing.

Should I write the book first and then find a publisher?

Oh my, don’t do that.  You can if you want.  Several people that asked me had already written most of their book or finished it.  In my opinion, I think it best to have the outline and propose the outline to a publisher.  Most publishers have a form that you can fill in the blanks and submit for a book.  If they like it, you are good to go.  If not, you can try again with a different outline to fit what they believe would be a good book.  Take a look at Syngress as an example of writing and submitting a book proposal.

One thing to think about if you are planning to write first is that you might be too late.  As one example, I had considered writing about a topic, thought about it for a few weeks, put together an outline, thought about it for a few more weeks, and by the time I decided to propose the topic, I found that someone had just said they were going to write the exact same book. I took too long (Mistake #3).  I tossed my outline and learned that it is better to propose a topic as soon as you think about because if you don’t, someone else will.  If you write a book before even letting the world know about it, you risk someone else getting a contract to write the same book when they didn’t do anything other than submit a proposal.   In theory, since your book is complete, you could publish well before the other book comes out, but that is not something I would want to do.

Why did you have a co-author on some books and not another?

Well…on the first book, I had asked a few people to co-author the book with me and was turned down.  Being my first book, those rejections hit kinda hard.  I didn’t ask anyone else for fear of more rejections, so I wrote the book myself and in the end, glad that I did.  I recommend that if you are going to write several books, write at least one by yourself.  It is well worth the experience.

On the X-Ways Forensics Practitioner’s Guide, I took the chance to ask someone to be a co-author because I did not feel that I could cover the software well enough.  I had been using X-Ways Forensics since its first version (over 10 years!) but still felt I may miss something.  On a whim, I asked Eric Zimmerman and he accepted to co-write the book.  Mind you, I never met Eric, and I asked him with an email that we communicating on a separate topic.  Basically, out of the blue, I asked and he accepted.  Much easier than my first book….and of anyone in forensics to help write a book on X-Ways Forensics, Eric is the man.  I lucked out on that one.  As a side note, X-Ways Forensics has gotten a LOT MORE traction as a forensic tool due to the book, which was what I wanted.  The more people that use X-Ways Forensics, the more R&D that goes into it, and the better tool I get in the end J

For the third book, when I talked about writing it, I had several people ask to be a co-author, including some of who turned me down on my first book.  But, I had my mind set on a mobile forensics expert, who happened to be local to me.  John Bair was my first pick and I had to drive down to his office and practically con/vince him to do it, for which I am grateful he accepted.  John is one of those cops who are busy because they work and barely have time for writing a book.  I sincerely appreciated him taking time to help with the book and hopefully set him on a path of writing books in the future.

So, write one by yourself and write others with a co-author.  It just depends if you have enough expertise in a topic to write an entire book yourself, or if you need help to meet deadlines. As far as how to ask someone…just ask.  Send an email.  Call.  Mail a letter. Anything.  Just ask.  Don’t be surprised at what you get when you ask.  Those who turned me down with my first book…I know them personally, some for almost 20 years, but they turned me down.  With Eric and John, I never met either but both agreed.  You just can’t tell who will say yes and who will say no.  I recommend ONLY asking someone you really want to be a co-author.  If you asked someone the B-team because you think someone the A-team will say no, you will get what you get for a co-author. I say, go straight to the A-team.  The worst that can happen is that they say no.

How long does the process take?

I gauge the time from the date of the signed contract to the date of printing.  Anything before that day doesn’t really count.  Thinking about writing and talking about it doesn’t do much until you sign your name to get it down.

Remember that I am only talking about Syngress and my experiences, but generally expect that your book won’t be on a shelf (or Amazon) for about a year.   Most likely, you will be sending in a chapter a month until done.  Then it takes a month or so to edit it (by the publisher to fix grammar and spelling), and then maybe two or three months to print it. 

If you write faster, the book gets printed faster. If you write on time, the book is going to take time to finish.  With a co-author, you can cut the time in half.  Seriously.  You can cut the time in half.  There were several times that I thought Eric Zimmerman didn’t need sleep.  Eric is a machine.  He writes at the speed of light and I think his first drafts were practically final drafts.  John was on spot too.  When you have authors like that, your book is going to be available fast/er.

But no matter what you do, when you publish through a company, there is extra time needed than if you did it yourself.  I am certain that if Eric and I self-published, the book would have hit the stores within 5 months.  If you realize that putting a PDF on the Internet does not compare to publishing a book, you will have patience for the process.

Would you do it again?

Yep.  Doing it again already.

Do you have any suggestions on getting started?

Yep.  Go to a publisher’s website, download the book proposal form, and fill it out right now.  Then share it with trusted peers to get their opinion.  Find a co-author if you need. Then submit your proposal.  Start now because I promise you, someone is thinking about that very same topic right now.

Who pays everyone?

If you self-publish, you do.  You pay everyone.  You pay the co-author, editor, cover designer, printer, etc…

If you go through a publisher, you will have no out-of-pocket expenses, other than what you spend for your book materials (may need to buy and test software, etc…).  Everything else is taken care of by the publisher.  Part of being paid a small piece of the pie is that the finances are not your responsibility. 

How much money can I expect to make?

This is a difficult question, because Harry Potter made JK Rawlings into a billionaire and there are more books that anyone can guess that didn’t make enough to buy a cup of coffee.  The answer, like anything in forensics, is that it depends.  If you write a popular book, it will sell.  For example, the X-Ways Forensics Practitioner’s Guide sold out before the first printing was even started. It went into a second print before the book was even available.  It just all depends.  I will say that if you intend to retire off a digital forensics book, you better write something like “Harry Potter and the Cyber Criminal.”

To get a little closer to an answer, I would say that if you really are thinking about making money with this kind of book, you can make some.  At least enough for a nice vacation every year or maybe buy a new car with one of the checks.  

Any tips on the process?

Plenty. 

Co-authors: You can cut down the process if you have a co-author in a few ways. First off, share the writing and write at the same time.  For example, if you are due one chapter a month, rather than each co-author write their chapter every other month, both can write a chapter every month.  That will cut the process time in half.

Have your co-author review your chapter, and review your co-author’s chapter before submitting them each month. That cuts the tech editor’s time down to almost nothing.  It also cuts the final editing down as well.

Tracking changes: Use a file sharing program to keep track of the chapters.  DO NOT email drafts between authors and your publisher until they are FINAL.  When you email a draft to your co-author, and then you receive a draft from your co-author, then another, then one gets crossed in an email, you will all be confused to which draft is the current draft.  Some changes may even be missed.  Use something like SpiderOak or Dropbox.   Edit the files there so that all changes are tracked.  Which brings up tracked changed. Use MS Word and turn on tracked changes.  If you have never used tracked changes before, research it and you will see that it is the only way to go to keep track of changes. 

Timeliness: Get your chapters done early.  A month may seem like a long time, but I promise you that you will have one or more days that get too close to the deadline.  Procrastination is not an author’s friend.  If you are a procrastinator, don’t self-publish because it won’t happen.

Contributors, helpers, co-authors: There are a lot of people you can call upon to help with your book, and you need some of these regardless.  A co-author is optional, but like I mentioned, can be beneficial.  If you are thinking of a co-author, go straight to the A-team.  Don’t be shy.  Be prepared for a rejection, but such is life.

A tech-editor is a necessity in this field to make sure that what you think is correct is.  You don’t want to profess a forensic method to work when you are wrong.  Have your work peer-reviewed by a tech-editor.  The good thing is that you can usually pick your tech-editor.  As with going for the A-team with a co-author, the same theory applies to your tech editor.  Look at books you read, courses you attended, experts you see listed online, and pick who you want to review your work.  Ask and cross your fingers.  Then keep asking until someone says yes.  And if no one says yes, ask your publisher to find one, which they usually can if needed.

Contributors work the same way.  If there is just a single topic in a single chapter that you need help with and want a contributor, just find one and ask.  That’s all there is to it.  Add their name to the book as a contributor, the publisher takes care of the contract and payment. 

Errors: You will do your best to not make grammatical errors.  Your tech-editor will try to catch grammar errors (even though they focus on the accuracy of information more than grammar), your co-author will try to catch your errors, and the final editor (from the publishers, who I assume have PhDs in English…) will try to find any remaining errors.  BUT, there will still be a grammar, spelling, or sentence error of some sort that happens.  I have a book on my shelf that has the author’s name MISPELLED on the back cover.  These happen.  It is expected. Just do your best to minimize them.

Opinions: Before and during the process, ask opinions from those you respect, about what you are writing and intend to write.  If you hear a lot of, ‘that’s not something I would want to read or buy”, take it to heart.  You are writing for people to read it, otherwise, stick to a diary.   This doesn’t mean to forego your ideas and creativity, but be sure to write something that people want to learn about too.

Complimentary books: You will most likely get a set number of books from your publisher as complimentary copies to do with as you wish.   I suggest that instead of sending a book to mom, a book to your brother, and some to your friends who nothing to do with forensics, send them to someone who will write a review.  Your mom is going to love your book, but most likely, she isn’t going to understand what you wrote unless she does forensics.  Sure, keep one for your shelf, but give away the others to those who would have bought it.

Here comes the strange part about the comp books.  I’ve given all of my comp books away and politely asked for public reviews (on Amazon or their blogs).  Of the 99% I sent (I kept one of each book…), less than half wrote a review anywhere. I could have given the other half to family and friends and gotten a better response. Oh well.  Apparently, this seems to be the case across the board as I’ve asked and heard the same thing from other writers.  As a kind suggestion, if you ever get a comp copy of a book, write a review on Amazon.  It will be appreciated greatly.

One more thing on the comp copies.  After the comp copies are gone (maybe there were 10 or 20), they are gone.  The author does not have a never-ending supply of ‘free’ books.  If you get a book from an author that is not a com copy, that means the author bought it, usually at full price.  With bulk orders, there is a discount, but the discount is usually not better than what can be found on Amazon.  A friend of mine (in forensics) was over to visit one day and saw one of my books on my shelf.  I asked if he wanted to look at it and he thought I said, “do you want to have a free copy of my only copy left of the book I wrote?”.  And he took it…..so when a book cost $59.95, that is the price the author pays too….for the book that s/he wrote…therefore…reviews are a nice way to say thanks for book.

Practice first: I wrote a few PDFs that were put online.   Some call these “white papers”, but in reality, when we write these, they are essays that may or may not be peer reviewed.    However, they hold weight in (1) experience in writing that publishers will look at, (2) as in informal surveys in how readers respond to your writing and ideas, and (3) testing the waters of putting yourself out there.

The scariest thing is putting yourself out in the public eye.  Most of us in this field are hyper-paranoid of everything.  Few of us jump into the water without putting our toes in first.  Those who do are not any braver than you.  They just say to themselves, “screw it, I’m doing it”.   Our paranoia comes from the risks of being doxed online because we put our names online (take a look at Brian Kreb’s experiences and you’ll see what I mean).  Others are afraid of having their written words used against them in court on a case by an opposing expert or opposing counsel.   And some are just too shy or embarrassed.

My opinion on public exposure is that when you publish something, you are reputable.  For example, if you publish a book through a noted publisher, such as Syngress or Cengage, your book has been peer reviewed to the max.  It has been professionally published, reviewed, printed, marketed, and will be used as citations around the world. If you don’t want your words used in a students graduate thesis, or as fodder in a court case as a citation, or cited in other books, then don’t write.   But if you want your name to be in the same sentence as ‘expert’ or ‘reputable’ or ‘published’, then write.   Sign your name and jump into the water.  It will be either warm or cold, but jump in.

If you are curious if any of your past works (white papers/PDFs) online have been cited by others, check out https://scholar.google.com/.   You may find that your works are already being touted by others as cited works.

For the readers out there, this is for you.

Dude, when you review books, be kind.  If you didn’t really the book, there isn’t a need to slam the author.  Simply say that you didn’t enjoy the book because of a, b, and c.  I’ve seen reviews of some books (thankfully not my own!) that were down right cruel.  Let’s be nice people.  No one writing a digital forensics book will be retiring off that book and really took a risk of jumping into the public eye.

These are just my opinions.  I would suggest checking out some older posts from Harlan Carvey’s blog (https://windowsir.blogspot.com/2014/05/book-writing-to-self-publish-or-not.html) on publishing.  He has written some good advice on publishing, and like I mentioned, everyone is going to have different experiences.

Lastly, if you have read this entire blog post, that talks about writing a book on some topic in digital forensics, that means you have thought about doing it.   And reading this post to the end means you even have a topic or two that you believe would make a good book.  That means I am speaking directly to you at this point and suggesting that you DO IT!

 

 

1579 Hits

The most important tool in DFIR that you must have...

One of the workstations I have ranks up there in the clouds insofar as hardware.  You name it, this machine has it.  Lots of it.  Crammed into a huge case with lots of lights and liquid cooling hosing.  I call it the “Monster”.  No matter what I throw at it, it chews it up, spits it out, and smiles asking for more.  Seriously.  It’s a dream machine of a forensic workstation.

One thing about it however is that no matter how fast it is, or how cool it looks, it doesn’t really do forensics.  You see, I have this other little computer (laptop).  It’s really really small and light.  No CD/DVD drive, one USB port, and stuffed with high-speed hardware, but not that you can stuff that much in such a small laptop.  I call this one my “Little Baby”.

When I go somewhere, I take my Little Baby.  It does everything I need for the most part.  I would not want to try to index a terabyte or more to index, or try to do any serious processing with it.   However, this Little Baby does forensics work.  I've done forensic work in the offices of lawyers, in front of judges, and in court.  Each time using my Little Baby (I have a few, but they are all my Little Babies).  

I mean this in the manner that it’s not the machine (such as my Monster or Little Baby), but the examiner, that does the forensic work.  If you forego “processing” and “indexing”, the forensic machine comparisons in speed become irrelevant and everything comes down to the examiner.  I mean everything.  The best examiner can use X-Ways or Encase or FTK or any open source forensic tool on practically ANY computer when it comes down to deep-diving into electronic evidence.  The machine allows the examiner to use a software to access the media.  That’s it.  A million gigs of RAM won’t let you examine the registry any faster than 4GB will.  Your eyes and the stuff between your ears will get the job done.

When I teach forensics, one of the things I try to get across is that it is the person that gets the job done.  Flashing lights are cool on a computer, but if the examiner doesn’t know how (or where) to find evidence on a hard drive, then the flashing lights are not going to help.  If the examiner does not have critical thinking skills to investigate (or now commonly being described as "hunting") threats or evidence, then the tools are useless.

Don’t get me wrong. I like fast machines.  I need fast machines for some work.  But that work isn’t typically “forensics” but rather automated processes like imaging, or indexing, or some specific processing or decryption. That type of work requires computing power to get done.  Once that part is done, it comes down to fingers, eyes, and brain to do the real work.

I’m not advocating to not have a Monster machine or two, but I am advocating to rely on your brain, not the machine to the analysis.

BUT.  There is always an exception to forensic machines.  If you choose to have a RAM-sucking, space-eating, and overly-hungry-system-resource software as your primary forensic software, you are going to need a Monster machine to run it.  And if you expect to take that resource-intensive software outside the lab for use, you’ll need a 15-pound laptop along with a small RAID box to bring along so you can use it.

Be able to do anything you need to do with anything you have at hand at anytime needed. I've been around a lot of people with a lot of excuses ("I can't do this without my particular workstation or my particular software or etc...").  The world of DFIR is similar to the military. Make do with what you got.  Excuses not accepted.

I’m sure Picasso could paint a masterpiece using peanut butter and jelly.   An effective digital forensics analyst could do worse than being able to run a forensic application on a little bitty laptop if she knows what she is doing.  The most important tool in DFIR work?  That's your brain.  Think critically.  Link inferences.  About hardware and software?  Those are just things to let your brain connect to the evidence.  

In short, become a Picasso of forensics.  

1353 Hits

Learn by drawing out the experiences of others

I have taught digital forensics at the University of Washington (on and off) for the better part of a decade.  I have also been a guest speaker at several universities for longer than that.  One thing that I learned from the continuing education courses is that most of the students are already working adults with many already working in the IT industry, and I take advantage of their experience by incorporating it into the classroom.

For example, I have had attorneys (prosecutors, public defenders, and civil attorneys), police officers, federal agents, software developers (some were founding members of commonly used software), and a few ‘white hat’ hackers in my courses.  Students who did not fit in any of those categories sat right next to them.
 

Can you imagine what you can learn being a student sitting next to the developer of a major Microsoft program for 10 weeks? Or next to a federal agent who was involved in well-known national security investigations?  Or a homicide detective of a large police department?

That was the benefit to the students: being able to absorb information from fellow students with years, if not decades, of experience.  On the first day of every course, I stress this to the students.  Take advantage of the 10-minute breaks, not by checking your email, but by talking.  Those 10-minutes breaks produce more relevant information than can be gained from a Google search, because you can talk to the people who have done it, do it every day, and want to share.  Rather than 'read' about a case, speak directly with someone who does those cases.

As for me, you better believe I took advantage of the students with experience, all for the betterment of the courses and myself.  In my prior law enforcement career as a city cop, I was a detective that worked undercover and was assigned to state, local, and federal task forces as well as investigated cyber-related crimes that spanned the planet.  I also investigated multi-national organized crime groups (drug trafficking organizations, gun trafficking, outlaw motocycle gangs, street gangs, human trafficking, counterfeit goods, etc…), terrorist cells in the United States, along with a few other crimes that took me across several states.

I give my brief background not to brag, but to show that even with my experience, I gained something from every class from nearly every person and I asked for it directly.  When I found that I had a software developer from a major software company in class, who worked on a program that I use daily…I used him for discussions in class on incorporating that program into forensic analysis reporting and visualization.  Every student in the course may not have recognized the value of speaking with someone instrumental in that one program, but we all learned new ways to use something in forensics that we would not have learned otherwise.  

Courses with law enforcement and attorneys as students also created a great amount of material and discussion based on how they do different aspects of the same job, in their different positions, titles, and agencies.  Hearing from a federal public defender talk about how forensics fits in with her work alongside a prosecutor talking about the same information but applied differently really gives the entire room a wide spectrum of knowledge.  Throwing in the investigator perspective rounds it all out. 

Granted, I’m only talking about continuing education programs.  I’ve taken and spoken at a few college degree programs where the students are students and not yet even in the workforce.  That type of class is an entirely different animal where the instructor had better know what she is talking about.  And yes, I’ve taken courses where a professor had never connected a write-blocker to a hard drive, ever…not in real life or in the classroom…never testified…never created a forensic image…yet teaches the students to do this by reading a book.  That is not the case with most schools, but certainly a few.  

In the course I teach at the University of Washington (I will call it “my” course…), I give students maximum hands-on, maximum time on the keyboard, maximum time working with the tools and maximum real-life information so that they are not only near-competent to competent, but marketable.  I call my course, “Brett’s Digital Forensics Bootcamp” (without the yelling). I don’t like wasting time and I want to teach a course that I wish I could have taken when first starting out.  That means getting your hands on data as much as possible.

One last point about continuing education programs (for higher education courses)

A conversation I had last week about DFIR certifications ended with me talking about continuing education and college degrees as perhaps a better route over certifications for certain people.  For anyone already in the IT field, I find that a continuing education certification from a major university to be ‘better’ than a vendor certification, or if not better, certainly worthwhile.  I say ‘better’ in the sense that most people in IT already have some certs on their resume.  They may not be digital forensics certs, but technology-related certs nonetheless.  Certs also expire, or are discontinued because a business goes out of business or decides to create a new cert.  Having a continuing education cert from the University of Name Your College doesn’t expire, has more clout (or is that now called klout?) through regional accreditation, and is most times considered graduate-level instruction. 

Another benefit of a continuing education course is that since the courses are not vendor specific, the whole gamut of tools can be explored along with the SPECIFICS OF THE JOB.  Vendor courses focus so much on the sale and function of their tool, little time is left to the other aspects of the job that are just as important, if not more important.  I’ve taken well over a dozen vendor courses and I cannot remember any of the courses teaching forensics, other than what their tool does for forensics.

Not knowing how to collect, analize, and present defensible evidence effectively makes the examiner ineffective, incompetent, and can ruin a case.  Especially when someone has not been taught "what is evidence", finding the elusive evidence is near impossible if you don't know what it is.  Even police officers must know the elements of a crime in order to know what a crime looks like.

Yes, you must know how software works, but you also must know the job.  It’s like driving.  You may know how to drive a car, but if you don’t know the rules of the road, you will end up getting ticketed or worse.

1408 Hits

Jimmy Weg's blog archive

Most people in the DF field know or know of Jimmy Weg.  His blog was one of the most popular in the community, but like anyone, Jimmy has retired and will be retiring his blog.  

However, he has offered the blog to be used by anyone until the domain expires.  I know that one DF association (IACIS) will be archiving the blog for its members and Jimmy graciously has allowed me to archive it as well for anyone to use as reference.

Over the next weeks or so, I will be adding each of Jimmy's posts onto my blog, with Jimmy as the author.  You will be able to find all his blog posts on my blog, but under the JustAskWeg category (http://brettshavers.cc/index.php/brettsblog/categories/justaskweg).  Some of the posts are old, as in 2 years which can be old in the tech world, but the information from those posts, especially those concerning virtualization should be relevant for more years to come.  Jimmy's blog is one of those blogs that are valuable to many folks working in the DF field, and it is my pleasure to host his blog while it is still useful. Thanks to Jimmy!

About Jimmy Weg

1388 Hits

Ye ol’ Windows FE

Not to get into the long history of WinFE, but rather focus on the course I created about 2 years ago…it’s time for an update to the course.  There have been almost 5,000 people that signed up for the online WinFE course since 2014.  WinFE has been taught everywhere since its inception, from colleges to federal forensic courses to everything in between.  

Technology changes and with that, WinFE needs to be updated along with a second related topic to be included in the course.  In the next few weeks, I am updating the WinFE course and adding Linux distros to the mix (only the most current Linux forensic distros, not the outdated and non-maintained systems).  The new course is tentatively titled,

"Bootable Forensic Operating Systems"

or something to that affect of having both Windows and Linux forensic boot systems.

The intention of this new course is the same as the previous course: Give forensic analysts additional options in collection, preview/triage, and analysis.

On a side note, I have had about a dozen or so emails about WinFE telling me that;

  1. You have to use a write-blocker

  2. You can’t trust bootable media to be forensically sound

  3. No one does it this way anymore

  4. Today’s computers don’t allow booting to external media

Each time, I have said, “You’re right.  Feel free to use what you want.”  I really don’t see a need to argue with anyone set in his or her ways in the DFIR field.  My opinion is simply that if something works, use it.  If something doesn’t work, don’t use it.  This applies to WinFE, a Linux forensic boot disc, or a write blocker as much as it applies to X-Ways, EnCase, or FTK.

Seriously, if WinFE works for you in a given situation, and you have a choice, feel free to use it.  It’s been battle-proven more than enough.  Same with the Linux distros. If you like it, and it works, and it fits to your needs, why not use it.

With that, I still believe forensically sound bootable media still has its place in the forensic world.  The upcoming course will talk all about it, including building a WinFE and perhaps even putting together your own Linux distro.

2095 Hits

X-Ways Forensics Sucks….

…only with decryption, and even at that, it does everything else superbly.

I probably caught your attention if you are an X-Ways Forensics user.  The only thing that sucks about X-Ways Forensics is that it doesn’t do encryption.  By “doing encryption”, I mean that it doesn’t decrypt encrypted files or systems.  Besides that one aspect of forensic work, X-Ways Forensics rules.

**UPDATED X-WAYS FORENSICS PRACTITIONER’S GUIDE ONLINE COURSE**

I completely updated and extended an online course based on my book, the “X-Ways Forensics Practitioner’s Guide”.  It has taken some time to create a course that has 95% of what you need to use X-Ways Forensics without being an overly long instruction of the software.  The remaining 5% changes every week or so with new features and updates added by X-Ways.  This course covers X-Ways Forensics up to version 19, but know that X-Ways will be adding new features every week that aren’t included in this course yet.  After enough ‘little’ features and improvements have been added, more content to the course will be added as well.

Here is the gist of this post

Register before November 8, 2016 to get both 50% off tuition and a printed copy of the X-Ways Forensics Practitioner’s Guide.  Use this link for the discount: http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide-online-and-on-demand-course?pc=blog

Personal anecdote: While sitting in BCERT at FLETC years ago, I brought my trust X-Ways Forensics v13 to class.  FLETC issued FTK and Encase as the forensic suites during this time, and also issued a license for WinHex. The Winhex instruction was probably 30 minutes long.

I had already been using X-Ways Forensics and the FLETC instructors allowed me to use my license alongside their issued tools.  With a FLETC provided image that was given to every student in the course, X-Ways data carved hundreds of pornography pictures from my image while both FTK and Encase did not.  The instructors thought I had been surfing porn in class until I carved from someone else’s image.  Encase and FTK, for some reason, did not carve up the pictures that X-Ways did.  In about 5 minutes after seeing that X-Ways carved up porn that other tools missed, every image was collected from class by the instructors….

I emailed Stefan Fleischmann of X-Ways during lunch to let him know that his X-Ways Forensics program works pretty good.

My personal experience with X-Ways Forensics started because I was a curious about a ‘new’ forensic program based off of Winhex. I only tried X-Ways Forensics because (1) it was cheaper than anything else, (2) looked kinda cool, (3) and got deep into the actual files like a hex editor.  However, I tried to figure it out and the best way to do that was to host a course.  The only reason I gave X-Ways Forensics a chance was because X-Ways agreed to give a training course in Seattle if I would arrange it, their first course ever.  After seeing how X-Ways worked in that one course, I was hooked using X-Ways Forensics as my primary forensic tool for well over a decade.

I have met many examiners who have tried to use X-Ways Forensics and have nearly always gone back to their other tools, like Encase or FTK.  Mostly, I see this to be because of fear of change and lack of information to use X-Ways Forensics.  There were no books about X-Ways Forensics.  The manual was (is) clearly lacking in giving instruction in using X-Ways, the courses were (are) expensive and not typically where you’d like them to be.  Compared to Encase, as one example, books on using Encase have been around for some time, Encase has been taught in government forensic courses for well over a decade, and courses have been planted everywhere around the world for so long that it seems strange to not have a course local to you every year or so.  Plus, the other tools throw parties, like huge beer fests poolside in Vegas or somewhere neat.  X-Ways? No parties.  No beer fests.  It’s all down and dirty with hex, which is just the way I like it.

The manner in which this online course works is similar to the book that Eric Zimmerman and I wrote on X-Ways Forensics.  We wrote, and titled, the book for practitioners.  The manual is not for practitioners.  Do not start reading the manual hoping to find the ‘how to use X-Ways’.  Do read the X-Ways Forensics Practitioner’s Guide to find out.  Unfortunately, books and manuals simply do not fill the remaining gap of instruction and demonstration.  Short videos on Youtube won’t do it either.  You need a course to learn what you need to learn as fast as you can learn it in order for you to be able to use it right away.

If you cannot attend the official X-Ways Forensics course due to time/money, or maybe you want a refresher to the course you took five years ago, or maybe you are in a forensic course in college that uses X-Ways, this online course is the least expensive you can find (the only one currently in the world) that fills that need.

I can promise that after you complete the course, you will have a different perspective of X-Ways.  You most likely will use X-Ways Forensics as a secondary or validation tool.  Many of you will move completely over to X-Ways Forensics and turn your other tools into secondary tools.  Some of you will turn your entire lab into an X-Ways Forensics lab that uses the “other tools” as validation.

One thing the online course does not do is teach forensics.  You might learn a little something since the course uses publicly available forensic images and gives suggestions on workflows (based on case types, such as picture intensive or user document intensive cases), but don’t expect this course to teach everything about forensics.  For that, you need to take a digital forensics course to show what a “lnk” file is, or how to examine the registry.  The X-Ways Forensics Practitioner’s Guide course teaches you how to plug the X-Ways Forensics dongle into your machine and push all the buttons you need to push to get what you are looking for.  That’s more than half the battle for any forensic software: what button do I push to get forensic artifact “x”, “y” and “z”?

Watch the introductory video (free) to get a handle on why you should take this course.  Whether you have been using X-Ways Forensics for more than a day, new to X-Ways Forensics, or thinking about trying it out, this course is the fastest, least expensive, and easiest method to learn. Bar none.

 

Recent Comments
Brett Shavers
Sorry, but the promo expired.
Saturday, 02 September 2017 16:04
2633 Hits

Virtual Machines, like anything else in technology, can be used for bad

Virtual machines have always been one of the neatest aspects in computer technology.  My first exposure to a virtual machine was in a digital forensics courses I took at FLETC and I knew that this would be the coolest thing ever.  The coolness factor of being able to run one operating system (the virtual machine or VM) inside another operating system (the host) has not grown old for me especially because of the forensic and security implications that exist more so today than that day of first exposure.

It has been 10 years since I wrote the first of two papers on virtualization and forensics.  The first, “vmware as a forensic tool” and subsequentlyVirtual Forensics: A Discussion of Virtual Machines Related to Forensic Analysis”.  Some of the information has been outdated, but most of the information and certainly the concepts are still in play today.  I recommend looking at these two papers to get started on thinking about VMs as it relates to your cases.

Skip forward some years after those first papers; I began to find VM use occur more often on forensic cases in civil litigation matters.  In the majority of the cases, the VMs I found were not used to facilitate any malicious activity, but did result in longer examination time of each hard drive with VMs.  In one case of my cases, a single hard drive contained over 50 (yes, FIFTY) virtual machines and each one VM had multiple snapshots and practically all were being used with malicious intent.  After that case, I made sure to include virtual machine investigative information in two books I wrote (Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard) to make sure investigators consider VMs as a source of evidence.

There was a time when computer users, including criminal using computers, were oblivious to the amount of evidence a forensic analysis can recover.  Those days are virtually gone since most anyone with a computer knows for the most part, that a ‘deleted’ file can be recovered.  In addition, with Hollywood producing movies and TV shows showing forensic analysis of computers, common criminal knowledge now includes knowing about electronic evidence that is created on computers and forensics recovers it.  Every push of a button, click of a mouse, and click of a link litters the system with evidence.  The litter (creation/modification/access/deletion of files) is everywhere in the system, spread out among various locations from the registry to free space to system files, and most can be attributed to a user’s activity.  Getting rid of every bit of the electronic litter is practically impossible, even as certain amounts can be wiped securely.

However, with a VM, all of that electronic litter, aka evidence, is kept within one file that stores the virtual machine.  The user need only wipe that one file to destroy all the electronic litter and evidence that was created during the malicious activity.   The only evidence able to be found will be on the host, and usually that will just show a VM had been started.  The malicious activity/user activity…gone.    Going a step further, a VM booted to a Linux bootable OS (even to an .iso file), will have no evidence saved in the VM to begin with.

I am not discounting other important evidence, such as network logs, captured traffic, or the evidence that can be recovered on the host machine.  That is all good evidence too, but when the actual user activity is contained in a single file that can be wiped securely, digital forensics gets harder if not downright impossible.

A recent article I read on malicious use of VMs goes one-step further.  In the article (https://www.secureworks.com/blog/virtual-machines-used-to-hide-activity), an attempt to remotely start a VM inside a compromised system failed only because the compromised system was also a VM.  Considering that scenario, a hacker starting a VM on a compromised machine can effectively hide nearly all activity within that VM by subsequently wiping it after the hacker is finished.  Incident response just got harder.

Not only are virtual machines used to facilitate criminal activity, but can also be used as a tool to compromise systems.  One creative example of malicious VM use can be read here: https://www.helpnetsecurity.com/2016/08/18/compromising-linux-virtual-machines/  where virtual machines in the cloud can be used to attack another virtual machine if hosted on the same server.  Now that is clever.

Virtual machines are here to stay for all the good uses they provide, which also means they are here for all the bad uses too.  In the world of cyber-cop vs cyber-criminal, every day is another day where each side tries to out-MacGyver the other side with something new, unique, and sometimes pretty cool.

 

 

 

 

1355 Hits