Brett's Ramblings
-
Zombie-Cases: Did you ever have a case that just wouldn’t die?
I just finished up Case Study #8, with one of those types of cases that just won’t die. If you ever had a case like that, you know what I mean. If you don’t know, it simply means that as much as you try to close a case (“kill it”), it keeps coming back to…
-
"I don’t want to learn. Just give me the answer."
Figure it out It’s been more than a few years since I was in the Marines, even though it still feels like yesterday. Although it has been decades (has it really been that long?), it seems that I am still learning lessons today that the Marine Corps exposed me to back then. I mean that…
-
5 Cool Things You Can Do with the Windows Forensic Environment (WinFE)
I’m a fan of WinFE. I’ve used it, written about it, helped develop it, taught it, and assisted others to teach it. The way that I talk about it, you’d think that WinFE is the best thing that ever came along, does everything you need in forensics, and nothing can out do what it does.…
-
Make DFIR easier to learn with visual aids (and teach students to share their work)
In my most recent course that I was teaching, the question of imaging speed came up during the hands-on imaging practicals (it's always the same question, "How can I make it go faster?"). My go-to illustration of imaging tests has been referring to Eric Zimmerman's imaging tests. However, I tried something different this time. I…
-
Dragnet: 2018
Definition of dragnet 1a : a net drawn along the bottom of a body of water b : a net used on the ground (as to capture small game) 2: a network of measures for apprehension (as of criminals) In Hollywood movies, citizens have virtually no expectation of privacy and no practically no protection from…
-
Some things about training, education, and learning in DFIR
In theory, if you know what you are doing and are competent, that is all you need. In practice, being competent is rarely enough. You probably need documentation.... The importance of documentation was hammered into me for years by my employers as a government employee (military and LE). Courts made sure that anything that I…
-
Windows Forensic Environment - Newest project is complete
Forensic Operating Systems The time has come! The Windows Forensic Environment (aka Windows FE, aka WinFE) project and course has been updated. **COURSE IS CURRENTLY AT CAPACITY** However, send me an email (This email address is being protected from spambots. You need JavaScript enabled to view it. document.getElementById('cloak468d8203b49959ca5c86d0a79b2510cb').innerHTML = ''; var prefix = 'ma' +…
-
Cyber Health
I was a spectator to a conversation between a law enforcement DFIRer and corporate computer user this week, and it got interesting when the name-calling started. The point of the conversation was about corporate computer users being ‘lazy’ with computer systems (whether it be managing the organizations website content or just basic cyber health such…
-
Making Ham Sandwiches in DFIR
Following up on some points made about DFIR writing on Twitter, here are my opinions on the subject of writing up your work in DFIR: 1: Write it up (or else your work didn’t happen) 2: Write it for your audience (or it won’t matter what you did anyway) If you follow those two tips,…
-
DFIR Case Studies #7
As I was going through Case Studies #7, I found several some reminders on tips for working a case. The simple obstacles that make some investigators quit only make others drive forward with creativity. One example is the suspect in Case Study #7 using open WiFi to be anonymous. Sometimes, investigators quit once they find…
-
How many exposure dollars do you need to buy a cup of coffee?
I am always flattered to be asked to speak in front of an audience on something that I know something about. I have fun sharing information with great people about the ‘secrets’ on how to do neat things in forensics and investigations. However, I find it odd to be asked to speak at conferences out…
-
Rub some dirt on it.
Failing hurts helps. Not that long ago, I would listen in awe at the DFIR experts presenting at conferences and wondered how some people can just glide right through this work like a slip-n-slide without taking a second breath. I mean, this work is usually pretty difficult to do but easy to make a mistake.…
-
Don’t look back. Try to keep up. This is #DFIR.
I do a lot of peer-reviews. Much like a case study (another one is coming up by the way…), a peer-review of the sort I am talking about is a line-by-line read of a forensic analyst’s report. Then reading it again, then again, and a few more times, all the while red-lining items of interest.…
-
X-Ways Forensics & eDiscovery
Following up on a discussion with an eDiscovery consultant, I wanted to show how X-Ways Forensics is a good (if not better at times) tool to have for the eDiscovery folks in ESI collection jobs. Not that XWF can replace eDiscovery tools, but certainly can complement collection efforts. I would even go as far to…
-
When you think you know enough
If you ever have a day in the DF/IR field when you think you know enough, take the rest of the day off and reflect a bit before doing any more work. The reasoning is that we can never know enough, in the DF/IR field or any field. Usually, there is something that kicks me…
-
DFIR Mentors. You just might be one and not know it.
If you share information, openly discuss that which you can, and sincerely try to help others in the DF/IR field, you are probably someone’s mentor and do not even know it. I have always understood the term of “mentor” seriously as it implies a responsibility to teach others, and also suggests that you know a…
-
Bitcoin Forensics | Investigating Cryptocurrency Crimes Online Course....it's coming...
You knew this was coming. A course in cryptocurrency investigations. There is no faster and comprehensive method to learn cryptocurrency investigations than to take a class in it and study a book about it. As the book is being written, the course is being developed alongside the book as a companion to the book. If…
-
Thinking of Writing a #DF/IR Book? Here’s a tip that may or may not work out for you.
I am very open on my opinions about writing books, specifically DF/IR books. I encourage anyone who is thinking about writing a DF/IR book to write away and start right away! The longer you wait, the more likely someone else will write the book you wanted to write. Over the years, I have been asked…
-
DF/IR Case Studies
I've made three case studies so far and will have a fourth up this week. From the feedback I've asked in a short survey about the case study series, here are the results: The case studies are beneficial, useful, and job relevant. The presentation format works (weekly to bi-weekly case studies). Length is appropriate (between…
-
The last thing we want in DF/IR is the first thing we need in DF/IR (aka: regulations...)
As teenagers, we never liked rules growing up. Curfews. Chores. Homework. But we know now that the rules were good for us. It seems like nothing has changed for those of us in the DF/IR field. We don’t particularly want to be regulated simply because, like when we were teenagers, we know what is best…
-
Sharing is caring
One thing about the DFIR blogs is that they tend to bounce off each other. This is a good thing because tidbits of gold nuggets can be expanded upon with different perspectives and experiences. Never in human history have we ever been able to instantly connect world-wide to increase our knowledge base, especially in the…
-
A bundle of case studies and X-Ways Forensics Practitioner's Guide training
************UPDATE 10/29**************** Case studies 2 has been published. It's the Mr Fuddlesticks case. ****************************************************** Out of the 100+ viewers of the case study I did last week, a bit more than half completed a survey with most of those including comments on the case study in regards to what they want to see. With that,…
-
Case studies are more helpful than you may think
Today’s presentation on a case study was an example of what I have been doing for many years – figuring out how other people do the job… I first started doing case studies when I made narc detective years ago. I can’t lay claim to having had the worst training officer in the narc world,…
-
Drop the mic...please.
Well...that didn't work out so well, did it? I had a serious audio problem with the webinar today, from which I learned to mute attendees for the next time that someone doesn't mute their mic. My fault on the audio, but on to the positive with the webinar: I'm going to make another (two more)…
-
If you are a “Self-Proclaimed Hacker” looking for a job in LE…
We are almost fully into the computer-age. In nearly every aspect of our lives and jobs, computers* in some form or another, are integrated. This means that if you have the inclination and ability to work with computers, your time has come. The world is your oyster as the doors are not only open with…
About me
I find evidence buried deep in computer systems as a forensic analyst while blogging about DFIR, cybersecurity, privacy, hacking, and writing.
I've done a few other things too...
