Girl, Unallocated

Case Experience #2.1 - More About IP Theft Thought Process

2012-03-06T10:39:00.000-08:00

My last case experience included just some preliminary thoughts when starting an IP Theft case, so I've decided to follow up with some additional ramblings. And rather than talk in generalities, I thought I'd add a hypothetical scenario in this go-around.

Hypothetical Scenario

Kilroy Hankmins has been working as an Engineer at Horde Enterprises for a number of years. In the course of his duties, he had access to a lot of proprietary information. Then, a few weeks ago, Kilroy left Horde Enterprises for their fierce competitor, Alliance Inc., ostensibly for the better chicken package. Some of Kilroy's behavior prior to leaving raised a red flag with the upper management of Horde Enterprises. They have Kilroy's HE issued laptop and want it examined for any evidence that Kilroy took proprietary information when he went over to Alliance Inc.

Getting Some Context

I know I harp on this an awful lot, but getting context before you begin an exam can be helpful in targeting your investigation and mitigating costs for your client. (As a side note, Corey Harrell wrote a great post about understanding his customers when doing Fraud cases... I recommend checking it out.) Below are some examples of questions to ask the client that I have found helpful when starting an IP theft case of this sort. Note: These questions aren't aimed at finding additional data locations that may be of use (that's another set of questions altogether), but just focuses on narrowing down information for the system about to be investigated.

Pre-Investigation Timeline

When did Kilroy leave the company?
When did he last have access to the company laptop?
Was the laptop used at all after Kilroy's last access?
Are there any other dates of interest I should be aware of before the investigation?

Intellectual Property

What is the IP of interest in this case?
What format would the IP likely be in?
Do you have a set of search terms that would help identify IP?

Depending on your client, you may also want to find out more about their security protocols. For example, it could be pertinent to find out if USB ports are disabled on all company computers. I just want to make the point that the questions above aren't exhaustive. I recommend coming up with your own list and adding where needed.

Back to the Scenario

For the purposes of this scenario, let's assume that the client answered the questions as follows:

When did Kilroy leave the company? Kilroy submitted his resignation on 2/1/2012 at 12:00pm. His position was terminated that day.
When did he last have access to the company laptop? Kilroy had access to his laptop until 2/3/2012 at 9:00am when he came into HE headquarters to turn it in. (GU Notes: These last two questions are not always going to have the same answer, and when there is a discrepancy between the two answers this window of time can be especially interesting.)
Was the laptop used at all after Kilroy's last access? Oh, yeah. We had IT poke around to see if this was even worth pursuing. They fired it up a couple times and ran reports for me. (GU Notes: Sigh. In an ideal world, this shouldn't happen, but it can and does, so be ready for it. It also is possible that the computer will be in constant use after because it was simply assigned to another employee. Either way, you should know.)
Are there any other dates of interest I should be aware of before the investigation? Not that I can think of at the moment. (GU Notes: This is just covering your bases. Sometimes, there may be information that can shed additional light. Why not ask?)
What is the IP of interest in this case? We are especially concerned about schematics of our products, but, you know, anything proprietary. (GU Notes: Figuring out what is considered Intellectual Property is one of the big questions I face in any IP theft case, and it varies for each one. Sometimes it is contact information, sometimes it is pricing, and the list goes on. There's no golden answer for figuring this one out - or at least I haven't found one yet - but taking the time to discuss and listen to your client on this topic can really pay off.)
What format would the IP likely be in? We think it would be primarily images or Microsoft Office documents. (GU Note: This doesn't mean you should ignore everything that isn't in this format - this is just something that can be helpful to know. It can be especially interesting if the information is in proprietary or specialized software.)
Do you have a set of search terms that would help identify IP? We can do one better. We'll send you files that contain the information. (GU Note: Actually getting examples of real IP can be a great help. However, don't fall into the trap of just locating the files on the system. Especially in a case like this scenario, simply finding the files doesn't show IP theft - the custodian had a right to have them on his HE laptop. What he didn't have a right to do was take the information. So, if we had the AI laptop and found them, that's one thing, but it won't necessarily help here.)

So, now that we have some background information we can begin the investigation! Next time I'll follow up with more specific steps using this scenario.

Case Experience #2 - IP Theft Investigation Thought Process

2012-02-28T10:37:00.001-08:00

I've been reading some of the posts where people have discussed what they find useful in Case Studies, and in addition to unique problems encountered there has been a lot mentioned about the usefulness of discussing the thought process behind an investigation. Not all analysts are going to approach an investigation the same way, and as long as the evidence is found, that's grand. In fact, sharing the different approaches can only help others in streamlining their own processes. As Harlan Carvey stated, "None of us is as smart as all of us." So here's my offering to the collective consciousness.

Case Experience #2
IP Theft Investigation Thought Process

Standard disclosure: This represents a targeted investigation, and does not include every available scenario. Please don't take this as SOP, but rather a brief insight that may lead the direction of an investigation. Note: This thought process is assuming a Windows OS.

Tools:
EnCase v.6.18
RegRipper
NetAnalysis
Log2Timeline on SANS SIFT Workstation
VMWare

Background:
Possible theft of Intellectual Property.

Investigation Thought Process:
In the case of IP Theft, one of the major areas of interest is ways that data could have left a system. In my experience, this happens most frequently via external drives, e-mail attachments, FTP sites or other online repositories, so those are areas where I tend to begin looking. In these types of investigations, there are certain processes that can take some time to run, so it isn't uncommon for me to start running a supertimeline in a SIFT VM, carve for internet history in NetAnalysis, and (if the client has provided search terms or file names of interest) run search terms in EnCase and let those churn away while I start poking around in the registry and various other artifacts. Below are some descriptions of the items of interest I mentioned above:

External Drives - Information about external drives attached to a system can be found in the System and NTUser.dat registry hives. I like to run RegRipper and review the reports even if my timeline created in SIFT includes that information. Apart from getting an idea of the system while log2timeline is running, reviewing the registry helps me narrow down time frames and get an idea of if and what drives were connected. If the time frame of interest is further in the past, I can't emphasize enough the added value of analyzing Volume Shadow Copies or Restore Points (depending on the OS). If information of interest is found, I will look into other artifacts such as link files in the Recents folder and Jump Lists.

E-mail - When looking for e-mail I examine any local mail repositories, but it is important to also look for evidence of webmail being used to send information. This means that internet history can be an important aspect of an IP theft case. If you are lucky, there may be cached messages, or a snapshot of the inbox cached on the system. It isn't uncommon to find the webmail address, which may be of great use to your client and may lead to the ability to access and collect the webmail repository for further analysis. As a side benefit, internet analysis can also bring up gems such as search terms and websites visited that add context to what occurred on the system.

Online Repositories - Sometimes information about online repositories visited is found primarily in internet history. However, I have also come across instances where FTP software was installed, so it is a good idea to look for information about software installed, run, or present on the system as well as sites visited. Information about software can be found in the SOFTWARE registry hive, the NTUSER.DAT, and in software folders, as well as other locations.

Super Timeline - A super timeline can be a bit intimidating when you look at all the information that it contains. However, it is unsurpassed in the ability to immediately provide context from a wide range of data sources on a system. Usually, by the time my timeline is ready to analyze, I have some idea of items of interest, so that I can zero in on those time frames. The ability to filter and search within the timeline provides a great way to also look for other events that are similar in nature to the ones that you have already deemed of interest.

After looking in these initial locations, the investigation becomes more targeted to each specific system and investigation. Typically, I will keep notes as the investigation continues, but it is also common for me to create draft reports that I update as I go along. For me, this helps me get some of the information down in words that can then be modified when the investigation is complete, and I am never faced with the terrifying aspect of a blank page and all the information only in my head.

A Proposal

Just a thought - there are many people in the industry that have provided great insight via blogs, forums, and e-mail. From what I've heard, there are even more people who have insight to share, but don't know how or where to share the information. Blogging isn't for everyone, or there may be other reasons that have kept people from putting their thoughts out there. Because of this, I want to offer my blog as a forum to those who want to contribute, but don't have their own site (or for those that do, who just want a change of scenery). If you are interested in doing a guest blog post, feel free to contact me at girlunallocated@gmail.com. I'll give full credit to any authors who guest blog. So... no excuses now! If you've learned something from someone else in the industry, please think about sharing some of your own insight.

UPDATE: This post was just meant as a very basic outline of what I am thinking at the start of an IP Theft investigation, and is by no means exhaustive or even a complete picture (that would have made for a very long blog post, and who would read that much of me in one sitting?!). However, I don't want to leave it here as there are so many other aspects. I will follow up with Case Experience 2.1 soon, and hope to address additional areas of interest, for those of you who want to follow more of my thought process (you brave souls).

A Case Experience

2012-02-16T20:54:00.001-08:00

Last week I had the opportunity to go to Denver to present a CLE presentation I created called "The eDiscovery Roadmap: From Planning to Production." (Don't fear, fellow forensicators, I'm not changing the focus of my blog... this is just an exposition.) Overall, I think it was a success. The main metric to determine this was embarrassing moments divided by time spent on stage, and since I only tripped over my heels once, the math definitely works in my favor. But apart from getting to lecture to a crowd of lawyers and paralegals ~~trapped~~ enthralled for two whole hours, one of the most interesting experiences came after the presentation was over, when I got to read the feedback from attendees. Time and again, the "favorite part" of the presentation was listed as my "Tales From the Trenches," when I took a few minutes after each phase to tell applicable eDiscovery war stories.

"Tales From the Trenches"

Of course, I'd like to think that this was because of my impeccable story telling. Just look at some of the titles: "The Eager Attorney and the Hard Drive of Doom"; "The Search Term That Wouldn't Cull"; and, my favorite, "The Ineluctable Modality of the PDF". But once I finished fantasizing about adding "Master Storyteller" to my list of accomplishments, I had to acknowledge that there was probably more to it than my wordsmithing. Whatever you call them - war stories, case studies, investigation experiences - there is a lot of value to learning problems others have faced, and how those problems were dealt with.

Harlan Carvey (without whom I would likely never have new ideas for my blog) started another interesting discussion on the Win4n6 forums this week about sharing case studies within the field. I'll be the first to admit my reluctance in the past about inadvertantly disclosing sensitive material, but when I really thought about it, I feel that there are definitely ways to contribute without crossing, or even getting close, to that line. Corey Harrell coined the phrase "Case Experience" to differentiate these shorter, more sanitized communications from "Case Studies", which implies a more complete picture. Yes, I can share case experiences without guilt, and hopefully, I'll even pass on something. It may even be insight. Or knowledge. Or something good. No antibiotics needed.

And so, without further ado, I present GU's Case Experience #1.

Case Experience

Working Title: The Difference a Minute Makes

Standard disclosure: This represents a targeted investigation, and not all portions of the exam will be discussed. Please don't take this as SOP. Also, my set of tools has been evolving, but steps I mention should be able to be performed with a variety of different tools.

Tools:
EnCase v.6.18
RegRipper
PhotoRec
VMWare

Background:
Possible data spoliation. The client requested an investigation that looked into data deletion on a Windows XP system within a specific time frame. The system in question had been in use for a couple months after the time of interest. The end result was a report that detailed recovered files of interest and a timeline of events.

Investigation Plan:
Recycle bin analysis
File recovery using EnCase
File carving using PhotoRec
Analysis of carved files on system for context
Search for data deletion software
Registry and restore point analysis
Timeline generation

Actual Investigation:
The scene: Me smoking a cigar in a shadowy room with my feet on the desk, looking debonair. While recovering the deleted files was of great interest to the client, what makes this case stand out to me is what I found on the system regarding a program called CCleaner. Many of you are likely familiar with it, and have come across it in your cases (in fact, Cheeky4n6Monkey has some great posts about pulling artifacts relating to CCleaner using a RegRipper plugin) It seems to crop up an awful lot in certain types of cases. What made this one interesting was the reconstruction of events found in restore point registry hives. Luckily for me, though the computer had been in use for quite a while after the timeframe of interest, the restore points for the timeframe were still present.

I could see that the registry entries showed CCleaner being installed on the system a couple years before the timeframe of interest. Even better, after tracking down RPs for specific dates, and determining the proper user, the keys showed that CCleaner.exe had been run on the system by the user in the "hot zone". Bingo! But wait... it wasn't quite as clear as that. You see, a good minute after CCleaner.exe was run, a CCleaner installer file called ccsetup###.exe was run, with no indications that CCleaner.exe was run again after the installation. So, was CCleaner simply updated but not run? Or could it have been run after the installer without updating the registry entry?

I had come across CCleaner enough in the past to know that the program will check for an updated version of the software and ask the user if they want to download it if one is available. So it didn't come as a surprise that an installer file would be run soon after executing the program. The question became, after running the installer, if CCleaner was run what changes, or lack of changes, would occur in the registry?

It was time to stop speculating, and start researching. I used a Windows XP machine that had CCleaner already installed. Upon firing up the program, I was indeed prompted to update the software. Following the update, I used the default option to start CCleaner automatically, and then ran the default CCleaner process on the system. Following the run, I examined the test registry hives to see what sort of information was present. The test system registry hives mimicked the investigated system: though CCleaner had been run following the updated installer file, the registry just reflected the initial execution of the program.

Moral of the Story
Now, I don't expect that this is an earth-shattering revelation. I guess the real point that I want to make is the importance of testing when questions are raised or anticipated. In this case, there were questions, and I had the ability to confidently say "I tested the process and the data is consistent." There are so many variables on systems, testing should be common place. You don't need a plethora of extra equipment to do it, either. Run some virtual machines, have a few baseline setups you can use, and take the time to experiment.

Geolocation From Photos = Good Stuff

2012-02-13T09:22:00.000-08:00

One of the great things (there are so many, but this is one of them) about DFIR is that there are many different ways to uncover and analyze data. I was recently doing some research on pulling geolocation information from photos taken on an iPhone (mine, actually), and was led to some pretty great resources. In my continuing efforts to contribute, below is a simple layout of how to pull geolocation information from photographs and then map that information using all open source or free tools. Now, this method isn't the fastest, especially when dealing with a large data universe. What I like about the tasks, though, is that it gets you a bit closer to the data, and doesn't rely on "point and click" methods.

Pulling Longitude and Latitude

Download ExifTool at http://www.sno.phy.queensu.ca/~phil/exiftool/index.html.

Note: This tool can write as well as read Exif information. Make sure the data is write-blocked or you are working on a copy and not the original.

Extract the tool.

Rename to exiftool.exe (from exiftool(-k).exe) and place in the C:\Windows directory. This allows the program to run from the command prompt.

Open the CL window. Type

exiftool –csv sourcedirectory > outputdirectory\logname.csv

(or leave outputdirectory out to place file in same location as images).

If all the parameters are correct, the command will run and an output file will be created in the directory specified.

Of particular interest for this project are the Geolocation, or Longitude and Latitude.

Mapping Longitude and Latitude

Now that we have the coordinates, the next step is to map them. Download Google Earth from http://www.google.com/earth/index.html

Add placemark by selecting the yellow pin icon. Fill out corresponding information, i.e. Latitude, Longitude and any identifying information. Note: You will need to adapt the format of lat/long to reflect the format shown below, with “°” rather than “deg”.

Repeat for any additional locations. You should now be able to view the locations on Google Earth.

If people want to see other methods, let me know and I'll follow up with additional tools. For now, though, hope this is interesting!

UPDATE: I promised to follow up if people were interested, but the community has already done that for me - and far better than I could have done. For more information and tools, see comments below. Find a tool, and take the time to thank whoever it was that put up the time to make it, and even more, to make it available to everyone. Thank you to all those who created and posted links to more tools!

Another CL Tutorial

2012-01-19T11:23:00.000-08:00

My last tutorial met the usefulness requirements, so as promised I am following up with another video, this time about using one of my favorite commands - robocopy*! (I like it even more because it sounds like a bad B Movie spin-off.) I'll also show you how to automate commands, so you don't have to wait for one to finish in order to start the next one... just click and run. Enjoy!

Using the Robocopy Command

Forensic4Cast Awards

If the other excellent bloggers out there haven't convinced you to submit your nominations for the Forensic4Cast awards, I'm here to remind you that this is an excellent way to show your appreciation for the people and products that help make our jobs better, and the DFIR community great. Take a few minutes to nominate your favorites!

* I'm not going to argue whether robocopy is "forensically sound" or not... please don't take this tutorial as an endorsement that it is or isn't. Either way, it's a great tool for different situations.

Trying Something New - My First Instructional Video

2012-01-17T19:49:00.000-08:00

"Human beings make life so interesting. Do you know, that in a universe so full of wonders, they have managed to invent boredom.”

-Terry Pratchett (as spoken by Death)

There has been an interesting discussion in the Win4n6 group this week about what keeps examiners from learning more about our own field. A lot of thoughtful points and counterpoints have been made, and I find myself agreeing with both sides a lot of the time. I'm as guilty as the next examiner when it comes to occasionally picking up a fluffy fantasy book (see quote above) over reading "Log Parser Toolkit" into the wee hours.

In addition to reading up on the discussion about learning, there has been dialogue about community contributions. I've been more of a lurker than a contributor recently, and hearing the arguments made about the importance of everyone contributing made me think. Specifically, Harlan Carvey's excellent post was a real powerful motivator to get off my rump and do my part (or at least enough of my part for my conscious to freakin' lighten up on the guilt trip).

Trying to teach, or at least contribute, while you still feel like a learner yourself can be intimidating to say the least. But one thing that I have learned is that if you know a subject pretty well, one of the best ways to take your knowledge to the next level is to teach what you do know. Seriously. When you actually have to verbalize your thoughts and put together a cohesive study, the knowledge base solidifies and you may even find yourself researching aspects that you hadn't considered prior.

Inspired by one of the emails on Win4n6 list, I decided to try a basic Windows command prompt tutorial. No, it's nothing new, and yes, it's very basic, but I figure that I have to start somewhere. If it is useful, I'll follow up with a tutorial on the robocopy command and creating CMD batch files.

5 Side Benefits to Attending a DFIR Conference

2011-11-10T08:41:00.000-08:00

I got back from the PFIC in Park City yesterday afternoon. Harlan Carvey already posted a great account of the PFIC so I won't do a full redux. Instead, I have included some side benefits to attendence for those of you who are on the fence about going to future conferences.

Benefits You May Not Have Considered...

1 - If you lose your iPhone, it will get returned. However, it will also have been imaged and analyzed in depth by those who have yet to get the chance to work on one in their cases. To, you know, figure out who it belongs to and stuff. Yeah.

2 - The presenters are the DFIR equivalent of ~~Justin Bieber~~ ~~Twilight actors~~ someone actually good at what they do. And this is a way to meet them in a way that doesn't end with an inconvenient restraining order.

3 - After years of being avoided during parties when you start talking about your work, people you meet actually want to hear about the details of how you do your job. Extra bonus: Not being compared to a TV character on a crime procedural.

"Nerd Porn"
It's beautiful, isn't it?

4 - No one asks you if you can fix their computer. If someone does have a problem - like malware - they happily tell you what artifacts they examined and analysis insight gained as a result.

5 - Nerd Porn*. Because there is something strangely satisfying about watching hex in a room full of strangers.

* Phrase coined by @keydet.

But of course, the chance to meet up with other people in the industry is by far the biggest bonus to these events. Thanks to all who made the time fun and useful. I'll see you on the flip side...

UPDATE: For those who went to the conference and want to catch up with some of the people there, here is a list of attendees that I am aware of:

Journey Into Incident Response - Corey is as amazingly knowledgeable as his blog suggests, but is also incredibly approachable.

WriteBlocked - Mike will melt your brain with his knowledge of NTFS. True story. He is also a great resource for lost iPhones.

Forensic Methods - Seeing Chad present solidified my longing to attend a SANS course. Very, very good stuff.

Windows IR - I resisted the urge to bring my DFIR library in order to have Harlan sign each book. It was great to see him present, as he not only knows his stuff but is incredibly good at conveying the concepts.

Timelines and Tiaras... and a Broken Promise

2011-11-03T15:47:00.000-07:00

As I have done before with many a new venture, I started my Linux journey starry-eyed and not willing to bend on any of my self-imposed rules. Multiple people suggested the (Linux-based) SIFT workstation, but I demurred. Looking back, I don't know why I didn't jump on it right away... oh, wait. I remember... I was going to do this Old School. From scratch. Yeah. And then, last Wednesday, I joined in on the HTCIA and COINS "Super Timeline Analysis" webinar. And it hit me. Yes, really cool tools (like log2timeline) can be installed separately, but why reinvent the wheel when SIFT has them already preconfigured? And by using a virtual box it is so easy for SIFT and Windows to work together... well, I had an epiphany, followed closely by another epiphany (which apparently felt like I wasn't paying it enough attention and so was making itself known by metaphorically jumping on the couches and leaving presents in my shoes):

Epiphanies 

This is actually my
"nephew"... not an epiphany.
But you get the idea.

1) I have learned a lot about Linux in the past couple weeks, but I believe that SIFT will allow for continued learning in this area. Hey, it's still Linux. And I will be rocking that command prompt so hard it won't know what hit it. Okay, I admit it, I was getting sick of dealing with a dual boot. VMWARE hooray!

2) The end goal of testing new procedures is to make the "real" work better. By testing new open source tools with procedures I already use, my analysis process will be more streamlined when I integrate the tools into my investigations.

So, new plan: I will use a Windows machine, but will limit my usage to open source or free tools, wherever possible. Seems like a decent compromise, right? (You win, John Hodgman) Besides, I'm anxious to play around with RegistryDecoder.

On Starting With the End

The coolness of SIFT aside, one of the other things I really enjoyed about the webcast was how Rob Lee worked backwards in time as he demonstrated timeline analysis - starting with the finalized spreadsheet and then showing the steps he took to get there. As a learning tool, I thought that was excellent. If you start off on a journey, it's helpful to know where you are going. If you don't know the expected format, how will you recognize anomalies?

A similar line of thought can be used when writing reports. "Begin with the end of your case" - great words about report writing coming from a recent post on Unchained Forensics. The idea of writing the summary before the exam really got me thinking. On the issue of how familiar an examiner should be with a case prior to performing their analysis, I fall firmly in the category of "the more we know the better we can do our jobs." Context helps an examiner focus their efforts. Not only is it more cost effective, but things may be overlooked or misinterpreted if the background to the case isn't known. At this point in my musings, I found myself humming the following melody:

WARNING: This video should not be viewed by those who don't like extreme cheesiness, musicals, general cheesiness, Shakespeare, self-aware cheesy dialogue, and/or really cheesy choreography. Don't say I didn't warn you.

For those that don't want to torture themselves with my questionable musical tastes, the song is two characters comparing themselves - very happily - to Shakespeare's Romeo and Juliet.

"I bet Romeo marries his Juliet

They have a baby

And make lots of friends!

That's probably the way the play ends."

I can't help thinking that if the characters in the song had a bit more context (i.e. that Romeo and Juliet is a tragedy) they would have been less apt to tempt the powers of Literary Device by comparing themselves to the star-crossed lovers. Lucky for us examiners, there is nothing wrong with going through a few different hypotheses during an examination. In fact, I think it is beneficial to the process to explore both expected and unexpected data. That doesn't mean we should try to force the data where it doesn't fit, but knowing how and why it doesn't fit can be important as well. I may just have to try out this idea of pre-examination summaries. It is certainly intriguing... once I've tested it for myself I'll let you know how it went.

Playing around with timelines!

Sure as I am breathing

You can make command-line prompting

Language fun

My Tale... Now Told

2011-10-31T14:16:00.000-07:00

I was interviewed by Michael Kassner for an article on TechRepublic. The article focuses mainly on my time in Iraq and how I "broke in" to the field. Hopefully people find it an interesting read - Michael did a great job translating my rambling into a cohesive article.

And lest you think I have forgotten about my Linux quest, know that a post about timeline analysis is coming soon. Spoiler Alert: I am going to try to tie it in to a musical number. Those who know my taste in music may well consider that a threat.

This Break in Your Regularly Scheduled Linux Posting is Brought to You by Musings

2011-10-27T12:23:00.000-07:00

Guess which one my brother is?
Hint: He's the one that looks like a
younger brother.

Though not a language guru myself, I have two younger brothers that have gone through the DLI (Defense Language Institute) as part of their training in the Army. Never having been myself, it appears to be a pretty intense study (Arabic and Korean aren't the easiest languages to learn, either). As an older sister, I feel that it is my right to be proud of what my baby brothers have accomplished. It is also within my rights (according to subsection II b of the Elder Sister Contract) to rib them for the fact that I've been to Iraq and they haven't. Learning a new language is hard biscuits, especially if you haven't been exposed to the situation before to know its best to dunk them in your drink of choice.

Luckily, my research (from watching 13th Warrior) shows that immersion is a great way to become conversant in Old Norse. My own attempts to sit down with Linux next to a roaring fire have been less successful, but I'm getting there. Learning to operate a command line or learning a programming language really is learning another language, and some of the same tactics used to learn one may well help in learning another. An hour course in a language may well teach you how to put together the syllables to say "where's the bathroom" or how to run a specific script in a certain environment, but what then? And why bother in the first place?

I get it (I really, really do) - it can be intimidating. The "native speakers" set a pretty high bar. And we've spent so long working on the language we know now. And this language sure works for the people we need to talk to right now, right? In his post on learning Perl Programming, Corey Harrell gives great reasons on why learning a new language was important to his work: deeper understanding, extending current capabilities, and a baseline that will allow for the expansion of future capabilities. Yes, it's hard, but worth it. As examiners, it behooves us to have a variety of tools at our disposal, and then to use all the tools appropriate for any given exam. It's a digital Arms Race out there, and there is no end goal. We need to keep moving - not just as an industry, but as individuals.

The good news is that, just like spoken languages, the more digital languages you learn the easier it is to pick up new ones. And Korean or Arabic, DOS or python, there is value to each (check out Command Line Kung Fu to glimpse the possibilities). So get out there, eat a biscuit/sit around a fire/practice high kicks. I'm doing it too... and would love the company.

Paying the Boatman - Escape Across the River Linux

2011-10-24T16:34:00.000-07:00

Close as I am to the stuff of legends </sarcasm>, surprises have lurked around every corner as I quest for a completely open source exam. However, those adventures require another telling, at another time. The chants have been spoken, rites performed, and my computer is now excised from the commercial shores.

Troubleshooting aside, I have also been spending time downloading additional tools. The great Hal Pomeranz (of Linux and dancing fame) provided me with an expanded list of Linux tools for the exam. I have also been loading my system with old favorites like regripper and a command-line FTK imager. I'm not going to go through the full list now, but I will include which tools I am using for each exercise as I move forward.

After giving much thought (i.e. a couple minutes while nomming a biscuit), I haven't decided what to actually examine. My thoughts are as follows: 1) there's no way I want to examine my own drive... there's just some stuff no one needs to know; 2) if I created the image I'd know what I was looking for and that kind of defeats the purpose. So, if anyone has a recommendation for a test image to use, please let me know. We can play Show-me-your-method-and-I'll-show-you-mine. Until then, I'm going to just do a couple generic steps to keep me moving forward in my task.

A Short Step in a Long Journey

I've made no secret of my love affair with RegRipper, and since it was the first tool that opened my eyes to the wonders of Open Source tools, it seems only appropriate that I use it as a starting place for this exam. No installation is required to run RR, and since Perl comes pre-installed on Ubuntu, all that is needed is to download the code and you are ready to go.

Navigate to the folder that contains the extracted contents of the download. In my case, the account is called "work" and I have been placing all of my programs in a folder called "tools", so to navigate to regripper I type "cd /home/work/tools/regripper". Once at the prompt I ran the corresponding plugins across each of the five hive types. The command line version is really just like the windows GUI I was utilizing previously, just without the browsing option.

perl rip.pl -r /home/work/Desktop/OSExam/OSExamRegistry/SAM > /home/work/Desktop/OSExam/SAMRip.txt -f sam

I interpret this script as saying "Hey, you. Yeah, you. Perl. I came all the way out to your directory, so I need you to do something, see? What I need you to do is go out to this SAM file... yeah, here's the directions... and put the information you get into a file. Yeah, yeah, here's a map. Oh, you want to know what information to get? Here's this list that the Boss made. 's called sam. It has everything you need to know." To me, this script has a Jersey accent.* This script can then be altered for each of the remaining hives: SECURITY, software, system, and of course, NTUSER.DAT. In fact, if the hives have been exported to the same location, a simple replace function can make it quick and painless.

And voilà! Triage can begin by looking over the information found in the registry.

Stay tuned for the next installment.

*It may also belong to the mafia, but you didn't hear it from me.
** As Hal noted, the plugin is usually given prior to the output. For reasons as yet unknown to me, it works find in my system to do it before or after. So, if you try to run my command and it doesn't work for you, change the plugin location!

Crossing the River Linux

2011-10-20T14:40:00.000-07:00

For as much as I profess to love open source, I have a confession to make: up to this point in my career, Windows has been my OS of choice. Oh, I'd do my time with MAC OSs when needed, but then it was straight back. Well, I've decided to break that cycle. It's time for rehab. My goal is to undergo a self-imposed Open-Source/Free Tool immersion program, the end goal of which is to conduct a comprehensive (practice) forensic exam using only open source tools. So... Let's do this! Lerooooy.....

Rehab Day 1

This first entry could alternatively have been called Ubuntu for the Absolute Beginner. Beyond forensic boot CDs like Helix and Raptor, I have very limited experience in a Linux environment. I decided to use Ubuntu as my OS because it is the distribution used in the examples found in Digital Forensics with Open Source Tools. But on a personal level, they had me at Oneiric Ocelot. Oh, you non-commercial guys are adorable.

After burning the ISO to a CD and installing on a spare 500GB HD, I was ready to go. The Terminal was eventually found by selecting Dash Home and searching for "command."
I am pretty comfortable using a command prompt, so I figured that this wouldn't be too much of a stretch, but I have come away with some lessons learned:

1. Linux is sensitive to caps. You can't just type upper and lowercase without regard like you can in DOS/Windows. Remember this. I can't tell you how many times I typed a path before I remembered that one of the directories needed to be capitalized.

2. The directory slash is opposite than it is in Windows. Windows = \ Linux = /

3. Putting a / at the beginning of a path denotes an explicit path (you need to write out the full path), whereas leaving it out is a relative path (the path starts in the directory you are currently in).*


It's like pg 12 of DFwOST... except its on my computer!

Installing Software

All of the software that I downloaded comes with installation instructions, but just in case it saves someone the time of going through them, here's the instructions for what I installed today.

Perl and Python were pre-loaded with the OS.

Installed Python 3 (as recommended in DFwOST) by typing "sudo apt-get install python3-minimal" into Terminal.

Installed Ruby by typing "sudo apt-get install ruby" into Terminal

Installed The Sleuth Kit by downloading and extracting the tar.gz. In terminal I navigated to the extracted folder and typed "./configure" followed by "make" followed by "sudo make install".

Installed log2timeline by downloading and extracting tgz. In terminal I navigated to extracted folder and typed "perl Makefile.PL" (note capitals!) followed by "make" followed by "sudo make install".

What's Next?

Now that my system is up and running, I will start the examination and keep you updated. I know that I may be late to the Linux party, but hopefully this proves helpful to someone out there. And if nothing else, at least I got chicken.

* This realization (which was immensely helpful!) came from reading "The Beginner's Guide v3.78" at http://linuxleo.com/. If you are interested in Linux for forensics, check it out. Lots of interesting tips.

FE Side 4 - And a Poll... Just Because

2011-10-17T14:28:00.000-07:00

UPDATE: The voters have spoken... "Stats" won by one vote. Thank you for your input!

Digital Park

2011-10-13T10:31:00.000-07:00

I bought Digital Forensics With Open Source Tools as soon as it was available, but I have to admit that I haven't been able to really sit down and test the procedures until recently. I am one of those "lucky" DFIR folks that works for a company that has the budget that allows us to purchase and maintain licenses in the major forensic suites as well as software for specific areas of analysis (i.e. internet analysis, portable devices, etc). However, I've noticed a recent trend in the way I conduct my own examinations. While I still use the commercial software for the "big picture," more and more I am turning to open source tools for certain processes and for validating my findings within the suites. This could be because I've leveled recently and a new Talent Point was available. (In which case, booyah. I think I'm close to a flying mount.)

But my situation got me thinking. So put safety belts on your brain - I'm about to start analogizing...

If I hadn't already convinced you of my complete lack of cool, I have another confession to make: I love dinosaurs. Well, the love extends beyond dinosaurs to any number of prehistoric, now-extinct animals (limiting my research of natural history to the Mesozoic would leave out gems like the Leptictidium and Panthera atrox). And like any amateur dino hobbyist, I visit museums, dig sites, and dino parks. And, of course, watch the shows. Hollywoodized adventure, educational, even cartoons at times. Granted, sometimes I just watch so I can roll my eyes and explain why that is totally wrong... but I still watch them. I'll get back to DFIR eventually... I promise. This brings me to the two shows for this discussion: Jurassic Park and Prehistoric Park.

"We spared no expense."

"We spared no expense" is a phrase repeated many times by the character John Hammond (aka Old Guy). He had teams of scientists, Paleontologists, and what I can only assume was a proto-Crocodile Hunter. And Jeff Goldblum can wail all he wants about Nature having it's way, but I see the whole fiasco as an information and systems breakdown. Much of the problems encountered in the show revolve around the idea that the dinosaurs are genetically altered (with the frog DNA), and apparently no one really took the time to figure out what the changes would be. If more attention was paid to the small details, and additional research done on the processes used, the outcome of the show could have been drastically different (i.e. not as entertaining).

Wooden fence? Check. Does the job.

By contrast, Prehistoric Park never mentions a large budget. And the wooden handmade fences and small staff suggest it isn't very large. (Maybe they spent it all on the time machine) Also, by contrast, no changes are made to the dinosaurs. Nigel simply goes back in time and gets them. And because he is a paleontologist and adventurer (and The Man!) he knows enough about them to escape injury. Being chased by a T-Rex? No problem. He just heads for covered ground. And since the T-Rex is bottom heavy and not very nimble, it doesn't chase him there. (I guess that frog DNA really increased the nimbleness of the T-Rex in Jurassic Park... that thing crashed through undergrowth like nothing else). Of course, Nigel got away with it because he knows a lot about the creatures he would be encountering. So... do you see where I'm going with this?

And finally to my point. Using forensic software is great, especially if you have the budget. But be wary of not understanding the processes used to present the data that you are seeing. (See questions raised during the Casey Anthony trial regarding search terms) A big budget isn't everything, though. If you have the knowledge and willingness to get in and "get your hands dirty" (digitally speaking), you don't need the big budget. Plus, that method helps you understand the data on a deeper level, and puts you in direct contact with your data. Booyah.

On Writing

2011-09-19T16:03:00.000-07:00

Every now and then, I see requests for sample reports from people in the field. And while I can't share reports I've written due to confidentiality issues, I thought it might make for an interesting post to write about some of the guidelines that I like to follow when writing.

I did hesitate just a bit on posting about this, mostly because it shouldn't be taken as DFIR Gospel (actually, nothing I write in this blog should be taken as such, but I believe you are savvy enough to know that). The following guidelines are just some things I've learned along the way that I try to adhere to in my own reports. A lot of it will probably just sound like common sense. Many of you are probably doing what I lay out, or something much better. That said, if you want to add any ideas of your own, please feel free!

Girl, Unallocated Presents:

Report Writing Guidelines

Resist the Urge to Use Comic Sans

... or any other distracting font. Times New Roman is your friend. And whatever you do, absolutely no Wing Dings.

Balloons explode. They explode suddenly, and unexpectedly. They are filled with the capacity to give me a little fright, and I find that unbearable.

Be Cautious of Absolutes

There are a few times when you can say with certainty that something is always true, or never occurs. Even if you are very sure of a statement, be careful about using absolutes. (Unless you have tested every eventuality and are sure there will be no subsequent research with opposing conclusions... these situations can create havoc during cross-examinations) Useful phrases include: "This leads me to believe..." "It is my professional opinion..." "The evidence indicates...". I'm not saying that you should be wishy-washy. This language is a means of presenting the information as what it is - a professional opinion. Being able to express opinions is what seperates an expert witness from other kinds of witnesses.

Break it Up

Reports can get long and are often very detailed. For the reader, they can seem (le gasp) dry. Also, it seems to me that with almost every report I write, the intended audience tends to focus in on one or two items out of the entire report as the items of real interest to them. And while I would like to think that they marvel over every word as a manifestation of genius, I know that what they really want to do is to zero in on the really juicy bits, and be able to navigate easily to other points as needed. So, like many before me, I oblige by breaking my report up into sections. A few sections that are frequently used by myself and others in the industry are as follows:

Title Page - Include case name, date, investigator name and contact information.
Evidence - This should include serial numbers, hash values, custodian information, etc.
Objectives - Especially important to include if you were asked to perform a targeted investigation. Also a good idea to include any specific search terms requested.
Steps Taken - Be detailed here. Remember, your results should be reproducible.
Relevant Findings - Subcategories will depend on purpose of the exam. They can include: timeline; deleted data; encrypted/password protected; search terms; malware; etc., etc.
Conclusion - Tie it all together.
Exhibits - I reserve exhibits A and B for my CV and Chain of Custody, respectively. Certainly not necessary, but it makes it so I always remember to include them in my reports.

An additional touch that I like to include is hyperlinks within the report to make navigation easier. Some places where hyperlinks prove useful is within the Table of Contents and to referenced exhibits. For example, I will usually include a hyperlink to the Chain of Custody form somewhere in the Evidence section. And if you are now shaking your head and wondering why I make extra work for myself, wonder no more. With a little bit of effort up front, it is fast and easy. If you haven't been introduced into the wonderful world of Report Hyperlinking, please read on...

Create a Template

Templates are easy to create and will end up saving you many hours of work down the road. The template doesn't have to be anything crazy, but just having one will make report writing easier, if for no other reason than because you won't have to remember to include things that are already built-in. Templates can also make your life easier by automating or simplifying boring things like page numbers, footnotes, and hyperlinks.

Speaking of hyperlinks, the steps below are a simple outline of how to create sections within your report that will allow for quick and easy hyperlinking.

On the References Tab, select "Add Text." Add top level sections using Level 1.

Add subsections below the main section using Level 2.
Any content should be added in regular text underneath a Section or Subsection.

Add a Table of Contents. Also located on the References tab.

Your TOC includes page numbers and is automatically hyperlinked to each of your sections.
Note: You will need to update the TOC if changes are made to the report.

Added bonus for hyperlinking elsewhere within your report!
Select item/text to be hyperlinked and choose "Place in The Document."
You will be given your Sections as hyperlink location options.

Note: Though hyperlinks don't work if you print out the report (obviously!), they will still work if you convert the report to PDF within MS Word. Awesomesauce all around.

Confidentiality/Draft Language

Additional benefits to a report template include consistent formatting and standardized language. Use Confidentiality language whenever appropriate. Also, I recommend having the word "Draft" in a header, footer or watermark on every page until the report is finalized. Those of you familiar with the recent changes to the FRCP may recall that drafts of expert reports have additional protection from discovery, but it behooves you to make your drafts easily recognizable as such.

Conclusion

I hope that this information may help someone out there is some small way. Obviously, reports are something that could be discussed for much longer. Again, feel free to share any of your own little tidbits.

すべての魚に感謝 (Thanks for all the fish)

2011-09-10T00:18:00.000-07:00

One of the many things that I love about my job is the opportunities I have for travel. Most often the travel is just a few cities or states away, but this summer has been especially eventful in that area with trips to the UK, Germany and, most recently, Japan. In Europe, I found it more or less easy to fit in. I have become fairly adept at matching my wardrobe to those around me and as long as I didn't speak too much I would sometimes even be taken as a local.

Naturally, I assumed that it would be more difficult to fit in while in Tokyo, so in the weeks leading up to my departure I read books on the culture and business practices in Japan (offer and recieve business cards with both hands, then take time to study them thoroughly), listened to an audiobook of Japanese phrases (eigo o hanasemasu ka being an important one), downloaded translation apps, and made sure to memorize the Kanji for the subway stations I would be frequenting (品川 for hotel). And I did this with only a touch of self-importance. Seriously. I was only a bit smug about how easily I would fit in and how I would impress those around me as a Westerner who got it.

And then I actually arrived in Japan.

All those phrases I had so carefully practiced while driving simply abandoned my brain at the first indication that they would actually be needed. And while I managed to get the business card thing right, I was politely ignored by fellow travellers as I talked on my blackberry while I walked to work. Silence being encouraged on public transport (including elevators), or in public in general, was something I hadn't heard about. A Westerner who "got it" I was not. Luckily, most of the people I interacted with seemed, if not pleased, at least conscious of my poor attempts and were helpful.

But being so wrapped up in trying to prepare for cultural differences caused me to overlook something that should have been apparent: the most frequently used computers in Asia are often different makes and models from those I have run across in the US and Europe. And while there was certainly nothing disasterous, it would probably have been a good idea to have done some research on computers in the region (particularly laptops and how to get to their hard drives in case their specs don't allow them to run from a bootable CD).

I fly out of Japan in a couple days. It has been an amazing experience and one I won't forget soon. In the meantime, I'll leave you with a picture I snapped with my blackberry this afternoon. It was too surreal a moment not to capture:

That's right, my friends. What you are seeing involves a Japanese man, a Sea Lion, and a naked doll doing a high kick. Sometimes, life is almost too beautiful.

Catch-10110

2011-09-06T23:51:00.000-07:00

I have a strange background for someone who has made DFIR my career choice. My major in college was English Literature. I guess if nothing else it explains why I enjoy writing reports, and why I liken the analysis process to uncovering a story. Fellow literature geeks inside the field may well recognize the following passage:

There was only one catch and that was Catch-22, which specified that a concern for one's safety in the face of dangers that were real and immediate was the process of a rational mind. Orr was crazy and could be grounded. All he had to do was ask; and as soon as he did, he would no longer be crazy and would have to fly more missions. Orr would be crazy to fly more missions and sane if he didn't, but if he were sane he had to fly them. If he flew them he was crazy and didn't have to; but if he didn't want to he was sane and had to. Yossarian was moved very deeply by the absolute simplicity of this clause of Catch-22 and let out a respectful whistle.

Artistic approximation.

But for those starting out in this field, the situation may seem all too familiar, and the recognition is far more personal than reading a novel. In DFIR, we have Catch-10110: you can't get hired without experience, but you can't get experience until you are hired. For the geeky out there, it's like trying to level without being able to get XP from quests. And we all know the outcome of not getting XP from quests. You have to spend the entire time in the forest killing boars and that takes forever.

The other side of the coin, and a very valid one at that, is the concern of sending people out in to the field unprepared. If a first responder or investigator gets something wrong, the worst case scenarios are pretty grim - including contaminating evidence that cannot be used in court (evidence that could have convicted or exonerated someone) or, if you need a more personal reason, getting sued. It's pretty heady stuff. With that much at stake, it's no wonder that employers are looking for people who are tried and tested in the field.

The middle ground for many has become skill-based certifications with a practical portion. The idea being, if you know it and can do it and can prove that, you get a piece of paper saying so. Personally, I love certifications. I may, in fact, have a slight addiction to seeing official-looking pieces of paper with my name on them. However, it seems to me (and please prove me wrong, if there is something you know that I don't!) that most of the certifications out there: a) cover the basics wonderfully, but don't branch out into other areas of expertise OR b) have a layered approach to the other areas, but are vendor specific. Of course, the lack of a certification doesn't mean that the knowledge isn't out there for the learning. The DFIR community has amazing resources from books, blogs (many of which are written by the book authors!), and online networking galore. Not to mention the whole personal research aspect.

But in My Perfect World* a vendor-neutral certifying board would have levels of certifications based on content, experience, difficulty, maybe even exam score. Specialized certifications would also be available once certain prerequisites were achieved. Think of the possibilities! To know offhand that you could tell a client that you are Level 49 DFIR Certified with a First Responder spec would be awesome. You could even assemble a ~~raid~~ team with ~~tank~~ Investigator, ~~DPS~~ Developer, and ~~healer~~ Incident Response specs.

*I have a lot of perfect worlds. This one just applies to the world of DFIR certifications.

The FE Side 3

2011-08-30T15:51:00.000-07:00

All new FE Side for your viewing pleasure.

Let me know if you want to see more.

Part 3 of 3 - What My Time In Iraq Taught Me

2011-08-26T12:04:00.000-07:00

Much of what I learned from my time in Iraq had nothing to do with forensics. For example, I learned that if everyone else in a room stands up when a General walks in the room, it's best if you do too. Also, comments regarding military uniform should never involve certain words, "adorable" being foremost among them. I learned the importance of humor and friendship. I learned which days it was best to show up early at the DFAC, and why it is sometimes best to wear a hat, even in 115 degree weather.

I also learned things that I believe make me a better examiner today. One thing that I must stress is that Media Exploitation is a different beast from Digital Forensics. Oh, a lot of the hardware and software are the same, but the end goals are different. Where forensics focuses on evidence to be used in a court of law, exploitation is looking for actionable intelligence. And while the nature of digital data doesn't change, how you approach the analysis may. With that caveat, here are some lessons learned that I came away with.

What I Learned

Triage - What a hard lesson this was. Coming from a legal background, I had a terribly hard time coming to grips with the fact that I couldn't leave every byte unturned. Every time I turned over a report, the thought nagged at me - "What if I didn't find everything?" When lives could be at stake, this fear can eat away at you if you let it. Conversely, holding on to data in an effort to find everything could be just as dangerous, if not more so. A report that may have been of vital importance may be too late just hours later. Naturally, the solution was to triage. Certain file types, specific keywords, and known programs had been found to hold the most "low-hanging fruit" (man, I hate that phrase). I learned, eventually, that in a "boots on the ground" capacity it was my job to get out the most data I could in the fastest manner possible. The media would be more fully investigated later - something I held on to in those moments of doubt.

Context - Many times, especially in the early days, I would come across something that I was sure showed nefarious activity. Immediately jumping into action, I would excitedly call over one of the native interpreters and ask them to take a look. More often than not, they would answer my eager questions with a dismissive hand gesture and explain that what I had found was nothing more than a well-known yearly battle reenactment/religious event/local cuisine. Eventually, I learned enough that I could spot these on my own, and thereby spend more time on what could actually be of value. Conversely, there were many times that something would appear to be completely innocent or of little consequence, but when put in context with other pieces of information proved to be very important. These were harder to spot. Staying as up-to-date as possible with local happenings proved to be the most valuable way to identify these. Some I didn't know the importance of until long after the fact. Either way, context helped to reduce time spent on trifles, and allows for identification of those items that are not.

Ingenuity - "Necessity is the Mother of Invention." Perhaps the most useful skill I learned in Iraq was problem solving. There is always a certain amount of problem solving in DFIR, but my time there helped me take mine to a new level. When presented with media that was involved in an IED explosion, you quickly become aware of the advantages of soldering irons, replacement parts, and some good, old-fashioned MacGyvering.

Living, or Something Like it, in Iraq (part 2 of a 3 part series)

2011-07-20T17:44:00.000-07:00

I have gone digging through the archives again to find a few moments I captured in writing after actually arriving in theater. Below are excerpts from different times, so hopefully they make sense. All pictures are mine, and should only be used for the Powers of Good.

The transport day is over! I have had a shower and a good 12 hours of sleep, so I am feeling amazingly refreshed. I am now in Kuwait in what is fondly called Tent City (the name is so apt no further description is needed). And hovering just over the skyline of tent tops... the golden arches themselves! We may be living in tents out in the desert, but that is no reason we shouldn't get our daily intake of golden fries and McFlurries.

Every place I have lived for any significant period of time has been able to get a hold on my heart in some way. I love California for the ocean, Utah for the towering mountains. Wales for the intense green and castles so old they are almost a part of the earth itself. The Phillipines for the lushness and exotic feel. If I was to guess now what part of the Middle East would impact me, my first impression would be the sky at sunset. Evening fading into night here is truly breathtaking.

Me in Iraq. With all my gear.
Never could get my helmet on straight.

Greetings from Baghdad! I have been in Camp Slayer for the last few days, and should stay here for a few more until the trip to Tallil – my final destination. So far Baghdad has been different from what I had imagined. There are lakes and canals – yesterday before work I took a few minutes to sit at a little area by a pond surrounded with palm trees and other exotic vegetation. Little birds were flying in the rushes. It looked, more than anything else, just how I’ve always pictured an oasis. Of course, this isn’t the natural state of the land - Saddam had all of these waterways artificially built. There are whole hills made of the dirt from their excavation. There are also many beautiful buildings that are now a part of the base. Just yesterday I had to get some administrative stuff out of the way at the Perfume Palace (this is where Saddam housed his “Female Companions”), and, for the first time in my life, someone said “Have fun at the palace”… and meant it.

CHU, sweet CHU. (Really mine)

I packed pretty light, so there isn't much to decorate with. The bedding was something I scavanged from someone else leaving (yes, I washed it). The walls definitely need some sprucing up so I am on the lookout for pictures, posters etc. Also scavanged is my mini fridge (I also use it as my desk), complete with Skoal stickers (you all know how much I loves me some chewing tobacco), and a very dusty chair which, when covered with a blanket, is quite comfortable.

The Number One survival mechanism that I have come up with thus far is staying busy. Work does a pretty good job of that for a large portion of the day, but the hours just before sleep are always the worst. So now that I am settled in to one place I have had to make an effort to keep myself busy (thereby not sliding into self-pity on a regular basis). That is why, on two nights a week, I make my way to the library for two different book clubs. One is doing the works of C.S. Lewis and the other is more thematic it its choices - it started with Dante's "Inferno", now is on Virgil's "Aeneid" and is moving next to "Purgatorio" (perhaps too apt for our situation, but I guess it does put some perspective on things). I am also considering joining the salsa dancing lessons that take place a couple times a week too. Apparently quite a few people do it. Isn't that what Iraq is all about? Salsa lessons?

It's been a hectic week here for the team, so our OIC offered us a chance to get out of the office and spend some time relaxing at the pool. The experience was so invigorating I had to take pictures to remember the event. Below is a shot the Lieutenant dunking the Airman.

I'm the one behind the camera.

Listen: Girl, Unallocated Has Become Unstuck in Time

2011-07-20T03:16:00.000-07:00

I am doing research for a future post. In the meantime, it has been suggested I could write about my MEDEX experience in Iraq. And what better way to do this, than to go directly to the source? Below is something I wrote not quite two years ago as I prepared to head out...

EDIT: A bit of background is probably warranted. The following was written while I was going through CRC in Georgia, a five-day process which includes some training and lots and lots of paperwork. Anyone who has been deployed as a civilian has likely gone through it.

Today was rough. We had formation at 0530 - that's 3:30 am my time... and this is a girl who likes her full eight hours of sleep at night - where we formed up and marched to the tent for powerpoint presentations that lasted until 1730. Now, I'm a huge fan of the slideshow presentation format. Just ask anyone who I've forced to sit through my own powerpoint creations (only certain really geeky lawyers find them interesting, but that doesn't keep me from subjecting my near and dear to obscure industry jokes). Even as a self-proclaimed aficionado, twelve hours of having slides read (yelled) verbatim dampened even my enthusiasm. So, in an effort to help those who come after me, I have created

A List to Surviving CRC TSIRT

1. A good sense of humor. This is number one on the list for a reason. It is the most effective weapon in your arsenal. When everything is looking bleak, you might be surprised at how much morale can be improved with a Christopher Walken impression. And if you can't bring yourself to pull out the good humor...

2. A good attitude is a nice second. Sure, you could pick out the spelling errors or get angry that there are too many or too few breaks, but that really does no one any good. Remember that you are being paid to learn. And how well you absorb this knowledge may not only save your life one day, but someone else's as well. That's quite a sobering thought.

3. Bring a book! This cannot be overstated. Just do it.

4. Get to know the people around you. I am amazed at the caliber of the people in our military and in other positions going over to serve their country. And the life stories alone are fantastic! There are very few other places I can think of where so many people from all over the country (and world) meet in one place. Maybe all military bases are like this, but I thought it was fascinating to hear about everyone's background.

5. Don't chew tobacco and spit it out in a cup ALL day. The girl sitting a couple seats over from you will get really grossed out. Just saying.

Tomorrow should go a little easier. Even so, we are forming up at 0600 for H1N1 testing, so I best be off for the night.

As you probably know, the Army uses last names a lot. Recently, I have been having many conversations that invariably follow this basic script:

Army: Last name?
Me: Kelley.
Army: (with a long-suffering sigh for silly contractors who don't get how things in the military work) No. I need your last name.
Me: That is my last name.
Army: (general backtracking and checking of paperwork to verify... once someone asked if I was sure it was my last name)

And so it is I have joined the select ranks of those with two first names (watch out, John Stewart). It only really becomes an issue where last name only is used, but with six months ahead of me surrounded by the military, it's a good thing I've already memorized my lines.

I was asked earlier if I could describe how civilians go about formations, and that is a very good question, since we really don't. Oh, we give it a go. We form up in rows (in civilian gear - military gear isn't allowed) and generally meander in the direction we are supposed to go. It looks pretty sad compared to the neat, compact rows of the Army personnel ahead of us. For a while we had a Sergeant calling commands to us, but seeing what little raw material he had to work with, I think he figured some groups are beyond help. By the end of the week all he could manage was a vague arm wave and a pained expression.

Stay tuned for more insights about what it was actually like doing DFIR work in Iraq!

Girl, Unallocated in Tapeland

2011-07-11T15:41:00.000-07:00

Backup Tapes

No, I haven't disappeared. I have merely moved on to another plane of existence. And by that, I mean that I have fallen down the rabbit hole and landed in Tapeland. Also known as London. Of course, those two places are not really mutually inclusive - they just are in this particular instance. I am in London, and surrounded by backup tapes. Outside of work I am surrounded by posh-sounding, fast-walking, neutral-color-wearing Londoners... while in work I am inundated with DLT and LTO tapes. It's a strange, strange world.

Randomness

If you haven't listened to the "Independent Women" podcast on Forensic 4Cast, head over and listen now. Revel in the amazing amount of "ums" I am able to fit into a single sentence. Added bonus: make a game of it. Put your best ideas for a 4Cast game in comments and win an exclusive FE T-shirt!*

*This does not actually promise any FE merchandise, exclusive** or otherwise. I just thought it sounded cool.
**There is no such thing as exclusive FE merchandise. Although, maybe I should see what I could do with some puffy paint. Would probably be on par with quality of originals.

The FE Side... cont.

2011-06-23T20:00:00.000-07:00

Credit for another cartoon goes to Greg Pendergast, for mentioning FE in his blog post. Thanks for the props! Happy to oblige with yet another badly drawn episode from the life of Frustrated Examiner...

I should also mention that this particular cartoon was inspired by painful memories dredged up while reading comments on happyasamonkey's blog. Does that deserve thanks? I can't decide...

EDIT: It seems the FE Side comes in twos... here's another:

I'm Going Legit! Also, Girl-Power

2011-06-21T10:42:00.000-07:00

I knew when I came to Hollywood I'd make it big. That's right, my gentle readers... I'm going to be on the media. And by media, I mean a podcast. (Which is much better than anything video-based. This way I can eat as many pre-show eclairs as necessary to calm my nerves) What's even better is that I am making history. Years from now, when my daughter is studying the history of DFIR, she will have a test question along the lines of "What were the twitter handles of the participants in the first all-female Forensic 4cast podcast?" The essay question may ask her to detail the repercussions in the industry that originated with this very podcast.

In honor of this event, I have decided to expand my earlier script pitches to include plots that are based around a group of female forensicators. Enjoy!

The Sisterhood of the Traveling Pelican Case

Four female forensicators in disparate parts of the world work for a company that has a small forensics budget. Because of this they can only afford one forensic kit contained in a single pelican case. The pelican case is therefore shipped to each investigator as the need arises. To make it easily recognizable, the case is bedazzled within an inch of its life. Remarkably, whatever equipment is needed for the investigation can always be found in the case. The big question at the end... what did the case actually hold?

Spoiler alert: there was a thumb drive with open source tools, a bootable CD, write-blockers, and a bag of peanuts.

The (Digital) Craft

Ha! Wait until the cheerleaders see this!

Young, budding forensicators at an all-girls college get tired of being picked on for being "nerds." Instead of using their investigative powers for good, they join a hacking collective and get up to all kinds of mischief. At first, they are thrilled by their ability to get the attention of those in power. But things quickly begin to change for the worse, as the FBI is on their trail. And since we now know that 1 in 4 hackers is an FBI informant, they instantly begin to suspect that one among them is passing information on to the authorities. After an exciting network war, the girls eventually come to realize the error of their way and take the oath of the Digics Paladin.

EDIT: Random Zombie Comment Inspired by Twitter and "Pride and Prejudice and Zombies"

I didn't like the book, but I absolutely love the idea. The dichotomy of the original work with the idea of the new is original - and jarring. One of my theories is that zombies are a social commentary; not nearly as nuanced, perhaps, but a metaphor nonetheless. It is suggested in the book that zombies represent the author's idea of marriage: "an endless curse that sucks the life out of you and just won't die." But when you look at the legend of zombies as a whole - all the terrible B movies included - they represent so much more. Zombies are, essentially, the fear of ourselves, the fear of the mob, the fear of what we can become when reason is forgone. So what better way of highlighting this aspect than placing it in a work that values reason and sensibility above almost any other virtue? Indeed, zombies would have seemed almost too at home in works about the French Revolution, but serve as a stark contrast in the world of manners that was Regency England.

Next installment - "A Critical Look at the Undead in Popular Culture: Where the Vampire Myth Went Wrong."

Sherlock and the Un-Scientific Method

2011-06-14T11:52:00.000-07:00

Hi. My name is GU, and I'm addicted to British TV Dramas.

Whew. That was tough. The first step is to acknowledge that you have a problem. In the past it was BBC America that fueled my addiction, but Netflix is fast replacing it as my dealer of choice. So, imagine my glee when I log into Netflix and see a recommendation for Sherlock, a "modern-day refresh of Sherlock Holmes." Yes please! Everything was there: accent-rich voices, scarves and wool coats, and enough significant looks and pauses to keep fan-fic writers in a frenzy for weeks. I should have loved it, but I can't say that I did.

I have come to grips with the fact that my profession has ruined a large majority of digital-based dramas... but since Sherlock was more investigative, and less digital, I thought I was safe to sit back and enjoy. Maybe if I had turned off my inner skeptic it would have been more of a pleasant watch. After taking some time to think about what frustrated me so much, I've come to realize that the real mental block was caused by Sherlock's hypotheses always being taken as fact - no testing, no alternate explanations for what was observed put forth. He never got beyond the third step of the Scientific Method. Yes, I've read all Sir Arthur Conan Doyle's works, and didn't have as much of a problem with the concept when set in Victorian England. The only justification that I can offer for my annoyance when set in present day versus the original timeframe is the fact that when the books were written, forensics was an emerging science. Now we should know better.

Now, I know there is some debate over whether digital forensics is a true science. And I'm not going to argue one way or the other. What I would argue, though, is that regardless of whether we are a Science or not, following the Scientific Method should be a part of every investigation we do. Most likely, many of us already do this, just not in so many words. Below are the basic steps of the Scientific Method, with brief explanations to how this fits in a DFIR investigation.

The Scientific Method... I recommend it.

Question - Some questions can be very broad, but the more defined a question, the more defined an answer. Some investigations will have many questions.

Observation - This step could also be known as "gathering information." This is where a lot the time during an investigation is spent.

Hypothesis - The hypothesis should be explanatory and based on information obtained during the Observation stage.

Test - Do Not overlook this step. DFIR is not the place to make assumptions without corroborating evidence.

Results - Take time to analyze.

Contradict Hypothesis - If your results contradict your hypothesis, it's time to come up with a new one that is supported by the facts. You can also take this time to analyze your testing process to make sure that it is testing the right kinds of information.

Support Hypothesis - If your results support your hypothesis, congratulations! You aren't done, though. Look for data that refutes it as well. You can be sure the other side will be looking for this information as well.

Report - Your report should contain the results, as well as the steps taken to come to your conclusions. As Harlan Carvey so perfectly stated, "If you didn't document it, it didn't happen... If you can't explain what you did, to the degree that another analyst can do the same things with the same tools and same data...did it really happen?"

The FE Side

2011-06-07T20:54:00.000-07:00

Original comic, featuring my very own FE (Frustrated Examiner).

EDIT: I am sure you are all deeply impressed by my skillz of an artist. As it happens, I went to the StrongBad School of Design (he makes drawing FUN). And since I was having so much fun, here's one more.

POST EDIT: As you may have observed, it appears FE has no arms. This explains a lot. Mostly, it explains the fact that I can't draw. If she is brought back for more editions, I'll see if I can grant her at least one arm. Warning: it may be beefy... or it may just be a wing.

Grudging Praise

2011-06-06T08:42:00.000-07:00

I am about to commit forensic blasphemy. Brace yourselves before reading on.

There is something we can learn from CSI.

Put down the pitchforks, and let me explain. You there, with the scythe and torch... please put those down too. The brilliance inherent in CSI and its many incarnations is its ability to enthrall millions of people - most of whom would otherwise have no interest in science or technology. Think about that. Millions of people tune in every week of their own free will to get a dose of pseudo-forensics. Think: How many jurors actually want to be there? I will be the first to admit to being visually geared... Like a magpie, shiny always gets my attention (the browncoat in me likes it too).

One skill that I rarely hear mentioned in the DFIR community is that of good instruction. And that's a shame, in my opinion. It is our job to be technically adept, to know how to find the information on a system and to interpret what it means. But that knowledge doesn't do us much good if we aren't able to communicate our findings - whether it be to our boss, a client, judge or jury. And even if we can communicate that information, getting our audience to understand and remember is yet another hurdle.

But what does this have to do with CSI (or NCIS or Bones or any other of crime-procedural television lineup)? Their purpose is to entertain, not educate. And that is absolutely true. But I realized recently that the tactics they use to captivate their audience are often the same things that I have found to be the most useful ways to convey concepts to my clients; namely, graphics and analogy. Take another scenario from Frustrated Examiner (still completely made up). FE's Lawyer Client (LC) wants to understand a process that played a part in a recent investigation. FE knows that LC is very intelligent, though not very technical. To help educate LC, FE creates a detailed description of the process, being careful to limit techese. The write-up includes a glossary and multiple references to white-papers (all helpfully included). But at the end of the day, what actually helps LC understand the process is a brief analogy and simple animation in powerpoint.

LC: Why didn't you just show me that first?
FE: ...

Words of Caution:

No amount of amazing graphics can compensate for a lack of substance. Read that last line a few times until it sinks in. Even if the shark had laserbeams on its forehead, it still wouldn't negate any argument (no matter my own prejudice on the subject... that raptor looks pretty convincing to me).

Digics Paladin

2011-06-02T00:12:00.000-07:00

A DFIR Paladin Manifesto

Me, amed with my shield of write-blocking.

We are paladins. Unlike hackers (warlocks) and criminals (death knights), we follow a strict code of ethics. Whether working for plaintiff or defense, our search is for Truth, or as close to the truth as we can reconstruct with the data available to us. Though opinions or interpretations of data may vary, we conduct examinations without intentional bias.

Our armor is made of pelican cases and our arsenal is varied and ever-growing. We acknowledge that constant training and staying informed about new tools and techniques is essential to keep us viable in any raid.

Those new to the field may find that no amount of solo questing compares to having a mentor to guide them through the pitfalls and help them level up where needed. Those well-established acknowledge that we were all n00bs once, and share their hard-earned knowledge. In return, they receive appreciation, recognition and maybe even gain new insights themselves.

Our motto (from the ever-relevant Eric Cartman) is proudly proclaimed to all: "You can just hang around outside in the sun all day, tossing a ball around, or you can sit at your computer and do something that matters!"

Also, I Am A Geek.

Musings on Structured Analysis

2011-05-31T12:43:00.000-07:00

Starting a new investigation is always exciting for me. What goodies will this image contain? After popping the drive in a write-blocked bay, my fingers itch to start running as many processes as my poor little machine can handle: NetAnalysis; RegRipper; PhotoRec (my new favorite carver); and enough encripts to make any CPU gnash its teeth and long for the day it can retire to the far less challenging world of high-performance computer gaming. Like many other techies, I have had to fight my inherent nature to start mucking about immediately without a care for a structured process. The problem is, once an investigation gets underway, we analysts can get so caught up in the minutiae of the exam that things we have done many times as a matter of course may slip the mind. Take the following (completely made-up) scenario between Frustrated Examiner (FE) and Calm Reason (CR):

FE: Why is xyz not in the registry?!
CR: Well, did you check the restore points?
FE: *crickets* Um... one moment. *Furious mouse clicks* Uh... never mind.

The problem here, as many would point out, could be solved simply by following a list that includes a bullet-point along the lines of "Restore Point Analysis Performed." Check. There is a lot to be said for the checklist method of analysis. It can focus even the most hex-centric mind. Checklists save the day. And there is much rejoicing. So why is it that my own experience with checklists has been checkered with resentment that occasionally leads to drawing unflattering facial hair on its typeface?

Where comprehensive checklists go wrong is in being, well, comprehensive. With skyrocketing data storage and efforts to mitigate costs in litigation, it is very rare that I am asked to perform a complete examination of any media larger than a thumb drive. Usually, a DF investigation is performed with a specific question in mind that the analysis is supposed to answer. And the steps taken to answer one question, while perfectly valid in that instance, may be completely extraneous in the attempt to uncover answers to a different question.

While in Las Vegas at the ADUC, I attended a lecture by Jesse Kornblum with the intimidating title "Statistical Validation and Data Analytics in eDiscovery." It is a testament to his devotion to his work that a presentation with that title was one of the most fun and entertaining lectures of the conference. And to prove that I did indeed have some cognitive functions on my third day in Vegas, I have decided to create my very own decision tree for targeted checklists.

A flow chart, while pretty and impressive to upper management, is great but it still does not solve all investigative ills. Checklists are great tools - but like any other tool in DFIR, they are just a tool. Sticking rigidly to a list of procedures takes the investigator out of the investigation. While I wouldn't argue that analysts should dump the binary content of a drive out of the box and just pick up random bits without any sort of structure, neither would I recommend blinders. Follow the white rabbit! Just remember to take notes along the way.

Reminiscing About Iraq

2011-05-27T13:56:00.000-07:00

In one week it will have been a year since I left Iraq. And I have realized, with growing horror over the past twelve months, that I am becoming one of Those People. The ones with never-ending stories about the good old days in a combat zone. But given that it is the anniversary of my departure (though not of my return home - it took another week or so what with waiting for a flight in Kuwait and debriefing at Fort Benning), I am going to indulge my reflective side just this once. Of course, I have no desire to lose my security clearance (even though I don't use it for my current job, it makes me seem so much more interesting and exciting), so I won't be reminiscing about methods used or data found, etc. Below are simply some random observations, in no particular order.

The Good Ol' Days In Iraq

Terminology - The military is very fond of acronyms, as I am sure many are aware. It always amazes me how long and/or inventive some acronyms can be. Some even take longer to say than the word or phrase of which they are a shortened version. Ironically enough, Hollywood has started using similar strategies for their naming of celebrity couples. For example, the particular brand of digital forensics I did in conjunction with the military was called Media Exploitation, which was shorted to MEDEX. Compare this to "Bennifer" and draw your own conclusions. As a public service to the DFIR community as a whole, here is my suggestion for our very own celebrity supercouple name:

Digital Forensics = "Digics" Tell your friends.

Incident Reponse = This is a hard one to come up with. Most ideas sound like a company from Office Space. I think IR is just going to have to stick around.

Weather - I had heard about how dusty and sandy it could be. And for a while I felt like I had seen all the dust I could possibly see. Then came Easter 2010. The team was heading to the DFAC for our special Easter meal when we saw an honest-to-Gates wall of sand approaching. We stopped and stared. It was amazing. None of us had the foresight to capture the moment, but luckily someone else on base did and posted it to YouTube for posterity.

As you can well imagine, we were finding sand in places you wouldn't imagine for days afterwards.

Work - Speaking of sand everywhere... computers were no exception. Epic amounts of dust and/or sand could be found in every piece of electronic equipment used or analyzed at any given time... even if they had just been cleaned. No amount of crusty keyboards and cat hair-plugged chassis witnessed since can compare. I also learned the immense importance of gloves as a matter of personal hygiene in addition to preservation of evidence. Timeframes for report turnaround were tight. Knowing there is a possibility that you have information that may save lives does tend to put those 12 hour days in perspective.

Time out for a rare moment devoid of sarcasm: despite the weather that felt like a hair blow dryer blasting in your face all day, the long hours and distance from family, I wouldn't trade the experience for anything. I have never worked with a finer group of people. They welcomed this civilian geek with open arms and became my second family. Thank you, for what you did for me personally, but more importantly for what you did and continue to do for our country. Happy Memorial Day, troops!

Anti-Forensics Strategies

2011-05-24T09:41:00.000-07:00

I always get a thrill when I examine a system where a user tried to cover their tracks. To paraphrase Craig Ball's point on the matter, "sometimes the gaping hole where data should be is the most incriminating evidence." That said, a lot of the tools out there that your average computer user uses to "clean house" still leave an awful lot of artifacts behind (I'm looking at you, CCleaner). Yes, there are anti-forensic techniques that can certainly make push-button examinations more difficult. But at the end of the day, it's not a program that does an investigation - it's the investigator. And as Harlan Carvey has observed, "As far as analysis is concerned, the 'best' tool is that grey, goopy gunk between your ears."

So what does this mean? Well, I'm switching sides for a moment to give you bad guys out there some ideas to mess with any examiner that may end up digging through your cess-pit of a computer. Yeah, they'll probably still find the dirt that's there, but the least you can do is make it interesting for the poor guy/gal who has to turn over your digital midden heap in the course of their work. So, without further ado:

Investigation Slowing Strategies

Funny Videos - This is probably the very best way to slow down any investigation. Have lots and lots of funny videos stored throughout your drive (Tip: this is especially useful if your nefarious misdeeds are video based). Now, don't get lazy and just download the most popular funny vids - we've seen them all. Get creative. Really look for those out-there, maybe a bit geeky gems that will keep any investigator enthralled, despite the clips' complete lack of relevance to the case. Extra marks if you create your own.

File and Folder Names - Investigators are well aware that there usually isn't a folder entitled "All My Illegal/Unethical Stuff" on a drive that will hand them the investigation on a platter. But why not throw out a red herring? Create folders with sinister names that contain pictures of bunny rabbits and clips of Dane Cook comedy routines. Something along the line of Tobias' business cards (from Arrested Development) is a perfect example.

Internet Search Terms - One of my favorite things in any investigation is to see the progression of search terms people use on their computers. The sequence leading up to generating that perfect term to get the search engine to spit out whatever website they so desperately want to find can be an incredible insight into how the human mind works. Bearing that in mind, try to create as many assinine and unintelligible search terms and then run them. Hey, maybe you'll end up being surprised by what you find.

EDIT: After seeing some well thought-out responses to this post, I have to come clean. The intent was pretty much a tongue-in-cheek reference to my own foibles doing exams (i.e. having way too much fun with some of the funny videos... btw, have you seen this one? Brilliant!...), and a bit of forensic humor inspired by comments found in happyasamonkeys blog. This is my Screwtape Letters. I actually feel a bit humbled by the responses. Maybe I need to go legit and leave all this satire behind!

Forensics and Load Files in Las Vegas

2011-05-23T10:46:00.000-07:00

I got to go to my first conference last week. While I lusted after a chance to hit the CEIC in Florida, alas, I had to settle for the closer Sin City. Much knowledge was imparted and epiphanies abounded - not least of which was the realization that while I can rock sequins like none other, feather headdresses aren't really the best look for me. I guess I don't have the cheekbones to pull off that particular look (curse you, Vegas Showgirls, and your impossible standards).

The conference was an interesting mix of digital forensic folks, corporate eDisco types and law firm paralegals. And because I am now entrenched in the most Materialistic and Judgemental place on earth, I just had to go all Joan Rivers on the proceedings. Mic in hand (perhaps it was just the rolled up agenda booklet... after a while everything in Vegas seems to go hazy) I hit the lecture halls prepared to release strings of vitriolic comments and thinly disguised personal jibes.

Definitely not me, BTW

Maybe it was the Law Firm element, but I had markedly few easy targets. Oh, there were a few black-socks-with-sandals scandals to be seen, but they were the exception. The women there managed to easily straddle the line between professional and stylish (Honorable Mention for a girl who wore a fetching lavender blouse with light cascading ruffles, a plum pullover and the most adorable shoes - no, it wasn't me, but how I wish it had been). They guys didn't fare quite as well on the overall fashion spectrum, but nothing was atrocious enough for me to get that reality show pilot I was scheming. Forensic Fashion Makeovers, if you must know. (But just FYI - I'm watching you, men. No easy rides from here on out.)

To be somewhat serious, I actually had a great time and came away feeling like the days (no... probably more like the evenings when the real fun began) were well spent. Not really because of the lectures and labs (although there were a couple fantastic presenters), but because of the profound joy of mingling with my own kind. I even got to meet a couple of those shadowy personas I follow on 'tinterwebs. End result: I'm hooked. Must get to more conferences in future. Withdrawals from being back in the corporate world are already taking effect. I miss Candy Mountain!

Artistic Interpretation of my Physical State Following the Conference

Script Pitches

2011-05-17T13:32:00.000-07:00

Google, you are dead to me. Perhaps I shouldn't have been surprised by the blogger site crash, but it still feels like a betrayal. We are still so early in our relationship and already you go offline and even lose my most recent (and for anyone who didn't read it, most brilliant) post. You twisted the knife further by removing some reader comments. Maybe this is a sign that our union just wasn't meant to be. Luckily for you, I'm a sucker for second chances. Bring flowers and some bubbly by and we may just be able to reconcile. Besides, everyone knows that making up is great for chemistry. I'll be waiting.

A Tribute To The Greatest Blog In The World

What follows is not the greatest blog in the world - this is just a tribute. I cannot fully reconstruct the post that seems to be lost forever, but I will do my best to remember what phrases and witticisms I can.

There are other great posts out about TV and movie plot ideas that incorporate the world of digital forensics. Some of my favorites include happyasamonkey (I admit that I outright snorted at How Clean is Your Computer) and faintingchicken. So, in an effort to throw out my two cents way too late to be cool, here are my ideas for Hollywood.

Pitch 1 - Forensic examiners are actually a subspecies of undead. This premise works nicely to explain why we tend to work in dimly-lit lairs and have an aversion to the "normal" populace. I haven't decided yet if we would dissolve, explode or sparkle in the sunlight, but I expect the latter would go far enhancing the perceived "sexiness" of the industry.

Pitch 2 - Two innocent young adults are stranded in the woods without cell phone reception and come across an ill-maintained mansion populated with a cast of outlandish characters (a la Rocky Horror Picture Show). In a surprising twist at the end, it is revealed that grounds is populated entirely with former forensic analysts that were so warped by what they viewed on computers that they were deemed unfit to remain in mainstream society and were banished there by a shadowy branch of The Government.

Pitch 3 - An All-Singing, All-Dancing Forensics Extravaganza! While this may initially be relegated to Broadway, I anticipate a movie would soon be in the works (musicals are hot right now, see?). To add an air of authenticity, the chorus should be cast entirely of real computer forensic analysts. Start working on you high kicks, boys.

Geek and Gamer Gurlz

2011-05-05T11:23:00.000-07:00

Yet another departure from my original intent... but had to share this musical shout-out to all my fellow geeky girls out there.

***Warning: Not kid friendly. Maybe not work friendly. You decide.***

Circumventing Safesearch with Reno 911

2011-05-02T15:29:00.000-07:00

The clip below doesn't really have anything to do with digital forensics, but I chuckled a bit, so I'm including it anyway. I did mention in a previous post that it is common practice to remove hard drives when performing acquisitions - a process that will usually require the examiner to open the chassis in order to access the drive. Opening the chassis is the pivotal part of the scene below:

RENO 911!

Safe Search

www.comedycentral.com

Lt. Jim Dangle's Sex Tape

Terry Time

Thomas Lennon and Ben Garant Review RENO 911! Porn Parody

What They Got Right

Nothing. Seriously. But then, I think that was the point.

What They Got Wrong

Where to start? Safe search is not hardware or even firmware. Opening the computer case and playing with the wires (or any other physical hardware) would have had no effect on the filtering functionality. As far as I can tell from watching the video, the only thing that was done within the computer chassis was exchanging molex power connectors. And unless one of the molex connectors was bad, the exchange should have no effect. Even then, the only effect would be a loss of power to whichever drive was given the bad power connector.

Safety is always a concern when working with electronic equipment. Yes, there is always the chance of electrocution, etc. if proper protocols are not followed. That being said, it is much more common for computer components to "fry" from static electricity if the person is not properly grounded - disturbing if you ruin your motherboard or RAM, but not a process that involves explosions and smoke. The most unbelievable part of this skit is the fact that multiple computers that weren't even messed with are the ones that experienced the explosion. In no situation that I could begin to imagine would switching molex power connectors cause this kind of action.

I guess if nothing else this can act as a cautionary tale for playing with components you are not familiar with. Always play safe!

Hacking Makes for Good Scripts

2011-04-27T09:02:00.000-07:00

Okay, I know this is a bit of a departure (already?!) from the intent of this blog. I really am working on a post about a Castle episode, so stay tuned. However, with everything going on in the news about Sony being hacked, I wanted a chance to share a video that is NOT Hollywood scripted, but maybe should be. It's a little long (about 10 minutes), but worth every second. Spoiler alert: someone gets hacked during the interview.

Disclaimer: I do not agree with either side, though there is definitely more crazy on one end than on the other.

I do have some small education with intrusion analysis and incident response, and I am starting to think this is an area I should seriously consider investing more time in as an area of expertise.

Also, I'm very proud of the pun in the title. Please take a moment to appreciate.

Just Enhance!

2011-04-21T10:27:00.000-07:00

The clip says it all. I wake in terror awaiting the day I am asked to "just enhance" a reflection off a grimy window in a grainy surveillance video.

"The Whistleblower" cont.

2011-04-20T12:29:00.000-07:00

As I mentioned in my last post, the representation of digital forensics on "The Whistleblower" was actually fairly accurate. That said, there were some things that were wrong.

What They Got Wrong

Timeline

The timeline is incredibly inaccurate. Not only were the hard drives of 10+ employees imaged (ostensibly one at a time!) in one day, all of them were apparently analyzed before end of business. Even if IT Guy had a DF lair with multiple super computers running throughout the day, there simply would not have been enough time to parse and analyze all that data. From the information that was gathered, it seems the investigation wasn't even targeted to specific types of data. So, while the condensed time frame makes for a more exciting script, it simply doesn't mesh with reality.

There are many different variables that play into the amount of time it takes to image and analyze data. On the imaging side, it depends on the hard drive size, the connection type, if there are bad sectors on the drive, etc. If the image capture is done via a sata to sata connection, it will be faster than if the connection utilizes USB. Also, what many people may not realize is that a forensic (or bitstream) image captures the entire drive. So, even if there is only 30GB of active data on a 500GB hard drive, all 500GB will be collected.* On the analysis side, timeframes can vary depending on if the analysis is targeted, and how wide of a target area is being looked at. For example, simply locating all active images on a computer takes much less time than recovering deleted data or recreating activities that took place on the machine.

Personnel

In this episode, IT Guy plays a pivotal role throughout the entire process of collection and analysis. Now, I would not say that IT personnel (they aren't always IT guys... some of pretty awesome IT gals) should never be a part of a collection effort - in fact, one of the best bits of advice I got about going onsite to perform imaging was to be friendly to the IT staff. They know more about their specific systems and setup than any outside digital forensics expert, and can provide valuable background and assistance. That said, there are situations where IT personnel should not be used - and instances with legal ramifications almost always fall into that category. Especially - and I can not stress this enough - when it comes to the investigations themselves. You can look here for an example of what can happen when someone with an IT background, but no forensics training, performs an investigation. For those of you with background in forensics, I apologize in advance for any damage you cause yourself while reading this report. For those without the background, at least note the Final Result: the evidence that this "expert" said was not present was indeed found, and the report was NOT submitted as evidence.

* There are few absolutes when it comes to digital forensics. The field is ever-changing and circumstances can vary widely from case to case. Because of this, I will not be detailing all the possible circumstances and outcomes unless they are specifically mentioned as a part of the scenario I am analyzing. General concepts described will be best practices, as I understand them at the time of the writing.

"The Whistleblower" from The Office

2011-04-14T11:17:00.000-07:00

Oh, The Office. I truly love you. It was your humor that got me and my second DOMEX team through the time in Iraq. In fact, a subsequent OIC observed during transition that no conversation went by without a quote from either The Office or Stepbrothers (we may have been going a bit crazy at that point, but please don't judge). The 6th season finale ranks as one of my favorites. Not because it had the best office pranks or a gratuitous musical number (love those, too!), but because - of course! - it involved computer forensics.

If you haven't seen this episode, you can check out the synopsis on wikipedia here. For my purposes, the salient point is simply that employees' computers are being collected and searched for data about an information leak to the media. ***Disclaimer: I Am Not A Lawyer, so I won't be discussing the legalities of the situation.***

What They Got Right

Collection Method

Unfortunately, we don't get to see the exact steps IT Guy used to collect the data from the drives. Did he use write blockers? Were bitstream images created? What software was utilized? However, we do know that he pulled the physical hard drives - a very common collection method. There are ways to create forensic images without pulling the drives, such as using a live boot cd. However, pulling the drive can result in faster acquisition times.

Reactions

I have yet to collect data from a thrilled custodian. This is usually for perfectly valid reasons. It can be inconvenient or downright impossible for someone to do work without their computer for the time it takes to image. Of course, there are other reasons that people have negative reactions, as evidenced by Kevin's mad dash (ostensibly to delete something he didn't want found... not that the deleted information couldn't have been recovered, but we can talk more about that later). This leads very nicely into the next category...

Data Found

The climax of the episode involves IT Guy revealing some of the information he found on the hard drives (computer forensics is a field that appeals to the inherently nosy). Web history (Darryl's facebook account), pictures (Ryan's attempt at being a photographer), e-mails (is this how Nick found out Kelly thinks she's a size 2?) are all there for analysis on almost any computer. In fact, the only slightly unbelievable thing about this is the lack of salacious material. Anyone who has been in the industry long knows how much personal information people have on their work computers: online shopping, porn (yes, even on work computers), dating sites, more porn... the list goes on. Although, come to think of it, IT Guy didn't mention what he found on Creed's computer - that I would like to see.

All in all, this was a fairly accurate depiction. Next post I will be going over what was NOT accurate in the episode.

Hollywood and Computer Forensics

2011-04-12T20:56:00.000-07:00

Hollywood is not accurate. This concept is well understood by most at this point. A historical reconstructionist doesn't turn to The Tudors for clothing concepts, just like lawyers don't do case research on Law and Order. None of the Special Agents I know (I don't know any) would take notes from James Bond. There may be something to this whole zombie thing, though. I hope someone in the pharmaceutical industry is looking into that.

In college I took a class in forensic science. This wasn't the digital forensics I do now... this was the "glamorous" kind - complete with fingerprint dusting and luminol. I came to class prepared with oversized sunglasses and pithy quotes. The professor was a veteran in the forensic science field and had recently seen an explosion of interest following the release of CSI and other crime procedurals. He showed how well he knew his audience (this was an undergraduate class after all), when he gave us the assignment to watch one episode of CSI - any episode - and document ten things done by the team that were incorrect. Easy, right? You bet. But then he drove home the point when we were also assigned to find five things on the show that were done correctly. He said finding the five would be the more difficult task. He was right.

Digital forensics doesn't get as much time in the Hollywood limelight, though it does seem to be cropping up more and more. We industry professionals now have quirky characters people can use as a reference when we tell them what we do ("Oh! You're like Abby on NCIS" is a common one). In some ways, this is great. Computer forensics is interesting! And what better way to find the next generation of tech gurus than to show them the career path in an exciting format? In many other ways, it can really be a pain. Like the criminal lawyers who bemoan the CSI un-education of jurors, digital forensics practitioners find they have to educate (or de-educate and then re-educate) clients on what amazing things we really can do and what amazing things are frankly impossible (or so cost-prohibitive they might as well be).

I recently relocated to Southern California for my job as a forensic consultant (before this I was in Iraq, so it was quite the scenery change). Doing forensic investigations with Hollywood literally a few minutes' drive away, I can't help but think about that college assignment. So I'm going to take the assignment a step (or side step) further by applying it to computer forensics and looking at whatever shows I happen to see. Stay tuned for the next installment on "The Whistleblower" episode from The Office.