Friday, September 30, 2011

Lessons Learned

Having just finished a marathon case, one of the longest I have ever had, I have been taking some time to think over the progression of the case and to add the lessons learned to the other "hard ones" I have accumulated over the years. This is written from the standpoint of a contracted forensic examiner, but I think most of the points could be applied to internal exams as well.

1. Before you ever ACCEPT the engagement, have a very deep conversation with the party or parties that are going to pass judgment on your results and final report. Make sure you know what their expectations are, and if they are not reasonable or obtainable, get this understood right up front. If these parties will not take the time to do this, or will not accept the realities of what your examination can accomplish, walk away; it's a losing proposition that will only damage your reputation in the long run.

The next two items go hand in hand.

2. Make sure you know the final result the client is expecting. This is a result of doing a good job at step 1. Make sure that you can put into words, consistent with a good forensic examination, what the result should be for the client. Here we have to remember our job is not to prove the case for the client; our job is to locate and present ALL possible evidence relevant to the matter. That requires that we stay in the ballpark dictated by the client's wishes, and find either the presence or the absence of items that pertain to it.

3. Make sure you know what YOUR final result is expected to be. I know you are asking, isn't this the same as point 2? My contention is that it is not. The client wants "proof" of some activity; you want items that are relevant to that activity. You need to be able to express both. The client's expected results are going to be matter-centric, yours are going to be artifact-centric. Make sure you can answer both 2 and 3.

4. Have a case outline and case preparation plan before you begin to examine anything. Develop your own style of case prep or adopt one of the many you can find in recent blogs. But have a written plan. You may, and often will, deviate from the plan or change it as your case progresses, because you go where the evidence takes you. Having the plan will help you answer the question of why you did A and not B during your examination.

5. Begin with the end of your case. I always start a case by drafting a Summary like the one you will find in my final report. I know, I have nothing to report yet. But this is where I let my analytic forces run free. I picture what I am trying to find, then write out a "fake" finding for every type of relevant artifact: where I "found" it, what methods I used and how it is presented. I also "report" the absence of artifacts, what steps were taken to show they didn't exist, and why that's important. It also points out to me what research I may need to do to handle an artifact I have never dealt with or a method I may need. Now I have a great picture of my examination. Without the pressure of having the image open in front of me and getting sidetracked or led down wrong roads by things that jump out in front of me, I can go find the things I know will yield the results I should end up with. Not proof for the client, mind you, that may not exist, but the truth of what does or doesn't exist.

So that is the beginning of a case for me, and it saves me and my client headaches and time and money. I look forward to hearing how everyone else does it.

Thursday, September 8, 2011

Explosions Explosions

A couple of nights ago I did something rare: I actually watched a television program. I had heard an interview on NPR with an author of "Top Secret America", and it was mentioned that a documentary of the same name would be on Frontline on PBS that night. So, since the topic had been interesting, I "tuned in".
The basic premise of the documentary and the book was that since 9/11 much of our intelligence effort has been given over to and is being performed by contractors. That in itself was interesting, but my real interest was piqued because digital forensics in many forms kept being alluded to.
Another important fact to the authors was that the "War on Terror" is nowhere near a conventional war, but is a war fought over and with information. Hence the constant allusion to DFIR. At one point they talked about how the amount of hardware containing information was so vast that traditional intelligence agencies couldn't come close to examining it all, and this further added to the number of contractors needed. Too much information in a war of information.

This made me consider my own practice of DFIR. In the "old" days of 40 or 80 GB HDs, I could comfortably, and within the budget of most clients, conduct a full comprehensive examination in every case. No sweat. Now, with most corporate desktops having 300 GB to 1 TB HDs, that is rapidly becoming a budget and time constraint. That explosion of information has hit down at the simplest CF levels.

More and more of my most efficient time is being used at the case planning stage. The sheer size of the HDs I am getting requires me to adopt a new methodology, and to plan and "storyboard" examinations before I mount the first image. I spend more time with the client up front determining what I am looking for and what processes and applications could have been utilized.

I ask myself questions, determining ahead of time what type and location of artifacts I will be looking for, or whose absence I will be looking for. I no longer have the luxury of researching and investigating the software, the registry entries and the artifacts after I have found uses or traces; I now do this BEFORE I begin the actual examination.

Information has exploded right in our faces, and triage and planning have become some of the most important parts of our jobs. Narrowly focused forensics training is no longer enough; we truly must know everything from the hardware, the OS, the applications, the networks, and on and on.

And if the government wishes to throw me some of that burden of work, feel free!

Monday, August 15, 2011

Musings and Reading Notes

If you know me personally you know I am caught between two worlds. I work in a technology field that requires I know a lot of various hardware and software. At the same time, I like reading a real book in my leather chair with a Scotch poured neat and enjoy a fine cigar from time to time. Real books provide me a feel and comfort not afforded by electronic versions.

That said, however, I do for the most part read books related to forensics and technology on my iPad with the Kindle app. It gives me access to a lot of information and reference material in a small package wherever I am.

I am currently actively reading or rereading 3 such books. My method of "reading" was cultivated years ago from the book "How to Read a Book" by Mortimer J. Adler and Charles Van Doren. I have managed to "import" most of this method into Kindle reading. It is a book I would recommend to everyone who reads or wants to read seriously and deeply.

One of my current project books is "Perl Scripting for Windows Security", written by Harlan Carvey of blogging fame. I use Perl frequently for scripting and to write ProScripts to use with ProDiscover. Having used Perl for some time, I am always looking for ideas and inspiration on HOW and WHEN to use it, not just how to write it. This book certainly fits that niche. Part II, on Perl Scripting and Computer Forensic Analysis, certainly fits the bill for what I need day to day; I have experimented and learned some new things with SAMParse, and I was surprised to see ProScripts mentioned in the book as well. This is a book I will use as a reference for a long time. I suggest it to anyone with a good grounding in Perl who wants to get unchained from, or add to, their commercial software. If you are a ProDiscover user it should be a part of your library, because ProScripts can take your ProDiscover usage nuclear.

Harlan gets another nod, albeit secondary to Cory Altheide, for "Digital Forensics with Open Source Tools". I made the "mistake" of reading an impression of this book this morning over at TaoSecurity, and I'll try not to repeat it from familiarity. This book certainly fits the bill for unchained forensics. I am in my third reading, and my deepest practical work through the book. I have to say I find it not for the faint of heart. If you do not want to get dirty with Linux and Open Source, this isn't for you. It's not, in my opinion, a book you can read through and pick up a few things that might interest you. This is a practical usage book that begs for practice and experimentation. I had some difficulties with the jumps it made, just like Richard, and I had to overcome the different paths my version of Ubuntu used from the book. That in itself was a great learning experience, and it set me up for a great ride through the rest of the book. I plan on a post in a couple of weeks to go through some of the examples and how I practiced and implemented them.

This past week I had the opportunity to use RegRipper for real after practicing, benchmarking and testing it for a while. I was working on a case where one of the underpinnings was showing the use of an external HD and a data CD written on a certain date when we knew a data theft had probably occurred. I had the registry viewer in ProDiscover, but time was against me since the legal firm wanted to file a quick motion. Using RegRipper, I found the data I needed very fast and accurately, which might have taken me many hours parsing the data by hand. RegRipper allowed me to see Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder, which showed the last write time, and MRUListEx with a last write date on the day the employee left the company. Two of the items listed were a drive E: and a disk whose label was the date the theft had taken place. This enabled me to target the investigation and proceed with the knowledge that the incident had probably taken place as believed and that artifacts did exist. I have a lot of work to do yet with RegRipper before I understand its power and capabilities, but right now it certainly performs as a great triage tool.
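For readers who want to "get unchained" and see what RegRipper is doing under the hood with that key, here is an added example (my own illustration, not code from RegRipper, ProDiscover or the book) that parses a RecentDocs-style key offline: MRUListEx is a binary list of little-endian DWORD indices, most recently used first, terminated by 0xFFFFFFFF, and each numbered value starts with a null-terminated UTF-16LE name followed by shell item bytes. The values, names and the "20110729" disk label below are constructed sample data, not anything from the case.

```python
import struct

END_MARKER = 0xFFFFFFFF  # terminates the MRUListEx index list


def make_entry(name):
    """Build a constructed RecentDocs value: UTF-16LE name, null terminator,
    then a few placeholder bytes standing in for the shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x1f\x50" * 9


# Constructed sample of a RecentDocs\Folder key (NOT real case data).
SAMPLE_VALUES = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, END_MARKER),
    "0": make_entry("Documents"),
    "1": make_entry("E:\\"),
    "2": make_entry("20110729"),
}


def parse_mrulistex(data):
    """Return the value indices in MRU order (most recent first)."""
    if len(data) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == END_MARKER:
            break
        order.append(idx)
    return order


def entry_name(data):
    """Extract the UTF-16LE name that opens each numbered value. The scan
    steps two bytes at a time so a zero low byte inside a character is not
    mistaken for the terminator."""
    end = 0
    while end + 1 < len(data) and not (data[end] == 0 and data[end + 1] == 0):
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def recent_docs_in_order(values):
    """Pair each MRU index with its name; a missing value (stale index after a
    deletion) is reported as None rather than silently skipped."""
    return [(idx, entry_name(values[str(idx)]) if str(idx) in values else None)
            for idx in parse_mrulistex(values["MRUListEx"])]


if __name__ == "__main__":
    for idx, name in recent_docs_in_order(SAMPLE_VALUES):
        print(idx, name)
```

The first index in MRUListEx is the entry whose use updated the key's last write time, which is why that timestamp pairs with the most recently used item rather than with every entry in the list.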

On a last personal note, I have to pass along my prideful boasting on a couple of my children. Victoria just released her first EP of music she wrote, produced by Grey Revell. It is on SoundCloud. A great accomplishment to have before your 15th birthday. Another daughter, Dorothy, competed this weekend in the Harmon Classics Hunter Jumper show at Latta Equestrian Center. She has won many ribbons before, but this day got off to a rocky start. In her first event, her horse balked and stopped at the second fence, throwing Dorothy over its head to the ground. She got up, dusted herself off and walked the horse back out. In the second event the horse refused to jump again and she was excused from the event. Most 12 year olds would have just quit, but Dorothy "talked" to the horse and in the next 5 events made it jump. She placed in all 5 and in the last event won the Blue. Quite a growing up experience. I was infinitely more proud than I would have been if she had won all her events. There's my bragging for the month.

Tuesday, August 9, 2011

A Computer Forensics Story without a Computer

I spent a little time at the Outer Banks last week, enjoying the surf and the fishing. One night, standing on the Avon Pier, I discovered something about Digital Forensics. No, no one walked up to me with a netbook they wanted examined; this was about fishing, but it applied to forensics.

Now, I lived in eastern NC most of my life, and grew up fishing the banks inshore and offshore. So here I was leaning on the pier watching an enormous group of large skates go past. As I stood there I kept watching these sunburnt tourists go past me to the very end of the pier carrying brand new expensive shiny rods and reels purchased at the pier store, hands full of one of every kind of bait they sold, a 5 day NC fishing license that gave them the RIGHT to fish, and for the most part not even a tickle in their brain cells of exactly how to catch fish.

As I watched them go to the end of the pier (deeper is better, they thought) and flop their lines in the water right next to the pilings, I knew what was going to happen. And it did, time after time. Their rod would bend almost in half, and the crowd would hoot and holler at the enormous fish that must be on the end of the line. The more they reeled (paying no attention to the drag), the more the rod would bend. Finally some old salt would take pity and go over and tell them the tide had wrapped them around the pier and they had caught basically a big telephone pole. This would be followed by a long period of pulling, twisting and a lot of cussing as they tried to get their lines free of the pier. Usually it ended with cut lines, and once with a broken rod.

Exactly what, you are asking, did this situation have to do with forensics? No, I wasn't drinking mass quantities on the pier. It made me think like this. Their shiny new techno rods and reels were great tools, but only if the hands that held them knew what to do with them. The pier is a great vehicle for getting out to the fish, if you understand where the fish could be. And then the water, ah, you have to be able to see below it! Here the light bulb flashes. Forensics is all about what's under the water, how the tide and currents are moving, where you will use your tools and how.

FTKs, EnCases, ProDiscovers and all the other commercial tools are like those rods and reels: in the hands of someone who knows what is or has happened under the water (network, file system, malware, etc.) they are powerful. If you don't know the water, you can't use the tool. In the various forums and boards I always see "I am a newbie to CF, what tools should I get?"

My answer: go to Walmart and get a cheap rod and reel (free and/or Open Source tools and images) and spend countless hours learning the water (read, study and PRACTICE).

Monday, July 25, 2011

Why another Digital Forensics Blog?

Unchained Forensics, not a hit song by the Righteous Brothers. My humble attempt in this blog is to discuss, and set up a forum for, getting examiners "unchained" from commercial forensics software: to express the need to feel the freedom of forensics outside of the button-pushing, wait-for-results world of canned forensics, and to have the peace of mind that comes from knowing not only what you found, but why and how.

In rereading Harlan Carvey's "Windows Registry Forensics", I was struck by his comment "many analysts are consistently behind the power curve, learning from the bad guys...", a condition I believe results at least partially from waiting on your software vendor to supply the next upgrade with new tools. How about we develop the ability to write our own tools to tackle that issue before the vendor does? And to take it a step further, how about we practice, test, and PLAY to locate the weaknesses and develop our tools even faster and in a more targeted fashion?

Remember Clint Eastwood in "Heartbreak Ridge", "Adapt, Improvise and Overcome". That should be our motto as Forensic Examiners.