Friday, September 30, 2011

Lessons Learned

Having just finished a marathon case, one of the longest I have ever had, I have been taking some time to think over the progression of the case and to add the lessons learned to the other "hard ones" I have accumulated over the years. This is written from the standpoint of a contracted forensic examiner, but I think most of the points could be applied to internal exams as well.

1. Before you ever ACCEPT the engagement, have a very deep conversation with the party or parties that are going to pass judgement on your results and final report. Make sure you know what their expectations are, and if they are not reasonable or attainable, get this understood right up front. If these parties will not take the time to do this, or will not accept the realities of what your examination can accomplish, walk away; it's a losing proposition that will only damage your reputation in the long run.

The next two items go hand in hand.

2. Make sure you know the final result the client is expecting. This is a result of doing a good job at step 1. Make sure that you can put into words, consistent with a good forensic examination, what the result should be for the client. Here we have to remember that our job is not to prove the case for the client; our job is to locate and present ALL possible evidence relevant to the matter. That requires us to stay in the ballpark dictated by the client's wishes, and to find either the presence or the absence of items that pertain to it.

3. Make sure you know what YOUR final result is expected to be. I know you are asking: isn't this the same as point 2? My contention is that it is not. The client wants "proof" of some activity; you want items that are relevant to that activity. You need to be able to express both. The client's expected results are going to be matter-centric, yours are going to be artifact-centric. Make sure you can answer both 2 and 3.

4. Have a case outline and case preparation plan before you begin to examine anything. Develop your own style of case prep or adopt one of the many you can find in recent blogs. But have a written plan. You may, and often will, deviate from the plan or change it as your case progresses, because you go where the evidence takes you. Having the plan will help you answer the question of why you did A and not B during your examination.

5. Begin with the end of your case. I always start a case by drafting a Summary like the one you will find in my final report. I know, I have nothing to report yet. But this is where I let my analytic forces run free. I picture what I am trying to find, then write out a "fake" finding of every type of relevant artifact, where I "found" it, what methods I used and how it is presented. I also "report" the absence of artifacts, what steps were taken to show they didn't exist, and why that's important. It also points out to me what research I may need to do to handle an artifact I have never dealt with, or a method I may need. Now I have a great picture of my examination. Without the pressure of having the image open in front of me and getting sidetracked or led down wrong roads by things that jump out in front of me, I can go find the things I know will yield the results I should end up with. Not proof for the client, mind you, that may not exist, but the truth of what does or doesn't exist.

So that is the beginning of a case for me, and it saves me and my client headaches, time and money. I look forward to hearing how everyone else does it.

Thursday, September 8, 2011

Explosions Explosions

A couple of nights ago I did something rare: I actually watched a television program. I had heard an interview on NPR with an author of "Top Secret America", and it was mentioned that a documentary of the same name would be on Frontline on PBS that night. So, since the topic had been interesting, I "tuned in".
The basic premise of the documentary and the book was that since 9/11 much of our intelligence effort has been given over to, and is being performed by, contractors. That in itself was interesting, but my real interest was piqued because digital forensics in many forms kept being alluded to.
Another point important to the authors was that the "War on Terror" is nowhere near a conventional war, but is a war fought over and with information. Hence the constant allusion to DFIR. At one point they talked about how the amount of hardware containing information was so vast that traditional intelligence agencies couldn't come close to examining it all, and this further added to the number of contractors needed. Too much information in a war of information.

This made me consider my own practice of DFIR. In the "old" days of 40 or 80 GB HDs, I could comfortably, and within the budget of most clients, conduct a full comprehensive examination in every case. No sweat. Now, with most corporate desktops having 300 GB to 1 TB HDs, that is rapidly becoming a budget and time constraint. That explosion of information has hit down at the simplest computer forensics (CF) levels.

More and more of my most efficient time is being used at the case planning stage. The sheer size of the HDs I am getting requires me to adopt a new methodology, and to plan and "storyboard" examinations before I mount the first image. I spend more time with the client up front determining what I am looking for and what processes and applications could have been utilized.

I ask myself questions, determining ahead of time what type and location of artifacts I will be looking for, or whose absence I will be looking for. I no longer have the luxury of researching and investigating the software, the registry entries and the artifacts after I have found uses or traces; I now do this BEFORE I begin the actual examination.

Information has exploded right in our faces, and triage and planning have become some of the most important parts of our jobs. Narrowly focused forensics training is no longer enough; we truly must know everything from the hardware, the OS, the applications, the networks, and on and on.

And if the government wishes to throw me some of that burden of work, feel free!