Brett Shavers | forensics & things

Brett's Ramblings

Subscribe to blog
Unsubscribe from blog
Settings
Sign In
If you are new here, Register
  • Forget Username
  • Reset Password
Font size: + –
Subscribe to this blog post Unsubscribe
Report
Print
16 minutes reading time (3240 words)

What is the best way to get to Spokane from Seattle?

Digital Forensics
Brett Shavers
Saturday, 15 December 2018

Stand by, here comes my opinion on forensic tools (software and hardware)

I tend to prefer having the option to pick among a large selection of tools so I can be highly specific in solving problems. The fewer options I have, the more likely I will be doing an “OK” job instead of a “good” job. Worse still, without the right tools, I may not be able to do the job at all. With that, I say things like, “The more tools in your toolbox, the more problems you can solve.”

This doesn’t mean tools solve problems. It doesn’t mean that anyone with many tools can solve problems. It doesn’t mean that any tool can solve any problem. And it doesn’t mean that merely having lots of tools means you can solve lots of problems. I simply mean that by having a choice of tools that I am competent to use, I can pick the right tool for the right job.

 

To elaborate a little more, I do not believe that having every tool in existence is a reasonable plan. There are far too many tools available for any one person to be competent (even at the least level of competence!), or to keep updated, or to validate, or to use with any frequency to remember which button (or command) does what. It is just too much.  

Each person has their own sweet spot as to how many tools that they need for their job. For some, this may be a few. For others, it may be more. And for each person, the sweet spot is different. And over time, the sweet spot changes.  Even with different jobs, the sweet spot will change. You have to find your sweet spot and no one else can tell you what that is. Did I mention that your sweet spot of tools will change? 

Related experience on having too many things: In my younger life, days after I checked into 2/3, I was headed to the field for a month (PTA). What did I do to prepare for 30 days in the field? I went to the PX and bought a bunch of nicely packaged and enticing junk that was packaged and marketed as "the top 10 things that Marines need to bring to the field". I brought back this junk to the barracks and started packing and strapping junk to my ALICE pack. The old salts in my squad ribbed me pretty bad about me wasting my money on ‘junk’. The things I bought were promises of making field life easier for Marines in the field. The packages said as much!   Days after being in the field, I cursed every little junk item I bought because all it did was add weight to everything I was carrying, did nothing to make fieldwork easier, and I learned from the salty Marines on what works in the field based on hundreds of years of Corps’ existence, not some toy from the PX. Some of the NCOs that I mirrored were magicians in the field. Literally, they performed magic. The things I learned that a person can do with the right tools showed me that it is never just a tool, but the right person appropriately employing the right tool. I carried this lesson from that first month in the field through today with this blog post. 

"It's not the machine, but the examiner, that does the work" - Brett Shavers

Picking the right tool

Some questions have one answer. What is 2+2? Is fire hot? Is ice cold? Other questions have more than one answer. That is why this blog post is titled, What’s the best way to get to Spokane from Seattle? No one can answer this question for someone else. There are too many variables involved for there to ever be one answer to the best way to get to Spokane from Seattle. Variables such as: how soon do you need to be there? How much are you willing to pay for travel expenses? Do you prefer to drive, fly, or ride a bus or train? Do you like a window seat or aisle? And hundreds of personal questions that affect the best way for you to get to Spokane from Seattle. Point being, best for you may not necessarily be best for me.

 

So, when I hear “the best forensic tools” or “this is the best forensic tool”, I assume that the person stating or writing such a thing is speaking solely for themselves, as there is no way that they are speaking for me. It is impossible. The variables to choose a software tool are no different than choosing something to eat for lunch. It depends on everything.  Time to eat. Money to spend. Locations available. Type of food available. Allergies. Food preferences. Tastes. Desires for a certain food at that very moment. The person eating with you and their preferences. Any “top list” of anything is useless except for the person creating the list.

The point: You choose the best tool for you that can solve the problem.

How many tools?

I have written things about forensic software, but never stated that one tool is better than another, or that you only need one tool. The closest thing I have written that could be interpreted as such was in the X-Ways Forensics Practitioner’s Guide. And even then, I simply stated that if you are proficient in X-Ways Forensics, then you probably know your stuff and probably know how to use other tools too.

https://www.amazon.com/gp/product/0124116051/ref=dbs_a_def_rwt_bibl_vppi_i1

The appropriate number of tools is the number (1) in which you can maintain competence and (2) that you actually need. If you can’t maintain competence in a tool, get rid of it. If you don’t need a tool, why do you have it? Don’t overwhelm yourself with too many tools that you can’t use competently or don’t need to use at all.

Validation

I had an email recently asking my opinion on validation. I happened to be extremely busy at the time I saw the message on my phone, and didn’t have the time to respond appropriately. In short, the question was how do you validate tools and how often, and do you use test images that are available online. Wow. Tough question, actually.

Without writing a book on forensic tool validation, all I can say is that I have spoken to many about this subject and I have found that it is a rare examiner that validates all of their tools, and at that, rarely does it regularly. The vast majority simply buy (or download) a tool and use it. Validation happens when they use another tool to check the work of the first tool on finding an artifact…in real cases. The result is that many of us use a tool (that we didn’t validate) to find evidence, and then we use another tool (that we also didn’t validate) to validate our findings. Hint: I test my tools against other tools against known data sets.

I’m not a software developer, but I am aware of what software testing is and how to do it. There are books on how to test software, with processes that range from simple to complex. I recommend picking up one or more of these books to get a handle on software validation before you get asked on the stand about it. Seriously. Check into it because it happens, or at least it happened to me.  At a minimum, I suggest taking advantage of Paraben's free ebook on validating forensic tools (https://paraben.com/validation/). 

As far as the online test images, I believe they have their place if they were developed for testing. There are images that are freely downloadable for testing that were purchased from the private market. These particular sets of images come from discarded and used computer systems, and we really have no idea what happened on those systems other than what the tools tell us. I find this exciting, but only out of curiosity about what data people throw out without knowing the risk. In my opinion, these are the worst images to use as test images, because we have to trust the tools to tell us what happened on the systems. How can you test a tool on data when you can’t validate that data independently and are trusting the tool to tell you what is on it?

Test images should be images where you know exactly what data is on them, and know exactly how the data was created. If you don’t have the documentation of the activity that occurred on the image, then the only thing you are testing is your patience while the software runs. If you don’t know for a fact what happened on an image (prior to imaging, of course), then how do you know your tool is performing correctly? You don’t, because you are trusting the tool to be accurate about data that you can’t validate, in order to validate the tool you are testing…

**EDITED** 12/21/18

To clarify my initial thoughts on test images and tool validation, I think it better to state that the tools may be accurate in parsing the data on images for which you have no assurance of the activity, but that the results may be incorrect or inconclusive. One example of what I mean: the tool may parse the data correctly, but the data itself may be the product of anti/counter-forensics. To show this, I’ve created a trick question in classes where I planted anti/counter-forensic data (user-created files) onto a drive purposely to throw off an analysis. Tricks are unfair in teaching, but this sort of exercise makes several points, such as how to state conclusions in a report, to question why a file may or may not exist and why its supporting metadata may or may not exist, and not to jump to conclusions at the first sight of evidence.

The steps I took were simple:

  1. Boot the drive to WinPE.
  2. Copy user-created files* (Word docs, etc.) onto the drive.
  3. Image the drive.

The result was that most of the class assumed the files were created by the logged-on user account, on the dates and times of the documents/files. Some of the class questioned how the files were created (not downloaded, no evidence of the applications being run, no USB connections, no LNK files, etc.). The tools were correct in pulling the data, but the conclusions were wrong about the data itself. The point being made was that finding the evidence is the first priority. Next is to validate the evidence (is it really evidence or not?). Then come to some conclusion of how the evidence was most likely created, supported by other corroborating evidence (other than the actual data file itself). The result was that every time the ‘evidence file’ was found in classwork, students really worked to make sure they grabbed as much supporting evidence on that file as possible.

*The user-created files were time stomped to match Internet activity dates/times on the drive.

My test images

I have a set of test images that I have created over the years. For each image, I have extensive documentation with everything I did on that image, with date and time. It is a lot of work. A serious amount of work, but I now have a library with different OSs and different types of evidence planted on the images.  When I run a tool on an image, I compare the result of the tool with my notes. It should match exactly, and if it does not, either I used the tool wrong or the tool doesn’t work. I know that because I planted the evidence and know exactly what the evidence is. I know how it got on the disk. I know when it was put on the disk. I know because I did it and documented it as I was doing it.  My test images are validated by me, for me. You can’t do that with an image you find online. You can’t even do it with an image someone gives you, because you are trusting someone else with validation of the data on the image! At best, you are trusting the creator of an image to not only give you accurate information about the image, but that they accurately documented the creation of the data on the image. Think about that a moment.
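The comparison described above (run the tool on a self-made test image, then check its output against the notes written while planting the evidence) can be automated. The script below is an added example, not the author’s code or any vendor’s; it assumes the examiner’s notes are kept as a JSON manifest of path, SHA-256 and modification time, and that the tool under test can export a CSV with the same three columns. Both inputs are constructed samples: the tool “misses” one planted file, lists a file the manifest never documented, and reports one timestamp in local time with no zone marker, which is exactly the kind of discrepancy that tells you either the tool or your use of it needs a second look.

```python
"""Check a forensic tool's file listing against the examiner's own ground-truth
manifest for a self-built test image (added example; formats are assumptions)."""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed manifest: the notes written while planting evidence. Times are UTC
# and the SHA-256 values are made-up placeholders, not hashes of real files.
MANIFEST_JSON = """
[
  {"path": "Users/alice/Documents/report.docx",
   "sha256": "1111111111111111111111111111111111111111111111111111111111111111",
   "mtime": "2018-12-01T14:22:10Z"},
  {"path": "Users/alice/Pictures/photo.jpg",
   "sha256": "2222222222222222222222222222222222222222222222222222222222222222",
   "mtime": "2018-12-02T09:05:00Z"},
  {"path": "Users/alice/Downloads/setup.exe",
   "sha256": "3333333333333333333333333333333333333333333333333333333333333333",
   "mtime": "2018-12-03T18:40:31Z"}
]
"""

# Constructed tool export for the same image. Deliberate defects: setup.exe is
# missing, pagefile.sys was never documented in the manifest, and photo.jpg's
# time is local time (UTC-8) with no zone marker. report.docx differs only in
# harmless ways (upper-case hex, explicit +00:00 offset) and should match.
TOOL_CSV = """path,sha256,mtime
Users/alice/Documents/report.docx,1111111111111111111111111111111111111111111111111111111111111111,2018-12-01T14:22:10+00:00
Users/alice/Pictures/photo.jpg,2222222222222222222222222222222222222222222222222222222222222222,2018-12-02T01:05:00
pagefile.sys,4444444444444444444444444444444444444444444444444444444444444444,2018-12-03T18:41:02Z
"""


def parse_utc(stamp: str) -> datetime:
    """Normalise an ISO-8601 stamp to an aware UTC datetime so that formatting
    differences between tools do not masquerade as evidence differences."""
    dt = datetime.fromisoformat(stamp.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:  # assumption: a stamp with no zone marker is UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def load_manifest(text: str) -> dict:
    """Examiner's notes (JSON list) -> {path: {"sha256": str, "mtime": datetime}}."""
    return {e["path"]: {"sha256": e["sha256"].lower(), "mtime": parse_utc(e["mtime"])}
            for e in json.loads(text)}


def load_tool_output(text: str) -> dict:
    """Tool export (CSV: path,sha256,mtime) -> same shape as the manifest."""
    return {row["path"]: {"sha256": row["sha256"].lower(), "mtime": parse_utc(row["mtime"])}
            for row in csv.DictReader(io.StringIO(text.strip()))}


def compare(manifest: dict, observed: dict) -> dict:
    """Report what the tool missed, what it reported that was never planted,
    and which documented values it got wrong. Each entry is worth a note: a
    missing file is a tool or usage failure, an unexpected one is either a gap
    in your notes or a tool error, and a mismatch is a parsing problem."""
    missing = sorted(set(manifest) - set(observed))
    unexpected = sorted(set(observed) - set(manifest))
    mismatched = []
    for path in sorted(set(manifest) & set(observed)):
        for field in ("sha256", "mtime"):
            expected, got = manifest[path][field], observed[path][field]
            if expected != got:
                mismatched.append((path, field, expected, got))
    return {"missing": missing, "unexpected": unexpected, "mismatched": mismatched}


def validate(manifest_text: str = MANIFEST_JSON, tool_text: str = TOOL_CSV) -> dict:
    """Run the comparison; the tool passes only when every list is empty."""
    result = compare(load_manifest(manifest_text), load_tool_output(tool_text))
    result["passed"] = not (result["missing"] or result["unexpected"] or result["mismatched"])
    return result


if __name__ == "__main__":
    r = validate()
    print("PASS" if r["passed"] else "FAIL")
    for path in r["missing"]:
        print(f"  missing    : {path}")
    for path in r["unexpected"]:
        print(f"  unexpected : {path}")
    for path, field, expected, got in r["mismatched"]:
        print(f"  mismatch   : {path} {field}: notes say {expected}, tool says {got}")
```

Run against the constructed inputs, the check fails with one missing file, one unexpected file, and one timestamp mismatch on photo.jpg (notes say 09:05 UTC, tool says 01:05). The timestamp case is the subtle one: the file content is right, but a tool that silently prints local time would put the wrong time in a report, and only a manifest you wrote yourself lets you see it.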

One question that I saw on Twitter a while back concerning the software listings on dfir.training, was something to the effect of “are all these tools validated?” This is a legitimate question because there are over 1,300 software listings. The only accurate answer is that none of the software is validated. Not a single one. Not a single tool on Github is validated. Nothing on SourceForge is validated. Not a single commercial suite that costs thousands of dollars is validated. No open source programs are validated either. None of them. Nada. Zip. 

The only tools that are validated are the tools that you personally test. Out of that 1,300+ tool listing, whatever you download and use is up to you to validate. Out of that 1,300+ tool listing, you may only ever need 5 or 50 or 500 of those tools in your lifetime. Again, that is totally up to your situation and needs, and validation falls upon you. Sorry, but that is the way it works.

How I choose forensic tools

Everyone is different because we are.  Every scenario is different, because they are.  Tools are different because they are developed by different people and for different scenarios. All of this adds up to an infinite number of solutions for each person to decide on which tools to pick for specific scenarios.

Here is how I pick tools (keeping it simple…):

  1. What is the problem?
  2. What tools do I know how to competently use and will any of these tools solve the problem?
  3. If I don’t have the tool, which tool can I become competent in to solve the problem?

That’s it. For every single scenario, I go through the same process. Some are quick and easy to figure out. If the job is imaging an easy-to-access single hard drive without any encryption in a desktop, then the choice is quick and simple. Scenarios beyond that add a bit of complexity with each additional obstacle to overcome. This process covers every scenario from basic imaging to a full-fledged network breach that is bleeding data like a stuck pig. There comes a point where I can’t handle a problem because it is too far outside what I know and the time I would need to learn what is required. If I came across a problem that required me to be a program developer, I could do it if I had the time and the problem could wait while I got a degree in computer programming. But I know my limits, and I know how long it takes me to learn a new application to a competent level if that can be the solution.

Those pesky personal preferences

Back in the day, we didn’t really have much in the way of software choices. If you started back in the Norton Disk Editor days…you were really limited in choices overall. Today, we have many (too many?) to choose from. Then we have personal preferences. I know examiners who swear by one particular forensic suite (name any suite and I’ll show someone that swears only by it). Others won’t touch a suite because they prefer to use small tools to solve problems. By small tools, I mean those forensic tools that do one specific thing rather than a suite of functions. Some demand push-button only, others want CLI only. Some only use Windows-based, others only Mac, and believe it or not, some only use Linux-based forensic applications. Many use a combination of all of these, because it depends on the problem to solve coupled with competence in specific tools.

I never question someone’s preferences in tool selection or tool development, because preferences. As long as the problem can be solved, personal preferences don’t really matter.

It is only when personal preferences interfere with problem solving that it matters. When someone keeps trying to force a solution that keeps failing or is obviously inappropriate, then the problem is never solved and gets worse. If a tool is not working on a problem, and you can’t fix it, then quickly move to something that works.

You should be able to flow from tool to tool to solve problem to problem.

Reporting and tools

Accept now that one tool does not do it all.  This includes reporting. I have seen comments about forcing one suite to accept reports from other suites and tools because the examiner wants to press ‘print’ and have it all done in one.

In reality, each suite creates its own reports, and many (most?) small tools don’t even create reports at all. They will spit out the data, but not so much a report of the data like a suite will.  Unless you are only using one suite for a case, you will be hodge-podging a report from multiple suites of tools and creating output reports from small tools. Yes, some suites allow for easy importing of other reports, but as for me, I am combining small tool outputs with suite reports, adding software logs, pasting screenshots, and typing statements and summaries to form one report. When I take a course in a tool in which the provider is touting the reporting feature as the end-all be-all reporting feature, I kinda tune out because I heard that song before.

Trying to avoid the technical

I do my best to avoid technical writing, except for a few pieces that I want to put out that others may not be aware of. The only reason I do not want to put out technical pieces is that so many others are doing fantastic work in publishing their research. David Cowen’s test kitchens are the most innovative that I’ve seen among online forensic videos. There are several on Twitch that have been doing the same sort of thing (hacking mostly), but Dave’s fits the area where I work in forensics, so I really appreciate what he is doing. Others (too many to mention) are writing blog posts with some juicy technical forensic info. The thing I find missing is the investigative aspect, the principles and concepts of forensics, and the personal facets of forensic work. That’s what I tend to focus on when teaching and writing. I believe we can all learn the technical aspects, particularly when we have some outstanding researchers sharing their knowledge! My objective is to push the other side of the coin, the side that focuses on using your brain to make decisions, to think things through, and to solve any problem with multiple solutions derived from how to think.

Back to the best way to get to Spokane from Seattle

There are many ways. There are side roads, service roads, flight paths, and train tracks. Rather than assume that you can drive to Spokane, evaluate the ways and pick the solution that fits your situation at that moment, because driving may be best today, but flying may be best next week. No different with forensics. Today’s solution may be different from tomorrow’s.
