I’m big on attribution in crimes. It is my personality and attitude, which you can probably tell from the things I write and say (and have done). With that, I completely understand that the “IR” in “DFIR” is not primarily about attribution, if it ever is. IR (Incident Response) is a different job than DF (Digital Forensics), but still related, like cousins.
In a pure digital forensics (i.e., legal) matter, attribution is key. Attribution is the goal. Attribution is what you are working towards. Otherwise, it is not literally forensics but only mechanically forensics: you may be performing the same mechanics as forensic processes and methods, but if you aren’t looking to pin a crime on a suspect in a legal matter, it is not really forensics by definition.
With IR, pinning the crime/breach on the criminal or nation-state isn’t the primary mission unless you work at one of the alphabet-soup government agencies. But, IR is no less important than DF, even as the goals are generally different. With DF, the work is targeted to give justice to a victim through a legal process. With IR, the goal is usually to quell the panic of data spewing from the network like a busted fire hydrant in the middle of summer. Attribution is maybe an afterthought, at best. Stopping the pain is the priority.
But here I go, splitting a hair over attribution in IR work…
When you do IR work (outside of the alphabet-soup government agencies), sometimes you should think about attribution in what you are doing. In fact, sometimes you must think about it because you might not be working a pure IR job. You might be deep into the legal arena!
Fairly recently, I was asked to “look at” an employee’s email account for "hacking". Sure enough, someone other than the account holder had been in the account. Emails had been sent out from the employee’s account and some emails posted online by way of screenshots. Without getting into the weeds of what was happening, it clearly looked like internal drama in the organization.
The client/CEO wanted it stopped, but did not care about who did it because, “Nothing you can do about it if China is doing it.” This was the advice from IT to the CEO: hackers can’t get caught, so don’t waste money on it when you can just prevent it from happening again. However, just by looking at the content of the emails that were being sent out and posted online, it was clearly an insider job or someone related to the employee in some manner. Seriously. It was so blatantly obvious that the employee was targeted, and most likely by another employee, just from a quick glance at how it was happening. I gave an estimate of a day to be able to find out who it was, and still, the solution was to stop it from happening and not worry about catching the culprit.
Good grief.
My point is that sometimes you can catch the person because maybe the suspect is not in Iran or China or Russia or Timbuktu. Maybe s/he is in the next cubicle. In this example, the suspect was in IT, which took me a half day to figure out, without even having to skip lunch. End result was that everyone was happy (the in-house attorney, the employee and the CEO). Except the IT person. He was not happy. But everyone else was.
Most anyone working in IR can fairly accurately tell where the hacks* come from. Maybe not down to a specific person or nation-state, but at least well enough to gauge whether the suspect is in the same building, down the street, or related to the organization (generally!). There is nothing wrong with advising a client that although you can certainly stop the pain of a hack* (see the definition below), you may also be able to solve a problem that is just as important, one which may actually have a positive ROI beyond the dollars spent.
This is just an example of when a pure IR engagement can turn into a pure DF gig, simply because in IR you can typically determine not only that the suspect can be identified, but that they should be, because in a case like this the victim will keep being victimized by someone who can be caught and brought to justice.
*hacks, as in whatever you want to call unauthorized computer access.
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
© 2021 Brett Shavers