Brett's Ramblings
Low-Hanging Fruit Report
Low Hanging Fruit: Evidence Based Solutions to the Digital Evidence Challenge
When I first saw the title, I thought this was going to be something different (as in “low hanging fruit in digital forensics investigations”), but instead realized that it’s a think-tank report asking to approve a new yet-another-digital-forensics-federal-agency tasked to develop a list of ISPs.
Here is my understanding of their proposal
Problem and Objective:
-Cops don’t know which ISP to ask for data
-Teach cops how to ask for data from service providers by creating a “New national digital evidence policy” that is also “going to require a dedicated office”.
Staffing needed for the new federal agency:
--10 to 15 technical experts
--10 to 15 additional support staff
--Director
--Deputy Director
--Administration assistant
--Part time administration assistant
--“Additional staff”
--“Additional expenditures” could include more staff and attorneys
--“Honorariums” to advisory board members
The cost? Hold on to your seat.
--$10 million for staff
--$100 million OR MORE for support
The part of $100 million that rubs me a little raw is that the amount was downplayed because it is so small compared to other government spending. That simply sounds to me like, ‘hey government, you spend so much money, how about I create a new agency and you give me a little off the top, like a cool 100 million?’ Even the staffing requirements are limitless with “additional staff”.
I’m not going into what I really feel about another federal government agency for $110+ million that is created to research the development of a spreadsheet of ISPs just so that law enforcement knows where to send a legal demand…
But I’ll get a little bit into the training that was referenced in the presentation. From their research/survey, they found that law enforcement only receives between 10-15 hours a year of digital evidence training. This was conflated with training related to legal requests (search warrants, etc…) and training in forensics. On top of that, I found no separation between “law enforcement officer” and “digital forensics examiner” in what training they referred. I would say that 10-15 hours a year in digital evidence training to first responders is more than sufficient, but for a forensic examiner, a wee bit on the low side of annual training in analysis, but certainly not insufficient.
Some points of digital forensics training in law enforcement, and the obstacles I have seen go beyond what ISP to send a legal request. In my experience, practically any detective or patrol officer can type up a legal demand and find out where to send it without having a bit of digital forensics training, yet it was the number one issue in this report.
It’s the individual
There are two types of forensic analysts in government service. One who does the minimum. The other who goes well beyond the minimum.
I have seen some who are assigned to the cyber unit (cyber as in whatever the name of the digital forensics unit is called by each agency), take not a minute more training than being paid to take by their employer. For some, learning a skill for the job is directly tied to being on-the-clock and not a second more. This also applies to law enforcement lifesaving skill training…
The expectation is that the agency must provide everything they need to do their job. I’m not agreeing or disagreeing, nor getting into guild contract issues. But I will say that some do go beyond that which is given them. I have certainly enjoyed the benefits of government provided training, spending months at FLETC and other out-of-state trips for training. I have also used vacation leave and spent my own money on training, books, and software when I was a government employee because I knew I needed more than what was going to be provided to me. Hearing statements like, “I haven’t read that book because my department won’t buy it” continues to amaze me.
The difference that I have seen in the skill level between both groups is that of night and day. One detective told me that he refused to go to a forensic conference that his agency agreed to pay because lunch wasn’t covered. He wasn’t going foot the bill for his lunch and turned down the conference. The same detective also simply exports lists of CP filenames in his cases without any analysis, and sends the reports for charging, specifically blaming his lack of analysis skills on a lack of department provided training. A different forensic detective in a different agency spent three months trying to image a hard drive that I had already imaged for him but couldn’t figure it out (errors of some sort, I have no idea), but lives by the same rule as the first example. You no pay me, me no learn.
I’ve seen other law enforcement forensic folks who are forensic gods. Their departments will be at a great loss when they retire or move into the private sector. This is not due to having higher IQs or the agency having a bigger budget but instead, they are putting forth the effort with a willingness to do better regardless of who pays.
Back to the $110+ million dollar agency
The main issue of this research was that cops don’t know which ISP to send legal demands. Their entire premise boiled down to one statement:
“Law enforcement needs to understand where to go to in order to ask for data.” - Low Hanging Fruit presentation
My solution: We just need to create a list to do that.
Another issue in the research was that current forensic programs don’t include legal demands in their training. Please, do not start doing this! Forensic training is forensic training. Legal demands (like search warrants), don’t need forensic training and many times, it is not even the analyst writing the warrants if there is a case detective/agent working the case. Don’t waste an examiner’s time on how to write a warrant when they need to know how to extract the evidence and interpret it.
On the training and skill side of things, I don’t see a federal agency fixing anything as detailed in the report. We already have tons of grants, more training from more vendors than ever before, more folks trying to get into forensics, and more work than can ever be done. I can see $110+ million being spent on more effective measures for law enforcement forensics than what is proposed in this report.
Internal agency specific problems
My suggestions to increasing competence in law enforcement digital forensics is that each agency needs to make changes in how they do business when electronic evidence analysis is concerned.
--Select those who can do the job to do the job (seniority does not equal potential competence)
--Pay for their training (to speed up the learning process)
--Stop rotating them out of the job (or competence in the unit will never be obtained)
--Create promotions within the unit rather than promote them out of forensics
--Remove those who can’t do the job and find someone who can
I make these suggestions only because I have seen it done opposite of what I am suggesting. This is not a federal agency’s responsibility to fix the state and local digital forensics issues, especially at $110+ million.
I’ve been on a few boards and committees at the local and state level at attempts to do something about the lack of LE forensic analysis, but mostly they resulted in lots of talk, lots of notes, and the creation of another committee or board to start over. It is good to see interest in trying to make it better, but sometimes someone just has to put their foot down, stop talking, stop researching, and plainly get things moving.
Check out the research video here:
About the author
Comments
By accepting you will be accessing a service provided by a third-party external to https://www.brettshavers.com/
Posts List
Tag Cloud
Search Blog
Most popular posts
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!
More posts
-
COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.
The meat and potatoesA bit is still a bit and a byte is still a byte. COVID-19 cannot change that, which means that the technical…
Saturday April 25
14508 hits / 0 comments
-
Mini-WinFE 10 and WinFE 10 Updated
The short story on the newest Mini-WinFE 10 (aka, the download link):Mini-WinFE has been updated and upgraded. I update WinFE developments (including the downloads for…
Sunday April 05
8974 hits / 2 comments
-
Eat your broccoli first
Something good and something not-so-good on learning DFIRThe good thing about learning DFIR is that there are probably fewer barriers and obstacles to learn and…
Saturday January 18
30154 hits / 0 comments
-
The Second Decade of the 2000s is almost over!
We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown!…
Thursday December 26
9816 hits / 0 comments
-
Public Records
I have an outstanding public records request. It is not "outstanding" in the manner that I wrote a great request, but "outstanding" in that I…
Thursday December 12
4689 hits / 0 comments
-
The Five Stages of the DFIR Career Grief Cycle
I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig,…
Tuesday September 10
34886 hits / 0 comments
-
Our World is Going to Turn Upside Down with DeepFakes
The short storyAny person and their voice, in practically any video (past, present, or future) can have their face and voice digitally replaced with any…
Sunday September 01
3038 hits / 0 comments
-
If you are comfortable in DFIR, you might be doing it wrong
I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the…
Thursday August 29
3991 hits / 0 comments
-
Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp
You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits. In fact, you can probably enjoy the…
Saturday August 17
4933 hits / 0 comments
-
Personality of a computer
From a recent discussion that I had with Harlan Carvey about the registry, this topic is something that I touched on lightly in Placing the…
Wednesday July 31
3936 hits / 0 comments
-
Add a Dab of Balance in your DFIR World
Jessica Hyde’s post of Giving Back in DFIR from 2018 is a great write up on contributing to the DFIR community, and I see her…
Monday June 24
14606 hits / 0 comments
-
The Easy Way to Learn DFIR
SummaryThere is no easy way to learn DFIR. You can stop reading from here if you want.Longer versionOk. Since you are still reading, you probably…
Saturday June 08
13904 hits / 0 comments
-
Game of Thrones, DFIR Style
Short post and quick opinion. I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little…
Thursday April 25
31811 hits / 0 comments
-
Puking in DFIR
Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in,…
Wednesday April 17
5765 hits / 0 comments
-
The #1 Reason that DFIR practitioners don’t post opinions
Lesley Carhart tweeted today that a journalist used one of her tweets in an article that would have been rephrased in a less playful manner…
Tuesday April 09
5858 hits / 0 comments
-
If USB flash drives were shaped like spiders, we wouldn’t have these problems
I hate USB drives. My first experiences with the darn things was when I was a young patrol officer and the entire police department was…
Monday April 08
2305 hits / 0 comments
-
Working in DFIR is glamorous, but mostly only to those not working in DFIR...
Here is something about the DFIR career field: it is one of the most exciting, eventful, and jam-packed jobs that anyone can have. Running and…
Friday April 05
3844 hits / 0 comments
-
Overcommitted in DFIR
I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not…
Friday March 22
19018 hits / 0 comments
-
'You're guilty unless you can prove it'
Swift on Security tweeted a great article. The article is not great as a well-written piece or containing earth shattering news piece, but more that…
Saturday March 09
21290 hits / 0 comments
-
“I've answered questions, responded to emails, and been on phone calls...when asked.” – Harlan Carvey
I feel obligated to respond to one of Harlan Carvey’s points in his recent blog post, Book Writing Misconceptions (https://windowsir.blogspot.com/2019/03/book-writing-misconceptions.html). I agree with everything he…
Tuesday March 05
3456 hits / 0 comments
© 2020 Brett Shavers