Menu
  • Home
  • My Books
  • Courses
  • About Me
  • Contact
  • Home
  • My Books
  • Courses
  • About Me
  • Contact

Brett Shavers | forensics & things

Brett's Ramblings

Subscribe to blog
Unsubscribe from blog
Settings
Sign In
If you are new here, Register
  • Forget Username
  • Reset Password
Font size: + –
Subscribe to this blog post Unsubscribe
Report
Print
4 minutes reading time (745 words)

Don’t totally discount attribution in Incident Response work

Digital Forensics
Brett Shavers
Monday, 19 November 2018
1706 Hits
0 Comments

I’m big on attribution in crimes. It is my personality and attitude, which you can probably tell from the things I write and say (and have done).  With that, I completely understand that the “IR” in “DFIR” is not primarily about attribution, if it ever is. The IR (Incident Response) is a different job than the DF (Digital Forensics), but still related, like cousins.

In a pure digital forensics (ie. legal) matter, attribution is key. Attribution is the goal. Attribution is what you are working towards. Otherwise, it is not literally forensics, but only mechanically forensics, in that you may be performing the same mechanics as with forensic processes and methods, but if you aren’t looking to pin a crime on the suspect in a legal matter, it is not really forensics by definition.

With IR, pinning the crime/breach on the criminal or nation-state isn’t the primary mission unless you work at one of the alphabet-soup government agencies. But, IR is no less important than DF, even as the goals are generally different. With DF, the work is targeted to give justice to a victim through a legal process. With IR, the goal is usually to quell the panic of data spewing from the network like a busted fire hydrant in the middle of summer. Attribution is maybe an afterthought, at best. Stopping the pain is the priority.

But here I go splitting a hair with attribution in IR work….

When you do IR work (outside of the alphabet-soup government agencies), sometimes you should think about attribution in what you are doing. In fact, sometimes you must think about it because you might not be working a pure IR job. You might be deep into the legal arena! 

Fairly recently, I was asked to “look at” an employee’s email account for "hacking". Sure enough, someone other than the account holder had been in the account. Emails had been sent out from the employee’s account and some emails posted online by way of screenshots. Without getting into the weeds of what was happening, it clearly looked like internal drama in the organization.

The client/CEO wanted it stopped, but did not care about who did it because, “Nothing you can do about it if China is doing it.”  This was the advice from IT to the CEO. Hackers can’t get caught, so don’t waste money on it when you can just prevent it from happening again. However, just by looking at the content of the emails that were being sent out and posted online, it was clearly an insider job or someone related to the employee in some manner. Seriously. It was so blatantly obvious that the employee was targeted and that most likely, it was probably another employee just by a quick glance of how it was happening. I gave an estimate of a day to be able to find out who it was, and still, the solution was to stop it from happening and not worry about catching the culprit.

Good grief.

My point is that sometimes you can catch the person because maybe the suspect is not in Iran or China or Russia or Timbuktu. Maybe s/he is in the next cubicle. In this example, the suspect was in IT, which took me a half day to figure out, without even having to skip lunch. End result was that everyone happy (the in-house attorney, the employee and the CEO). Except the IT person. He was not happy. But everyone else was.

Most anyone working in IR can fairly accurately tell where the hacks* come from. Maybe not to a specific person or nation-state, but at least be able to gauge whether or not the suspect is in the same building or down the street or related to the organization (generally!). There is nothing wrong with advising a client that although you can certainly stop the pain of a hack* (see the below definition..),  you may also be able to solve a problem that is just as important which may actually have a positive ROI beyond dollars spent.

This is just an example of when a pure IR engagement can turn into pure DF gig, simply because IR can see typically be able to determine that not only can you identify the suspect, but that you should because in a case like this, the victim will keep being victimized by someone that can be caught and brought to justice.

 

*hacks, as in whatever you want to call unauthorized computer access.

Tweet
Share on Pinterest
0
On ransomware, my advice is different from that ot...
What is this thing called "Patreon?"

About the author

Brett Shavers

Brett Shavers

 

Comments

No comments made yet. Be the first to submit a comment
Guest
Saturday, 23 January 2021

Captcha Image

By accepting you will be accessing a service provided by a third-party external to https://www.brettshavers.com/

direct link

Brett's blog

Posts List

Tag Cloud

surveillance training 4cast email presentations Hiding Behind the Keyboard phishing investigations book forensics Registry Forensics North korea Virtualization X-Ways Forensics investigation Volume Shadow Copy Hacker Windows Forensic Environment Placing the Suspect Behind the Keyboard dfir windows forensic environment winfe gmail RegRipper Jimmy Weg imaging writing Bitcoin Forensics University of Washington X-Ways Forensics Practitioner's Guide expert case studies bitcoin forensics privacy tor browser wiretap bitcoin windows fe

Search Blog

Most popular posts

Brett Shavers
Brett Shavers
06 December 2015
RegRipper
RegRipper
Digital Forensics
The short story-if you want RegRipper, get it from GitHub (don't download it from anywhere else)http://github.com/keydet89What is RegRipper?RegRipper was created and maintained by Harlan Carvey. ...
0
38743 Hits
3 comments
Read More
Brett Shavers
Brett Shavers
25 April 2019
Game of Thrones, DFIR Style
Game of Thrones, DFIR Style
Digital Forensics
Short post and quick opinion. I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little deeper. Actually, I didn’t have to dig far at all to find trul...
0
37228 Hits
0 comments
Read More
Brett Shavers
Brett Shavers
10 September 2019
The Five Stages of the DFIR Career Grief Cycle
The Five Stages of the DFIR Career Grief Cycle
Digital Forensics
I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig, that I was honored that he agreed to write the foreword of a book that Eric Zimmerma...
1
36763 Hits
0 comments
Read More

Magnet Forensics Conversation

DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.


Even better, support DFIR Training by subscribing at https://www.dfir.training/subscribe-3 and get access to multiple online courses in digital forensics with included ebooks!

More posts

Date
Date
  • When OSINT is turned into the Baseball Bat of Internet Mob Justice

    When OSINT is turned into…

    When OSINT is turned into the Baseball Bat of Internet Mob Justice

    We are of a curious mind, we the forensic examiners, private investigators, OSINT professionals, and journalists. Our work is for the public good, and we…

    Thursday January 14

    by Brett Shavers

    5556 hits / 0 comments

  • I took a look at Instagram's Terms of Service so that you won't have to.

    I took a look at…

    I took a look at Instagram's Terms of Service so that you won't have to.

    Who really reads the Terms of Service anyway?Are EULAs and TOSs intentionally designed as multi-page, single-spaced, 4 font, legalized writing to confuse users or simply…

    Saturday December 26

    by Brett Shavers

    8534 hits / 0 comments

  • White Paper: The Susceptibility of Interconnected Devices in a Global Concept as Surveillance Affects the Consumer-user

    White Paper: The Susceptibility of…

    White Paper: The Susceptibility of Interconnected Devices in a Global Concept as Surveillance Affects the Consumer-user

    I read an article that China used technology to spy on users via their phones (https://www.theguardian.com/us-news/2020/dec/15/revealed-china-suspected-of-spying-on-americans-via-caribbean-phone-networks). Here is my white paper analysis.#1 - If...

    Wednesday December 16

    by Brett Shavers

    4652 hits / 0 comments

  • How long does it take to get into the DFIR field?

    How long does it take…

    How long does it take to get into the DFIR field?

    Question I received: How long does it take before I can expect to get into a DFIR career?Answer: It depends!It depends on your available resources +…

    Thursday November 12

    by Brett Shavers

    14893 hits / 0 comments

  • An expert is just one page in a book ahead of you

    An expert is just one…

    An expert is just one page in a book ahead of you

    Let me dispel your notion of what an “expert” is. An expert is someone who has more information than you. That’s it. Imagine being stranded…

    Friday October 30

    by Brett Shavers

    5825 hits / 0 comments

  • Should you improve your DFIR skills on your personal time?

    Should you improve your DFIR…

    Should you improve your DFIR skills on your personal time?

    Almost two years ago, I wrote about burning out in DFIR (“Only race cars should burn out"). I still stand by what I wrote at…

    Friday September 04

    by Brett Shavers

    28344 hits / 0 comments

  • TikTok is like a big, greasy cheeseburger. We know it is bad for us, but don't care.

    TikTok is like a big,…

    TikTok is like a big, greasy cheeseburger. We know it is bad for us, but don't care.

    Short version: Any social media platform can be compared to the biggest, greasiest cheeseburger that you can find.  You know that the cheeseburger is unhealthy,…

    Tuesday July 07

    by Brett Shavers

    24018 hits / 0 comments

  • Jessica Hyde and I talk about forensic stuff

    Jessica Hyde and I talk…

    Jessica Hyde and I talk about forensic stuff

    Jessica Hyde of Magnet Forensics sat down together (virtually...) to talk about forensics.  In case you missed it, here it is!

    Thursday June 11

    by Brett Shavers

    10735 hits / 0 comments

  • Facebook Spoofing: Your Reputation, Investigations, and Massive Data Collection

    Facebook Spoofing: Your Reputation, Investigations,…

    Facebook Spoofing: Your Reputation, Investigations, and Massive Data Collection

    A “new” article on imposter Facebook accounts was published today in the Philippines.  I put “new” in quotes because this is not a new issue,…

    Sunday June 07

    by Brett Shavers

    2662 hits / 0 comments

  • You do not want to work in DFIR.

    You do not want to…

    You do not want to work in DFIR.

     The fantasySo many people ask how they can start a career in the DF/IR field, which is completely understandable. The glamour is there. Hollywood shows…

    Thursday June 04

    by Brett Shavers

    3278 hits / 0 comments

  • COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.

    COVID-19’s Investigative Impacts on Digital…

    COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.

    The meat and potatoesA bit is still a bit and a byte is still a byte. COVID-19 cannot change that, which means that the technical…

    Saturday April 25

    by Brett Shavers

    16858 hits / 0 comments

  • Mini-WinFE 10 and WinFE 10 Updated

    Mini-WinFE 10 and WinFE 10…

    Mini-WinFE 10 and WinFE 10 Updated

    The short story on the newest Mini-WinFE 10 (aka, the download link):Mini-WinFE has been updated and upgraded.  I update WinFE developments (including the downloads for…

    Sunday April 05

    by Brett Shavers

    10816 hits / 2 comments

  • Eat your broccoli first

    Eat your broccoli first

    Eat your broccoli first

    Something good and something not-so-good on learning DFIRThe good thing about learning DFIR is that there are probably fewer barriers and obstacles to learn and…

    Saturday January 18

    by Brett Shavers

    30970 hits / 0 comments

  • The Second Decade of the 2000s is almost over!

    The Second Decade of the…

    The Second Decade of the 2000s is almost over!

    We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown!…

    Thursday December 26

    by Brett Shavers

    10720 hits / 0 comments

  • Public Records

    Public Records

    Public Records

    I have an outstanding public records request. It is not "outstanding" in the manner that I wrote a great request, but "outstanding" in that I…

    Thursday December 12

    by Brett Shavers

    5221 hits / 0 comments

  • The Five Stages of the DFIR Career Grief Cycle

    The Five Stages of the…

    The Five Stages of the DFIR Career Grief Cycle

    I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig,…

    Tuesday September 10

    by Brett Shavers

    36763 hits / 0 comments

  • Our World is Going to Turn Upside Down with DeepFakes

    Our World is Going to…

    Our World is Going to Turn Upside Down with DeepFakes

    The short storyAny person and their voice, in practically any video (past, present, or future) can have their face and voice digitally replaced with any…

    Sunday September 01

    by Brett Shavers

    4455 hits / 0 comments

  • If you are comfortable in DFIR, you might be doing it wrong

    If you are comfortable in…

    If you are comfortable in DFIR, you might be doing it wrong

    I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the…

    Thursday August 29

    by Brett Shavers

    4803 hits / 0 comments

  • Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp

    Everything I Needed to Know…

    Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp

    You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits.  In fact, you can probably enjoy the…

    Saturday August 17

    by Brett Shavers

    6431 hits / 0 comments

  • Personality of a computer

    Personality of a computer

    Personality of a computer

    From a recent discussion that I had with Harlan Carvey about the registry, this topic is something that I touched on lightly in Placing the…

    Wednesday July 31

    by Brett Shavers

    5082 hits / 0 comments

© 2021 Brett Shavers