Brett's Ramblings
Kicking in the wrong doors
I like reading Brian Krebs’ blog. Brian is awesome at tracking hackers and writing about it. While reading his latest post, Blowing the Whistle on Bad Attribution, my internal response was to keep repeating, “yes yes yes”.
I’m not going to get into his blog post other than recommend it as a good read about attribution. Now…about kicking in the wrong doors….
My #1 concern as a police officer and detective was arresting the right bad guy. The last thing I ever wanted was to arrest the wrong person (aka.. an innocent person). I took more steps to verify that probable cause existed than was probably legally required to arrest the right person, but arresting the wrong person is way worse than missing the right person. Police work was my entry into attribution.
I experienced the effects of wrongful attribution in police work by other investigators. On one occasion, a detective in a task force I was assigned had worked a drug case that was at best described as a disaster. This detective that I shall not name typed up an affidavit, swore to it, had the judge sign the search warrant, and gave that search warrant to the SWAT team to serve on an early morning. After the SWAT team secured the house, I went in to help with the search. Guess what. Wrong house. Wasn't even close. I could tell as soon as I walked inside. The ‘right’ house was a block away.
This particular case was due to a single and sole factor of not doing a good job. The detective never visually identified the right house (and never even looked at the wrong house either). The work was lazy; the detective assumed that she had the right house because the informant told her it was the right house. The funny thing was…the informant gave the correct address but the detective even got that wrong and never corroborated the right address or the wrong address. Didn’t even check any records to see who lived at the address to which the affidavit attested or even the right address.
And yes, a friend of mine who was in a different drug unit presented me with a sarcastic, yet humorous, certificate for the detective’s work in the drug case…I still have it as a reminder to never let this happen to me.
Oh well…that doesn’t happen much..right?
Turns out that I saw this happen on more than a few occasions, where the wrong door was kicked in, or the wrong person was arrested, or evidence that was seized and used against someone actually turned out not to be evidence at all. It happens, but it really shouldn’t. I know a prosecutor who had been chilling after work in her living room when her door was kicked in by police error...whups. Bad attribution with a quick legal settlement.
On the cyber aspect of attribution, the job is way harder than a traditional criminal case such a bank robbery or burglary. Traditional crimes require the physical person to be physically present to physically commit the crime on a physical person or physical item of property. The amount of evidence left behind ranges from fingerprints to security camera videos that captures the entire crime as it happens. With digital crimes, not so much. With digital crimes, we get deep in guesswork without the benefit of getting our hands on the tools used in the crime, other than the electronic data we can find.
Let’s get to the point.
Wrongful attribution is more than just wrong; it is dangerous. Attribution of digital crimes is also easy to get wrong, because not only is there less evidence, but the evidence left behind can be intentionally or inadvertently misleading. A malware that looks Russian does not mean that Russia did it. Maybe "Russia" did, maybe they didn’t. Even then, to broadly state that a nation-state, organization, group, or specific person did it, cannot be taken as totally accurate without a lot of corroborating evidence. Maybe the allegation is correct. Maybe it is not.
Even if attribution is spot on (in that you guessed correctly), unless you have the actual devices used and the person in cuffs admitting to it, you really only have assumptions that are difficult at best to prove or disprove. IP addresses can be misleading or intentionally deceptive. MAC addresses can be spoofed. Caller ID can be spoofed. Malware can be modified to appear to originate from a specific person or organization. Online claims can be false (where someone else takes the credit to get ‘street cred’ or fake online accounts can be created to point to innocent persons taking the blame).
At best, we can only say things like, “Based on what we found, the incident points to Suspect A”, and certainly should not state that “Suspect A did it because our electronic evidence proves it”. Proving a crime was committed by a specific suspect is a leap beyond believing that a specific suspect did it if you don't have enough direct and circumstantial evidence that can convince a judge or jury of peers.
I don’t fault anyone making bad attributions as long as everyone knows that without hard evidence, we are only making assumptions. It’s only human nature to assume, especially if emotions and bias is involved. I can’t remember the number of times where a victim told me that he knew who victimized him but in actuality, the victim was only assuming who did it based on his emotion of who he thought did it, not on any evidence. If police officers ran out and arrested people based on their feelings or mere suspicions, we’d be living a way different country. We shouldn’t be doing that in the cyber cases either.
About the author
Comments
By accepting you will be accessing a service provided by a third-party external to https://www.brettshavers.com/
Posts List
Tag Cloud
Search Blog
Most popular posts
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!
More posts
-
COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.
The meat and potatoesA bit is still a bit and a byte is still a byte. COVID-19 cannot change that, which means that the technical…
Saturday April 25
14525 hits / 0 comments
-
Mini-WinFE 10 and WinFE 10 Updated
The short story on the newest Mini-WinFE 10 (aka, the download link):Mini-WinFE has been updated and upgraded. I update WinFE developments (including the downloads for…
Sunday April 05
8976 hits / 2 comments
-
Eat your broccoli first
Something good and something not-so-good on learning DFIRThe good thing about learning DFIR is that there are probably fewer barriers and obstacles to learn and…
Saturday January 18
30155 hits / 0 comments
-
The Second Decade of the 2000s is almost over!
We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown!…
Thursday December 26
9817 hits / 0 comments
-
Public Records
I have an outstanding public records request. It is not "outstanding" in the manner that I wrote a great request, but "outstanding" in that I…
Thursday December 12
4689 hits / 0 comments
-
The Five Stages of the DFIR Career Grief Cycle
I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig,…
Tuesday September 10
34886 hits / 0 comments
-
Our World is Going to Turn Upside Down with DeepFakes
The short storyAny person and their voice, in practically any video (past, present, or future) can have their face and voice digitally replaced with any…
Sunday September 01
3038 hits / 0 comments
-
If you are comfortable in DFIR, you might be doing it wrong
I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the…
Thursday August 29
3991 hits / 0 comments
-
Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp
You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits. In fact, you can probably enjoy the…
Saturday August 17
4934 hits / 0 comments
-
Personality of a computer
From a recent discussion that I had with Harlan Carvey about the registry, this topic is something that I touched on lightly in Placing the…
Wednesday July 31
3936 hits / 0 comments
-
Add a Dab of Balance in your DFIR World
Jessica Hyde’s post of Giving Back in DFIR from 2018 is a great write up on contributing to the DFIR community, and I see her…
Monday June 24
14607 hits / 0 comments
-
The Easy Way to Learn DFIR
SummaryThere is no easy way to learn DFIR. You can stop reading from here if you want.Longer versionOk. Since you are still reading, you probably…
Saturday June 08
13905 hits / 0 comments
-
Game of Thrones, DFIR Style
Short post and quick opinion. I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little…
Thursday April 25
31816 hits / 0 comments
-
Puking in DFIR
Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in,…
Wednesday April 17
5765 hits / 0 comments
-
The #1 Reason that DFIR practitioners don’t post opinions
Lesley Carhart tweeted today that a journalist used one of her tweets in an article that would have been rephrased in a less playful manner…
Tuesday April 09
5858 hits / 0 comments
-
If USB flash drives were shaped like spiders, we wouldn’t have these problems
I hate USB drives. My first experiences with the darn things was when I was a young patrol officer and the entire police department was…
Monday April 08
2306 hits / 0 comments
-
Working in DFIR is glamorous, but mostly only to those not working in DFIR...
Here is something about the DFIR career field: it is one of the most exciting, eventful, and jam-packed jobs that anyone can have. Running and…
Friday April 05
3844 hits / 0 comments
-
Overcommitted in DFIR
I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not…
Friday March 22
19018 hits / 0 comments
-
'You're guilty unless you can prove it'
Swift on Security tweeted a great article. The article is not great as a well-written piece or containing earth shattering news piece, but more that…
Saturday March 09
21290 hits / 0 comments
-
“I've answered questions, responded to emails, and been on phone calls...when asked.” – Harlan Carvey
I feel obligated to respond to one of Harlan Carvey’s points in his recent blog post, Book Writing Misconceptions (https://windowsir.blogspot.com/2019/03/book-writing-misconceptions.html). I agree with everything he…
Tuesday March 05
3456 hits / 0 comments
© 2020 Brett Shavers