Brett's Ramblings
Yes, you can place the suspect behind the keyboard, even if Tor is used.
Earlier this year, I was asked to give a talk to a small group of investigators on putting together a case on anonymous criminals on the Internet. Right out of the gate, from the back forty (ie..the back of the room), I was told that it can’t be done, that only the NSA can do it, and that this was going to be a waste of time. No kidding. I never met that guy before in my life, didn’t even start the talk yet, and he instantly reminded me of someone I worked with before, who was affectionately known, “the dinosaur” before he retired. Within five minutes, I regretted doing this presentation.
Four hours later, the “dinosaur” apologized to me after I gave a dozen tips to try in his cases and gave a demonstration of how some of them can work in just a few minutes.
I bring this up because I know what this detective has gone through, having been given cases where there is no suspect information, or little-to-no evidence, and even uncooperative victims, yet, it’s your case to work. After a few years, you either get burned out from failures or you learn to beat the technology by using your brain.
One of the demonstrations I did in the talk was to deanonymize a Tor user. One person created a Tor account in class and sent me an email. In 5 minutes, I had her IP address, which was verified as her agency’s IP address.
I didn’t use magic. I didn’t use a top-secret government hack. And I didn’t disclose something that wasn’t already known how to do. But what it showed was that it can be done on some occasions, and that it can disclose by physical location of where the suspect’s device was being used at a given time. The recent FBI case of “booby-trapping” a video is an example of this method.
I am not the world’s best investigator, or a most famous hacker, or a super-forensic guru. But I am someone that will chip away at a problem until I crack it open. I search and experiment and search and experiment until I find something that works. I quickly toss aside anything that slows me down or leads me in the wrong direction. I want tools that work as I want them to work because I believe every case can be solved given the right circumstance.
When I wrote Placing the Suspect Behind the Keyboard, I truly meant every word in the book. You can do it. You can not only find criminals who are attempting to hide behind technology, but you can tie them to activity on a computing device. It may take longer than you want, but you can do it, and when you do, the impact on the lives of others is immense.
For anyone thinking that I give away the ‘secrets’ for the world to see, I am not. The secrets are already out there, except the problem is that only the bad guys know them. On top of that, you can tell a criminal exactly how you are coming for him, step-by-step, and you will still be able to catch him just as you warned. Investigative methods work regardless of the preparation to defeat them, as long as you do it right. Sloppy work doesn’t work.
As the simplest example, I once did a knock-n-talk for a marijuana grow operation with my partner. I knocked on the door and asked the owner for consent to search. I told the owner that he had the right to refuse consent, right to restrict the scope of a search, and the right to rescind the consent at any time. He let the two of us in and of course, we found hundreds of marijuana plants. My point….at the front door on a table was a book on cultivating marijuana, which was laid open to a chapter titled something to the effect of, “When the police ask for consent to search, just say no”. Either the grower skipped that chapter or didn’t get to it yet, or politely asking for consent worked. I’ve worked computer cases with the same story, where books on ‘how to get away with computer crime’ didn’t help the criminal.
The Internet is not evil. Computers are not evil, (except many Artificial Intelligence robots, but that’s another story). Even the Dark Web is not evil. However, anything can be used for evil and criminals have exploited everything from a screwdriver to a smart phone for evil. Your job, and I am sure your personal mission, is to find them.
With technology becoming easier to use every day, including using for bad intent, it is your duty to know how to use the same technology to defeat criminal use of technology. Crimes will continue as they have for as long as humanity has existed, with the only difference being the tools used. With the Dark Web, I foresee more cases of kidnappings, rapes, and murders being facilitated in the physical world because of it.
http://www.thedailybeast.com/the-case-of-the-kidnapped-model-exposes-dark-corners-of-the-deep-web
You can solve these hard to solve crimes. Trust that you can, because you can. Here are some of Brett’s Tips:
- Don’t quit.
- Don’t close a case that should never be closed.
- Try and try again.
- Learn how you can do something you didn’t know before.
- Know that if a device is connected to the Internet, it can be tracked.
- Know that if a device has been used to commit a crime, you can tie it to the criminal.
- Know that you don’t need superpowers or the Patriot Act to find criminals on the Internet.
I feel so strongly about the importance of this that I wrote two books about it. I didn’t write the books to be famous, but to give some glimmer of hope for those investigators who only need to see how to do something to make their cases which they didn’t know before.
For the investigators that would rather listen and watch how it can be done, I created an online course. I taught the course for a year in rooms full of investigators and solved a few of their cases IN CLASS. All it takes is a spark to get your brain on the right track at full speed and no brakes. All it takes is that ‘one thing’.
The course I teach (Placing the Suspect Behind the Keyboard) is expensive when I give it in a classroom ($1895 a person). It’s less expensive online ($799). It’s even less expensive when you find and read blog posts like this ($95). I feel that if you are reading these types of posts on the Internet, you must be looking for something to help close your cases. That means you have the drive to do better and be better at your job. And..I want to help. Imagine spending a few hours to learn something that will affect the rest of your cases for the rest of your career.
There really isn’t any reason to not learn how to work computer-facilitated cases when $95 can give you a whole box of “one things” to spark your investigations. If you put forth the effort detailed in my books or courses, you can run circles around your peers and close the hell out of cases. Who knows, you may even make the news. More importantly, you may be saving someone's life. What could be more important?
Use this link to register for Placing the Suspect Behind the Keyboard for $95 instead of the listed price of $799 (books not included in this promo). http://courses.dfironlinetraining.com/placing-the-suspect-behind-the-keyboard?pc=blognb
About the author
Comments
By accepting you will be accessing a service provided by a third-party external to https://www.brettshavers.com/
Posts List
Tag Cloud
Search Blog
Most popular posts
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!
More posts
-
COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.
The meat and potatoesA bit is still a bit and a byte is still a byte. COVID-19 cannot change that, which means that the technical…
Saturday April 25
14518 hits / 0 comments
-
Mini-WinFE 10 and WinFE 10 Updated
The short story on the newest Mini-WinFE 10 (aka, the download link):Mini-WinFE has been updated and upgraded. I update WinFE developments (including the downloads for…
Sunday April 05
8975 hits / 2 comments
-
Eat your broccoli first
Something good and something not-so-good on learning DFIRThe good thing about learning DFIR is that there are probably fewer barriers and obstacles to learn and…
Saturday January 18
30154 hits / 0 comments
-
The Second Decade of the 2000s is almost over!
We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown!…
Thursday December 26
9816 hits / 0 comments
-
Public Records
I have an outstanding public records request. It is not "outstanding" in the manner that I wrote a great request, but "outstanding" in that I…
Thursday December 12
4689 hits / 0 comments
-
The Five Stages of the DFIR Career Grief Cycle
I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig,…
Tuesday September 10
34886 hits / 0 comments
-
Our World is Going to Turn Upside Down with DeepFakes
The short storyAny person and their voice, in practically any video (past, present, or future) can have their face and voice digitally replaced with any…
Sunday September 01
3038 hits / 0 comments
-
If you are comfortable in DFIR, you might be doing it wrong
I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the…
Thursday August 29
3991 hits / 0 comments
-
Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp
You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits. In fact, you can probably enjoy the…
Saturday August 17
4934 hits / 0 comments
-
Personality of a computer
From a recent discussion that I had with Harlan Carvey about the registry, this topic is something that I touched on lightly in Placing the…
Wednesday July 31
3936 hits / 0 comments
-
Add a Dab of Balance in your DFIR World
Jessica Hyde’s post of Giving Back in DFIR from 2018 is a great write up on contributing to the DFIR community, and I see her…
Monday June 24
14607 hits / 0 comments
-
The Easy Way to Learn DFIR
SummaryThere is no easy way to learn DFIR. You can stop reading from here if you want.Longer versionOk. Since you are still reading, you probably…
Saturday June 08
13904 hits / 0 comments
-
Game of Thrones, DFIR Style
Short post and quick opinion. I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little…
Thursday April 25
31813 hits / 0 comments
-
Puking in DFIR
Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in,…
Wednesday April 17
5765 hits / 0 comments
-
The #1 Reason that DFIR practitioners don’t post opinions
Lesley Carhart tweeted today that a journalist used one of her tweets in an article that would have been rephrased in a less playful manner…
Tuesday April 09
5858 hits / 0 comments
-
If USB flash drives were shaped like spiders, we wouldn’t have these problems
I hate USB drives. My first experiences with the darn things was when I was a young patrol officer and the entire police department was…
Monday April 08
2306 hits / 0 comments
-
Working in DFIR is glamorous, but mostly only to those not working in DFIR...
Here is something about the DFIR career field: it is one of the most exciting, eventful, and jam-packed jobs that anyone can have. Running and…
Friday April 05
3844 hits / 0 comments
-
Overcommitted in DFIR
I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not…
Friday March 22
19018 hits / 0 comments
-
'You're guilty unless you can prove it'
Swift on Security tweeted a great article. The article is not great as a well-written piece or containing earth shattering news piece, but more that…
Saturday March 09
21290 hits / 0 comments
-
“I've answered questions, responded to emails, and been on phone calls...when asked.” – Harlan Carvey
I feel obligated to respond to one of Harlan Carvey’s points in his recent blog post, Book Writing Misconceptions (https://windowsir.blogspot.com/2019/03/book-writing-misconceptions.html). I agree with everything he…
Tuesday March 05
3456 hits / 0 comments
© 2020 Brett Shavers