The Second Decade of the 2000s is almost over!

Posted by Brett Shavers in Digital Forensics Books

We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has grown drastically! Whether you were born during this period or have been doing DFIR work throughout it, a lot has happened.

We’ve gone from “pull the plug and image the entire drive” to “fit the process to the totality of the situation”. Processes and methods have grown exponentially as we keep learning more about digital forensics. Whether we are triaging terabytes of data prior to collection or doing live examinations involving volatile memory, the field has grown quickly over the past two decades compared to simply imaging hard drives (which we still do, of course).

Let’s fly over just some of the highlights in only a few of the areas. Keep in mind that so much has happened that I selected only a few of the major highlights to emphasize the growth and changes.

Books

The number of books in a given field is generally a good indication of that field’s growth and development. Digital forensics is no different.

2001    Warren Kruse tested the waters with Handbook of Computer Crime Investigation.

2007    Harlan Carvey waded in with Windows Forensic Analysis (the FIRST edition).

2010    Into the second decade, many others jumped in headfirst writing books (including me!).

2019    Before the end of the second decade of the 2000s, we had an amazing flood of great books on practically every topic and sub-topic in the DFIR world, in the form of ebooks, print books, guidebooks, and textbooks. There is almost no subtopic of DFIR for which you cannot find a book.

Software

The forensic software that has appeared in the last two decades is incredible. Practically anything in use today has been around for less than 20 years, and there were not many choices at the beginning of the century. Many of the tools used today have been around for less than 10 years!

2000    Computer forensics was mostly DOS-based, command-line tools, like those from NTI and Maresware!

2002    Belkasoft opens its doors with a forensic suite and continues to grow!

2003    You could buy AccessData’s FTK (version 1) for $795!

2004    EnCase version 4, and it was about $2500!

2004    X-Ways Forensics was born from WinHex (and was less than $350!).

2008    Troy Larson developed the Windows Forensic Environment (WinFE), and it remains free today.

2011    Magnet Forensics sprouted from a small forensic tool (Internet Evidence Finder) and company (JADSoftware) into a full-fledged forensic company.

2019    Over a thousand shareware, freeware, open source, and commercial DFIR tools are available today, with most of them listed on DFIR Training. Developers are creating and releasing forensic tools at an astronomical rate, like Eric Zimmerman’s constant showering of amazing forensic applications!

Degrees & Certifications

From having no degrees in “digital forensics” to being able to choose from any level of degree in Cybersecurity, Digital Forensics, etc… across the globe. We’ve also created more “cyber/DFIR” certifications than any one person could ever hope to earn in a single lifetime.

2004    The University of Washington launched a computer forensics certificate program.

2019    Practically every major university and college now offers one or more degrees in cybersecurity, digital forensics, network forensics, cyber security management, and security. Many are listed here: https://www.dfir.training/educational-map

Law enforcement & Military

Sure, there were some forensic cases in the 80s and 90s, but the forensic investigation world didn’t really pick up in law enforcement until this century. Where digital forensics in criminal cases was the outlier before, it is now a central focus of many investigations.

2000    FBI creates Regional Computer Forensic Laboratories.

2009    The United States Cyber Command was created! The military branches each created their own cyber units under the US Cyber Command!

2019    Virtually every federal, state, and local law enforcement agency adds digital forensics processes to cases involving electronic evidence (whether conducted in-house, by cooperating agencies, or by contracting work to private analysts). Rarely does any case not consider electronic evidence as part of the investigation process.

Famous cases

2000    Michelle Theer: E-mails documented a conspiracy to murder her husband.

2002    Scott Tyree: Kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. Case solved via a Yahoo screen name and IP address.

2003    Zubulake v. UBS Warburg: This case set the stage for electronic discovery cases!

2005    Dennis Rader, the "BTK" Serial Killer: Case broken by the metadata of a deleted Microsoft Word document on a floppy disk! Software used: EnCase!

2011    Capture of Bin Laden: Who knows what intelligence came out of all the collected electronic evidence items (10 hard drives, 5 computers, and over a hundred storage devices) from the Bin Laden operation? Certainly something!

2019    Digital forensics has solved more cases than ever before, sometimes providing the only evidence in a crime. It may be fair to say that more crimes were solved in 2019 than in the entire first decade of this century.

Malware and Ransomware

Cybercrime is regular crime on nitrous. Where one criminal can physically victimize only one or a few people in real life, connected computers and devices make it easy for one criminal to remotely victimize hundreds or millions of people. The past two decades prove this to be true more than ever before.

2004    Virus.Win32.Gpcode: Early ransomware that scanned and encrypted a user’s documents and then deleted the original files. It had a short life due to being easy to detect and crack.

2011    Trojan WinLock: Locked users out of their Windows computers until they called a scam line that racked up a large phone bill to ‘reactivate’ Windows.

2017    WannaCry: Yes, this one made you want to cry. It affected hundreds of thousands of computers in dozens of countries, with losses in the hundreds of millions of dollars!

2017    LeakerLocker: Not to ignore mobile devices, here is one that targeted Android devices and threatened to share the phone’s contents with all the user’s contacts unless a fee was paid…

Websites

The Internet, for all its faults in facilitating cybercrime, also has been the primary means of investigators sharing information to fight cybercrime. From humble beginnings of one or two digital forensics forums to now an endless supply of websites, the DFIR Internet has grown into a worldwide force of sharing powerful weapons against crime.

2002    Forensic Focus begins! The most popular digital forensics forum is still going strong!

2003    e-evidence.info curates a massive collection of PDFs and forensic news links. Sadly, it went offline.

2005    Forensicswiki.org opens its doors! Although it has disappeared and reappeared over the years, the wiki is back.

2016    DFIR Training lets loose with the most comprehensive list of DFIR software and grew into one of the most popular DFIR websites on the Internet, curating “All Things DFIR”.

2017    AboutDFIR.com gets a website! From a Google Docs spreadsheet to a website, another resource of curated DFIR content goes online.

2019    The Internet is now flush with DFIR resources: websites and forums such as Reddit, GitHub, Slack, and Discord.

Magazines

This is one area where I have unfortunately not seen much growth. I suspect it is due to the number of online resources, but still, DFIR became important enough in these two decades to warrant magazines!

2007    The Digital Forensics Magazine (website) goes online.

2012    eForensicsMag, another magazine focused on digital forensics, appears.

Operating Systems

Even at a high-level overview of the systems that are examined with DFIR processes, we have come a long way. Many of those working in DFIR judge their time in the field by the OS version that they first examined.

2000    Windows ME and Windows 2000. Oh my!

2001    Mac OS X 10.0 (Cheetah) and Windows XP.

2015    Windows 10.

2019    macOS 10.15 (Catalina) and Windows Server 2019.

Mobile Devices

In 2001, I sat in a briefing at CRIMES in Portland, Oregon, about how cell phones would play a major part in crime and forensics in the coming years. The speaker (from AT&T?) said that he believed cell phones would be the most prevalent, most used, and most valuable pieces of criminal evidence for the next 25 years. To be honest, as I looked at the Nokia in my hand, I took those words lightly. Now, I wish that I had paid more attention in that briefing…

2000    The Nokia 5110. It made calls and you could play Snake on it. Forensics was not a thing with this mobile device.

2007    The iPhone was introduced. A computer in your pocket, meaning a new world of mobile forensics.

2019    Mobile devices spanning a range of operating systems, styles, designs, storage capacities, Internet connections, unlimited data, and virtually the same applications as on a consumer desktop computer are now the norm. Mobile device forensics is practically its own field within digital forensics.

Hard Drives

The capacity of hard drives directly impacts a forensic analysis: the larger the hard drive, the more data there is likely to be sifted through in order to find evidence. Of course, high-end computers and efficient forensic software minimize this impact, but then again, massive amounts of data are still massive amounts of data.

2000    The size of the most common hard drives in consumer PCs was less than 50GB.

2003    Seagate produced the first serial ATA (SATA) hard drive.

2005    Hitachi developed the first 500GB drive.

2010    When the terabyte barrier broke, for around $100 you could get a 1.5 terabyte drive.

2013    Solid state drives are out and cost less than $100 (but that’s only for about a 128GB drive).

2019    You can grab an 8-terabyte HDD for less than $200.

Jobs

From very few jobs (outside law enforcement) in 2000 to now having an entire field of DF and IR where positions go unfilled due to shortages of applicants. Specialization has gone from simply working as a ‘computer forensic specialist’ to being able to specialize by operating system, type of device, or type of work (forensics, incident response, electronic discovery, etc…).

The next decade and beyond

My intention with this post was not just to show how amazingly the DFIR field grew in just two decades, but also that the next decade will most certainly dwarf the previous two decades in terms of new software, processes, discoveries, and information shared in books and online.

My other intention in this post is to ignite a spark in the new generation of DFIRers (age irrelevant!) to develop these future improvements, developments, and inventions! Anyone, and I mean anyone, can change the direction of this field with a seemingly small piece of information or with a huge deviation from the way things have been done.

We are still in the heyday of DFIR with lots more to figure out. Fortunately, we have outstanding people in DFIR who break new ground, blaze trails, share discoveries, and help all of us move forward.

Public Records

Posted by Brett Shavers in Digital Forensics

I have an outstanding public records request. It is not "outstanding" in the sense that I wrote a great request, but "outstanding" in that I haven't received any public records yet from the request. I have been hired by government agencies as a consultant to help the agency find and produce responsive records on occasion. Mostly, I was hired because the agency did such a bad job in producing records that a court ordered the agency to hire a third party.

In those instances, I won't talk about what the agencies specifically did wrong, but it was enough to justify a court order to do it right. The interesting thing about working on a public records engagement versus a civil litigation is that the rules are somewhat different, especially the part about a citizen's right to request public records without a need to show damage. Citizens who are curious as to what their governments are doing can simply make a request for specific records. That is pretty cool. Being in Washington (State), the MRSC website is packed with everything anyone ever needs to know about public records requests and laws.

So, back to my public records request...

Well, this request isn't part of an engagement where I have been hired as a consultant, but the subject of the request is surely important to me and should end up being important to others too. I most likely will detail the trials and tribulations of this request as soon as I am provided the start of a rolling production of records. Then I will be able to blog about records requests from the perspective of the requestor as compared to the view of the insider. One personal benefit is that I plan on learning what I can as the requestor and comparing the results with what I know from being on the inside of these types of cases/records requests. I am expecting that this experience will make me better when hired to search for and provide records, due to an entirely different perspective.

Yes, I've done public records before

I have helped clients and friends file public records requests, but that was simply helping to fill out forms, craft the request, and tips on what to look for (missing threads or attachments in emails, modified documents, withheld documents, etc...). I have testified on the search for records that were claimed to be 'too difficult', and I have gone through more than enough emails to find where an email was missing. But this time, it's actually me asking for records and me having to make sure everything is done correctly, and making sure the agency stays true to the records law for my sake.

This should be a good learning experience with a hopefully good resolution. I may make the records available online to illustrate some points if I find errors, omissions, or egregious government behavior in the records (hopefully not!).

As far as the timeline...

12/2/2019    Records requested

12/9/2019     Agency replies with no date of completion or start date to produce any records but instead gives me a date of 12/23/19 just to tell me when they can give me a date that they will start producing records.

***UPDATE***

The agency gave me a production date for the year 2040. It may be a long time before I write about this experience. Yes, it's not a typo. It is the year 2040 when this request will be completed. This agency uses the Barracuda Email Archiver, and you would assume that having pre-indexed data (instant search hits!), single-instance storage (no duplicates!), a simple search feature (as easy as using Google!), and quick exporting of emails would mean it would not take this long...but apparently, it does.

So now the timeline of this public records request looks like this:

2019: Requested public records

2020: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2021: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2022: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2023: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2024: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2025: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2026: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2027: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2028: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2029: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2030: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2031: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2032: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2033: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2034: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2035: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2036: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2037: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2038: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2039: Jan > Feb > Mar > Apr > May > Jun > Jul > Aug > Sep > Oct > Nov > Dec

2040: Final records expected to be produced.

The Five Stages of the DFIR Career Grief Cycle

Posted by Brett Shavers in Digital Forensics

I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig that I was honored when he agreed to write the foreword of a book that Eric Zimmerman and I wrote. It stands to reason that I have followed his blog for many years, because I learn something every time he writes something.

Well….

His latest blog post was more than I typically expected, and I had to read it several times because Craig bared his soul with something that every single one of us would be fortunate enough to experience. I tried to search for another way to say “bared his soul” because that is what Craig said in his post. However, there is no other description that fits better, because that is what he did.

https://craigball.net/2019/09/09/who-am-i-if-im-not-that-guy-anymore/

I’ll let you read Craig’s blog post before reading further, and you should read it regardless of where in your DFIR/infosec/ediscovery career you are currently sitting. Then come back for my thoughts on the “Five Stages of Grief in a DFIR Career”.

Welcome back*

You may have already read a Swiss psychiatrist’s model detailed in a book, On Death and Dying. I’ve used that book on many occasions as a reference for teaching response to traumatic experiences to others and as a tool for coping with my own traumatic incidents. *I know you didn't read Craig's post and kept reading, but seriously, read his post.

https://www.psycom.net/depression.central.grief.html

The above visual describes the grief cycle succinctly. No need for me to add to it to describe it. But then again, I’ve done a lot of personal and professional research as well as teaching on the topic in a past career. I recommend digging further into it if this is the first time that you have seen this.

In my own life, I have gone through this grief cycle many times. Sometimes it has taken me years to complete, and other times, seconds. Many of us are going through this now, and if not now, we will at some point in our lives. Police officers, especially those forced into deadly force incidents, will go through the entire cycle in a few seconds during an encounter and can spend years going through it after a deadly force encounter, regardless of whether deadly force was applied. They tend to go through this cycle a lot...same with those in combat.

Bringing this back around to you and your DFIR career

Since you read Craig’s post, you saw where it sounds like he feels his relevance has faded into a crisis of lost confidence. If you didn’t read the post yet, do not fret; there’s a party at the end.

This is where I see a direct resemblance between the grief cycle and a DFIR career, at least to the point where we will eventually feel that our relevance has waned. Perhaps it will. Probably it will not. Certainly, the good that we did, especially good for others, will never wane. The good that we did selfishly for ourselves will be forgotten faster than a long-tailed cat in a room full of rocking chairs. But the good for others is another story.

Bonus Lesson: I taught police use-of-force for about a decade and put my heart and soul into it. I taught military tactics with the same intensity in a career before police work. Here’s the bonus lesson in a nutshell: you can’t fight the grief cycle no matter who you are, which training you’ve taken, or what you ‘plan’ to do in the event of being forcibly handed the grief cycle after an incident or near the end of your career. You can move through it and get to the end of the cycle in order to grow from it. You can't win by fighting it. But you will be better because of it.

Go to work for money. Then you can do for yourself what you couldn't do before and do for others what they cannot do for themselves.

That’s what I tell my kids. Do your job, but do not be your job. The job didn’t miss you before you got there, and it won’t miss you when you are gone. But the job can help you to make this a better place by being a positive force on others.

<I’m getting to the point on the DFIR Career Grief Cycle, so bear with me>

When you create a ripple of positive change in a person’s life, you also spark a chain reaction, a tidal wave of good far past what you will ever have the fortune to see. The difference between a newcomer doing well or failing is in direct relation to your interaction with the newcomer. Their failure or success in this field is directly tied to you. This is the point to know: the DFIR Career Grief Cycle is not a negative, but a positive in your career growth if you do it right.

My suggestion is to push through the DFIR Career Grief Cycle as quickly as possible when it comes. Don’t get stuck at Anger, because you’ll be that ‘grumpy old person’. And try to fly through Depression by knowing you are almost done with the cycle. Acceptance doesn’t mean the end. It means that your path has evolved, as it will for all of us, if all of us are lucky enough. The DFIR Career Grief Cycle is simply an evolution from doer to mentor or role model. Or maybe a not-so-subtle hint to move to a different job or position with a more instrumental role, because your experience is incredible.

Our goal should be to be able to look back at the seeds that we planted, the good that we did, the bad that we prevented, and the positive guidance that we gave newcomers for them to grow.

We live our lives day-to-day knowing that tomorrow will never come, and that we have plenty of time to do something good for someone else tomorrow. When we accept that every new morning means that we have one less morning left, then we can focus on what matters at home (and at work, to make someone else’s life better). You have a fixed number of sunsets. A fixed number of sunrises. A fixed number of days to make a difference. Don't make the DFIR Career Grief Cycle one of regret, but one of satisfaction.

Craig Ball has nothing to worry about in regard to imposter syndrome, crisis of confidence, or whether or not he made a difference. I have followed his career for more than a decade. He has made a difference across the board in the forensics and electronic discovery fields as well as in the careers of many. We will all do better if we do better by others; then the grief cycle will not be feared as much as it will be welcomed.

© 2022 Brett Shavers