Brett's Ramblings

Cyber Health
Brett Shavers
Digital Forensics
I was a spectator to a conversation between a law enforcement DFIRer and a corporate computer user this week, and it got interesting when the name-calling started.  The point of the conversation was about corporate computer users being ‘lazy’ with computer systems (whether it be managing the organization's website content or just basic cyber health su...
Making Ham Sandwiches in DFIR
Brett Shavers
Digital Forensics
Following up on some points made about DFIR writing on Twitter, here are my opinions on the subject of writing up your work in DFIR: 1: Write it up (or else your work didn’t happen) 2: Write it for your audience (or it won’t matter what you did anyway) If you follow those two tips, your writing will be fine.
DFIR Case Studies #7
Brett Shavers
Digital Forensics
As I was going through Case Studies #7, I found several reminders on tips for working a case.  The simple obstacles that make some investigators quit only make others drive forward with creativity.  One example is the suspect in Case Study #7 using open WiFi to be anonymous.  Sometimes, investigators quit once they find that the suspect used a...
How many exposure dollars do you need to buy a cup of coffee?
Brett Shavers
Digital Forensics
I am always flattered to be asked to speak in front of an audience on something that I know something about.  I have fun sharing information with great people about the ‘secrets’ on how to do neat things in forensics and investigations. However, I find it odd to be asked to speak at conferences out of the state or out of the country, with the sole ...
Rub some dirt on it.
Brett Shavers
Digital Forensics
Failing hurts helps. Not that long ago, I would listen in awe at the DFIR experts presenting at conferences and wondered how some people can just glide right through this work like a slip-n-slide without taking a second breath.  I mean, this work is usually pretty difficult to do but easy to make a mistake.  Missing an important artifact or misinte...
Don’t look back.  Try to keep up.  This is #DFIR.
Brett Shavers
Digital Forensics
I do a lot of peer-reviews.  Much like a case study (another one is coming up by the way…), a peer-review of the sort I am talking about is a line-by-line read of a forensic analyst’s report.  Then reading it again, then again, and a few more times, all the while red-lining items of interest.  Basically, I am hired to read your reports and tear the...
X-Ways Forensics & eDiscovery
Brett Shavers
Digital Forensics
Following up on a discussion with an eDiscovery consultant, I wanted to show how X-Ways Forensics is a good (if not better at times) tool to have for the eDiscovery folks in ESI collection jobs.  Not that XWF can replace eDiscovery tools, but certainly can complement collection efforts. I would even go as far as to say that an entire eDiscovery matter...
When you think you know enough
Brett Shavers
Digital Forensics
If you ever have a day in the DF/IR field when you think you know enough, take the rest of the day off and reflect a bit before doing any more work.  The reasoning is that we can never know enough, in the DF/IR field or any field.  Usually, there is something that kicks me right where it hurts and screams at me, "DUDE, YOU DON'T KNOW ANYTHING!  YOU...
DFIR Mentors.  You just might be one and not know it.
Brett Shavers
Digital Forensics
If you share information, openly discuss that which you can, and sincerely try to help others in the DF/IR field, you are probably someone’s mentor and do not even know it.   I have always understood the term of “mentor” seriously as it implies a responsibility to teach others, and also suggests that you know a lot more than you think you know. Whe...
Bitcoin Forensics | Investigating Cryptocurrency Crimes Online Course....it's coming...
Brett Shavers
Digital Forensics
You knew this was coming.  A course in cryptocurrency investigations.  There is no faster and more comprehensive method to learn cryptocurrency investigations than to take a class in it and study a book about it.   As the book is being written, the course is being developed alongside the book as a companion to the book.  If you have not come across cryp...
Thinking of Writing a #DF/IR Book? Here’s a tip that may or may not work out for you.
Brett Shavers
Digital Forensics
I am very open on my opinions about writing books, specifically DF/IR books.  I encourage anyone who is thinking about writing a DF/IR book to write away and start right away!  The longer you wait, the more likely someone else will write the book you wanted to write. Over the years, I have been asked questions about writing and I posted a...
DF/IR Case Studies
Brett Shavers
Digital Forensics
I've made three case studies so far and will have a fourth up this week.  From the feedback I've asked in a short survey about the case study series, here are the results: The case studies are beneficial, useful, and job relevant. The presentation format works (weekly to bi-weekly case studies). Length is appropriate (between 30 minutes to 1 hour). Pr...
The last thing we want in DF/IR is the first thing we need in DF/IR (aka: regulations...)
Brett Shavers
Digital Forensics
As teenagers, we never liked rules growing up. Curfews. Chores. Homework.  But we know now that the rules were good for us.   It seems like nothing has changed for those of us in the DF/IR field.  We don’t particularly want to be regulated simply because, like when we were teenagers, we know what is best for us. The DF/IR field, as it stan...
Sharing is caring
Brett Shavers
Digital Forensics
One thing about the DFIR blogs is that they tend to bounce off each other.   This is a good thing because tidbits of gold nuggets can be expanded upon with different perspectives and experiences.  Never in human history have we ever been able to instantly connect world-wide to increase our knowledge base, especially in the technology field (specifi...
A bundle of case studies and X-Ways Forensics Practitioner's Guide training
Brett Shavers
Digital Forensics
UPDATE 10/29: Case studies 2 has been published.  It's the Mr Fuddlesticks case. Out of the 100+ viewers of the case study I did last week, a bit more than half completed a survey with most of those including comments on the case study in regards to what they want to ...