Saturday, May 29, 2010

My Big Fat CEIC 2010 Post

I attended CEIC 2010 last week and I think I’m still processing all that I took in during the week.  This was the first time that I attended the Guidance Software run conference and they did a magnificent job with it.  It was a very well planned and executed conference, reportedly with around 1300 people in attendance.  It was held at the Red Rock Resort which is a very modern and well run facility.  I still sort of miss the “disco elevators”.  Those of you who were there know what I’m talking about…

I don’t get out to as many conferences as I would like because of time and expense, but one of the reasons I like to travel to these conferences is that I get to meet people in person who I generally only get to communicate with via electronic methods like email, twitter and phone.  These conferences are also a great way to get a lot of information very quickly about the state of the industry which allows you to keep up on industry trends.  For example, I’ve used HTCIA conferences that I have attended in the past to ramp up on the state of mobile phone forensics.  This time I spent a lot of time learning and talking about timeline analysis and memory forensics.

I also was able to spend time speaking to various people inside of Access Data and Guidance Software.  It turns out that my previous “Don’t Panic” post circulated around Guidance Software and, fortunately, they took it in the constructive spirit it was intended rather than as just someone else running them down.  One of the things that they were concerned about was that when I spoke about employees from Guidance who went over to Access Data, they didn’t want people to think that they had lost their development staff in that process.  They made a point to let me know that they didn’t suffer a development exodus and that with the addition of the Tableau development team, they are very excited about their prospects for future innovation.  Access Data also made a point to praise and promote their development team.  Given that team is responsible for FTK 3, they certainly deserve to take a victory lap.

Both Guidance Software and Access Data are working on some exciting innovations that they were generous enough to talk to me about.  My purpose as a blogger is to positively contribute to the discussions of issues important to our community and to distribute my own research work.  My purpose isn’t to “scoop” other bloggers or to make announcements that disrupt a vendor’s communication and marketing strategy by revealing information before a vendor is ready.  Doing so wouldn’t serve any useful purpose and my contacts likely wouldn’t talk to me again, which means I wouldn’t have access to their industry insights.  Thus, this paragraph will just have to serve as a teaser of sorts.  Talking to both camps felt like talking to two championship class NFL football teams who were gearing up for the Super Bowl.  Both companies are hard at work innovating and creating good things for the community.

Of course, what I can talk about is the information that was made public, such as what was discussed in the “EnCase Forensic Roadmap” session that was held at CEIC.  This is where Ken Basore and Ashley Stockdale discussed what we can expect in the next year or so with EnCase Forensic.  Some of the high points were:

1. Guidance is working on a new indexing engine.  They are not considering licensing a third party engine and are sticking with their in-house development team’s effort.  I originally thought this wasn’t a great idea because I could never understand why they just didn’t do something like licensing dtSearch, but it was explained to me that when you do that, you lose a certain amount of control over your product.  What happens if your third party tool (whether it’s indexing, file viewing, email parsing, etc, etc) causes software instability?  People will blame you for it when it’s an issue that needs to be addressed by the third party technology maker.

It also is obviously going to cut into profits compared to the financial benefits you reap when you develop your own tools.  However, third party technology is appealing because you simply can’t expect your development teams with finite resources to be experts in everything.  Thus, companies like Access Data and Guidance Software have difficult decisions to make when considering how to use their resources.  Do you develop in house?  Do you license technology?  Do you just purchase it outright?

So I find myself ambivalent on this decision to continue to develop an internal indexing engine.  Maybe it’s a good idea, maybe it’s not.  We’ll know soon enough and I hope that the next version of the index engine is successful.  I don’t use the current EnCase indexing engine (I use Access Data’s FTK for all of my indexing needs) because I gave up on it after they released it before it was ready.  I intend to give it a try the next time I do an examination so that I have a basis to compare it with whatever they come up with next.

2. Multi-threaded acquisition.  This innovation has already been introduced in version 6.16.  While I haven’t had a chance to test it, I did talk to at least one person who stated that the acquisition speeds rivaled the excellent Tableau TIM product.

3. Evidence preprocessing innovations.  Guidance is working on an evidence preprocessor that will run in the background of EnCase.  It will provide examiners with intuitive options and will present evidence to the examiner in stages.  Thus, you will be able to access data as it’s processed rather than having to wait until all of the processing is over.  Since it’s going to run in the background, you’ll also be able to work on your case while the processor is running.

This is a great idea, but one of the biggest complaints that I hear from people, and that I have myself, is that when you ask EnCase to do some sort of processing, you increase your risk of encountering the dreaded “White Screen of Wait”.  This is where EnCase chugs away on something, but uses so many resources that you can’t actually do anything with the program until the resources are freed up.  Just this week I followed a twitter thread with some experienced forensic examiners who were lamenting this issue.  Thus, if this is going to be successful, it’s going to have to truly be able to run in the background and not prevent the examiner from working with their case.  The hopeful news on this front is item 4 which is…

4. Work product storage innovation.  This is my terminology rather than Guidance’s.  I forgot the language that they used but I have the phrase “transportable cache files” in my notes. To their credit, Guidance understands that we hate having to pay for the same real estate twice, so to speak.   One of the frustrations we all have with EnCase is that when you do something like parse a container file like a Zip file, you essentially have to do the same thing all over again when you open up a case.  What Guidance is going to do is get away from the model where all of your work product is stored in just the traditional EnCase evidence file.  There will be additional container files that will contain your work product so that you just have to do processing once and not have to repeat it again.

This is huge and this is clearly an attempt to keep up with Access Data’s FTK (1 and 3), where you just have to process things once and you’re done.  In fact, FTK 3 processes a lot of data very quickly and you’re done.

So the innovation battle lines are drawn when it comes to indexing and work product storage.

5. Evidence File V2.  The new version of the EnCase evidence file will be faster, smarter, better looking and will have a lovely singing voice.  Okay, maybe that’s not what they said, but that’s essentially what I heard.  They are also going to incorporate the option to encrypt evidence files.  The new format will still have the same metadata that we’re used to and will do MD5\CRC checks, but we’ll have the option to encrypt the data portion of it with a password.

Having the option to encrypt evidence files is nice because we don’t always have an encrypted container drive available to ship images on (you do encrypt your evidence when you ship it, right?), or the person on the other end might not have the decryption technology easily available.

6. More options for report creation.  I didn’t take as many notes on this because unless Guidance tells me their reporting option will make bacon directly appear on my desk, I don’t much care.  I long since gave up on using EnCase to make forensic reports.  That said, they are going to give us the option to put hyperlinks in reports and to resize/rotate pictures.  Don’t feel too bad, Guidance.  I don’t use Access Data’s report function either.  I certainly like it better, but my customers don’t and they are the ones who matter.

7. Decryption.  They said that they will have the ability to decrypt Windows 7 Bitlocker soon.  This is good news and one of the things I’ve really appreciated about Guidance and Access Data is their aggressiveness in working with encryption vendors to incorporate decryption technology into their products.  It makes our lives as examiners so much easier because manual decryption processes can be long and painful.

8. Email threading.  EnCase will have the ability to follow email threads across multiple email repositories.  This is a very nice option to have, but I suspect I won’t be using it since EnCase is pretty painful to use for email investigations compared to tools like FTK.  However, this signals to me that Guidance isn’t giving up on enticing its customers to use EnCase for email investigations and that’s a good thing.

9. Neutrino\mobile phone forensics.  Digital forensics is a very broad field with all sorts of devices, operating systems and file systems.  It’s hard enough being good at traditional hard disk file system forensics.  The innovation in the mobile device market is staggering, which is why I think we haven’t seen one mobile device forensic vendor establish a dominant position in the market.  Guidance seems to understand that they just don’t have the development cycles to keep up on everything going on in the mobile device world, so they have apparently decided to concentrate on digital forensics of smart phones like Android, iPhone, etc.

This makes good sense to me.  The market for smart phones is growing quickly and, as Guidance points out, they have a lot of experience with parsing file system artifacts. Trying to be a comprehensive mobile device forensic company and keeping up with their competitors like Access Data on the traditional disk forensics front doesn’t seem like a winning proposition.

One of the executives I was able to meet at CEIC was Robert Botchek.  Based on my discussions with him and others, I’m convinced that the Tableau purchase is a good move for Guidance and the community as a whole.  I found Rob to be unique in that he has deep technical skills, an excellent business mind and is a very personable fellow who can communicate complexity in an understandable manner.  The Tableau name will continue to exist in some form, but Tableau will be a part of Guidance Software.  The chain of command issues have already been decided and Robert is a direct report to Guidance’s CEO Victor Limongelli.  Thus, Victor and the rest of the Guidance senior executive management will get the benefit of Rob’s business background and keen insights into the digital forensics market.  The biggest issue will be the traditional one that you have in acquisitions like these, which is integrating two different organizational cultures.  If Guidance can pull this off, this should be a good move for everyone involved.

Being able to finally meet Victor in person was also a treat.  He’s also a very smart and personable fellow and, along with all of the other Guidance executives and employees I spoke with, seems to genuinely want people to understand that Guidance doesn’t want to be the organization that we’ve all, unfortunately, grown to distrust if not actively dislike.  Essentially, they want people to understand that they are the new Guidance Software.  The Tableau purchase and the fruits that will hopefully come from it should help on that front.

I’ve been thinking about what companies like Guidance and Access Data can do to engage the community better.  An obvious method would be to interact more with the community via social media (Access Data makes great use of Twitter, for example) and the various email lists that are popular with the community.  As I thought on it more, it occurred to me that vendors who can afford it should take a page out of Guidance Software’s old play book and hire Directors of Customer Relations.  One of the darkest days of my digital forensics career is the day I learned that the great Bill Siebert had passed away.  For many years during the bad old days of Guidance Software, Bill was the face of the organization.  His title might have been Director of Customer Relations, but it was really Director of making-you-not-hate-Guidance-nearly-as-much-as-if-Bill-wasn’t-working-for-them.  If you had a problem with Guidance, you could go to Bill and you knew he’d tell it to you straight and do whatever it took to get the issue resolved.  He wasn’t a company line type who just told you what you wanted to hear.  He’d tell you if he thought Guidance was doing something silly and then do his best to fix it for you.  Once Bill left Guidance, things got pretty rocky in my relationship with them and I think one of the biggest public relations mistakes they ever made was not filling that role.  You could never replace Bill, but they should have at least filled that role.  In my case, the relationship with Guidance was repaired through the herculean efforts of my Guidance Software sales representative.  He’s one of the few sales representatives that I’ll knowingly pick up the phone for when I think it’s him calling.  I never thought I’d type that about a sales representative, but there it is.  However, I understand his role is to sell me more stuff rather than to engage the community at large.

What would that role look like today at a place like Access Data or Guidance?  The person in that position would be someone who has instant credibility with the community because they were an experienced practitioner rather than someone in a sales or marketing role.  In fact, you wouldn’t have that person as part of the sales organization.  The best position on the organization chart for that person would be to report to a senior executive manager in an operations or development role.  This person’s skip level manager would be the CEO, and they would have access to senior executive management so that they could establish two-way communication between the company leadership and their current and potential customers.  They would be someone who would directly engage the community in the places they inhabit such as forums, email lists, blogs, podcasts, conventions and social media.  Because they were part of the extended senior leadership team they would act as a conduit between the community and senior executive leadership.

That’s enough organizational development pontificating, I think.  I also wanted to comment on some of the people I met and some of the presentations since part of what I love about conventions is meeting people in person and learning new things.

The first session that I attended was Dave Shaver’s “Defeating Advanced Hiding Techniques”.   I don’t know how he did it in 90 minutes, but the course was a comprehensive review of how an experienced digital forensics examiner such as Dave approaches doing an incident response investigation and discovering what sort of evil has been buried in the shadows of a computer.   The conference was also a treat for me because I was finally able to meet Dave and his co-conspirator from Army CID Ryan Pittman.  They’re both some of the nicest guys you’d want to meet and very sharp forensic gurus.   They co-authored the excellent chapter on Windows Forensics in Eoghan Casey’s most recent book.

I finally got to meet Rob Lee in person after countless emails, tweets and phone conversations.  It’s amazing how you don’t really know someone that well, even after all of that, until you just sit down and talk to them for a while.  Rob is a big friendly well of digital forensic knowledge and energy.  He looks like he played football at the Air Force Academy and he put that command presence to use in his “Super Timeline” class at CEIC.  If you haven’t taken that class, you can get that content and a lot more by taking the SANS SEC508 class.  “Super Timeline Analysis” is where Rob instructs his students how to use tools like fls, Harlan Carvey’s Regtime.pl and Kristinn Gudjonsson’s log2timeline to make a timeline of activity on a system.  The resulting timeline is amazing at providing an examiner with a detailed view of what happened on a system.  This is something that every digital forensic examiner needs to learn how to do.
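To show what the timeline technique above actually does with the tool output, here is an added example that is not from the post, from SANS, or from The Sleuth Kit.  It takes bodyfile lines in the format that fls -m emits (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds, 0 meaning unset), expands each entry into one event per distinct timestamp with mactime-style M/A/C/B flags, merges a second source in the same format (a registry key last-write line, which I assume a Regtime.pl-style tool would write into the mtime field) and sorts everything into a single timeline.  All sample lines, paths, key names and timestamps are constructed for the example.

```python
"""Merge bodyfile lines from several sources into one sorted timeline.

Added illustration of super timeline construction; not code from the post,
SANS, or The Sleuth Kit.  Input format is the TSK 3.x bodyfile (fls -m):

    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample input: two filesystem entries as fls -m would emit them.
FLS_LINES = [
    "0|/Windows/System32/evil.dll|1234-128-1|r/rrwxrwxrwx|0|0|20480|1274000000|1273990000|1273990000|1273989990",
    "0|/Users/bob/Downloads/setup.exe|5678-128-3|r/rrwxrwxrwx|0|0|512000|1273989900|1273989800|1273989800|1273989800",
]
# Constructed registry source in the same format (assumption: a Regtime.pl-style
# tool puts the key's last-write time in the mtime field and leaves the rest 0).
REG_LINES = [
    "0|[HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] Updater|0|0|0|0|0|0|1273989995|0|0",
]


@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds
    macb: str      # mactime column order: M A C B, "." where the flag is absent
    source: str    # which tool/artifact the line came from
    name: str


def parse_bodyfile_line(line: str, source: str) -> list[Event]:
    """Turn one bodyfile line into events, one per distinct timestamp."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
    name = fields[1]
    atime, mtime, ctime, crtime = (int(x) for x in fields[7:11])
    # Group the four times so identical values collapse into one row with
    # several flags set (e.g. "m.cb" when M, C and B coincide), as mactime does.
    by_ts: dict[int, set[str]] = {}
    for flag, ts in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
        if ts > 0:  # 0 means the timestamp is not set
            by_ts.setdefault(ts, set()).add(flag)
    events = []
    for ts, flags in by_ts.items():
        macb = "".join(f if f in flags else "." for f in "macb")
        events.append(Event(ts, macb, source, name))
    return events


def build_timeline(sources: dict[str, list[str]]) -> list[Event]:
    """Parse every line from every source and return them in time order."""
    events: list[Event] = []
    for source, lines in sources.items():
        for line in lines:
            events.extend(parse_bodyfile_line(line, source))
    return sorted(events, key=lambda e: (e.ts, e.source, e.name))


def format_timeline(events: list[Event]) -> list[str]:
    """Render rows as UTC time, MACB flags, source and name."""
    rows = []
    for e in events:
        when = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append(f"{when} {e.macb} {e.source:<8} {e.name}")
    return rows


if __name__ == "__main__":
    timeline = build_timeline({"fls": FLS_LINES, "regtime": REG_LINES})
    print("\n".join(format_timeline(timeline)))
```

Run stand-alone it prints six rows: the download is created, then read, a DLL is born, the Run key is written, and the DLL is modified and read, which is exactly the kind of sequence the merged view surfaces that no single artifact shows on its own.  Real cases add many more sources (log2timeline covers event logs, browser history and the like), but they all reduce to the same sort-by-timestamp merge.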

I had the pleasure of having dinner with Larry and Lars Daniel of Guardian Digital Forensics.  They are both quality guys and excellent digital forensic examiners.  I really enjoyed talking to them about their experiences doing criminal defense work and their perspective on digital forensics in the legal system.

Adrian O’Leary of the Metropolitan Police gave a fantastic presentation on their ability to extract data from physical flash memory on mobile devices.  I don’t know how much information they want public, but I do highly recommend attending any presentations he does in the future.

I also discovered one of my new favorite conference presenters when I attended Joshua Gilliland’s “Textual Relations” presentation. Joshua is a very accomplished presenter and also sports a pretty sharp bow tie.  His presentation was an overview of legal issues involving text messages as well as illustrating how some people have scored massive legal own goals through texting things they really should not have.

Michael Webber’s memory forensics presentation was very educational and it’s an area that I am very interested in from a research perspective.  He’s a very accomplished presenter who does a great job explaining complicated information in a short amount of time to a large number of people.  Unfortunately, he only had 90 minutes, but he made good use of the time and I’d love to attend more training with him.

I know I’ll forget to mention all of the great people I finally got to meet in person, but it was a treat being able to connect with people like Eric Smith from Lockheed Martin and Greg Dominguez from Forensic Computers.

As you can tell, I had a wonderful whirlwind of a week at CEIC and I enjoyed the experience very much.  I hope to make it to CEIC 2011 in Orlando next year.  Great job, Guidance!