Sunday, November 25, 2012

AFoD Interview With Carlos Cajigas

I have spent the last several months working on relocating from the New York metropolitan area to Tampa, Florida. Now that I’m starting to get settled into Florida, I will be blogging on a more consistent schedule. Carlos Cajigas is one of the many sharp Florida-based digital forensics people that I have had the privilege to meet in my travels around the state. Carlos is an accomplished digital forensics examiner as well as a bit of an entrepreneur. He’s very passionate about the use of Linux in digital forensics and it didn’t take talking to him for very long to realize that he would be a great interview subject for the blog.

Carlos Cajigas Professional Biography

clip_image002Carlos, a native of San Juan, Puerto Rico, is the Training Director and Senior Forensic Analyst for EPYX Forensics. Additionally, he is employed by the West Palm Beach Police Department (FL) as a Detective/Examiner assigned to the Digital Forensics Unit with over 9 years law enforcement experience. He has conducted examinations on hundreds of digital devices to include computers, cell phones, and GPS devices to go along with hundreds of hours of digital forensics training. His training includes courses offered by Guidance Software (EnCase), National White Collar Crime Center (NW3C), and the International Association of Computer Investigative Specialists (IACIS).

Carlos holds B.S. and M.S. degrees from Palm Beach Atlantic University (FL). In addition, he holds various certifications in the digital forensics field to include EnCase Certified Examiner (EnCE), Certified Forensic Computer Examiner (CFCE) from IACIS, and Certified Digital Forensic Examiner (CDFE) from Mile2. Carlos is a Florida Department of Law Enforcement (FDLE) certified instructor with experience teaching digital forensic classes. He is an active member of both the International Association of Computer Investigative Specialists (IACIS) and Miami Electronic Crimes Task Force (MECTF).

Most recently, Carlos has endeavored in writing a blog for EPYX Forensics that would assist other digital forensic examiners in using free open source Linux-based tools to do their jobs. He hopes to develop and implement course training in this area in the belief that there are alternatives to expensive commercial software and training.

A Fistful of Dongles Blog: What led you into becoming a law enforcement officer?

Carlos Cajigas: Although police work has always appealed to me, the decision to join law enforcement didn’t enter my mind until late in my 20’s.  At the age of 17, I moved from Puerto Rico to Palm Beach County, Florida to pursue a career in baseball. At that time my priorities were anything baseball and my responsibilities were simple: keep making good grades and go to practice. Although I was a fairly talented baseball player, I also knew that I wasn’t the most gifted. From an early age, I learned that hard work could make up for the areas where one lacks talent. That is a lesson that still holds value even to this day. So the answer was simple, I played and practiced as much as I could while working hard every day. Subsequently, I received a baseball scholarship to Palm Beach Atlantic University. 

I continued to work hard and had some success on the field. I broke a few records and became an MVP. It truly was a great experience that I will always remember. Unfortunately, my collegiate baseball career ended after 4 years of eligibility. So there I was - 22 years of age with a decision to make unsure of what I really wanted to do.

On September 11th 2001, halfway through grad school, the events of that day changed many lives forever. The impact that day had on me, led me to join law enforcement. Although law enforcement work always appealed to me, that day I decided that I wanted to make a career out of giving back to the community. I wanted to be part of another team with similar interests and values of mine. Baseball in many ways prepared me for that jump. I finished grad school and applied to the West Palm Beach Police Department. I have been a police officer now for nine years. Throughout my career, I have been part of multiple units and many teams. I have been given opportunities to do some good and have taken advantage of them. Our city is a great city and our Department is top notch. Joining law enforcement is another decision that I am glad I made. 

AFoD: What happened once you joined the West Palm Beach police? What was your initial training like and how did you end up doing digital forensics work?

Cajigas: After completing the Academy and once at the Department, I went through an initial series of stages that I had to pass before being allowed inside of a patrol car. They included training in defensive tactics, driving, and firearms, among others. These were the core primary skills that were taught to trainees. The department was very strict about their minimum qualifications. 

I then progressed into a multi-month field training program that required me to go on patrol while a qualified senior officer sat next to me and evaluated me. My trainers were very good, no-nonsense, seasoned officers.  Learning at this stage was done at a very fast pace. I was taught radio procedures, report writing and everything else.  Every new call brought about a new challenge. On-the-fly problem solving skills were a must have and strict emphasis was given to safety. 

Upon graduation from the field training program, I began responding to calls by myself. I completed a one year probationary period and remained as a road patrol officer for about four years. I then joined a specialized unit created to reduce crime in a specific area of our city. Our team was made up of 6 officers and we were responsible for just about any crime or issue in this area. This unit provided me with an opportunity to conduct investigations from beginning to end. Some investigations required travel to neighboring cities and others undercover work. 

When a position opened up for the Digital Forensics Unit, I interviewed.  After a few months, I was notified that I had been awarded the position.  That was a very exciting day. I have always had a passion for computers and now I was being given the opportunity to combine police work with that passion. A few years later with a few hundred hours of digital forensic training under my belt, I enjoy computers even more.   

AFoD: What is life like working on the Digital Forensics Unit?

Cajigas: Life in the Digital Forensics Unit is full of activity. Our unit is part of the Palm Beach County Internet Crimes against Children (ICAC) Task Force and the Palm Beach County Regional Forensics Task Force. The task forces are made up of investigators and examiners from different participating agencies in the county. Our ICAC task force has a very proactive approach towards pursuing individuals who hurt children. As a result, we conduct an average of one search warrant every other week involving child exploitation. 

The operations that we conduct can take us from one side of the county to the other with very short notice. We travel in our mobile forensics van, and we triage and preview devices on location. In most cases, we can retrieve the necessary evidence that the investigator needs to make an arrest on scene.

As part of our duties to the Regional Forensics Task Force, we provide assistance to neighboring agencies without forensic units. The cases that we assist with can range from simple thefts to homicides and everything in between. On any day, it is quite common that we might get a request to process ten phones and five computers. The amount of devices that we see at the lab daily poses challenges and opportunities to learn something new every day. This is the part of the job that I enjoy the most - the process involving identifying a problem, looking for a solution and then implementing that solution.

Recently during a case, we came across a 3TB hard drive with a corrupt GPT. Once the drive was imaged, our tool of choice was unable to see the directory structure of the volume. We needed specific files, and we wanted to be able to access the volume inside of the drive without restoring the image or editing the image. After a little bit of research, we ended up accessing the volume by mounting the E01 image in Linux and using the program ‘Testdisk’ to point us to the starting sector of the volume.  The mount command then mounted the volume, and the volume became accessible.    

I have learned that Linux can be a little complicated; however, it is powerful and free. In this instance, once we got past the complicated part, we were left with powerful and free. I see the usefulness and versatility that Linux has when used in forensics. On the days that we have time to catch up, I dedicate a few hours to learning Linux in the hopes that it can become another tool in our tool belt in the battle against online criminals.  

AFoD: So how did you discover that Linux could be a powerful tool for digital forensics examinations?

Cajigas: I first got introduced to Linux back in 2007, before learning forensics. I stumbled across Ubuntu version 7.04 out of curiosity and necessity. During those years, I used to spend a lot of time building and fixing computers. I decided to try Ubuntu when a friend requested my help with recovering family photos from his BSOD’d Windows PC.  I burned the ISO to a CD and booted his “dead” computer from the CD drive. Ubuntu loaded and his computer “magically” came back to life.  His drive was still healthy and the directory structure was intact.  All of his family photos were there waiting to be copied. My friend was happy and I was hooked. To this day it still amazes me how the entire OS can run from a CD, just for the cost of the CD.

I began testing and installing as many variants of Linux on as many computers as I could just to see what I could learn. For instance, it took me about a week of testing different distributions before finally getting the right version of xubuntu working on a PS3. As a result, I installed Ubuntu on a flash drive and carried it with me, just in case of a “dead PC” emergency. 

Fast forward a few years and after some forensics training, I decided to try Linux for forensics. I did it out of curiosity and necessity. I saw that great tools like the SIFT workstation were already out there, so I was curious as to how to use them. I needed a second method of doing forensics, so that at the very least, I could use them to validate procedures. I downloaded as many of the forensic distributions as I could and began testing the programs. Just like with any tool, there is always a learning curve.  Unfortunately when it comes to Linux, that learning curve can sometimes be curvier. Just learning the commands for a specific program could take hours of research and trial and error. But once you learn the program, the results can be very rewarding.

There are programs in Linux for just about every action needed in forensics. Some of the smarter minds in forensics build these programs and release them for free for the benefit of the community. Unfortunately, the documentation on how to use programs in Linux can sometimes be difficult to find. I have found myself reading blog after blog gathering bits from one site and pieces from another, while teaching myself how to use these tools.  As a result, I have decided to document procedures on how to use forensic tools on your own standalone Ubuntu 12.04 machine. My intent is to help other digital examiners in using open source tools during the course of their investigations for free.

I started documenting these procedures at the beginning of the year, and I plan on adding many more. So far, I have documented procedures on how to recover Win7 passwords, using Testdisk, acquiring and mounting E01’s, recovering IE history, file carving, extracting files by record number, registry analysis, and parsing the MFT with analyzeMFT. My attempt is to outline the procedures from beginning to the end for users new to Linux, while explaining every step with screenshots. You can find them at http://epyxforensics.com/blog

AFoD: What can Linux-based tools do for a digital forensics examiner that the increasingly wide range of Windows-based tools can't do?

Cajigas: They might just save you some money! Windows based tools like EnCase, FTK and X-Ways are simply excellent tools.They combine the  processes of acquiring, indexing, parsing, searching, recovering, and reporting all into one suite. In my opinion, there is no equivalent single program available in Linux that can compare to these great suites. Every lab should have at least one of these tools. What is available in Linux is an accumulation of different tools that when put together can accomplish almost all of the same things that these suites do. Some of the tools can do some tasks better, others, not so well. 

But the tools will always accomplish their tasks for free, and they might help you when you don’t have the commercial tool needed for the job. 

Let’s say for example that you and your case could benefit from an analysis of a timeline and you do not have the tool of choice to build that timeline.  Log2timeline is an excellent open-source framework for automatic creation of super timelines. Log2timeline received the 2012 Forensic 4cast, computer forensic software tool of the year. 

Every examiner that I have talked to can remember that time when their Windows forensic tool of choice crashed and failed to accomplish some sort of task. I can personally recall instances in the lab when Windows based tools failed to image devices, and I reverted to using Guymager in Linux with absolute success. And best of all, these tools can all be run from a ten cent DVD. I recently participated in a Rob Lee webcast were he so accurately described the SIFT workstation as your own mobile computer forensics lab.

Linux-based open-source tools alone can be used to complete forensic examinations. Many of these tools have helped me during my investigations.  They were released free to the community, and I believe that we can all benefit from them.  

AFoD: Let's pick out a couple tools to use as examples. I've sung the praises of log2timeline here on the blog and will continue to do so in the future. Let's focus on a tool that might not be as well known. What is Guymager and why should someone consider using it over a Windows-based tool?

Cajigas: Guymager is an open source forensic imager with an easy to use graphical user interface (GUI). The tool, created by Guy Voncken, was designed to be fast especially on multiple processor machines. It produces DD, E01, or AFF images and conducts verifications upon completion. In addition, it creates an .info file that stores acquisition details to include hashes, bad sectors, and SMART data. Because it runs on Linux, it often succeeds at acquiring those pesky drives that make Windows freeze and/or have trouble showing up in Disk Management.

Since acquisition is the one process that has to be done in 99% of examinations, Guymager is a tool I find myself using a lot of the time. Guymager can be downloaded from the Ubuntu Software Center.

Another open source Windows analysis tool with an easy to use GUI is the Forensic Registry EDitor (FRED). FRED is a registry hive editor created by Daniel Gillen. It can navigate the directory structure of a hive and has a built in hex viewer and data interpreter. Another cool feature built into the tool is that it has automated reporting functions that can give you the “RecentDocs” and the “TypedUrls” out of an NTUser.dat registry hive. FRED can be downloaded from penguin.lu.

For their ease of use, these two tools are a good start and a must try for those interested in using Linux based tools.  

AFoD: What do you recommend for someone who wants to learn Linux and get to a point where they can comfortable leverage it for digital forensics examinations?

Cajigas: There will be a lot of reading involved, but these three steps will get you going in the right direction. The first step towards becoming familiar with Linux is to begin using it. As simple as it sounds, installing and using your favorite distribution will teach you a lot about how the OS works and how the directory structure is laid out. Once you know the layout, you are now able to spot the things that look right and the ones that don’t.

The next step is to become familiar with manipulating the shell commands. This is the stage where you learn commands like “cd, cp, rm, mv” and terms like input/output redirection. To redirect the results of one command into a second command and get only one set of results is the linux equivalent of killing two birds with one stone. Redirection is one of the most useful features of the shell. A well written website on learning the linux shell can be found at linuxcommand dot org.

The last step in the familiarization process is to start playing with the forensic tools. This is the fun part. I have written some articles to get you started with the basic forensic tools, and many more can be found on the web. Just like with forensics, in Linux there is something new to be learned every day with tools that are available for just about any task.

The more you play with the tools, the more comfortable you get. Figure out what your need is, and learn how to accomplish that task with Linux. Chances are the next time that you need the same task completed, you will revert back to accomplishing it in Linux.

AFoD: Are their any Linux distros that you recommend over others for the beginning Linux user?

Cajigas: In my opinion, before using any of the forensic live distributions, anyone starting on Linux should start with Ubuntu. Ubuntu was first released in 2004 by a UK based company called Canonical. Canonical provides support, patches, bug and security fixes for a period of eighteen months on each of their new releases, keeping Ubuntu up to date. 

Ubuntu was designed with ease of use in mind and comes with GUI based tools for installation, updating, personalization of the OS, and many more. It has built in support for a lot of different hardware, which translates to a good chance that it will boot and recognize the hardware in your computer. Due to its popularity, a web search will often point you in the right direction towards solving most of the problems you may encounter.

During basic Ubuntu use, mandatory interaction with the terminal is minimal. This gives the user time to get to know the OS before being forced to use the terminal for non-GUI tools. Ubuntu has been selected as the platform for popular live DVD distributions like the SIFT and DEFT. After you become comfortable using your installed version of Ubuntu, graduating to using live distributions no longer feels like unfamiliar territory.  

AFoD: Is there anything else that you'd like people to know?

Cajigas: Open source (Linux) forensic utilities are very useful as a supplement to commercial tools. However, there is the good and bad when it comes to open source. The good - tools are free and they are just as, if not more powerful than commercial tools. The bad – there is a learning curve, and they are harder to use. With that said, as part of EPYX Forensics, my colleagues and I want to bridge that learning curve gap so that forensic examiners are able to take full advantage of open source forensic tools. As I spoke about earlier, I have begun doing this by posting tutorials through the EPYX Blog. We are also currently putting together training courses for law enforcement, government and private sector personnel that we are planning to launch in early 2013.

The world of digital forensics is constantly evolving, and I believe there is a shift towards increased usage of open source forensic utilities, especially with the expenses that come with commercial tools. My hope is for all forensic practitioners to sit down and at least try the open source passage – you just might like what you find.

No comments:

Post a Comment