Wednesday, December 22, 2010

Thank You

I want to thank everyone from the bottom of my heart for their generous support of the blog this past year. From about the time I first started in digital forensics, I've been active in communicating with my peers through forums and all of the great email lists that we have available to us. I decided to start this blog so that I could have a more permanent place to store things that I wish to share with the community. When I started it, I didn't know how well it would be received given the number of excellent blogs in the information security and digital forensics space. I've been amazed and humbled to see the blog’s metrics, such as monthly page views, grow from being counted in the dozens to being counted in the thousands.

My hope is that I will continue to meet and exceed your expectations in 2011. To that end, I have some excellent interviews that I’m hoping to accomplish, including ones that are almost complete with people such as Hal Pomeranz and Ryan Pittman. I will use next year’s interviews to introduce you to people in the community whom you might not know and to promote the excellent work of others. I will continue to blog about the issues of the day that impact our community, such as regulatory issues. I will also use the blog to share my research efforts. For example, I am hoping to start on a memory forensics project next year.

I will also start using the blog to periodically post book reviews that I will be placing on the Amazon website. For example, I expect to get a proper review completed for Hacking Exposed Wireless, Second Edition early next year. I’m finding writing book reviews to be a new challenge that I’m happy to pursue. A good book review needs to be pithy, but also provide the reader with more than simply saying, “This is a great book. You should buy it.” 

As always, I’m particularly grateful to those who take the time to leave comments on the blog or to contact me privately. It means a great deal to those of us who blog to get feedback and suggestions from our readers. Thank you very much for your support this year. Merry Christmas and Happy New Year to you all!

Saturday, December 11, 2010

Standing Athwart Information Technology

I read a discussion recently where a group of very sharp information security professionals were discussing the topic of deploying mobile devices in an enterprise environment. The discussion quickly turned to a variety of “what if” scenarios of the kind we love to do in information security. During this discussion someone made the excellent point that we could “what if” almost any bit of technology to death and come up with reasons why adopting that technology is a bad idea.

One of the classic faults of information security people is to automatically look for reasons to tell our customers not to deploy new technologies or to greatly limit their usefulness if deployed. Security people are fantastic at coming up with reasons not to do something and at creating sometimes elaborate doomsday scenarios that could come to pass if our advice is not taken. While it is understandable that a community of people who spend their careers thinking about and responding to serious security incidents would think like this, it is not an attitude that is in the best interest of our customers.

Our job as trusted advisors is to facilitate the secure use of technology. As information security professionals, we should not be standing athwart information technology yelling stop. It is not good for our customers and it is not good for our careers. We are in a time of rapid and exciting technological advances, whether it is something such as “Cloud Computing”, social networking, or mobile device technology. We should be technology enablers rather than preventers.

The invaluable Mike Cloppert wrote a fantastic piece recently where he argued that we should be working to enable “Cloud Computing” for our customers rather than working against it in the name of fear of the unknown. We should take this same attitude with mobile device technology. It’s here now and it is a very powerful tool for our customers to utilize in advancing their objectives. As digital forensics and information security professionals, we should be continuously looking over the horizon to discover and understand technological advances early so that we can work with our customers to adopt, secure, and maximize their potential.

In the digital forensics community, we have been paying a lot of attention to mobile devices because they are playing an increasingly important role in our investigations. Because we’ve spent so much time studying this technology, we are in an excellent position to not only work with our customers to secure it, but to encourage them to adopt it.

We live in an era where powerful mobile devices are cheap and accessible to large numbers of people. We’re also entering an era of widely available high speed data connections for these devices. For example, Sprint has had their high speed mobile network up for some time now and Verizon’s LTE network just came online. This means there are going to be millions upon millions of people around the world with inexpensive, portable, and powerful devices that will be connected to increasingly fast and affordable data networks. We should be encouraging our customers to quickly embrace this technology so as to obtain an advantage over their competitors. As Margaret Thatcher might advise us, this is no time to go wobbly.

Saturday, December 4, 2010

Did We Make a Mistake?

The comments from my last blog post were excellent and you can read them here. Troy and Neil are quite correct. There is another accreditation issue looming over the digital forensics community other than digital forensic certification. The accreditation of digital forensics labs is something that we need to start talking about more as a community. As it stands right now, accreditation of digital forensic labs is voluntary and relatively rare. A small percentage of labs have become accredited through organizations like ASCLD/LAB. I’m curious about what others think about this issue. Neil makes a very articulate argument, but I find myself sympathetic to Troy’s position.

My initial thought is that voluntary accreditation against a standard that is specifically tailored to digital forensics labs sounds reasonable enough. However, I have concerns about the concept of mandatory accreditation. For example, it could easily be used to establish a guild system similar to what we see with some state licensing standards. I am also concerned that mandatory lab accreditation standards could stifle innovation. The way we do things in digital forensics changes so quickly that standards would almost certainly not keep up. Remember, it wasn’t all that long ago when we were automatically pulling the plug from the back of Windows machines as a best practice. Now we’re in the age of live response and the tools and methods available have changed rapidly.

I wonder if we have made a mistake in the digital forensics community by calling our work areas “labs”. I started in traditional law enforcement where crime labs were places that forensic scientists tested all sorts of very perishable evidence that could easily be destroyed or contaminated if great caution wasn’t taken. For example, it makes a great deal of sense to have strict controls in place when you are working with blood samples. Improper storage and handling are likely to result in destroyed or tainted evidence.

While there are very valid concerns relative to tainting digital forensics evidence that need to be continuously addressed, we’ve got it a lot easier than our colleagues in traditional crime labs. We can easily create digital storage containers like forensic images with free and widely accessible tools that can be safely used outside of a controlled environment such as a traditional crime lab. One of the greatest gifts to digital forensics examiners is the simple hash value. You can’t hash a blood sample, but you certainly can hash an image of a hard drive. I can make an unlimited number of identical copies of my digital evidence. You can’t do that with blood.

You can also put a forensic image of a hard drive on your laptop, bring the laptop down to Starbucks, and do a proper and defensible digital forensics exam while sipping your Gingerbread Latte. Do that with a blood sample and you’re going to have a very uncomfortable court experience in your future. With digital evidence, I can take my evidence, put it on an external hard drive, leave it unsupervised on the floor of a busy shopping mall for days on end, and I can still show that nothing was altered by using hash values. The one catch is that the hash proves this only if it was computed at acquisition and recorded somewhere that did not travel with the drive, so that there is a trusted reference to compare against. Blood? Not so much.
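As an added example that is not part of the original post, the script below does what the two paragraphs above describe: it hashes a (constructed) image in fixed-size chunks, records the digests in a sidecar manifest, shows that a byte-for-byte copy verifies against that manifest, and shows that a single flipped bit in the copy is caught. The file names, the manifest format, and the 4 MiB sample "image" are this example's own assumptions, not the behaviour of any particular imaging tool.

```python
"""Hash-based integrity check for forensic images.

Added example, not from the original post. The one-pass chunked hashing,
the '<algorithm>  <hexdigest>' manifest format and the demo data are this
example's assumptions rather than any specific tool's behaviour.
"""
import hashlib
import io
import os
import shutil
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB reads: a multi-hundred-GB image never has to fit in RAM


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, computing every requested digest in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = fh.read(CHUNK_SIZE)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Same digests for in-memory data (handy for checking against known vectors)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def write_manifest(image_path, digests):
    """Write the acquisition digests next to the image.

    This sidecar is only evidence of integrity if a copy of it is also kept
    somewhere the image itself cannot reach (case notes, a separate store).
    """
    manifest_path = image_path + ".hashes"
    with open(manifest_path, "w") as fh:
        for name, hexdigest in sorted(digests.items()):
            fh.write(f"{name}  {hexdigest}\n")
    return manifest_path


def read_manifest(manifest_path):
    digests = {}
    with open(manifest_path) as fh:
        for line in fh:
            if line.strip():
                name, hexdigest = line.split()
                digests[name] = hexdigest.lower()
    return digests


def verify_file(path, expected):
    """Return (ok, mismatches); mismatches names every algorithm whose digest differs."""
    actual = hash_file(path, tuple(expected))
    mismatches = sorted(name for name in expected if actual[name] != expected[name])
    return (not mismatches, mismatches)


def demo():
    """Constructed scenario: acquire, copy, verify the copy, then detect a one-bit change."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.dd")
        copy = os.path.join(workdir, "evidence-copy.dd")

        # Constructed stand-in for an acquired image: 4 MiB of repeating byte values.
        with open(original, "wb") as fh:
            fh.write(bytes(range(256)) * (4 * 1024 * 4))
        manifest = write_manifest(original, hash_file(original))
        expected = read_manifest(manifest)

        shutil.copyfile(original, copy)
        copy_ok, _ = verify_file(copy, expected)  # an identical copy verifies

        # Flip one bit in the middle of the copy; every digest must now differ.
        offset = os.path.getsize(copy) // 2
        with open(copy, "r+b") as fh:
            fh.seek(offset)
            byte = fh.read(1)[0]
            fh.seek(offset)
            fh.write(bytes([byte ^ 0x01]))
        altered_ok, mismatches = verify_file(copy, expected)

        return {"copy_ok": copy_ok, "altered_ok": altered_ok, "mismatches": mismatches}


if __name__ == "__main__":
    print(demo())
```

Two practical notes. First, the check attests to the image only as of the moment the reference digests were recorded, which is why the manifest is written at acquisition and a copy belongs in the case notes. Second, MD5 is computed here because it is what most imaging tools report, but it is paired with SHA-256: MD5 collisions have been practical since 2004, so an adversary who controls both files can produce two images with the same MD5, whereas accidental corruption or a stray write will be caught by either.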

Consider an independent digital forensics consultant who works out of his house while traveling most of the time doing incident response work. Does he need to have his “lab” accredited?  Does that make any sense? What exactly constitutes his “lab”? His laptop where he does most of his forensics work in some hotel room? His home office where he spends less time than on the road?

How does this sort of thing scale into the future? What if a digital forensics lab uses some sort of Software-as-a-Service type provider for some of its examination work? Does that outside provider also need to be an accredited digital forensics lab?

I understand why traditional crime labs need to have very strict standards and why ASCLD/LAB accreditation style standards are embraced.  What I’m having a problem with is equating what we do with digital evidence to what these traditional forensic science labs do with their evidence.  If we adopt artificially stringent standards that weren’t originally intended for digital forensics, we could put a lot of private entities and smaller law enforcement organizations out of business at a time when we need more capacity to keep up with the increasing demand for digital forensics.

Saturday, November 13, 2010

Certification, Licensing, and Accreditation in Digital Forensics

Considering the subject matter that I’m going to be wading into with this blog post, I want to start off by doing some full disclosure. I’m a member of the Board of Directors for the Consortium of Digital Forensics Specialists (CDFS) and I’m also in the orbit of the SANS Institute. I’ve done both volunteer and paid work for SANS and the Global Information Assurance Certification (GIAC). I’m hoping to teach my first Community SANS class for them sometime in 2012, which would be a paid engagement. As always, I speak only for myself on this blog and what I write does not necessarily reflect the views of any organizations that I’m associated with such as CDFS or SANS.

Some of the hottest topics of discussion in the digital forensics community are the issues of certification, accreditation, and licensing. In fact, one of the most common errors that I see in these discussions is confusing the terms and their goals. In the digital forensics community, these terms have specific meanings that I would like to try to define up front.

Certification takes the form of an outside entity who certifies that an individual has met some sort of minimum standard of competency in an area of digital forensics.  The entities that do this inside of the digital forensics community are legion and include organizations such as the International Society of Forensic Computer Examiners (ISFCE), the International Association of Computer Investigative Specialists (IACIS) and GIAC.

Accreditation, for the purposes of this discussion, is an outside entity such as the Forensic Specialties Accreditation Board (FSAB) or the American National Standards Institute (ANSI) that, through an accreditation process, validates that a digital forensics certification or organization meets its minimum standards. For example, GIAC has several of its certifications accredited by ANSI, including the GIAC Certified Forensic Analyst (GCFA) certification. There are several entities, such as the Digital Forensics Certification Board (DFCB) and IACIS, that are interested in pursuing FSAB accreditation.

Licensing is a government entity regulating a particular profession in such manner where it becomes unlawful to engage in certain professional activities without a license. There are a whole host of professions that are regulated in this manner to the extent that a person needs government permission to engage in activities such as private investigation, practicing medicine, cutting hair, giving therapeutic massages, and a long list of other activities.

Two out of the three of these things are good ideas for the digital forensics community. Certification of practitioners and the accreditation of the bodies that certify them are vital to professionalizing the industry and helping us progress as a community. The licensing of digital forensics practitioners is a bad idea regardless of whether digital forensics practitioners are required to be licensed as private investigators or specifically as digital forensics examiners.

I’m not an absolutist when it comes to licensing. I understand that in certain limited cases pertaining to critical issues such as public health and safety, there is an important role for government to play in regulating certain activities. However, it’s important that we as a community understand that the history of professional regulation has not been a rosy one. Much of what we see here in the United States relative to professional licensing is just a modern day version of the guild system where professions use licensing to keep out competition and control the market.

The common case that is made by those who support the licensing of digital forensics is that it will somehow increase professionalization by weeding out those who are unethical or incompetent. This gets into a common mistake that is made by supporters of licensing, which is to assume that licensing is a measure of competency. While it’s true that licensing arrangements frequently mandate some sort of training in the professional area, this is not necessarily a measure of professional competence. In the cases when testing is performed as part of the process, it is generally used to validate regulatory knowledge rather than professional competency. It’s that mandatory training requirement (if one exists) that allegedly ensures professional competency. Not coincidentally, it’s also what is used to establish the modern day guilds that we see in professions like law, medicine, and even massage therapy.

Because digital forensics is a convergence of technology and law, we already have measures in place that protect the public from unethical and incompetent examiners and methods.  We have standards like Daubert and an adversarial legal process that has well established methods of vetting those who would act as expert witnesses during legal proceedings.  Licensing of digital forensics people is unnecessary in the face of well known and accepted gatekeeping processes for legal proceedings. 

Not only is it unnecessary, but it’s harmful for both the profession and the public. This is because licensing will likely result in a digital forensics guild system where the government will decide who can practice digital forensics and who can’t. It will do this without much serious thought to the issue of professional competency, which is the banner under which proponents of digital forensics licensing frequently rally.

One argument is that a digital forensics licensing system can be established that would provide for competency assurance by requiring that licensees have a certification in digital forensics from an approved entity.  This is unhealthy for the community because it could very well result in the various certification organizations having to put a lot of time and money into lobbying the various government entities to allow their certification to be one of the approved certifications.  It gets worse if a government regulatory body were to decide that they were only going to accept one digital forensics certification as the standard for licensing.  That will put the certification bodies in direct adversarial competition with each other to make themselves the standard for that regulatory body.

There also is the issue of law not keeping up with technology which is a frequent occurrence in the digital age.  Even if I were to allow myself to be swayed by some siren song of licensing, how does state specific licensing work here in the United States?  Licensing systems are generally done at the state level.  Digital forensics is very much an interstate and international issue.   What if you have a case that requires you to engage in regulated activities in many states where a license is required for each one?  What if each of those states not only requires a license, but they also require different digital forensics certifications as part of that licensing process?

We don’t need a modern day digital forensics guild system. We are capable as a community of regulating ourselves through collaborative efforts like the CDFS, the various well established and respected organizations like ISFCE and IACIS, and through the legal system’s standards in vetting people who provide testimony in legal proceedings.

Just say no to digital forensics licensing.

Certification and accreditation are something that we should embrace as a community in part to help ward off any licensing efforts by the government.  This should be an area of common ground between those who support licensing and those who support industry self-regulation.  For example, if one supports licensing of digital forensics professionals as a way to ensure basic competency, there has to be some sort of competency testing component to that process. That component can be achieved by professional certification through the various digital forensics certification bodies.

If we are going to be taken seriously as a profession, we ourselves have to take our profession seriously. That means coming together as a community to establish minimum standards of competency for digital forensics examiners and providing methods by which examiners can show that they have met these standards. We have many respected organizations who have spent a lot of time and effort doing that very thing and, judging by the number of people I see who hold digital forensics certifications, we have embraced those efforts as a community.

It’s important to understand that certification does not mean mastery. It just means that an outside organization has validated that an individual has met the minimum standards as defined by the organization. In fact, certification doesn’t necessarily even mean professional competency. Ask any digital forensics hiring manager and they will be able to provide you with stories of certified applicants who failed their hiring process because of a lack of technical competency. Doing a week of digital forensics training and then obtaining a certification doesn’t mean that someone is necessarily a competent digital forensics examiner, but it’s a start, especially for someone who is interested in getting into the field.

Accreditation is a key component of certification. It’s essentially the certification bodies being certified themselves by a trusted outside entity such as the FSAB or ANSI. As a community, we should be pushing the various certification organizations to advance the cause of digital forensics professionalism by pursuing accreditation. We should do this because our professional organizations and their associated certifications will be taken more seriously if these organizations can show that they are following industry standard practices when it comes to the credentialing of digital forensics practitioners.

GIAC went the ANSI route and I think that means that the GCFA certification might be the first digital forensics certification that has achieved accreditation from a well recognized standards organization.

I know IACIS (I’m an associate member) is interested in pursuing FSAB accreditation. That’s great to see because IACIS has put a lot of time and effort into making their CFCE certification a well respected certification in the digital forensics community. They recently made the decision to open up that certification process to those who aren’t members of IACIS, which is part of what needs to happen for FSAB accreditation. The FSAB prohibits membership in an organization as a requirement for certification. I’m not sure when the certification will be available to the public, but IACIS is working on getting that done.

One of the primary premises behind the DFCB is to establish an industry standard digital forensics certification that would achieve FSAB accreditation. This effort hasn’t gone all that smoothly, unfortunately. The “Founders” Digital Forensic Certified Practitioner (DFCP) process that I went through to achieve my DFCP certification was disorganized and understaffed. Since that time, I haven’t seen much in the way of improvement when it comes to communication and organization on the part of the DFCB. They haven’t been very good at communicating what is going on with the organization and what progress is being made towards their ultimate goals. Transparency hasn’t been a hallmark of the organization. For example, I would like to know who makes up the various committees. The website lists who leads their committees, but not who the members are, what the committee goals are, and what progress has been made towards those goals. Early in their history they posted some documents of this nature pertaining to early organizational meetings, but that has not occurred in some time. I’ve yet to find a DFCP certified person who is happy with the organization. They mean very well, but they’ve clearly had some trouble when it comes to communication and execution. I’m hoping things will get better for them as they pick up some momentum because their stated goals are laudable. I would also like to see at least one digital forensics organization achieve FSAB accreditation.

Saturday, October 23, 2010

Interview with Dr. Gary Kessler

Future of Digital Forensic Tools Follow Up

Thanks for all of the comments both in public and private relative to my last post about the future of digital forensic tools. In a nutshell, we’re going to be approaching the point where digital forensic leaders like myself are going to have to make hard choices about where we spend our limited resources.  If I have five head count available to me, do I really want to devote the equivalent of one FTE to the care and feeding of increasingly sophisticated and complex enterprise sized digital forensic tools? That is going to cost me twenty percent of my analytical productivity.  Outsourcing the administration of my enterprise level tools through a Software-as-a-Service (SaaS) model in a cost effective manner will be a compelling option and I think it’s one that will be coming relatively soon.

CEIC 2011

‘Tis the season to start thinking about 2011 digital forensics training conferences, and Guidance Software has worked very hard to make CEIC a very compelling choice. I attended my first CEIC last year and enjoyed it immensely. The CFP period is open with a November 15th deadline. I will be putting in to present on a couple of different topics. Hopefully, one will get accepted and I’ll see you there in Orlando.

SANS Forensics and Incident Response Summit 2011

Rob Lee has done an absolutely fantastic job turning this event into an amazing offering.  Because he is so well known in the community and has so many relationships with the A list digital forensics and incident response people, he has the ability to put together the best lineup of presenters that you’ll find at any digital forensics conference.  I’m hoping that I’ll be able to attend this event which will be held in Austin, Texas.

Dr. Gary Kessler Interview

I decided one of the best ways to follow up the “Take Vienna” blog post was to interview someone who has a background as both an academic and a practitioner in the field. I’m a big Gary Kessler fan and since he is both a skilled academic and a sharp digital forensics examiner he was the clear choice. It’s hard not to like him and he’s done a considerable amount of work over the years advancing the cause of digital forensics as a science, including being heavily involved with the creation of the digital forensics program at Champlain. While Gary is no longer with Champlain, he continues to contribute to the digital forensics community in a variety of ways, which you can read about at his website. Gary is very active in several efforts to organize and professionalize the practice of digital forensics.

AFoD: What attracted you to the field of digital forensics?

GK: I have been involved with information security, in general, since the late-1970s. Computer forensics, as a form of infosec incident response, seemed to come into vogue in the late-1990s.

Meanwhile, the Internet Crimes Against Children (ICAC) Task Force was being formed in VT and the leadership all knew me and thought that having a computer techie (my M.S. is in Computer Science) helping out might be useful. So, in 1999 or so, I was asked to join the VT ICAC as a pro bono consultant.

As I got more involved with the DF community -- in 2002, it was mostly law enforcement -- I found myself meeting some of the finest folks I have ever worked with professionally. And I like investigative work, problem solving, working puzzles, and helping others understand what the computer has to tell you...

AFoD: What led you to get involved in digital forensics in the academic world?

GK: I joined the faculty at Champlain College as an adjunct in early 2000 and full-time in the summer of 2000. I was already involved with the ICAC and participated in training activities.

In late 2001, the Task Force commander and I thought that it would be interesting to teach a course at the college in CF. The course was offered in the fall 2002 semester and filled during preregistration. During that semester, we became aware of a variety of NIJ studies that, among other things, suggested a gap between what LEOs actually knew about CF and what they needed to know. At the same time, we were getting questions about our CF "program" -- yet we only had one course!

That led to the development of an undergraduate CF program that started in 2003 and the online undergrad program in 2004. CC started a graduate program in CF management in 2009.

This all said, there is work afoot to come up with curriculum guidelines for DF. The project started about five years ago, sponsored by NIJ. For some reason, the output from that group never got published. After the AAFS adopted DF as a forensic science, the work started again and should be adopted/published, I would guess, within the next six months.

AFoD: What was your role at Champlain college and what makes that program unique from other digital forensics programs?

GK: I was the program director of the undergrad CF programs at their inception. Eventually, the online division took over the online CF program (in about 2007) and then I moved into managing the graduate program (2009). I was the program director of the M.S. in Digital Investigation Management when I left the college in the summer of 2010.

I think the thing that made our undergrad program unique in 2003 was a) I don't know of another undergrad program that existed at the time and b) it combined computer courses, criminal justice courses, and CF courses.

AFoD: What makes up an ideal digital forensics academic program?

GK: This is hard to answer because it depends so much on the goals of the program. At the undergraduate level, I think that academia needs to prepare students for life-long learning. The undergrad of today might well have three or more *careers* -- not merely *jobs* -- in their lifetime so higher ed.'s first responsibility, IMO, has to be to make sure that students know how to learn.

Second, the curriculum should prepare the student to enter either the workplace or graduate school. So this is a bit long but I think that a CF/DF program needs to teach some general education to round out a student, and a broad spectrum of computer science (including fundamentals of operating systems), law, networking, and, of course, CF (processes, file systems, mobile devices, cyberlaw, cybercrime, e-discovery, testimony, etc.).

Graduate programs are a bit harder to nail down. At the graduate level, a technical program, IMO, is advanced, specialized computer science. This is a program for individuals who will be next generation tool creators, process developers, tool testers, etc., etc. A management program, such as the one at CC, is designed for those aspiring to manage CF labs and people, and understand the business aspects of such activities.

In either case, DF students need to know how to write well, speak well, and *read*!

AFoD: What should the end goals be for an academic digital forensics program?

GK: Pretty much as stated above. Produce generalist learners, specialists in DF as a multidisciplinary science, and prepared for life, the universe, and everything!

Since I got this far, *I* have never taken the posture that CF graduates would be able to immediately walk into a CF shop and be able to work on exams unsupervised. I have always felt that the programs should concentrate on the process and introduce a plethora of tools rather than produce a student who is expert in one tool. The latter is the purpose of training. I observe that students getting a CJ degree still go to a police academy and then get additional on-the-job training prior to pushing a cruiser on their own. A CF graduate should be able to quickly get up to speed but will still need some training.

AFoD: Other than teaching, what role should academic digital forensics program play in advancing digital forensics?

GK: I think that academicians can play a critical role in advancing the science. They should also be practitioners so that they are aware of the real problems faced by people in the field. They can then be in a good position to help work with the practitioner community to advance standards, tools, research, legislation, local training efforts, and more.

AFoD: Is digital forensics a science? Is it an art? Both?

GK: DF had better be a science now that the AAFS has adopted Multimedia and Digital Forensics as a new branch! :-) Sure, there is some art to the practice but we *MUST* define and adopt processes for DF that are, in fact, based upon science. For this, it's worth reading Fred Cohen's books and learning about information physics!

AFoD: You mentioned the American Academy of Forensic Science (AAFS) has added a Digital and Multimedia Sciences section.  Why is that significant for the digital forensics community?

GK: If the DF community wants to be taken seriously as a forensic science, then this nod from the AAFS is incredibly important. DF is the only forensic science that has been largely driven by the practitioner community rather than the computer science community. But the examination of computers is, fundamentally, computer science.

That is *not* to say that one needs to be a formally trained computer scientist in order to practice computer forensics. Not only do I not believe that but it would fly in the face of the reality of the profession today. But DF needs to become more of a science and less of an art!

AFoD: What digital forensics programs other than Champlain could you recommend to students who are interested in studying digital forensics?

GK: There are now a bunch of programs depending upon where you want to study and what approach you'd like to take to your studies. Certainly the undergrad programs at Daytona State, Defiance College, Bloomsburg University, University of Rhode Island, Utica College, Univ. of Alabama Birmingham, Univ. of Mississippi, Johns Hopkins, Fountainhead College of Technology, and Univ. of Advancing Technology are well-known and worth investigating. There are others, too: see

There are also grad programs worth looking into... programs at Daytona/UCF, Purdue, John Jay, Univ. of Maryland University College, and California Sciences Institute leap immediately to mind.

And these are just the programs in the U.S.!

AFoD: Is there a career path for people interested in digital forensics,  but who want to practice it as a full time academic discipline?

GK: Yes, I believe so... but accreditation requirements of colleges and universities will demand that anyone with a full-time job in academia hold at least a master's degree and, preferably, a doctorate.

AFoD: What should be the role of the scientific method in digital forensics?

GK: Well, that couples with the question above. The Daubert and Kumho Tire rulings guide the introduction of scientific and technical evidence in federal courts and about half of the state courts. We need to have a science that answers the tests. One Daubert requirement is that the procedures have a known, or knowable, error rate. It is unclear that we even know how to calculate the error rates in DF practices.

Again, I am *not* saying that DF work is sloppy or error-prone or anything like that. I am suggesting that we know that we're not seeing 100% of everything and we have no way to prove that what we're missing doesn't change the bottom line.

We need more science and more research.
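To make the "known, or knowable, error rate" point concrete, here is a worked illustration of how an error rate for a DF procedure can be measured at all: only against a reference corpus whose full contents are known in advance. This is an added example, not part of the interview and not any tool's code. The ground truth (artifacts planted on a test image) and the tool output are constructed for the example, and the hypothetical recovery tool is assumed rather than named. The Wilson score interval gives the range the true miss rate plausibly lies in for the amount of testing done, which is what "knowable" buys you.

```python
"""Measure the error rate of a digital forensics procedure against a
reference corpus with known contents.

Added example for this page, not code from the interview or any vendor.
GROUND_TRUTH and TOOL_OUTPUT are constructed; the tool is hypothetical.
"""
import math

# Constructed ground truth: every artifact deliberately planted on the test image.
GROUND_TRUTH = {
    "docs/contract.doc", "docs/budget.xls", "mail/inbox.pst",
    "img/photo1.jpg", "img/photo2.jpg", "img/photo3.jpg",
    "tmp/notes.txt", "usb/readme.txt", "sys/pagefile.sys", "log/access.log",
}

# Constructed output of a hypothetical recovery tool run over the same image.
TOOL_OUTPUT = {
    "docs/contract.doc", "docs/budget.xls", "mail/inbox.pst",
    "img/photo1.jpg", "img/photo2.jpg",
    "tmp/notes.txt", "usb/readme.txt", "log/access.log",
    "img/carved_0001.jpg",  # spurious carve: was never planted
    "tmp/~wrd0001.tmp",     # spurious: was never planted
}


def error_rates(truth, found):
    """Confusion counts and rates for one tool run.

    The miss rate (false negatives / planted artifacts) is only computable
    because `truth` enumerates everything on the image; on a real case
    there is no such list, which is exactly the Daubert problem.
    """
    if not truth:
        raise ValueError("ground truth must be non-empty")
    tp = len(truth & found)
    fn = len(truth - found)
    fp = len(found - truth)
    return {
        "true_positives": tp,
        "false_negatives": fn,
        "false_positives": fp,
        "miss_rate": fn / len(truth),
        "false_discovery_rate": fp / len(found) if found else 0.0,
    }


def wilson_interval(errors, trials, z=1.96):
    """Wilson score interval (default 95%) for an error proportion.

    With only `trials` observations the point estimate is not the whole
    story; this is the range the true rate plausibly lies in.
    """
    if trials <= 0:
        raise ValueError("trials must be positive")
    p = errors / trials
    z2 = z * z
    denom = 1 + z2 / trials
    centre = (p + z2 / (2 * trials)) / denom
    half = z * math.sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def report(truth=GROUND_TRUTH, found=TOOL_OUTPUT):
    """Error rates for the constructed run, with a 95% interval on the miss rate."""
    rates = error_rates(truth, found)
    rates["miss_rate_95ci"] = wilson_interval(rates["false_negatives"], len(truth))
    return rates


if __name__ == "__main__":
    r = report()
    lo, hi = r["miss_rate_95ci"]
    print(f"missed {r['false_negatives']}/{len(GROUND_TRUTH)} planted artifacts "
          f"(miss rate {r['miss_rate']:.2f}, 95% CI {lo:.2f}-{hi:.2f})")
    print(f"{r['false_positives']} reported items were never planted "
          f"(false discovery rate {r['false_discovery_rate']:.2f})")
```

On ten planted artifacts, two misses give a miss rate of 0.20 but a 95% interval of roughly 0.06 to 0.51; the interval only tightens with a larger corpus, which is why a published error rate needs a documented test set behind it, not a single run.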

AFoD: What is your view on the role of digital forensics certifications?

GK: I think that certifications are ONE part of professional credentialing but, in the end, speak to one's training. I also think that academic credentialing is important, as well. Unfortunately, an academic degree may not demonstrate one's practical knowledge/skills and certifications don't demonstrate a person's fundamental and theoretical knowledge -- things that I believe are essential for life-long learning and professionalism.

I think that professionals need to demonstrate a combination of appropriate training and education. Certification is a part of that.

AFoD: Should the digital forensic community standardize on just one digital forensics certification or continue to have multiple certifications from different organizations?

GK: Even if I felt that one standardized certificate was the right thing to do, I don't see how we could choose which one, given that the barn door is already open! (If I can mix the metaphors.)

I would like to see some standardization in what the generic industry certs actually show. In response to the NAS report from 2009 about forensics, I think it imperative that any DF certification include a practical portion. I think that being able to communicate one's findings in a report needs to be a part of the certification. I think that for our own credibility, the certs that are respected should demonstrate experience and practical competence and NOT be ones that you could read a book for and pass. Vendor neutrality, IMO, is key as well as being available industry-wide.

I also see different levels of cert coming. A general DF cert is great. I see specialty certs also coming, such as mobile forensics and e-discovery.

AFoD: What advice would you give to those who want to break into the digital forensics field?

GK: Well, it would depend upon the age of the person and the area where they live. DF is no easier a profession to break into than information security; you can't just get some training, hang up a shingle, and start working. If I were 40 years younger, I would say go to school. If making a career change, I would survey the local practitioner landscape and try to find a mentor. So many people say, "I want to learn CF and volunteer with local police and catch child perpetrators." Well, that may be noble but it is very hard to find in practice! It's easier to find a private firm. Look for local DF organizations, such as a local HTCIA chapter; it's a great way to learn and to network. In some cases, it means thinking about moving; there are a lot of CF jobs but they are not equally distributed geographically.

Saturday, October 9, 2010

The Future of Digital Forensics Tools?

Access Data released the newest version of its popular FTK Imager tool this week. It incorporates a variety of new features, including the ability to mount images as a logical drive or as a physical device. A key feature of FTK Imager is that it can be used as a very basic file system analysis program. By adding the mounting feature, Access Data has taken another step in moving this tool beyond being just a nice acquisition tool towards something that will commonly be used in examination work.

I think this small event could signal the beginning of the end of forensic software manufacturers charging high prices for comprehensive digital forensics suites such as EnCase and FTK.   This doesn’t mean that digital forensics tools are going to be cheap in the future, but I think the future is starting to become clearer.

The way I see the evolution of digital forensics tools goes something like this:

The Zero Generation: The Mesozoic era

In the beginning, there was nothing. Seriously, nothing. This was before I entered the field, but I know enough people who started in this era to have a good feel for it. Examiners during this time had to use tools like hex editors and system administration type tools because of the lack of tools specifically designed for digital forensic purposes. As the market expanded for digital forensics tools, we entered…

The First Generation: The Enhanced Hex Editor Era

We had tools like Expert Witness (which later became known as EnCase) created in this era that were designed to be digital forensics tools. The dominant tool of this era was EnCase. The core of EnCase was the ability to acquire forensic images in a court-defensible manner and to examine the resulting images. When being used for analysis, EnCase was essentially a very specialized read-only hex editor that could parse file systems. Guidance Software’s innovation path was to increasingly add useful features that parsed different types of artifacts. Users had the ability to create their own features through the EnScript language.

Access Data’s FTK became a very popular tool to use alongside EnCase because it handled email very well and also incorporated the dtSearch indexing engine. However, FTK was generally not considered to be as good as EnCase when it came to disk-level examination functions, so it tended not to be used as a replacement for EnCase. This was fine for tactical-level digital forensics work, but for eDiscovery and for larger data set digital forensics cases, the hex editor model didn’t scale well, which brought us to…

(Okay, I have to stop here because I know I’m going to have people screaming at their monitors shortly if they haven’t already started. I know I’m grossly oversimplifying this, but I don’t intend for this post to be a comprehensive history of digital forensic and eDiscovery tools. Sleuth Kit rocks and the price is right; you also have great tools from this era like ProDiscover, X-Ways, and SMART. However, at a high level, they are all essentially the same type of forensic software. I’m also assuming that the people reading this blog post have a working knowledge of how all of these tools work.)
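What the "enhanced hex editor" generation actually does under the hood, and what the new FTK Imager mount feature needs before it can present a partition as a drive, is parse on-disk structures at fixed offsets from a read-only image. As an added example (my code, not FTK Imager's, EnCase's, or Sleuth Kit's), here is the first such structure an examiner meets: the MBR partition table, parsed from sector 0 of a raw image into the byte offsets a tool or a loop mount would use. The 512-byte MBR is constructed inline with two partition entries, and a 512-byte sector size is assumed.

```python
"""Parse an MBR partition table from sector 0 of a raw disk image and
compute each partition's byte offset and length.

Added example, not code from any forensic suite. SAMPLE_MBR is constructed
here; a 512-byte sector size is assumed.
"""
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446       # boot code occupies bytes 0..445
ENTRY_SIZE = 16
ENTRY_COUNT = 4
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count; little-endian
ENTRY_FMT = "<B3sB3sII"
assert struct.calcsize(ENTRY_FMT) == ENTRY_SIZE


def parse_mbr(sector0, sector_size=SECTOR):
    """Return a list of dicts, one per populated partition entry.

    The boot signature is checked first: sector 0 without 0x55AA is not an
    MBR (and may not be a partitioned disk at all). A GPT disk still carries a
    protective MBR with a single type 0xEE entry; that case is flagged so the
    caller knows to go read the GPT header at sector 1 instead.
    """
    if len(sector0) < 512:
        raise ValueError("need at least 512 bytes of sector 0")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    parts = []
    for i in range(ENTRY_COUNT):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(ENTRY_FMT, sector0, off)
        if ptype == 0 or count == 0:
            continue                      # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "gpt_protective": ptype == 0xEE,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * sector_size,   # what mount -o loop,offset= wants
            "byte_length": count * sector_size,
        })
    return parts


def build_mbr(entries):
    """Construct a test MBR from (bootable, type, lba_start, sectors) tuples."""
    if len(entries) > ENTRY_COUNT:
        raise ValueError("at most four primary entries")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
        for boot, ptype, lba, count in entries
    )
    table += b"\x00" * (ENTRY_SIZE * (ENTRY_COUNT - len(entries)))
    return b"\x00" * PART_TABLE_OFFSET + table + b"\x55\xaa"


# Constructed sample: a bootable NTFS (0x07) partition starting at sector 2048,
# followed by a FAT32 LBA (0x0B) partition.
SAMPLE_MBR = build_mbr([
    (True, 0x07, 2048, 204800),
    (False, 0x0B, 206848, 409600),
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"partition {p['index']}: type 0x{p['type']:02x} "
              f"offset {p['byte_offset']} length {p['byte_length']}"
              + (" (bootable)" if p["bootable"] else ""))
```

The byte_offset is the number you hand to a loop mount on Linux (for the sample's first partition, `mount -o ro,loop,offset=1048576 image.dd /mnt/p1`); the important part for an examiner is the `ro`, so that the mount never touches the image the way the read-only hex editor never did.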

The Second Generation: The Database Era

The eDiscovery people really pushed this and were the first people to develop tools that used databases to manage data and allow for scalability. On the digital forensics side, Access Data was the first traditional digital forensic company to really embrace this by releasing the Oracle-based FTK 2. As we know, FTK 2 was an abomination (it didn’t actually work), but FTK 3 followed shortly and has become a dominant second generation digital forensics tool. There are plenty of eDisco tools that aggressively use database technology as well as other unique technologies such as concept analysis, but most digital forensics companies are still largely in the first generation era.

Access Data and Guidance Software have been aggressively involved in the enterprise-level eDiscovery and digital forensics market for quite some time. Guidance still appears to approach things from a first generation view, which I think is one of the reasons why Access Data has gained so much traction recently. Access Data has embraced the explosion of innovation in the eDiscovery market up to and including merging with CT Summation. They understand that scalability is going to be a key issue that digital forensics companies will have to face and they clearly understand that first generation digital forensics tools are not the future.

This is why I think the release of FTK Imager 3 is a small, but key event.  If a company like Access Data can be profitable with second generation tools and enterprise focused strategies, they may decide to put downward pressure on their first generation-centric competitors by offering up their own first generation technology tools for free or very low cost.  We may very well be seeing the beginning of the end of paying thousands of dollars for first generation style hex editor tools because…

The Third Generation: Digital Forensics Software as a Service

The eDisco people have already been here for a while, so it’s logical that the digital forensics world will follow. I bet you see Access Data start moving to this model at some point in the near future. They’re already pushing the limits of what a database layman can do, and one of the consistent complaints I hear about FTK 3 is that it’s very resource intensive. Access Data already sells expanded versions of its FTK suite to customers who need more horsepower and capabilities, but this requires additional hardware resources and personnel to administer it.

The next logical step will be for a company like Access Data to embrace the cloud based SaaS model for digital forensics tools.  In this model, Access Data would manage all of the hardware and software and also act as the custodian of the data for a case.  The customer’s analysts would work with the data remotely without having to manage forensic hardware or software.

I’m not saying third generation digital forensics tools will replace first and second generation tools.  For example, I think we will have the enhanced hex editor type tools with us for a very long time because they work well for cases with small data sets.  However, the increasing size of data sets coupled with the need for advanced features like data analytics and more powerful forensics software will usher in this generation of digital forensics tools.

Access Data gained a competitive advantage by beating Guidance to the second generation. If I were Guidance Software, I’d be working on the third generation of digital forensic tools so that I could return the favor.

Wednesday, October 6, 2010

Work For Lenny

I had the good fortune to attend Lenny Zeltser’s introductory malware analysis presentation at the HTCIA Northeast chapter meeting today. I have been looking forward to attending this presentation ever since I learned about it. Lenny is an accomplished instructor and did a remarkable job explaining a complex topic like malware analysis in terms that made it very approachable for the layperson.

Lenny breaks down malware analysis into two main parts. The first part is behavioral analysis.  This is where the examiner works with the malware in a safe environment to learn about it through interaction and observation.  The second part is code analysis which involves using tools like debuggers to examine malware at an assembly language level.  It’s important to note that knowing assembly language is not a prerequisite  to becoming a malware analyst or attending Lenny’s training.   That said, if you want to be excellent at it, you’ll need to add knowledge of assembly language to your skill set. 

Lenny is going to be teaching his SANS malware analysis course in New York this month and there are seats still available. COINS-LZ is a discount code that will reduce the cost of the class by ten percent. 

Lenny is also in the market for a security architect to come to work for him. If you are interested in a great job in the NYC metro area, this is a fantastic opportunity.

Saturday, October 2, 2010

SANS Network Security 2010

I had the pleasure of being Rob Lee’s Teaching Assistant for Computer Forensics Essentials (AKA FOR408) last week at SANS Network Security 2010 in Las Vegas.  It was more than a surreal experience for me.   About six years ago I took my first SANS class taught by Ed Skoudis. Ed showed how great information security training could be when you match a fantastic instructor with great material. I’ve been a SANS fan ever since.   Part of what made it a surrealistic week was that the event was held at Caesars Palace in Las Vegas.  Factor in a high level of excitement on my part, minimal sleep, the almost cartoon like Vegas surroundings and interacting with all of the great SANS instructors, students, and staff and it’s quite a difference from my normal work week.

One of the nice things about being on the instruction staff, even just as a TA, is access to the speaker’s ready room where the instructors eat breakfast and lunch together. I essentially got to act as a fly on the wall watching how the instructors abused, er, interacted with each other. They clearly spend a lot of time together during the year at these conferences and outside of them and have a high sense of camaraderie. Being able to hear what people like Stephen Northcutt, Lenny Zeltser, Ed Skoudis, Mike Poor, Kevin Johnson and the rest talk about when they’re together was worth the trip alone. I was finally able to meet Lenny Zeltser, Hal Pomeranz, and Kevin Johnson in person for the first time and enjoyed their company immensely.

If you’re at a SANS conference or any other venue where Kevin Johnson is speaking, I highly encourage you to attend one of his “Social Zombie” presentations. Kevin is not only a very sharp fellow, but he’s more than a little bit of a showman. His material is excellent and he’s an innovator when it comes to the convergence of social networking and penetration testing. I enjoyed not only the content of the presentation, but watching how Kevin works a room. He provides a very high energy presentation and is almost constantly in motion when he’s talking. The audience was very engaged with his presentation because of how well he can connect with a large group of people.

I also finally got to meet Scott Moulton in person. His hard drive repair class was in the room next to where Rob was teaching FOR408. Scott’s class is nothing short of awesome. He brings an amazing amount of equipment with him and it looks like an outrageous amount of fun. If you were the kid who liked to take things apart just to see how they worked, this would be the class for you. I saw legions of hard drives in various states of assembly and watched at least one student trying to solder his way into bringing a drive back to life. The class room looked like a hard drive civil war had occurred there. It was hard drive Gettysburg.

Being a Teaching Assistant for Rob was a great experience. We had around 50 students in the class and I enjoyed helping Rob introduce them to the world of digital forensics. I was surprised by how many of the students were new to digital forensics. One of the things I found most fulfilling was being able to share my own experiences learning digital forensics with the students. It was a long time ago that I started on this path myself and it was quite a bit of fun watching people start on the same path with so much enthusiasm. We even had a student destroy their first hard drive (complete with “magic smoke”) while trying to image it. I felt like a proud father watching his son score his first touchdown. If you do digital forensics long enough, you’re going to kill your fair share of hard drives. Imaging can be really rough on a drive, and if you have one that is already on death’s door knocking loudly, the imaging process is more than capable of opening the door. Now that I think about it, we should have rushed it next door to Scott’s class…
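Since a drive on death's door is the case every new examiner eventually hits, here is what an imager has to do when sectors start failing mid-acquisition, as an added example that is not course material from FOR408 or any vendor's imager. The imager reads sector by sector, retries a failed read a bounded number of times, zero-fills a sector that still cannot be read so that every later sector keeps its original offset (the behaviour of `dd conv=noerror,sync`), logs the unreadable sectors, and hashes the image as it is written so the acquisition hash can be verified afterwards. The source "drive" is a constructed in-memory object that fails on chosen sectors; the sector size of 512 bytes and the retry count are assumptions.

```python
"""Sector-by-sector acquisition from a source with unreadable sectors:
retry, zero-fill what still fails, log it, and hash the image as written.

Added example, not any product's code. FlakyDevice and SAMPLE_DRIVE are
constructed stand-ins for a failing physical drive.
"""
import hashlib
import io

SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a dying drive.

    Sectors in `transient` fail once and then read fine (a marginal sector
    that comes back on retry); sectors in `permanent` fail every time.
    """

    def __init__(self, data, transient=(), permanent=()):
        if len(data) % SECTOR:
            raise ValueError("constructed drive must be a whole number of sectors")
        self.data = data
        self.transient = set(transient)
        self.permanent = set(permanent)
        self.reads = 0          # total read attempts, including failures

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        self.reads += 1
        if n in self.permanent:
            raise OSError(5, "Input/output error")
        if n in self.transient:
            self.transient.discard(n)   # fails this time only
            raise OSError(5, "Input/output error")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(dev, out, retries=3):
    """Image `dev` into the writable binary stream `out`.

    Returns an acquisition record: sector count, the list of sectors that
    were zero-filled after `retries` failed attempts, and MD5/SHA-1 of the
    bytes actually written (zero-filled sectors included, which is why the
    bad-sector list must travel with the hashes in the case notes).
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    bad = []
    for n in range(dev.sectors):
        block = None
        for _attempt in range(retries):
            try:
                block = dev.read_sector(n)
                break
            except OSError:
                continue
        if block is None:
            block = b"\x00" * SECTOR     # conv=sync: keep every later offset intact
            bad.append(n)
        out.write(block)
        md5.update(block)
        sha1.update(block)
    return {"sectors": dev.sectors, "bad_sectors": bad,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(image_bytes, record):
    """Re-hash a stored image and compare with the acquisition record."""
    return (hashlib.md5(image_bytes).hexdigest() == record["md5"]
            and hashlib.sha1(image_bytes).hexdigest() == record["sha1"])


# Constructed 8-sector source with a recognisable, non-zero byte pattern.
SAMPLE_DRIVE = bytes(range(256)) * 16


def demo(retries=3):
    """Image the constructed drive: sector 2 is marginal, sector 5 is dead."""
    dev = FlakyDevice(SAMPLE_DRIVE, transient=[2], permanent=[5])
    out = io.BytesIO()
    record = acquire(dev, out, retries=retries)
    return out.getvalue(), record, dev


if __name__ == "__main__":
    image, record, dev = demo()
    print(f"{record['sectors']} sectors, {len(record['bad_sectors'])} zero-filled: {record['bad_sectors']}")
    print(f"{dev.reads} read attempts, md5 {record['md5']}, sha1 {record['sha1']}")
    print("verifies:", verify(image, record))
```

Two things to notice: the hash proves the image has not changed since acquisition, not that it matches the drive, so the zero-filled sector list is part of the evidence record; and every retry is another read of a failing platter, which is the trade-off the paragraph above is describing.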

Coming Soon

The interview with Richard Bejtlich was very well received and I’m grateful for all of the positive comments that were sent in response.  One of the positive things that came out of the interview is that I have been approached by several really high caliber people who liked the interview and who I will be using as future interview subjects.

Wednesday, September 15, 2010

Great Digital Forensics Job Opportunity

I don’t normally do this, but I want to bring to the reader’s attention a great job opportunity in digital forensics.  The United States Department of Agriculture’s Office of the Inspector General (USDA OIG) has a GS-13 position open in their digital forensics lab in Kansas City, Missouri.

This is a great opportunity because you’d get to work on a team led by Mike “Jake” Jacobson. Jake is a former local law enforcement officer who has had a distinguished career in digital forensics including being assigned to the Heart of America RCFL. He’s a very sharp fellow who is passionate about digital forensics and he’s finalizing his team over at the OIG. This is a high paying job in a low cost area with a great team.

I have nothing to do with this process and any questions should be directed to Jake at mike.jacobson a/t/ oig.usda d0t gov.  You’ll want to act fast if you are interested because the application period is only open for two weeks.

Sunday, September 12, 2010

Interview with Richard Bejtlich

I had been working on a “guru post” for the longest time where I examined the backgrounds of top tier digital forensics people in an attempt to find common trends in how they got to where they did in the field. I found common paths like obtaining technical degrees from good universities and getting direct job experience in the military or law enforcement. However, no matter how I wrote the post up, it just didn’t work well. Telling someone to get an electrical engineering degree from the US Air Force Academy and then trying to get assigned to the Air Force Office of Special Investigations is an interesting bit of advice, but it’s only going to work for a limited number of people and it doesn’t provide any broadly applicable lessons for the rest of us.

What I decided to do instead is to just interview some selected gurus and focus on how they decided to go into digital forensics and what paths they took to get there.  I took a page from the British Special Air Service and went with the “Who Dares Wins” approach by asking Richard Bejtlich to be my first interview subject.  Richard was kind enough to agree and what follows is the result. 

Richard went well above and beyond the call of duty with this interview and I’d like to thank him publicly for putting up with what essentially turned out to be a beta test of the concept. He salvaged more than one bad question for me (the Hoover Institution one was a dog. I knew what I wanted to do with it, but setting up a question with content unfamiliar to the interview subject is a bad idea) and was very patient with a process that I’m going to make much shorter in the future.

Richard’s bio is available here and it briefly documents his career progression during his Air Force service and into the private sector. You should also follow his TaoSecurity blog, which is a must read for anyone involved in digital forensics. Lastly, Richard was recently interviewed by Gary McGraw of The Silver Bullet Security Podcast.

The Interview

AFoD: Like many leading digital forensic and information security experts, you chose the United States Air Force as your starting point. Can you describe what motivated you to become an Air Force officer?

RB: After seeing Star Wars in the theater in 1977 I decided I wanted to be an astronaut.  Once my eyesight failed I realized I couldn't be a pilot, so I decided to be a Mission Specialist who designed spacecraft.  I looked for programs in astronautical engineering.  I told my parents I would put myself through college.  An Air Force ROTC program appeared to be my best option.  I wanted to attend MIT and have the Air Force help pay for the program.

AFoD: What was your path to the Air Force Academy?  Did you participate in any programs like Air Force JROTC or anything similar?

RB: I am an Eagle Scout, but I did not participate in JROTC.  My family had very little prior military experience and no awareness of the service academies.  I learned about USAFA while attending an Air Force ROTC event at Hanscom Air Force Base.  Some USAFA recruiter earned his or her pay that night!  The USAFA video they showed hooked my attention, and I applied to USAFA.  I also participated in the "Summer Scientific Seminar," a pre-Academy summer event to recruit cadets. Although MIT accepted me and the Air Force provided a ROTC scholarship, my USAFA acceptance arrived first.  I accepted the appointment and sealed my fate!

AFoD: What was your Eagle Scout project?

RB: A high school friend succumbed to childhood leukemia while we were freshmen in high school.  To honor her memory and to raise awareness and funds for childhood leukemia I organized a road race in 1989 as a high school senior.  I believe 4 to 6 more happened during the 1990s; I helped with a few but was away in Colorado for most.

AFoD: What was it about that USAFA video that so attracted you to the institution?

RB: The tennis courts.  I saw something like 30 of them and thought, "Wow."  On a serious note, USAFA seemed like THE place to go if you wanted to be an officer, and especially if you wanted to be an astronaut.  I didn't apply to any other military academy.  People asked "what if you don't make it?  Shouldn't you apply to West Point and Annapolis too?"  I replied "I don't want to be in the Army or Navy."

AFoD: You're one of the leading digital forensic and information security thought leaders in our community.  Many of your peers who became similarly prominent obtained degrees in disciplines like electrical engineering and computer science from top quality schools like the Air Force Academy, VMI and MIT.  Why did you decide to study history rather than a technical discipline?

RB: I was ready to study astronautical engineering at USAFA.  My placement tests landed me in Calculus 243 with juniors and seniors.  However, my freshman history teacher, Captain Ruffley, made a big impression on me.  He was an intelligence officer who focused on the Soviet Union. His work sounded a lot more interesting.  I also met professors who were officers and who hoped to be astronauts, but they seemed so *old*.  I could do military intelligence right out of the Academy. When we started bombing Iraq during the first Gulf War in early 1991 I knew intelligence was the right role for me.  I selected history as my major, and later added political science as a second major and French and German as minors.  I was a little too ambitious back then.

AFoD: Can you describe how your studies in history and political science at the USAFA prepared you for your future roles in the Air Force and the private sector?

RB: These are three of my favorites: 1) People now are NOT smarter than anyone who lived before.  People who think they are smarter will likely assume they can overcome history's lessons.  Their hubris enables failure. 2) Writing is very important.  Solid writers often prevail. 3) Nation-states are not monoliths.  Read Essence of Decision: Explaining the Cuban Missile Crisis by Graham Allison.

AFoD: Hoover Institute Fellow Peter Robinson recently conducted an Uncommon Knowledge interview with Ambassador Charles Hill.  The interview was an exploration of Hill's idea that academic institutions are failing to teach "grand strategy" to our future leaders.  He states that students are disappointed when they undertake studying a discipline like political science expecting to be taught how to tackle big problems, but wind up being presented with small problems such as voting trends for a particular congressional district.  Hill also thinks that one cannot learn "Grand Strategy" without an appreciation of literature. You are a proven leader who clearly understands how to tackle "grand strategy" type problems. What taught you how to think about how to attack a large problem such as information warfare in a corporate environment? Did learning history at the Air Force Academy and your graduate work at Harvard lay the foundations of where you are today or was it something after your formal education?  Would you recommend the Air Force Academy to a high school student who wants to become a future leader in private industry?

RB: As a history and political science double-major I confronted lots of "big problems" in school.  After graduation in 1994 I was thankful to be selected to attend the Harvard Kennedy School (as it's called now) to work on a Master's degree in public policy.  As a lieutenant I shared the class with colonels and enjoyed instructors who were former National Security Council advisors, generals, and so on.  My USAFA and Harvard experiences contributed to my development, but everything I needed to know about leadership I learned as a Patrol Leader.

AFoD: Your experiences in the Boy Scouts mirror my own a bit in that one of my formative experiences was as a Police Explorer (which is a program that is part of the Boy Scouts). I learned a lot about leadership early by being exposed to a program like the Explorers. What would you recommend to someone who is reading this interview while they are in college and doesn't have the opportunity to join an organization like the Scouts or the Explorers, but wants to learn about leadership first hand?

RB: Lead something, anything -- say, organize an event.  If you're a  security person, organize a group or a con.  There is no substitute  for being on point!

AFoD: The Kennedy School is one of the nation's most prestigious schools of government and public policy. Graduate school tends to come much later in the career process of the average US military officers.  How did a junior officer such as yourself get selected to attend that program?

RB: Since the 1970s USAFA and Harvard have shared an arrangement whereby they accept 4 or 5 graduates each year.  I applied and won a slot.

AFoD: You have a passion for reading, writing and reviewing information security books with Amazon being your chosen platform for your book reviews. What constitutes a five star book?

RB: Five star books 1) change the way I look at a problem, or properly introduce me to thinking about a problem for which I have little or no frame of reference; 2) have few or no technical errors; 3) make the material actionable; 4) include current research and reference outside sources; and 5) are enjoyable reads.

AFoD: What causes you to remove stars from a review?

RB: Failure to meet the previous. I also subtract for plagiarism, poor production quality, and repetition of previously published material.

AFoD: Anyone who follows your blog or your Twitter feed knows that you are less than enthusiastic about Power Point based presentations.  What sort of presentations do you advocate as a replacement?

RB: Focus on the message not the medium.  Don't think "I need to create slides on topic X."  Think "how best can I communicate topic X to the audience?"

AFoD: What advice would you give to someone who is going to give a presentation before a large audience on a technical subject like information security?

RB: Consider using handouts instead of slides.  Attend a class by Edward Tufte.

What I Learned From The Interview

Richard is clearly a very smart and driven person. I knew that going into the interview, but I really wanted to learn how that manifested itself in his formative academic years. If you are smart enough and driven enough that you end up with the US Air Force Academy and MIT offering you an opportunity to study with them, you’re clearly someone who will be successful in your chosen field. That’s an obvious lesson. Apply yourself and utilize the gifts and opportunities that are available to you and you maximize your chance for success in any field.

I was also taken by how flexibility was a theme with his professional development.  He didn’t set out to be an information warfare leader, but when presented with setbacks and new opportunities, he readjusted and continued on his path. This is something you’d expect from our war fighters, but it’s a lesson that all of us can learn from and apply to ourselves.

The leadership aspect of the interview was something that resonated with me because of my own experience in law enforcement and police exploring. One of Richard’s earliest formative experiences with leadership was his experience in the Boy Scouts. There are fundamental qualities of leadership that can be learned early in life and do not necessarily require formal training in a service academy to obtain. While these are qualities that are drilled into those of us who served in the military or law enforcement, they are also attainable by learning from proven leaders like Richard.

Another thing that stands out from both this interview and his professional life is passion. If you aren’t passionate about something, you are unlikely to reach the top of that profession. Richard shares a quality that appears to be universal with the top tier people in digital forensics, and that’s passion for the field. The top players in our field aren’t people who just punch a time clock and then forget about digital forensics when they go home. Richard is an excellent example of this. Not only does he direct the incident response function for one of the biggest corporations in the world, but he reads, writes, and reviews information security books. He conducts research and teaches. He also finds time to frequently update his blog and indulge people like me when we ask him to do an interview.

Lastly, his perspective on book reviews is a natural progression of what he spoke about earlier in the interview and what I learned from him. He approaches his book reviews as a learning experience, and you can see his intellectual flexibility on display when he speaks about how a good book can change the way he looks at a problem. This ties into his comments about the study of history earlier in the interview, where he stated that “People now are NOT smarter than anyone who lived before. People who think they are smarter will likely assume they can overcome history's lessons. Their hubris enables failure.” This is an important lesson in digital forensics because our field has so much technological complexity. An open mind and a healthy degree of intellectual honesty will go a long way in allowing one to remain open to new ideas and methods in this ever changing field.

Thursday, September 9, 2010

NYC4SEC Meetup

The next NYC4SEC Meetup is next week on Thursday at Pace University in NYC.  The special guest for this event will be Ovie Carroll from the SANS Institute.  Ovie will be teaching FOR408 next week in New York.

The response to the “Take Vienna” blog post was very positive and I’m grateful to all of the comments that were posted on the blog and sent to me privately.  I’ll be doing a follow up blog post where I expand on the subject a bit more. I will also provide some examples of excellent digital forensic scientists who have devoted their lives to becoming digital forensics professors and teaching others to become lethal forensicators.

Saturday, September 4, 2010

Take Vienna

Napoleon once said that if you start to take Vienna – take Vienna.  This is the same advice that I give people who are interested in obtaining an academic degree in digital forensics. If you start to study digital forensics – then study digital forensics.  If you are passionate about digital forensics and you want to break into the field by obtaining a digital forensics degree then do it properly.

With the increasing popularity of digital forensics, we are seeing an explosion of academic programs that claim to prepare students for a career in the field. Some of these programs are well suited for this task and others appear to be a great waste of time and money. 

For example, I have observed quite a few programs that label themselves as computer forensics programs, but offer very little in the way of a proper computer forensic education.  Many of these programs are nothing more than classic computer science programs that offer a handful of computer forensic classes by instructors whose CVs don’t indicate a mastery of the field.

It’s not that students won’t benefit from academic programs that teach foundational information technology skills such as networking, programming and databases as they prepare for a career in digital forensics.  Some of our greatest digital forensic gurus studied disciplines like electrical engineering (Harlan Carvey), computer science (Jesse Kornblum) and mechanical engineering (Eoghan Casey).  However, we live in a time where those who are passionate about the field have many opportunities at the academic level to build a strong foundation in digital forensics early in their careers.

If you are going to get a degree in digital forensics then get a proper degree in digital forensics.  The digital forensics program at Champlain is a good example of what appears to be a solid program. I have heard very good things about this program from at least one of my trusted peers who has hired their graduates.  Champlain offers a bachelor’s level degree in Computer and Digital Forensics.  Instead of a handful of token computer forensic classes layered on top of a traditional computer science curriculum, this degree program appears to be specifically designed to prepare students for a career in digital forensics. It is also offered online and at the Champlain campus.

If you look over the curriculum, you will see that they offer nine specifically branded forensics courses including an internship.  These courses include content specifically geared towards digital forensics, such as a pair of foundational computer forensics courses, but also courses in areas such as anti-forensics and network forensics.  A nice bonus is that students can get some training in areas such as white collar crime, forensic accounting, criminal law and criminal procedure.  This program also provides students with the opportunity to obtain grounding in general information technology skills such as networking.

A critical consideration when deciding which degree program to enroll in is not only the strength of the material, but who is teaching you that material.  I like to review the CVs of professors who teach computer forensic courses to get a feel for whether these are people who actually have experience in the field or if it’s just a side thing for them.  A lot of the people I see teaching digital forensic classes are people who appear to have very strong backgrounds in computer science, but look very weak when it comes to digital forensics. It’s a bad idea to get a computer guy, even a highly skilled one, to act as an expert witness in a legal case instead of an actual digital forensics expert. It strikes me as an equally bad idea to have that same computer guy teach people digital forensics.

With a program like Champlain, you get an instructor like Jonathan Rajewski teaching some of your classes.  Jonathan might not have a PhD, but he has real live experience in the field and has worked as a full time digital forensics practitioner before he became a professor at Champlain.  In fact, according to his biography, he continues to work in the field as part of the Vermont ICAC Task Force.

The rub with a program like this is that it comes at a high price.  The online program costs $540 a credit hour.  The campus based program is going to cost you over $27,000 a year.  Student loans can be a horrible burden if you borrow more money than your degree is ultimately worth.

Another interesting looking program that I don’t have much familiarity with is the Bachelors of Science Program in Technology Forensics at the University of Advancing Technology.  If you look at their online course content, it has a similarly strong focus in actual digital forensics just like the Champlain program does.

Network Security 2010

SANS Network Security 2010 in Las Vegas is mere weeks away.  Get your seats if you haven’t done so already.  The seats at these events can sell out before the event.  For example, Jonathan Ham’s FOR558 Network Forensics class already has a waiting list.

I’ll be acting as Rob Lee’s Teacher’s Assistant for FOR408 Computer Forensics Fundamentals. This class has been expanded to a sixth day because of all of the new forensic goodness that has been added.  I can’t wait to meet all of the students and help Rob turn them into lethal forensicators.

Saturday, August 28, 2010

Kristinn Gudjonsson’s GIAC Gold Paper Released

Kristinn has announced that his GFCA gold paper entitled “Mastering the Super Timeline With log2timeline” has been released. You can get it here.

Kristinn and I are also back at work on the Adobe Flash Cookie research and tool development project and we hope to have it wrapped up relatively soon.  The release of Flash Player 10.1 set my portion of the research back a little bit since there were some changes to how things work, but the fundamentals remain the same.

I have completed the file system tunneling research portion of the project and that will be part of the final paper since it’s critical to understanding time and date issues with these artifacts. The universal response when I have approached various forensic gurus on the issue has been unfamiliarity.  It appears that file system tunneling is something that was esoteric enough that it hasn’t appeared on anyone’s file system research radar until Kristinn and I ran into it during the course of our research.

Sometimes you just get lucky.


There have been a lot of interesting items that I have run across recently that I’d like to share with the group.

The first is an EFF article on Apple’s efforts to patent spyware and what EFF terms “traitorware”. Your spider senses should start tingling when you read the article.

The second is a fantastic Brad Garnett SANS Blog post on report writing.  Report writing is an area that is critically important for digital forensic examiners to learn and master, but it’s a very neglected topic when it comes to digital forensic training.

Lastly, Brandon Gregg has an excellent article over at CSO Online on free and cheap tools to help manage investigations.  I found the last segment on “hypothesizing your investigation” to be particularly intriguing. 

Sunday, August 22, 2010

Horse Then Cart

I usually have a couple blog posts in some sort of draft form at any given time.  This thread over at Forensic Focus allowed me to flesh out one of those drafts enough where I essentially wrote the core of what I’d like to write about today. 

I’m frequently approached by people who are either putting together a forensic team or just preparing to get into forensic work on their own.  One of the first questions that I am almost invariably asked is what tools I recommend that they obtain.  That’s not a question that I can intelligently answer unless I have some idea of what purpose the team is going to serve.  In the business world, customer requirements should drive tool selection, team recruitment and process development.  One of the classic mistakes that one can fall into is allowing your processes to be driven by your tools.  Vendors are very keen to sell you their tools regardless of whether they are a good fit for your organization or customer requirements.  If you allow the vendors to drive your team development by making you dependent on their tools and processes, you can end up with a team that isn’t much more than a group of glorified tool drivers.

It’s important to understand the customer requirements first and then craft a team to meet those requirements.  A team that is intended to do a lot of eDiscovery work will not have the same tools, people and processes as a team that is primarily tasked with incident response forensics.  The eDiscovery focused team, for example, won’t have as keen of a need for memory forensics and malware reverse engineering compared to the incident response forensic team.

Team selection and training will also be driven by customer requirements for the same reason.  There are quite a few subdisciplines in digital forensics and team selection will be driven in part by how mastery of selected subdisciplines will accomplish the customer requirements.  For example, if a team is going to be engaging in eDiscovery, that team will require people with backgrounds in areas such as software development and database management.  There are many fine eDiscovery tools out there, but they aren’t necessarily going to be tailor made to meet your requirements right when you take off the shrink wrap.  I’m still amazed when I run across firms that are doing eDiscovery work who don’t have anyone on staff that can do development work.  That tells me that their processes are probably being dictated by the tools and they almost certainly lack the flexibility of other firms that have a robust developmental capability.

By the same token, it’s hard for me to consider a team to be a world class incident response team if it doesn’t have a robust malware reverse engineering capability.  Sure, you can do incident response without having malware gurus on staff, but it’s a hard sell to claim that you’re somehow on the cutting edge of incident response work if you can’t study the tools of an attacker in detail.

Lastly, it strikes me as a mistake to disqualify otherwise excellent forensicators because they aren’t familiar with a particular tool that your team uses.  While it’s certainly something to take into account, a candidate’s fundamental knowledge is more important than their ability to drive a tool. It’s much harder to pick up the fundamentals than it is to learn to drive a tool.

Sunday, August 8, 2010

Tweeting Forensicators

During a recent episode of the Inside the Core Podcast, Joe Garcia of Cybercrime 101 spoke about how he uses Twitter to tap into the collective knowledge of the community.  I held out against using social media for a very long time and it has only been within the last year that I’ve come to embrace at least some of it.

I say some of it because I briefly experimented with Facebook and decided it was wretched.  Its business model is designed around the concept of users being a commodity rather than a customer.  The users gladly input their personal data into the system and Facebook diligently works at turning that personal data into cash for Facebook.  Factor in all of the noise from the games, a mediocre user interface and annoying ads and I’m more than happy not to use it.

Twitter, on the other hand, has turned out to be a very useful communication method that I’ve embraced along with many others in the digital forensics community.  I initially created a Twitter account just to see how the system worked.  I didn’t really do much of anything with the account for quite some time.  I eventually decided to start following some of the forensic gurus who Tweet and that resulted in me becoming actively involved in the digital forensics Twitter community.

It’s a great way to keep up on developments from the community because it tends to work like a form of Digg where the users you follow will determine what sort of news stories, research results and other information appear on your Twitter timeline.  For example, I follow digital forensic and information security gurus like Rob Lee, Harlan Carvey, Richard Bejtlich, Chad Tilbury, Ed Skoudis, Mike Murr (rumor has it that Mike isn’t actually blue in real life. I refuse to believe this until I see it with my own eyes), Stephen Northcutt and Mike Cloppert. Most of these people use their Twitter accounts to distribute news and commentary on the information security issues of the day.  For example, Richard Bejtlich’s Twitter feed was a must read for those who weren’t able to attend this year’s Black Hat in Las Vegas.  Twitter was also a great source of information during the recent SANS Forensic Summit for those of us who weren’t able to attend.  Because so many people who were at the summit were actively Tweeting about the event, those of us who weren’t there could interact with the participants and experience at least a little bit of the energy of the event.

There are also a lot of our fellow forensicators who use Twitter to socialize and interact with the community on a more personal level.  The Twitter forensic community has been a nice experience in that it has helped to build a sense of camaraderie that can be hard to establish when you have so many people who are physically separated from each other.   I have found this community to be very helpful when I need to get information to help solve a problem on short notice. For example, I recently ran into trouble with an encrypted device and I was able to get instantaneous help from a variety of forensic experts from around the globe in helping me solve my problem.  A problem that several years ago might have taken me days to get a resolution to through sources like email listservs was solved in a matter of an hour or so through Twitter.

Building up strong relationships is important for professional and technical success.  It can be hard to sell the value of developing strong relationships in an industry that can sometimes be dominated by traditional IT types who aren’t necessarily the most social people to begin with.  I’ve spent a lot of time over the years establishing relationships with other forensic people because I learned very early in my forensic career that since you can’t know everything, it’s important to have relationships with people who can help you when you get into a bind. Through Twitter, I have been able to meet and get to know some great people such as Joe Garcia, Lee Whitfield, Mark “Toolio” McKinnon and many others who I never would have had the opportunity to interact with had I not become involved with the Twitter digital forensics community.

So my advice is to give Twitter a try and become involved with the Twitter digital forensics community.  You can lurk without becoming actively involved and just soak up all of the good knowledge that is passed around the community each day or you can get more actively involved and start to build some productive relationships with your peers.

Reason #217 Why You Shouldn’t Hire A “Computer Guy” To Do A Forensic Examination

Lee posted this sanitized report that came from someone who clearly is a “computer guy” rather than a lethal forensicator.  I have seen this problem first hand and I have heard many similar stories from my fellow examiners who have dealt with this problem in the past.

It’s the same basic scenario that plays out around the globe it seems.  An otherwise sharp attorney has a client who needs an expert to deal with computer evidence during a legal proceeding.  The attorney decides that because it’s computer related evidence, they need a “computer expert” to act as their expert witness.  For whatever reason, they are lured into the trap of thinking that someone with a lot of knowledge about computers must also be qualified to do digital forensic work.  Maybe this “expert” even has a Microsoft certification and the attorney thinks that an MCSE qualifies this person to perform a forensic examination.

The report that Lee has in his blog post is the common result and it’s a disaster for the attorney and the client.  A report like this will likely lead to a very uncomfortable outcome if the other side has a competent forensicator who is advising the opposing counsel.   I can only imagine the miserable experience that this “expert” would have had trying to defend this report during a cross-examination.

If you read the report and find yourself having a hard time seeing what the problems are in the report, I’d like to gently suggest that you might find a lot of value in taking the SANS Computer Forensics Fundamentals course.  The good news: Rob Lee will be teaching this very course in Las Vegas next month at SANS Network Security 2010.  The bad news: If you take this course next month, you’re stuck with me being Rob’s Teacher’s Assistant.  I’m very much looking forward to helping Rob turn out another batch of lethal forensicators and I hope I get to see some of you there at Network Security 2010.

Wednesday, August 4, 2010

Newer Blog Template

I started to get eyestrain while reading my own blog and there was at least one other person who mentioned they were having the same issue with the new blog template.  I now understand why major news sites and blogs use black text on a white background. This current template will serve as a temporary one until I can develop something a bit more permanent.  The ultimate goal is to come up with a template that is clean and easy to read.

Monday, August 2, 2010

New Blog Template

When I created the blog, I picked out the most minimalist template that I could get away with because I just wanted to get some content up without agonizing over appearance.  I decided that it’s time to make the blog look a bit better now that it’s gained in popularity.

I’ve been scouring the Internet for a while looking for a template that would be appropriate, but couldn’t really come up with anything that wasn’t stereotypical.  The standard technical templates are what you’d expect…pictures of computers, mobile phones, countless Matrix themed backgrounds, Windows themes, etc.

I like the white lettering on black background that the SANS Forensic Blog uses so I decided to just use the Blogspot template creator to come up with something workable that I hope you will like better than what I had before.

I have increased the size of the font in addition to using the black and white theme so that it would be easier to read.  I also have to admit that I’m fond of the juxtaposition of the scenic yet barren desert background alongside the highly technical content of the blog itself.

I’ve also put up a live feed of the AFoDBlog Twitter account so that readers can get a sense of what I’m putting out through that account.

Wednesday, July 28, 2010

Go After The Flank

There was a thread this week on one of the digital forensic email lists I follow where the initial email was from an examiner who was seeing signs of an anti-forensic wiping program.  The examiner was looking for assistance in determining what program might have been used.  He had performed what any of us would normally do, such as looking in places like the registry and so forth.  I responded to the list on how I sometimes approach problems like these in an indirect manner by looking at web history.  An examiner from a government digital forensics lab found the response useful since he’s in the process of training some new examiners and asked if he could pass it along.  Of course, I was flattered that he thought it was useful information so I was happy to see him make use of it in training his new examiners.  I thought I’d share my thoughts with the rest of the team through this blog in case anyone else found it useful also.

Web history is still good for this sort of investigation also.  It's an indirect way of going after the problem, but one of the things I've learned about digital forensic examinations is that sometimes it pays to flank the enemy, so to speak. 

For example, if you come up empty with the traditional registry forensic searches, hitting an image with something like HSTEX and going over all of the browser history that is available might get you some results.  I've had cases like that where, if I can get an image soon enough after an application of interest is installed and used, I can see the predictable timeline of events such as the user's Google searches looking for a particular application, the user accessing a specific application's website, the download link and sometimes the file access information from IE history when the user starts interacting with the program in question.

That's why even if you have a user who is using a non-IE browser, you still want to process all of the browser history especially those IE index.dat files because you can still get some interesting file hits from that history.
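The timeline described above, reduced to a small script: this is an added example and not the author's tooling or HSTEX output. It assumes browser history has already been extracted into simple (timestamp, URL, title) records; the history entries, the keyword list and the vendor and tool names are all constructed for the example. The script classifies each record into one of the phases the post names (keyword search, application website, download link, local file access from IE history) and then checks whether those phases appear in the expected order, which is the pattern an examiner would be looking for.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample browser-history records: (UTC timestamp, URL, page title).
# Made up for this example; the vendor, tool and user names are fictitious.
SAMPLE_HISTORY = [
    ("2010-07-20 14:02:11",
     "http://www.google.com/search?q=securely+wipe+free+space+windows",
     "securely wipe free space windows - Google Search"),
    ("2010-07-20 14:03:40",
     "http://www.examplewiper-vendor.test/",
     "ExampleWiper - Securely Wipe Your Disk"),
    ("2010-07-20 14:04:05",
     "http://www.examplewiper-vendor.test/download/ExampleWiperSetup.exe",
     "Download"),
    # file:// entries like these are what IE's index.dat records when the user
    # opens a local file, even if the web browsing itself happened in another browser.
    ("2010-07-20 14:06:30",
     "file:///C:/Users/jdoe/Downloads/ExampleWiperSetup.exe",
     "ExampleWiperSetup.exe"),
    ("2010-07-20 14:09:12",
     "file:///C:/Program%20Files/ExampleWiper/readme.txt",
     "readme.txt"),
    ("2010-07-20 15:00:00",
     "http://news.example.test/story/123",
     "Local news"),
]

# Constructed keyword list for search queries and page titles; tune it per case.
KEYWORDS = ("wipe", "secure delete", "shred", "erase", "anti-forensic")
INSTALLER_EXTENSIONS = (".exe", ".msi", ".zip")
# The sequence the post describes: search, vendor site, download, then local use.
PHASE_ORDER = ("search", "vendor_site", "download", "local_file")


@dataclass
class Event:
    when: datetime
    phase: str
    detail: str


def _has_keyword(text: str) -> bool:
    lowered = text.lower()
    return any(k in lowered for k in KEYWORDS)


def classify(url: str, title: str) -> Optional[Tuple[str, str]]:
    """Map one history record to a phase of the install timeline, or None if uninteresting."""
    parsed = urlparse(url)
    path = unquote(parsed.path)
    # Local file access recorded in browser history -> user interacting with the program.
    if parsed.scheme == "file":
        return ("local_file", path)
    # Google search whose query mentions a keyword of interest.
    if "google." in parsed.netloc and parsed.path == "/search":
        query = parse_qs(parsed.query).get("q", [""])[0]
        return ("search", query) if _has_keyword(query) else None
    # Fetch of an installer-looking file -> the download link.
    if path.lower().endswith(INSTALLER_EXTENSIONS):
        return ("download", url)
    # A page whose title mentions a keyword -> the application's website.
    if _has_keyword(title):
        return ("vendor_site", parsed.netloc)
    return None


def build_timeline(records) -> List[Event]:
    """Classify every record and return the events of interest in time order."""
    events = []
    for ts, url, title in records:
        hit = classify(url, title)
        if hit is not None:
            phase, detail = hit
            events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), phase, detail))
    events.sort(key=lambda e: e.when)
    return events


def phases_in_order(events: List[Event]) -> bool:
    """True when every phase in PHASE_ORDER occurs and their first occurrences are in sequence."""
    firsts = []
    for phase in PHASE_ORDER:
        idx = next((i for i, e in enumerate(events) if e.phase == phase), None)
        if idx is None:
            return False
        firsts.append(idx)
    return firsts == sorted(firsts)


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_HISTORY)
    for e in timeline:
        print(f"{e.when:%Y-%m-%d %H:%M:%S}  {e.phase:<12} {e.detail}")
    print("expected sequence present:", phases_in_order(timeline))
```

In a real examination the records would come from every browser profile on the image, IE's index.dat files included, and the keyword list would be built from whatever the registry and file system work had already turned up; the point of the script is the ordering check, which turns scattered history hits into the predictable sequence the post describes.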

This is one of the reasons why digital forensics feels like an art sometimes.  It’s certainly a science and we should be using the scientific method early and often in how we approach our jobs. In addition to having a strong analytical approach, one of the things I like to see in an examiner is a healthy amount of creativity and curiosity.  These are qualities that greatly assist in solving challenges that we’re continuously faced with in digital forensic examinations.


I’ve been bookmarking quite a few websites that have come up through my Twitter feed and other resources that I’d like to share with the group.

The HSTEX tool that I mentioned above is Craig Wilson’s awesome web browser history extractor.  You can find it here and it goes together with his NetAnalysis product like chocolate and peanut butter.

The first is one that I learned about from Jonathan Krause and that’s ddrescue.  Jonathan pointed out an article at that talks about the use of the tool. This might be a tool that many are already familiar with especially if you are used to doing forensics in a Linux environment.  I’ve recently rediscovered the joys of using Linux in digital forensic examinations so I’m enjoying learning about tools like this.

The next tool of interest is the CAINE Live CD.  I don’t remember how I learned about this tool, but it looks interesting enough that I’d like to play with it more to see if I should add it to the toolbox. The CAINE project is managed by Nanni Bassetti and contains a whole host of forensic tools including the previously mentioned ddrescue. Another nice feature is the WinTaylor aspect which includes tools like the Nirsoft Mega Report which uses a variety of Nirsoft tools to extract data for a report.

Next up is FirePasswordViewer and, again, I didn’t write down where I learned about this one.  I haven’t tried this program either, but it looks like it could be a useful tool for extracting login passwords from Firefox.  This gets back to the idea of flanking the enemy when it comes to forensic examinations.  If I have an encrypted container that I can’t easily brute force, I might be able to just cut the Gordian Knot by obtaining passwords from easier-to-attack sources like this and using those same passwords against the encrypted container.  Sure, you used Serpent-Twofish-AES encryption on your TrueCrypt container that you didn’t want the police to examine, but you used the same password that you saved in your Firefox password container to login to your Facebook account.

Lastly, we have the Paladin Live CD from SUMURI.  The guys over at the Inside the Core Podcast (see below) talked about it on their most recent episode. I haven’t been able to test this one out yet either, but it’s a Live CD that can be used for making images.  The nice thing is that it can be used to image Macs in addition to PCs.  When people ask me about how long it takes to remove a hard drive from a Mac laptop, I tell them about 15 years.  Four years of undergraduate school, four years of medical school, five years of general surgical residency and a two year fellowship until you have the necessary surgical skills to successfully remove a hard drive from a Mac and to put it back in without the dreaded “Bag O’ Laptop”.

Podcasts and Blogs

I don’t perform Mac forensics, but given that Inside the Core defeated Forensic 4cast (where I’m a panelist from time to time) and Cyberspeak in the 4cast awards, I thought I’d give it a spin this week.  I have to say that even though this isn’t an area of digital forensics that I’m currently engaged in, I really enjoyed the podcast.  The most recent episode features an extended section on Google Chrome forensics which, even though it was geared towards examination on a Mac platform, was useful information for Chrome forensics on a PC.

Ken Pryor put up a great blog post on the SANS Forensic Blog.  Ken provided us with a nice compilation of all of the various test images that we can use for practice and research purposes.  There were quite a few that I didn’t realize were available and I’ll happily be making use of them in future research efforts.