Sunday, August 8, 2010

Tweeting Forensicators

During a recent episode of the Inside the Core Podcast, Joe Garcia of Cybercrime 101 spoke about how he uses Twitter to tap into the collective knowledge of the community.  I held out against using social media for a very long time and it has only been within the last year that I’ve come to embrace at least some of it.

I say some of it because I briefly experimented with Facebook and decided it was wretched.  Its business model is designed around the concept of users being a commodity rather than a customer.  The users gladly input their personal data into the system and Facebook diligently works at turning that personal data into cash for Facebook.  Factor in all of the noise from the games, a mediocre user interface and annoying ads and I’m more than happy not to use it.

Twitter, on the other hand, has turned out to be a very useful communication method that I’ve embraced along with many others in the digital forensics community.  I initially created a Twitter account just to see how the system worked.  I didn’t really do much of anything with the account for quite some time.  I eventually decided to start following some of the forensic gurus who Tweet, and that resulted in me becoming actively involved in the digital forensics Twitter community.

It’s a great way to keep up on developments from the community because it tends to work like a form of Digg, where the users you follow determine what sort of news stories, research results and other information appear on your Twitter timeline.  For example, I follow digital forensic and information security gurus like Rob Lee, Harlan Carvey, Richard Bejtlich, Chad Tilbry, Ed Skoudis, Mike Murr (rumor has it that Mike isn’t actually blue in real life. I refuse to believe this until I see it with my own eyes), Stephen Northcutt and Mike Cloppert. Most of these people use their Twitter accounts to distribute news and commentary on the information security issues of the day.  For example, Richard Bejtlich’s Twitter feed was a must read for those who weren’t able to attend this year’s Black Hat in Las Vegas.  Twitter was also a great source of information during the recent SANS Forensic Summit for those of us who weren’t able to attend.  Because so many people who were at the summit were actively Tweeting about the event, those of us who weren’t there could interact with the participants and experience at least a little bit of the energy of the event.

There are also a lot of our fellow forensicators who use Twitter to socialize and interact with the community on a more personal level.  The Twitter forensic community has been a nice experience in that it has helped to build a sense of camaraderie that can be hard to establish when so many people are physically separated from each other.  I have found this community to be very helpful when I need information to help solve a problem on short notice. For example, I recently ran into trouble with an encrypted device and was able to get instantaneous help from a variety of forensic experts from around the globe in solving my problem.  A problem that several years ago might have taken me days to resolve through sources like email list servs was solved in a matter of an hour or so through Twitter.

Building up strong relationships is important for professional and technical success.  It can be hard to sell the value of developing strong relationships in an industry that can sometimes be dominated by traditional IT types who aren’t necessarily the most social people to begin with.  I’ve spent a lot of time over the years establishing relationships with other forensic people because I learned very early in my forensic career that, since you can’t know everything, it’s important to have relationships with people who can help you when you get into a bind. Through Twitter, I have been able to meet and get to know some great people such as Joe Garcia, Lee Whitfield, Mark “Toolio” McKinnon and many others whom I never would have had the opportunity to interact with had I not become involved with the Twitter digital forensics community.

So my advice is to give Twitter a try and become involved with the Twitter digital forensics community.  You can lurk without becoming actively involved and just soak up all of the good knowledge that is passed around the community each day, or you can get more actively involved and start to build some productive relationships with your peers.

Reason #217 Why You Shouldn’t Hire A “Computer Guy” To Do A Forensic Examination

Lee posted this sanitized report that came from someone who clearly is a “computer guy” rather than a lethal forensicator.  I have seen this problem first hand and I have heard many similar stories from my fellow examiners who have dealt with this problem in the past.

It’s the same basic scenario that plays out around the globe, it seems.  An otherwise sharp attorney has a client who needs an expert to deal with computer evidence during a legal proceeding.  The attorney decides that because it’s computer-related evidence, they need a “computer expert” to act as their expert witness.  For whatever reason, they are lured into the trap of thinking that someone with a lot of knowledge about computers must also be qualified to do digital forensic work.  Maybe this “expert” even has a Microsoft certification and the attorney thinks that an MCSE qualifies this person to perform a forensic examination.

The report that Lee has in his blog post is the common result, and it’s a disaster for the attorney and the client.  A report like this will likely lead to a very uncomfortable outcome if the other side has a competent forensicator advising the opposing counsel.  I can only imagine the miserable experience this “expert” would have had trying to defend this report during a cross-examination.

If you read the report and find yourself having a hard time seeing what the problems are in the report, I’d like to gently suggest that you might find a lot of value in taking the SANS Computer Forensics Fundamentals course.  The good news: Rob Lee will be teaching this very course in Las Vegas next month at SANS Network Security 2010.  The bad news: If you take this course next month, you’re stuck with me being Rob’s Teacher’s Assistant.  I’m very much looking forward to helping Rob turn out another batch of lethal forensicators and I hope I get to see some of you there at Network Security 2010.


  1. What's the point in following the folks who tweet? Honestly, I don't get it...just like I don't get why people want to connect on LinkedIn or Facebook. If all you're going to do is follow someone like a voyeur...what does that do for anyone?

    All of these social networking sites offer us the ability to engage like never before...but simply following someone isn't "engaging"...it's just following. All of the communication is one way...

  2. I think you've just presented a problem statement for a number of PhD dissertations, Harlan. :)

    Why are some people passive consumers of social media and others more active participants? I suspect there are a lot of reasons, but I'm curious about demographics. Are older people who are mainly used to being passive consumers of one-way types of media like TV and radio more likely to become passive consumers of social media? Are younger people who grow up with social media more likely to be active participants? I don't know.

    I think one of the reasons why I've become fond of Twitter is because it allows so much interaction between my fellow forensicators in a manner that I haven't experienced before. Up until recently, I mainly communicated with the community through the various email list servs dedicated to computer forensics. That was and continues to be a great experience that has allowed me to form a lot of great relationships over the years. Twitter has been a much higher velocity version of that, at least based on my experience.

  3. Eric,

    I don't see it as a problem, per se...but something that can be changed if folks really think about it.

    I still wonder, why are so many people interested in simply following/lurking? Why not find one or two things you like, engage, and pursue them?

  4. I think there is a large number of people in any field who aren't necessarily passionate enough about what they do to get involved with the extra effort required to do research, blogging, etc.

    I also think there is a mentality in information technology in particular that says, "Because I don't know everything, I don't know anything."

  5. Hi Harlan,

    Surely the whole point is that Twitter easily and quickly gives you access to people who you would never have been able to interact with previously. Once you have become more aware of the world there is then the opportunity to engage if you choose to do so?