Sunday, August 8, 2010

Tweeting Forensicators

During a recent episode of the Inside the Core Podcast, Joe Garcia of Cybercrime 101 spoke about how he uses Twitter to tap into the collective knowledge of the community.  I held out against using social media for a very long time and it has only been within the last year that I’ve come to embrace at least some of it.

I say some of it because I briefly experimented with Facebook and decided it was wretched.  Its business model is designed around the concept of users being a commodity rather than a customer.  The users gladly input their personal data into the system and Facebook diligently works at turning that personal data into cash for Facebook.  Factor in all of the noise from the games, a mediocre user interface and annoying ads and I’m more than happy not to use it.

Twitter, on the other hand, has turned out to be a very useful communication method that I’ve embraced along with many others in the digital forensics community.  I initially created a Twitter account just to see how the system worked.  I didn’t really do much of anything with the account for quite some time.  I eventually decided to start following some of the forensic gurus who Tweet, and that resulted in me becoming actively involved in the digital forensics Twitter community.

It’s a great way to keep up on developments from the community because it tends to work like a form of Digg, where the users you follow determine what sort of news stories, research results and other information appear on your Twitter timeline.  For example, I follow digital forensic and information security gurus like Rob Lee, Harlan Carvey, Richard Bejtlich, Chad Tilbury, Ed Skoudis, Mike Murr (rumor has it that Mike isn’t actually blue in real life. I refuse to believe this until I see it with my own eyes), Stephen Northcutt and Mike Cloppert. Most of these people use their Twitter accounts to distribute news and commentary on the information security issues of the day.  For example, Richard Bejtlich’s Twitter feed was a must-read for those who weren’t able to attend this year’s Black Hat in Las Vegas.  Twitter was also a great source of information during the recent SANS Forensic Summit for those of us who weren’t able to attend.  Because so many people who were at the summit were actively Tweeting about the event, those of us who weren’t there could interact with the participants and experience at least a little bit of the energy of the event.

There are also a lot of our fellow forensicators who use Twitter to socialize and interact with the community on a more personal level.  The Twitter forensic community has been a nice experience in that it has helped to build a sense of camaraderie that can be hard to establish when you have so many people who are physically separated from each other.  I have found this community to be very helpful when I need to get information to help solve a problem on short notice. For example, I recently ran into trouble with an encrypted device and I was able to get instantaneous help from a variety of forensic experts from around the globe in solving my problem.  A problem that several years ago might have taken me days to resolve through sources like email listservs could be solved in a matter of an hour or so through Twitter.

Building up strong relationships is important for professional and technical success.  It can be hard to sell the value of developing strong relationships in an industry that can sometimes be dominated by traditional IT types who aren’t necessarily the most social people to begin with.  I’ve spent a lot of time over the years establishing relationships with other forensic people because I learned very early in my forensic career that since you can’t know everything, it’s important to have relationships with people who can help you when you get into a bind. Through Twitter, I have been able to meet and get to know some great people such as Joe Garcia, Lee Whitfield, Mark “Toolio” McKinnon and many others who I never would have had the opportunity to interact with had I not become involved with the Twitter digital forensics community.

So my advice is to give Twitter a try and become involved with the Twitter digital forensics community.  You can lurk without becoming actively involved and just soak up all of the good knowledge that is passed around the community each day or you can get more actively involved and start to build some productive relationships with your peers.

Reason #217 Why You Shouldn’t Hire A “Computer Guy” To Do A Forensic Examination

Lee posted this sanitized report that came from someone who clearly is a “computer guy” rather than a lethal forensicator.  I have seen this problem first hand and I have heard many similar stories from my fellow examiners who have dealt with this problem in the past.

It’s the same basic scenario that plays out around the globe, it seems.  An otherwise sharp attorney has a client who needs an expert to deal with computer evidence during a legal proceeding.  The attorney decides that because it’s computer-related evidence, they need a “computer expert” to act as their expert witness.  For whatever reason, they are lured into the trap of thinking that someone with a lot of knowledge about computers must also be qualified to do digital forensic work.  Maybe this “expert” even has a Microsoft certification and the attorney thinks that an MCSE qualifies this person to perform a forensic examination.

The report that Lee has in his blog post is the common result, and it’s a disaster for the attorney and the client.  A report like this will likely lead to a very uncomfortable outcome if the other side has a competent forensicator who is advising the opposing counsel.  I can only imagine the miserable experience that this “expert” would have had trying to defend this report during a cross-examination.

If you read the report and find yourself having a hard time seeing what the problems are in the report, I’d like to gently suggest that you might find a lot of value in taking the SANS Computer Forensics Fundamentals course.  The good news: Rob Lee will be teaching this very course in Las Vegas next month at SANS Network Security 2010.  The bad news: if you take this course next month, you’re stuck with me being Rob’s Teacher’s Assistant.  I’m very much looking forward to helping Rob turn out another batch of lethal forensicators and I hope I get to see some of you there at Network Security 2010.