Sunday, June 30, 2013

Daily Blog #7: Sunday Funday

Hello Reader,
       It's Sunday! Lenny Zelster did quotes on Sundays, but I'll be honest I don't do much quoting from famous people. So instead, lets have a contest. Every Sunday I'll be posting a question regarding digital forensics, first person to answer gets a prize. This weeks contest will be easy, didn't plan ahead enough to make it difficult :) The prize? A signed copy of the new book!

Rules: First person to comment with the most correct answer wins. Note I said most correct, if you think someone else only answered the question part way you can go into further detail to win. Employees of G-C Partners, LLC are not eligible, as you already have a copy of the book.

I want to use google+ comments for this for the time stamping, no funny business.

So the question: You have been given a forensic image of a Windows 7 system, you have been requested to determine if an external drive has been plugged in. They want to know the following:
  • When was it first plugged in
  • What was it last plugged in
  • What other times was it plugged in
  • What files and directories were copied and/or accessed from the drive
In your answer please list the artifacts and process you would follow to get this data.

You have until midnight PST (GMT -7) 6/30/13 to give it a try.

Good luck!

Saturday, June 29, 2013

Daily Blog #6: The weekly reading list

Hello Reader,
     It's Saturday so we will take a break from the current series and lets enjoy the weekend with some relaxing digital forensic reading. So get a good cup of coffee, a comfortable chair and I'll point you to what I'm reading this week to try to keep pace with the rest of the forensic world.

1. Over on the SANS forensics blog Mike Pilkington has a great article on securing active directory, you can read it here:

When I first started my career it was in information security and I believe it has benefited my forensic work to be aware of how systems are configured by default and what logs existed. Understanding active directory default configuration, how to secure it and what it contains won't just help IR people, when doing internal investigations of IT admins its important to be able to spot the subtle backdoors they leave.

2. If you are doing internal investigations of employees and deal with employees faking replies to emails you owe it to yourself to read Joachim Metz's excellent white paper on his deep dive into the PST structure.

The thread index he discusses is something I've never seen parsed out by another tool and is something I keep in mind now when I'm approaching email investigations. The white paper is part of his libpff project,, which has been updated to work with Office 2007 and forward psts and osts.

3. One of my course co-authors Jake Williams wrote an interesting blog post,, all about how clients place artificial limitations on penetration tests  and remove most of the tests usefulness. It's a good read and if you deal with penetration testers its something you should consider. If you are paying good money for a service, you should get the best evaluation of your network security your vendor can provide without artificial limitations.

4. Lastly this week I'd like to point out that with Windows 8 and Windows Server 2012 now out in the wild (I've had one windows 8 investigation so far) the USN structure has been updated to version 3. You can read the v3 specification here to get an idea of the changes. Make sure your USN parser support the version 3 structure before you try it on Win 8/Server 2012. The triforce will be USN v3 aware in the coming release. If you are not including the USN in your investigations you are missing valuable data.

That's it for today, if you found something interesting this week please leave a link and a description in the comments.

Friday, June 28, 2013

Daily Blog #5: Milestones 3 and 4 detailed

Hello Reader,
                     The conversation from these posts is continuing in the comments and I'd like to ask you to consider joining us. While I enjoy sharing my perspectives we would all benefit from hearing yours as well. Whether you are just getting started or you've been doing this longer than I have, I would hope you would consider providing your experiences with these milestones and what is different in your professional achievements.

    That said today's post will focus on milestones 3 and 4 as we continue up the ladder of skill and sophistication as a digital forensic examiner.

Milestone 3 - You look beyond your tool.
    This is a moment of apprehension for many examiners. You've been well trained on your tool of choice and you might have heard some excellent marketing people explain to you the importance of using only tools like theirs which courts welcome with open arms. However, you also now know that other people are starting to find artifacts your tool does not yet support and you are you realizing you are missing evidence because of it. The development cycle for a major forensic suite is long, so it’s not that your tool of choice doesn't want to integrate every artifact that examiners unearth on a daily basis, it just has to be prioritized into their development schedule before they can implement it.

    You also begin finding limits to the efficiency your tool of choice is providing, whether it's how its presenting data for you to review/export, to how it's handling a support artifact you want to get more data out of, or get things done faster and your tool isn't keeping up. Now is the time when you start looking at the ever widening range of other tools out there. Some examiners gravitate to another large suite tool, for instance many users of TCT, FTK and EnCase will use one of the other three to fill in a gap in functionality. Some users will gravitate to the purity of X-ways in a hope to get deeper into guts of forensics, while others will look to augment their tools abilities with tools that fill a gap like IEF. What's not important is what additional tool (commercial or open source) you adopt into your process but the fact that you've opened yourself to doing so and gotten over the fear of non-vendor created tools. This is an important step and one of many decisions you'll make of what tool to use and whose output to trust as you continue to improve.

    Not all tools are made equal and eventually you may end up like me, with a license of almost every tool because each one handles X better than the others. I'm not going to tell you it’s cheap, and don't think I get anything for free (although I am willing to!), but as your case load grows you'll find that the work justifies the expense.

    If you notice I've mentioned a lot of commercial tools in this post, please do not consider that an endorsement of commercial tools only or a slight towards free and open source tools. I'm trying to make sure this post is relevant to the largest segment of readers. Substitute any tool name you want in this post and the point still remains valid. In my work we use everything we can get our hands on that creates reliable, verifiable output.

Milestone 4 - You get certified with a vendor neutral certification.
    Some examiners who have been in the field a long time may deride my focus on certifications for the new examiner, and that's OK. I didn't get a forensic certification until last year and I'm just now in the process of getting a vendor neutral certification (if I ever find the time to finish!). However, we are the exception to the rule as we started doing computer forensics prior to there being any certifications available to non-law enforcement examiners. That being said, for those of you who aren't cynical forensic veterans, certification is something that more employers, attorneys and judges are looking for. We discussed in Milestone 2 vendor certification and what it skills it actually demonstrates. In Milestone 4 we are looking at certifications not tied to a specific product but towards a provable set of skills, processes, and knowledge in your ability to analyze and report your findings.

    There are many vendor neutral certifications out there these days; CCE, GCFE/GCFA, CFCE, etc... and which one is right for you will depend on many things such as;
  • Are you law enforcement? (CFCE)
  • Do you have a good training budget? (GCFE/GCFA)
  • Are you looking to join an accredited lab? (CCE)

    These are not hard rules, you could get all three and more if you choose to, but it's a decent elimination criteria for you. I will tell you that overall in my opinion that the CCE is winning.  Why? They made a partnership with ASCLD to be recognized as a proficiency test for accredited lab operation. (
    While I and many other people are not looking forward to lab accreditation being forced on us (the day to day paperwork is painful), the partnership bestows a large amount of credibility on the certification and I do plan to obtain it now.

    So I've talked about getting a vendor neutral certification and which to get, but why should you get one? This is what I believe is the important point that many miss. Your vendor certification is great for showing your competency and ability to explain the results your tools show you, but as we just discussed in the prior milestone you've grown beyond your tool. You do not have a certification in these other tools and for many tools there is no certification to be had, so beyond your own ability to demonstrate the tools reliability it’s nice to have a third party body that is attesting to your skills and ability through a written and practical test. These certifications focus more on your ability to understand artifacts, analyze evidence, and write concise reports that find and explain what they have left for you to find.

    If you feel some kind of animosity towards certification programs in general I would advise you to swallow your pride and seriously consider it. While some people, Andy Rosen for example, have enough experience, education and documentable achievements/software/tools/reports behind them to be able to escape this type of scrutiny the rest of us do not. I've been doing forensics for 14 years (this December), written books, created tools, spoken at conferences, taught classes, etc... and I will tell you that I still feel that I need certification now as more judges and attorneys are looking for some way to judge an experts base competence. I'm seeing more depositions' transcripts where attorneys are asking for certification as a way to judge the reliability of reports and understanding of processes/artifacts, and this is especially important when the opposing expert has certification and you do not.

    Tomorrow is Saturday and according to Lenny Zelster he would post interesting reading and quotes on weekends. That sounds pretty good to me so I'll follow the same and look to post the next part of this series on Monday.

Thursday, June 27, 2013

Daily Blog #4: Milestones 1 and 2 detailed

Hello Reader,
                      In my last post we talked about the milestones and optional achievements you can look forward to in your forensic career. This post will go into detail on what it takes to achieve milestones 1 and 2.

Milestone 1 - Your tool defines your workflow.
    When most of us get our first job as digital forensic examiner it's through an employer where we are transitioning roles and not after graduating with a degree in computer forensics, though, that is now a possibility! Without a 4 year foundation in digital forensics backing you up, you and your employer look to make an investment in your career by purchasing a forensic suite and a training package to learn how to use it.

    When you first receive training on how to use a forensic suite, no matter which one, you are amazed at what is suddenly possible. The ability to recover deleted files, carve long deleted data, determine a users activities and all the rest of the data you gain from the tools ability to parse computer forensic artifacts empower you in your first investigations.  You are content at this point by what your tool is able to do and what you have been trained to do with it.

    So let me be clear because as people grow in their experience in skills they begin to look back at this time with disdain at their former selves. There is nothing wrong with your results at this point, any evidence that you find in your investigation is still good evidence. At this stage in your career though you may be missing evidence, not because the tool is faulty but because you have not yet learned all the artifacts that exist. You may miss evidence at this point that can add more to your findings, with the worst possibility being you miss evidence that would have revealed more about whatever the focus of your investigation was.

    In this milestone you also chase the most red herrings as you are still learning to understand what is possible, what the system records, and what's relevant in your investigations. If you are in this milestone I would encourage you to move on to other milestones as quickly as you can. While the results of tool are correct, you are missing artifacts and a bigger picture of the actions of those you are investigating. The only thing you can do to move forward is to get more experience and depending on your budget go to non-vendor training, conferences or read blogs and white papers to start educating yourself on what exists outside of your walled garden.

Milestone 2 - You get certified on your tool.
    This is an important milestone in your career, outside of kudos from those who you give your reports this is your first external validation of your skills and abilities as a digital forensic examiner. What is important to remember at this point is what your vendor certification means. It means that you have shown skill and knowledge in how to perform an examination using their tools. It is not a reflection on your overall knowledge of what is possible and your total capabilities. Many people see a vendor certification as an end point in their credentials and I would encourage you to think outside that box.

    Let me be clear, there is great value in a vendor certification. Many attorneys are getting smart and asking experts if they are certified in the tools they use as a way to judge competency in the results those tools produce. Being able to pass a written test that shows your knowledge of how the tool works, and the ability to successfully retrieve known artifacts through a practical test is great. You're not done though and if your organization views this as 'being done' in your professional path at this point you should stop and think about what their intentions to grow your skills are.

    Once you obtain this certification you'll likely join a mailing list with other certified professionals who can ask each other questions outside of the public view. This is good but remember that there is no confidentiality on those emails and they can be quoted against you in the future. Consider always subscribing and replying from a non-work email address that does not contain your name so your past statements don't come back to haunt you.  You have plenty of time to show people how smart you are, you just may not be as smart as you think you are at this point.

    The other great perk of this milestone is the normal requirement for continuing education anually. This provides a great justification for your employer to pay for you to go to conferences and other training in order to keep the certification. Most employers like having a certified employee as it allows them to show competence to those that are receiving your reports.

    I'll end this daily blog entry by saying, I'm constantly amazed on new artifacts and research that is revealed everyday. Digital Forensics is a science, never forget that, and we have to stay up to date with it to be the best scientists we can be.

Wednesday, June 26, 2013

Daily Blog #3: The progession of the digital forensic examiner

Hello Reader,
    I've been asked these questions many times; "What does it take to become a 'real' digital forensic examiner?", and "What will it take for me to achieve a higher level of understanding and ability?" If you can create verifiable results in any tool that another examiner can recreate and successfully defend your findings I consider you to be a real digital forensic examiner. If you want to know what it takes to grow and become a better digital forensic examiner I decided to make the following list of milestones and optional achievements that an examiner can use to judge their place in their own digital forensic knowledge progression.

    Now this list is just for digital forensics, I don't know enough about the IR world to make a similar list. The list of milestones is not a linear path either, its met as a series of goalposts you can achieve in any order. The purpose of this post is not be judged on what you have not done, but rather to help you see what you can do in your continuing career as a digital forensic examiner. There is truly no ending point as the amount of data we can continue to research and understand grows on a daily basis! My plan is to expand this list into a series of posts that explain each milestone, what it takes to achieve it and how it benefits you. For those of you who want to join me in the overachiever club feel free to do all of them! Otherwise, pick the milestones that mean the most to you and your current needs and make a plan to succeed.

Milestone 1 - Your tool defines your workflow.
    This is where most examiners start, they get access to one tool (it doesn't matter what tool TCT/Encase/FTK/Xways/Prodiscover/SMART/etc..), they get some kind of training and their abilities are defined by what their tool suite can do.

Milestone 2 - You get certified on your tool.
    You've learned enough about your tool and the artifacts it parses to show competency through certification.

Milestone 3 - You look beyond your tool.
    You've found the limits of your tool and discovered there are additional artifacts that would help your investigation, you start using other tools in your investigations to augment your main suite.

Milestone 4 - You get certified with a vendor neutral certification.
    You realize that your vendor certification is great for showing competency in using their tool, but it does not represent your skills of the overall forensic process.

Milestone 5 - You become less about the tool and more about the artifact.
    You start memorizing where all your favorite artifacts are that you use in your investigations, you start comparing tools to see which gives you output you like the most.

Milestone 6 - You understand what's normal and what's missing for multiple versions of the same operating system.
    You've done enough investigations and testing now to be able to spot what's missing and let the users attempts to hide their actions guide your investigation.

Milestone 7 - You master re-creation testing.
    You are a virtual machine master easily testing new artifacts and hypothesis to create defensible results.

Milestone 8 - Your processes and workflow become not only understandable but accepted by 3rd parties.
    You've moved your ideas away from tools and to operating system versions, states and artifacts to the point that any other examiner can replicate your work with any tool.

Milestone 9 - You master more than one operating system's artifacts.
    You've moved beyond the first operating system you learned about and started the quest to learn more about other operating systems artifacts.

Milestone 10 - You understand how file systems store data and can run tests to determine behavior.
    You've moved beyond the artifact to the underlying operating system and file system for a deeper understanding.

Milestone 11 - You've realized that to optimize your workflow you need to learn some basic programming.
    Frustrated by how many separate tools you have to run and combine, you start to write your own scripts to stitch them together.

Milestone 12 - You've found enough deficiencies in the tools you use, you begin to write your own.
    You've learned the artifacts, you've read the white papers, now your ready to get the output in just the way you want it by writing your own version.

Milestone 13 - You've developed your own data structures parsers and you begin looking into new data structures to make new tools.
    You have moved beyond just recreating other peoples tools into creating your own! The digital world is your forensic oyster!

Milestone 14 - You get the artifact bug and spend your free time thinking of what else might exist and start creating testing environments solely to find new artifacts.
    The sheer number of possibilities has taken hold of you and you realize you've found a career for life.

The following are listed as Optional Achievements.

Why optional? Not every position where you will be doing computer forensics will put you in the position to be able to do all of these, but they are nice moments in your career that others will notice. 

Optional Achievement 1 - You submit an affidavit/declaration to the court

Optional Achievement 2 - You get appointed as a fact witness

Optional Achievement 3 - You get appointed as an expert witness

Optional Achievement 4 - You submit an expert report to the court

Optional Achievement 5 - You are accepted by a court as an expert

Optional Achievement 6 - You've contributed a plugin to a tool

Optional Achievement 7 - You've written a white paper on a forensic artifact

Optional Achievement 8 - You start a forensic blog

Optional Achievement 9 - You present research at a forensic conference

Optional Achievement 10 - You write a book on forensics

Optional Achievement 11 - You release a tool

Optional Achievement 12 - You find a new forensic artifact!

Disagree with me? Think I missed something? Want to do more with this? Comment below, lets talk.
In the following days I'll be writing a post per milestone to expound on what I mean and how you can determine if you've achieved it.

Tuesday, June 25, 2013

Daily Blog #2: What I wish I knew when I was starting out

(This entry is part of the Daily Blog series! Click Here for the previous entry.)

Howdy Reader,
                    BTW I'm from Texas, so we say howdy sometimes. Not a lot mind you, but its just something fun to say. I'm taking topics to blog about from readers and Karen Palmer among others submitted some great ideas! One of Karen's questions was ' what do you wish you knew when you first started?'. It's a great question and something I hope will help a lot of people get over some basic fears. This will likely be a multipart series as I think about things, but here is the first.

There is no such thing as a 'court approved' tool. No really, seriously, there is absolutely no such thing. Now, courts have accepted the results of several tools and those tools can now cite case law (meaning past cases) which shows their tools being accepted. What was important though in those cases was not the tool, but the expert who presented the tool and its results to the court. A tool on its own is not admissible, it requires an expert who is knowledgeable in its operation and can explain its results while answering questions about its meaning.

It is the expert, not the tool that defines what will be admissible. Now, the federal rules of evidence do specify the guidelines for a judge to consider what is admissible. For instance here is a rule that was not written with digital evidence in mind but has been adapted to suit it:

Rule 1003 (
"A duplicate is admissible to the same extent as the original unless a genuine question is raised about the original’s authenticity or the circumstances make it unfair to admit the duplicate."
If that is not clear to you, any duplicate (and a forensic image is by definition a duplicate of the original evidence bit for bit) you create is admissible by rule 1003, unless there is a genuine question raised by either the opposing counsel or the judge.

So why do we have chain of custody? Well that goes to authenticating the evidence you are looking to get admitted. For a judge looking determine the admissibility of a challenged forensic image, his decision will be based on your testimony regarding the facts of how it came to be in your possession, what you did with it and how you know it is what you claim it to be:

Rule 901 (
(a) In General. To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.

(b) Examples. The following are examples only — not a complete list — of evidence that satisfies the requirement:
 (1) Testimony of a Witness with Knowledge. Testimony that an item is what it is claimed to be.
combined with the following which is detailed in the chain of custody and shows the identifying information of the original evidence you made the forensic image of:
(4) Distinctive Characteristics and the Like. The appearance, contents, substance, internal patterns, or other distinctive characteristics of the item, taken together with all the circumstances." 
For the admission of the results of forensic tools the following applies:
(9) Evidence About a Process or System. Evidence describing a process or system and showing that it produces an accurate result.
A report generated by a tool is admissible with the following:

Rule 1006 (
"The proponent may use a summary, chart, or calculation to prove the content of voluminous writings, recordings, or photographs that cannot be conveniently examined in court. The proponent must make the originals or duplicates available for examination or copying, or both, by other parties at a reasonable time and place. And the court may order the proponent to produce them in court."
So the report summarizes the findings, for example of the registry or file system in an understandable form, but other parties are allowed to validate your summary by reviewing the data that was used to produced it.

So there you go, criminal or civil the rules are the same.

What is important in your evidence's successful admission is not the tool you use, although lets be honest; a well known tool may be challenged less than an unknown tool. It is your ability to explain how the tool works, what you did to create the forensic image from the original evidence, and why it is admissible that is important. So don't restrict your choice of tools to those that others tell you is 'court approved' or have great marketing, use the tool that you have the greatest understanding of and can provide the best description of so you can feel confident of its admissibility in the face of a challenge.

I will say that those tools that provide certifications can be very helpful in showing your training and knowledge of the usage of the tool, so if your tool maker provides one it can't hurt to have it.

Talk to you tomorrow!

(This entry is part of the Daily Blog series! Click Here for the next entry.)

Monday, June 24, 2013

Daily Blog #1 More about 'Offensive Forensics' aka For 668

Hello Reader, it's Day 1 of the Zelster challenge,
                I like to always start my blogs with a small hello because I want to make sure you get a feeling of direct and informal communication when you read this. I really enjoy talking to the wide range of people who make up the DFIR industry (especially those looking to enter it), the different perspectives are fascinating and for their situations correct (which is hard to understand at first). The more perspectives you can learn the easier it is to understand what's important to people. The majority of my work since 1999 is acting as an expert in civil litigation and for years that was my only perspective, I really didn't understand the wide depth that DFIR was becoming, in fact I just really knew about DF and not IR. I'd like to think in the last couple years I've become more aware of how wide the space has become and appreciated all the knowledge, tools and work that has come out of those approaching the same artifacts and problems but from different angles.

With all that said, let's talk about 'Offensive Forensics'. I said in the prior post I'm writing a course with Alissa Torres and Jake Williams, two people who have a very wide range of experience not only in forensics but in fighting advanced threats, network security and reverse engineering malware. I would like to think that what I'm bringing to the table is my perspective on traditional digital forensics and the research we've built over the years, especially the Triforce.

The idea behind the course is different than anything else I've seen out there. Many people are taking courses for penetration testing that teach you how to break into a system. Lots of people are taking incident response classes teaching you how to deal with the effects after the break in, triage and remediate. Others are taking classic digital forensic classes learning how to investigate the artifacts and do 'deep dive analysis' . What is missing from all those things is the time between the break in, and the response. It is this time of access, ex-filtration and persistence that we will be focusing in on for Offensive Forensics.

Each module of the class will reveal an advanced adversary technique, seen in the wild from Alissa and Jake. You will learn how to do the same type of techniques the attacker does, using the same tools. You'll then clean up your tracks like an attacker and see what tools exist that allow for what appears to be a clean getaway. Lastly using our research and entirely new techniques we will be developing for this class (very excited about this!) you will learn how to defeat and/or detect the prior technique shown to allow the attacker attempts at stealth to shine a light on their motives, activities and methods.

It's a 6 day class with 5 days of hands on instructions (we have so many labs planned) and ending with a challenge day with a Netwars style competition to see who can solve the puzzle with the techniques taught. We are in the process of writing it now so I hope to keep you apprised of our progress as we move it forward. I don't want to go much deeper than this since the course is in the process of being development and things will change but that is the overall goal we are planning to achieve and we have a heck of an outline to do it with.

If you have questions, feel free to comment below and I'll answer them if I can!

So Day 1 down, 364 more days to go. Talk to you tomorrow!

(This entry is part of the Daily Blog series! Click Here for the next entry.)

Sunday, June 23, 2013

A daring experiment!

Hello Readers,
                  I attended my first SANSfire, and to be honest first SANS event, this week. If you've been following my tweets (that is weird to type out, but... that's our world now) you would have seen that I've signed up to write a SANS course along with Alissa Torres and Jake Williams called 'Offensive Forensics' known in sans terms as FOR 668. I'm very excited about this class as it will be the outlet of all the file system journaling research that you've seen demos of applied in real and practical ways. The class won't be out until next year but we've officially begun work on it and I think everyone dealing with advanced adversaries (internal or external) will benefit from it.

I'll write more about the class later but now onto the point of this blog post. Spending a week at SANSfire I got to spend the week talking to fellow SANS faculty and my coauthors which lead me to hear about Lenny Zeltser's year long daily blogs. I was intrigued by the idea, I am terrible at regular blogging as I try to think up important things to talk about and new research that I feel I can disclose. In a discussion though Rob Lee pointed out that most people don't need the bleeding edge from a daily read, they just want more information into how things work forensically and interesting topics/stories.

So with that in mind, I am going to begin a mission to write one blog entry a day for the next year with the idea that whether long or short I'll just keep passing along those things that I think are interesting, important, misunderstood, etc... as well as updates on the new book (Hacking Exposed Computer Forensics 3rd Edition) and the new course as we move forward.

So at this point I am going to turn it over to you, reader. What do you want to know about? I don't want to resort to recipes (which my wife says is what people actually want to read) so I'm hoping you can shed some light and what actually interests you!

Please leave a comment below, I allow anonymous comments, and lets talk. I would like this to be experiment that benefits the community as a whole.