
Daily Blog #26: Interview with SA Eric Zimmerman

Hi Reader,
When I finished the milestone series I asked that those of you who have hit milestone 14 in your career email me. Eric Zimmerman was the first brave soul to do so and was willing to be interviewed for the blog on his career, his forensic interests and his views. I think he brought some great answers back and I hope you enjoy his insights. If you have reached milestone 14 and have been hesitating until this point to email me at dcowen@g-cpartners.com for an interview, then read this to see what I'm interested in. I don't want to put your investigations, cases or research at risk; I want to help others see how you got started and how you got to milestone 14 so they can do the same!

If you are reading this before noon Central on Friday 7/19/13 then please come join us for our first forensic lunch, where we will talk about the Tri-Force, our USN research, ShadowKit and your questions:
https://plus.google.com/u/0/events/cedl2na1nqhvomfful00sad9teo

With that said, here is the interview with Special Agent Eric Zimmerman.
EZ: First of all I would like to thank you for the interview opportunity. I like the way you defined the milestones and it serves as a great barometer for people to use in their careers. My progression through the milestones and optional achievements wasn't linear, but I suspect that's the case with most people.
DC: How did you get started in computer forensics?
EZ: I got started in forensics years ago as a byproduct of being a computer geek, but I didn't get serious about it until I became an agent and started needing digital forensics in my day to day work. I've been using hex editors for years for a variety of things and started using WinHex about 4 years ago for some case work. I got my EnCE about two years ago using EnCase 6. Soon after I fully transitioned to X-Ways Forensics. I have been fortunate enough to work violations where essentially everything involves a computer, so there was ample opportunity to learn and gain experience.
DC: What event in your career propelled you forward the most?
EZ: I would say the biggest benefit to my career was being the case agent and primary forensic examiner in a very technical case involving p2p networks and encryption. In addition to the trial itself, I went through a Daubert hearing and was qualified as an expert in federal court. I wrote hundreds of pages of reports for a wide variety of audiences. Being able to articulate information to people in a way they can relate to is a critical skill. It is not enough to be an expert in digital forensics. You have to be able to convey your findings in a meaningful way to the consumer of that information. Events like a big trial or similar are where you get to finally use all the skills and knowledge you've built up and practiced over the years.
Another major event was winning the 2011 NCMEC award for my work in combating the online sexual exploitation of children. In 2011, my software led to the rescue of at least 45 children, the execution of 330 search warrants, and 222 arrests. To date my software is in use by at least 4000 people in 52 countries.
DC: Do you remember what lit your passion for computer forensics, what pushed you forward to Milestone 14?
EZ: My passion began with wanting to understand the underlying technology behind computers. Once you start peeling back the layers you begin to get an understanding of how deep the rabbit hole goes. I tend to get bored easily so having such a wide variety of things to learn keeps it interesting. There is always something new to learn and even more to discover for the first time.
As for what pushed me toward milestone 14, necessity was the biggest thing. After you see the fruits of solving a new problem or reversing a previously unknown artifact you start to see the potential in looking into the unknown. I do not have the ability to do pure research as much as I would like to, so most of my milestone 14 stuff revolves around either my own or my colleagues' cases. As new problems come up I work to solve them.
Beyond necessity was wanting to figure out something that was previously unknown. It was a challenge to solve a "puzzle" from scratch with nothing more than some network captures, binary files, a hex editor and some programming skill. A lot of my work involved reverse engineering proprietary, closed source protocols (sorry I can't be more specific than that) and when I started looking into it very little was understood about the protocols and other artifacts. I wrote some cool custom software to assist with things as needed.
Passion for the work is really critical, almost more so than one's technical ability, because without it you may not have the stamina to follow through to the end. Frustration is inevitable but you just have to keep your head down and move the ball forward. Working with a team of people is also very helpful.
DC: What is your favorite forensic artifact?
EZ: In general, the registry, but as to a specific artifact it would be ShellBags by far. It is amazing how much detail is maintained in ShellBags. I have used them to show what was inside encrypted TrueCrypt containers in order to prove intent as well as corroborate other artifacts. In the case of encryption, it basically serves as a means to see the file names, time stamps and file sizes of things inside a container. If you can then tie that information to more concrete artifacts involving file hashes (and therefore the file size) you can peer inside the encryption and say with certainty what is in there.
DC: What are you researching now?
EZ: When I get a break from my cases, my primary focus is continuing to expand the abilities of my live response software, osTriage. Version 1 is for law enforcement/government only but with version 2 I want it to be available to a wider audience. My approach for version 2 is to use plugins to provide functionality vs. a monolithic executable as I did with version 1.
By making the programming interfaces available to anyone, people can write plugins that are meaningful to them in case their particular issue isn't included out of the box. Plugin authors can choose to share their work or keep it in-house. I've written the main program in such a way that it works with the interfaces to automatically generate reports, bookmark items of interest, copy files from computers, etc. This lets plugin authors focus on new features and not basic plumbing.
In version 2, I have spent a lot of time focusing on performance and have seen some fantastic gains in speed. For example, my new code can iterate every file and directory on a 256GB hard drive (with over 276,000 files and 59,000 directories) in about 22 seconds whereas version 1 took over 8 minutes to do the same search. That 22 seconds includes finding pictures, hashing them, and generating thumbnails, exploring archive files, parsing .lnk files, and pulling dozens of pieces of live response data. I demonstrated this at the 2013 Boston Cyber Conference earlier this year in my talk on the need for improved triage techniques.
DC: What inspired you to write a book?
EZ: The inspiration for the book was to be able to unpack the X-Ways manual into a format that more people would be able to relate to based on their existing knowledge in forensics. Our goal wasn't to teach forensics, but rather to explain X-Ways.
The X-Ways manual is a fine piece of technical writing, but few people have the patience or time to penetrate its depths. I really think X-Ways is at the top of the pyramid when it comes to forensic suites but in some circles it has the reputation of being hard to use. Where people can run into trouble is there are a lot of ways to accomplish a goal in X-Ways rather than one linear path as found in other tools.
X-Ways puts incredible power in the hands of the forensic examiner and lets them wield that power in a way that makes sense to them and the case at hand. Once people try X-Ways and get comfortable with it they rarely go back to other tools. I found the best way to jump in was to work a case in X-Ways Forensics solo or in parallel with an existing tool.
With the book in hand you can begin the transition from other tools to X-Ways in a straightforward manner. The book is written in such a way as to walk people through its use from initial installation, hard drive imaging, reporting and everything in between.
DC: Where can we buy the book?
EZ: The book is titled "X-Ways Forensics Practitioner's Guide" and is currently available for pre-order at Amazon (http://goo.gl/vWmqa) as well as Barnes and Noble (http://goo.gl/DIJO6). We recently sent our final proofs back to the publisher well ahead of schedule and hope to see the book shipping in August. We have more information as well as software programs I wrote for the book at http://xwaysforensics.wordpress.com/.
DC: What is next for your career? What is beyond Milestone 14 for you?
EZ: I would like to continue to expand the capabilities of first responders and raise the bar when it comes to triage as it relates to what we can cull from computers. I have been focusing on trying to define what the needs of the majority of people are when it comes to digital evidence (at least as it relates to law enforcement). My ultimate goal is to be able to deliver 90% of the relevant information for a case in 10 minutes or so.
For me, moving beyond milestone 14 involves thinking at a more strategic level vs. the day to day existence in the trenches. This involves defining and polishing best practices for colleagues and peers and automating common tasks to act as a force multiplier for understaffed or smaller departments.
DC: What are your favorite tools?
EZ: My favorite tools include X-Ways Forensics (of course) and WinHex, CommView, Wireshark, Edit Pad Pro, RegRipper, F-Response, Directory Opus (Explorer replacement), Visual Studio, Sysinternals stuff, Volatility, and who can forget the Tri-force! The amount of high quality software out there amazes me. There are many gifted developers and digital forensics people out there who put a ton of time into great tools. Some even choose to give their work away. Thanks to all the devs out there! Much of what we can do in digital forensics would not be possible without your contributions.
DC: What do you believe is the greatest challenge facing forensic examiners?
EZ: The ability to separate the wheat from the chaff when it comes to digital evidence. Related to this is a continued reliance on outdated workflows when it comes to processing data. I won't mention any names but there are a lot of solutions out there that require a massive amount of up front processing before an exam can start. Combine this with a lack of checkpointing and you have a recipe for pain when things crash.
Storage capacities continue to increase exponentially while our ability to examine that data is only increasing mathematically. It doesn't take long to realize we have to get smarter in how we look at data or the lead times for a full forensics review will continue to get longer and longer. In my estimation, the answer (or at least a partial answer) to this problem is better triage techniques. If we can identify the computers and digital devices that are relevant to us we can focus our efforts on those devices vs the "examine everything" approach most often employed now. We have to find the balance between thoroughness and timeliness in our examinations. It's a tough problem for sure, but one I think the community can solve.
Thanks Eric for the interview, I hope everyone gets something out of it. Tomorrow is Saturday reading and I have some interesting links to share. The big event though is this coming Sunday Funday where we have a prize provided by Magnet Forensics that I think you will want to win! 