Tuesday, April 5, 2016

Farewell to a Friend

As many of you know already, our friend and fellow forensics practitioner, Ken Johnson, was killed last night when the vehicle he was riding in was struck by a drunk driver. To say that those who knew him are saddened by this is an understatement. Ken was a great guy and great at DFIR.

When Windows 8 arrived on scene, Ken began studying its file history and other related features. He became an expert on the subject and presented his findings at conferences. I remember speaking with him after one of his early presentations and he wasn't happy with how he had done. But I was lucky enough to attend several more of his presentations and I remember telling him after one of them how much more confident he seemed at the microphone. Each time I saw him present he was better than the time before and I was so happy to see him doing well.

Ken and I spent quite a bit of time together at the last WACCI conference. I had been asked to fill in for David Nides and present in one of the breakout sessions. Ken was the guy building me up that time. I was nervous, as that was the first (and so far only) time I had presented to a DFIR group. We attended each other's talks and he was very supportive, making it sound like I did better than I probably really did.

When I finally got my first Windows 8 investigation, Ken was the first one to volunteer his assistance. As it turned out, I wound up asking him several things and he was very helpful.

The last time I saw him in person was a couple years ago at ArchC0n in St. Louis, though we had corresponded occasionally via email, Twitter or Facebook since then. I will miss his friendship and smile. I am thankful I knew him and got to spend a little time with him. I offer my condolences to his wife and children along with his entire family and colleagues at KPMG. Rest in peace, Ken.

Wednesday, February 24, 2016

The End

The time has come to say farewell. My time in both law enforcement and in digital forensics is rapidly coming to an end. I have reached the age at which I decided long ago I wanted to retire from police work.

Despite my occasional gripes, law enforcement, specifically my department, has been very good to me and I am grateful. It has been an exciting, boring, depressing, thrilling, scary and interesting job over the last 28 years. It's not every line of work that allows you the thrill of being pepper sprayed and shot with a Taser without being taken to jail shortly thereafter.

Law enforcement opened the door to my entry into digital forensics. I came into DF barely knowing what it even was, but my interest in computers mixed with my desire to fight crime drove me to get more involved. I've had a few interesting cases, seen a few images and videos I wish I could forget and felt like my work made somewhat of a difference in our community.

Four people in particular made my entry into the digital forensics field so much easier than it could have been. First, Ovie Carroll and Bret Padres helped me just by doing CyberSpeak (sorry Lee) and helping me get a greater understanding of the issues and topics in the field. They also started talking about Twitter in one episode, and they were the first two people I started following. That led to my becoming acquainted with Luby Novitovic and Mark McKinnon soon thereafter. Both of them were always there to help when I had a question or needed advice. Since that time, I've been lucky to interact and become friends with so many great people in the field.

I have developed some great and close "in-person" friendships with DFIR people I initially met on Twitter. I won't try to name them all here because I will invariably forget someone. At a SANS DFIR conference several years ago I got to meet up with several of my Twitter friends and by the end of it I had a whole new appreciation for corn. Those who were there will understand the reference ;-) By and large, the DFIR people I know are lots of fun and smarter than I'll ever be.

I've always been grateful for the way people in this field are willing to help. There have been several times over the years I've had questions and never once did I have someone tell me to ask Google, even when maybe they should have. I've been fortunate to befriend quite a few people in the field and each has helped me in some way, whether they knew it or not. I have such great respect for so many DFIR people. I have been amazed that course developers, tool creators, authors and other "leaders" in the field were so willing to provide their email address or phone number so I could ask for advice.

In addition to my DF work in law enforcement, I've also been running a successful part-time business on the side doing forensics, data recovery and general computer troubleshooting and repair. It had been my desire to turn that into a full-time business once I retired from police work. However, for a number of reasons I won't get into at this point, I've decided that isn't the way for me to go.

Furthermore, because of where I live, there are no companies doing DFIR close by that I could go to work for. I have no desire to be on the road the majority of the time, so the "head to the airport and fly out now" jobs probably aren't for me. I now live where I've wanted to live for a long time, surrounded by woods and family close by. I don't intend to move...ever. Because of all this, I don't see any real opportunity to remain in the field. That's not a complaint; it's just the way it is.

While I'm not willing to say I'll never be involved in forensics again, I don't see any likely scenarios for that happening soon. Still, I never say never, so who knows? I've loved learning and practicing forensics and I am grateful for every moment I've spent with it. Furthermore, I am grateful for all the friends I've met in the field and the opportunities I've been given to learn some really cool stuff.

Wednesday, May 13, 2015
I completely forgot to mention something in my last post. My friend Tom is doing a Year of Python series on his Ram Slack blog. He is posting a new Python 2 project each week for a whole year in his quest to learn. He's doing some very cool stuff and I recommend you check it out.

Tuesday, May 12, 2015

Trying to learn Python.....again

Every so often, the urge to learn Python reappears and I give it another shot. I work on it for a while and then something happens; I give up, get distracted or otherwise just don't get very far. I've tried various books, YouTube videos, etc., but just never seem to stick with it long.

Despite my inability to code thus far, I do believe it is important for those of us doing any kind of DFIR to at least have a basic grasp of some language, be it Python, Perl, Ruby or what have you. Not only that, I just think it's cool and I want to learn. Having the ability to work up a script to accomplish some task would be great, even if it's not anything anyone else would ever want or need.

The problem with choosing Python is that you also have to decide which Python you want to learn. Python 2.x and Python 3.x are two different animals, at least to some degree. I initially decided on 2.x, since most Python users I know have gone that route and I know there are a lot of available resources for that version.

I created an account at CybraryIT and started taking the free Python course. I've been enjoying this course and the instructor seems knowledgeable. CybraryIT is a wonderful, free training resource and I'm taking another course there as well. They have a couple other courses in the pipeline I'm going to take when they're made available. But I digress.

I recently noticed a new book by Al Sweigart called Automate the Boring Stuff with Python at No Starch Press. I thought it sounded interesting and ordered it, failing to notice the focus was on Python 3. I started reading and really liked Sweigart's style and the material held my attention.

Then, last week I saw the Introduction to Python video series with Jessica McKellar on sale at O'Reilly and the focus was on Python 3. Having watched other talks by McKellar on YouTube, I knew that I enjoy her presentation style and that she was someone who knows what she's talking about. I ordered the videos and started watching right away.

I feel like I've finally found some training materials that are really helping me. Maybe it's a combination of that and finally having the resolve to follow through. Whatever the case, I do believe I'm making progress.

So, while I still have interest in Python 2, I've decided to forge ahead with 3 since I've got such great materials to learn from. I may do actual reviews of these materials at some point in the future, but for now I'll only say I'm quite happy with them at this point and plan to continue.

If you decide you want to learn Python 2, I certainly recommend the course at CybraryIT. It's free, so what have you got to lose? If you want to learn 3, then I do recommend the book and videos I mentioned above.

Friday, January 9, 2015

Nominations Open for 2014 Forensic 4cast Awards!

Hello all,

As the title of this post states, nominations are now open at the Forensic 4cast website for this year's awards. The awards ceremony has become a highly anticipated event each year at the SANS DFIR Summit in Austin, TX. I'm proud to say I've been nominated twice and won once, winning the 2013 Digital Forensic Blog of the Year.

I've already got some nominations in mind for this year and I plan to submit them soon. As far as blogs go, there are several that can be counted on year after year to provide first-rate content. You can always find excellent content on Corey Harrell's Journey Into Incident Response blog and Harlan Carvey's Windows Incident Response blog. I'm still making up my mind over those and a couple others.

Some candidates I'm considering nominating for Digital Forensic Examiner of the Year include Ken Johnson, Eric Zimmerman and Frank McClain. Ken has done some amazing work on Windows 8 forensic artifacts, while Eric has done excellent work in the area of shellbags artifacts and even released a tool called Shellbags Explorer. Frank is this guy who is always there for people. If you're on any of the DFIR related email lists, you've no doubt seen him there. He is often the first to reply to a request for help and can always be counted on for good advice and suggestions.

Without a doubt, I will be nominating The Art of Memory Forensics for Digital Forensic Book of the Year. I don't remember the last time a forensic book generated as much excitement at the time of its release as this one did. It's a huge book with so much good information. I will be very surprised if this book doesn't take the award. Win or lose, I offer my congratulations to Michael Hale Ligh, Jamie Levy, Andrew Case and AAron Walters on the success of this book.

For the software tool category, I'm looking at such good candidates as Brian Moran's Live Response and Eric Zimmerman's Shellbags Explorer. I'm sure others will come to mind, but these two are definitely in the running.

I do very little in the area of mobile device forensics, so I really don't have any opinions on the Phone Forensics categories. Likewise, I haven't had the opportunity to try out any new hardware, so I really have nothing to add there as well.

I'm still making up my mind on other nominations. If I failed to mention you or your favorites above, that doesn't necessarily mean I'm not considering them as well, so please don't be offended. These are the ones that stand out in my mind at this moment. There are so many good people, blogs and tools out there that it's hard to remember each one as I write this.

I hope you'll take the time to submit your nominations. Thanks again to Lee Whitfield for putting the awards program together each year.

Friday, January 2, 2015

Happy New Year!

I have been absent from the blogging scene for a while now (again). To be honest, I haven't had a great deal worth writing about and didn't really have time anyway. I did want to mention a couple things, though.

I was pleasantly surprised to be nominated for election to the board of the Consortium of Digital Forensic Specialists and even more surprised to find out I got elected. I gave it considerable thought before accepting the nomination. I decided to go for it because I do care about the CDFS and the role it can play in our field. I'll have more to say about it as I get involved with the board. Thank you very much to all those who voted for me.

I was fortunate to attend both the Open Memory Forensics Workshop and the Open Source Digital Forensics conference back in November. As expected, both were very much worth attending. I plan to talk more about them in a (hopefully soon) future post, but I just wanted to say thanks to the Volatility crew and Basis Technology for such a great couple of days. Besides the great talks, I was happy to connect with friends I hadn't seen in a long time. I was also happy I got my copy of the Art of Memory Forensics signed by all four authors. I will be very surprised if this book doesn't win a 4cast award this year. I was also the lucky recipient of a $100 Amazon gift card at the OSDF conference!

My friend Carlos Cajigas has a new post up on his Mash that Key blog talking about using the built-in tools in Linux to view text-based logs. He goes through auth logs from his Linux server and shows how to use grep, cut, head and other commands to narrow down the data to what you're really wanting to see. This is well worth a read if you find yourself parsing through server logs to the point of driving you nuts.

That's all I've got for right now. 2014 was a great year for DFIR and I look forward to seeing what this new year will bring.

Thursday, January 1, 2015

Book Review--Penetration Testing

Welcome to the long overdue review. I was contacted by the good people at No Starch Press early in 2014 and asked if I would like to review Penetration Testing by Georgia Weidman when it came out. I jumped at the chance, as I had no background in pen testing, but I've always found the subject interesting. I thought learning about attack techniques might help me be a better forensic investigator as well. I received the book soon after the initial contact but due to a number of things failed to get this review done till now. My apologies to No Starch and Georgia Weidman for taking so long to get this posted.

This is a big book, with 20 chapters comprising a total of 476 pages, not including the index. There are supplemental materials and a Linux virtual machine available for download that allow the reader to work the examples in the book. Additionally, guidance is given on setting up your entire virtual lab. The guidance includes setting up Windows XP and Windows 7, along with Android emulators. I loved how detailed the instructions were for setting everything up. There were quite a few files to download for the labs, but it was well worth my time and bandwidth to get them.

Along with the above, a torrent is available to download the same version of Kali Linux used in the book. I was unable to use it with VMware Workstation and it turned out it would run in VMware Player, but not necessarily in Workstation. I wound up building my own Kali virtual machine and used it through all the labs.

The book covers a little programming in some spots, so a programming primer was included. I am definitely NOT a programmer, so I found this primer to be very helpful.

Throughout the rest of the book, topics such as Metasploit, information gathering, finding vulnerabilities and even post-exploitation are covered. Web application testing, wireless attacks, exploit development and mobile device hacking are also covered in great detail.

After reading this book, I understand so much more about penetration testing than I did before. I learned a lot about how pen testers gather the information and use it to their advantage through social engineering and other means. I also now have a much greater understanding of how attacks are done and I believe that understanding will help me do my work as a forensic investigator even better.

Weidman does an outstanding job of covering a pretty big range of topics in this book. With the wide range of topics, I can see how it would be difficult to put it all in one book and wind up with something that works, but she managed to pull it off. I enjoy her writing style and loved the labs, too. I don't know how long it took her to put this book together, but it's obvious she spent a lot of time writing and creating the labs and supplementary materials.

If you want to learn about many aspects of penetration testing, I highly recommend this book to you. This book is everything including the kitchen sink, and after reading this book you'll come out with a much better understanding of what pen testers do and how they do it.