Friday, June 30, 2017

DFIR Reminiscing

Hello all. I have a new, mostly non-forensics blog that I occasionally post to. I just posted yesterday on a topic that I thought would be interesting to readers of this blog as well. The post is about fun/cool stuff I've acquired over the last few years from conferences and friends. Instead of re-posting it here, just take a look at the post on my Mental Field Trip blog.

Thursday, February 2, 2017

2017 Forensic 4:cast Awards Nominations are Open!

Just in case anyone still stops by this blog, I wanted to post that nominations are now open for the 2017 Forensic 4:cast Awards. Click HERE to go and nominate your favorites. I think the 4:cast Awards are a very good thing for the DFIR community and encourage you to participate. Thanks to the great Lee Whitfield for continuing to run the awards program every year. Your efforts do not go unappreciated.

Regarding my last post way back in July, I was unable to attend ArchC0n 2016 due to illness. I'm really sorry to have missed it, especially since I learned recently that this was the final ArchC0n. Congratulations and thanks to Paul Jaramillo and crew for what was an excellent conference.

Since my retirement, I haven't been especially active in the world of forensics. I did work one case for the local sheriff's office that involved a Raspberry Pi. That was my first Linux related investigation and it was pretty interesting. When I get some time and my thoughts together, I'll try to post about it as it was fun working something different than a Windows case.

Till the next time, take care and don't forget to head over to the Forensic 4:cast website and nominate your favorites for an award.

Friday, July 29, 2016

ArchC0n 2016

 Hello Dear Readers. I hav returned to the blogosphere (I hate that term) to remind you of a great security conference coming up. ArchC0n 2016 will be held August 26 at the Hyatt Regency in St. Louis.

This will be the third annual ArchC0n and once again it looks like it's going to be a great one. I've attended the previous events and had a great experience with each. I cannot recommend this conference enough.

 I like to call ArchC0n the "little con that could" because, for a new conference, they've consistently come up with great speakers and workshops. This year looks to be no different in that respect. Malware is one of  my favorite subjects and there will be plenty of info on that topic presented by Harlan Carvey and Andrew Pease. I've attended several of Harlan's talks over the last few years and can tell you he's an entertaining speaker.

Likewise, I've previously attended talks by Kyle Maxwell, Andrew Hay, Robert M Lee and Scott Roberts. Each of them is someone I look up to in the field and I'm excited to hear them speak again. You can view the full list of speakers and trainers HERE. The program schedule can be found HERE.

I'm planning to attend ArchC0n 2016 and I hope to see you there too. It's a great conference and it's one that I hope will continue to be an annual event for a very long time to come. Follow the ArchC0n Twitter account for news.

Tuesday, April 5, 2016

Farewell to a Friend

As many of you know already, our friend and fellow forensics practitioner, Ken Johnson, was killed last night when the vehicle he was riding in was struck by a drunk driver. To say that those who knew him are saddened by this is an understatement. Ken was a great guy and great at DFIR.

When Windows 8 arrived on scene, Ken began studying its file history and other related features. He became an expert on the subject and presented his findings at conferences. I remember speaking with him after one of his early presentations and he wasn't happy with how he had done. But I was lucky enough to attend several other of his presentations and I remember telling him after one of them how much more confident he seemed at the microphone. Each time I saw him present he was better than the time before and I was so happy to see him doing well.

Ken and I spent quite a bit of time together at the last WACCI conference. I had been asked to fill in for David Nides and present in one of the breakout sessions. Ken was the guy building me up that time. I was nervous, as that was the first (and so far only) time I had presented to a DFIR group. We attended each others talks and he was very supportive, making it sound like I did better than I  probably really did.

When I finally got my first Windows 8 investigation, Ken was the first one to volunteer his assistance. As it turned out, I wound up asking him several things and he was very helpful.  

The last time I saw him in person was a couple years ago at ArchC0n in St. Louis, though we had corresponded occasionally via email, Twitter or Facebook since then. I will miss his friendship and smile. I am thankful I knew him and got to spend a little time with him. I offer my condolences to his wife and children along with his entire family and colleagues at KPMG. Rest in peace Ken.

Wednesday, February 24, 2016

The End

The time has come to say farewell. My time in both law enforcement and in digital forensics is rapidly coming to an end. I have reached the age at which I decided long ago I wanted to retire from police work.

Despite my occasional gripes, law enforcement, specifically my department, has been very good to me and I am grateful. It has been an exciting, boring, depressing, thrilling, scary and interesting job over the last 28 years. It's not every line of work that allows you the thrill of being pepper sprayed and shot with a Taser without being taken to jail shortly thereafter.

Law enforcement opened the door to my entry into digital forensics. I came in to DF barely knowing what it even was, but my interest in computers mixed with my desire to fight crime drove me to get more involved. I've had a few interesting cases, seen a few images and videos I wish I could forget and felt like my work made somewhat of a difference in our community.

Four people in particular made my entry into the digital forensics field so much easier than it could have been. First, Ovie Carroll and Bret Padres helped me just by doing CyberSpeak (sorry Lee) and helping me get a greater understanding of the issues and topics in the field. They also started talking about Twitter in one episode they were the first two people I started following. That led to my becoming acquainted with Luby Novitovic and Mark McKinnon soon thereafter. Both of them were always there to help when I had a question or needed advice. Since that time, I've been lucky to interact and become friends with so many great people in the field.

I have developed some great and close "in-person" friendships with DFIR people I initially met on Twitter. I won't try to name them all here because I will invariably forget someone. At a SANS DFIR conference several years ago I got to meet up with several of my Twitter friends and by the end of it I had a whole new appreciation for corn. Those who were there will understand the reference ;-) By and large, the DFIR people I know are lots of fun and smarter than I'll ever be.

I've always been grateful for the way people in this field are willing to help. There have been several times over the years I've had questions and never once did I have someone tell me to ask Google, even when maybe they should have. I've been fortunate to befriend quite a few people in the field and each has helped me in some way, whether they knew it or not. I have such great respect for so many DFIR people. I have been amazed that course developers, tool creators, authors and other "leaders" in the field  were so willing to provide their email address or phone number so I could ask for advice.

In addition to my DF work in law enforcement, I've also been running a successful part-time business on the side doing forensics, data recovery and general computer troubleshooting and repair. It had been my desire to turn that into a full-time business once I retired from police work. However, for a number of reasons I won't get into at this point, I've decided that isn't the way for me to go.

Furthermore, because of where I live, there are no companies doing DFIR close by that I could go to work for. I have no desire to be on the road the majority of the time, so the "head to the airport and fly out now" jobs probably aren't for me. I now live where I've wanted to live for a long time, surrounded by woods and family close by. I don't intend to move...ever. Because of all this, I don't see any real opportunity to remain in the field. That's not a complaint; it's just the way it is.

While I'm not willing to say I'll never be involved in forensics again, I don't see any likely scenarios for that happening soon. Still, I never say never, so who knows? I've loved learning and practicing forensics and I am grateful for every moment I've spent with it. Furthermore, I am grateful for all the friends I've met in the field and the opportunities I've been given to learn some really cool stuff.

Wednesday, May 13, 2015


I completely forgot to mention something in my last post. My friend Tom is doing a Year of Python series on his Ram Slack blog. He is posting a new Python 2 project each week for a whole year in his quest to learn. He's doing some very cool stuff and I recommend you check it out.

Friday, January 9, 2015

Nominations Open for 2014 Forensic 4cast Awards!

Hello all,

As the title of this post states, nominations are now open at the Forensic 4cast website for this years awards. These awards ceremony has become a highly anticipated event each year at the SANS DFIR Summit in Austin, Tx. I'm proud to say I've been nominated twice and won once, winning the 2013 Digital Forensic Blog of the Year.
I've already got some nominations in mind for this year and I plan to submit them soon. As far as blogs go, there are several that can be counted on year after year to provide first-rate content. You can always find excellent content on Corey Harrell's Journey Into Incident Response blog and Harlan Carvey's Windows Incident Response blog. I'm still making up my mind over those and a couple others.

Some candidates I'm considering nominating for Digital Forensic Examiner of the Year include Ken Johnson, Eric Zimmerman and Frank McClain. Ken has done some amazing work on Windows 8 forensic artifacts, while Eric has done excellent work in the area of shellbags artifacts and even released a tool called Shellbags Explorer. Frank is this guy who is always there for people. If you're on any of the DFIR related email lists, you've no doubt seen him there. He is often the first to reply to a request for help and can always be counted on for good advice and suggestions.

Without a doubt, I will be nominating The Art of Memory Forensics for Digital Forensic Book of the Year. I don't remember the last time a forensic book generated as much excitement at the time of its release as this one did. It's a huge book with so much good information. I will be very surprised if this book doesn't take the award. Win or lose, I offer my congratulations to Michael Hale Ligh, Jamie Levy, Andrew Case and AAron Walters on the success of this book.

For the software tool category, I'm looking at such good candidates as Brian Moran's Live Response and Eric Zimmerman's Shellbags Explorer. I'm sure others will come to mind, but these two are definitely in the running.

I do very little in the area of mobile device forensics, so I really don't have any opinions on the Phone Forensics categories. Likewise, I haven't had the opportunity to try out any new hardware, so I really have nothing to add there as well.

I'm still making up my mind on other nominations. If I failed to mention you or your favorites above, that doesn't necessarily mean I'm not considering them as well, so please don't be offended. These are the ones that stand out in my mind at this moment. There are so many good people, blogs and tools out there that it's hard to remember each one as I write this.

I hope you'll take the time to submit your nominations. Thanks again to Lee Whitfield for putting the awards program together each year.