Tuesday, August 28, 2018

Life Update, a little Object ID research and More

It's been just over two years since I retired from the police department. As a retiree, I've enjoyed a lot of time with my wife, kids and grandkids, spent a lot of hours on my tractor, taken many walks in the woods and generally enjoyed life. As much as I've enjoyed my time off, I've realized I'm too young to be "really" retired.

While trying to figure out what I want to be when (if) I grow up, the field of digital forensics is always at the top of my list. I've missed the fun of learning cool new things and I miss solving cases. I often think back to my first case and how much I enjoyed doing that investigation. Finding what was on the computer and being able to report how and when it got there was so cool. Doing my own testing to find how artifacts were created and using that testing to help me tie the illegal materials in question to a certain user account, eventually getting a conviction was something I'll never forget.

I know that getting into forensics in the private sector won't be easy for me. I've accepted the possibility that it may never happen, but I'm going to give it a try. I know I have much to learn and catch up on. But honestly, learning the material is at least half the fun, right?
-------------------------

Speaking of learning, I watched the Forensic Lunch Test Kitchen with David Cowen a few days ago. In the video, he demonstrated the difference between Windows 7 and Windows 10 when it comes to the creation of an Object ID for a file. I recreated the test he did here and got the same results of course. But I started thinking about what may or may not change those results.

I wondered what might happen if I created the file as David did and then copied it to another location on the disk. I created a file called Never-opened.txt in my Documents folder. It was automatically given an object ID as expected from the earlier test. Next, I copied the file to another folder and used fsutil once again to check for an object ID for the copied file. In this case, no object ID was assigned.

Finally, I cut the file from its original location and pasted it to another folder. The object ID traveled with the file to its new location. I went back and opened the copied file and as expected, a new object ID was created for it. This testing all occurred on a Windows 10 Home system.
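A scripted version of the copy-versus-move test above, added here as an example and not part of the original post. It assumes an elevated PowerShell prompt on an NTFS volume, that the move stays on the same volume (a cross-volume move is a copy plus delete), and that `fsutil objectid query` prints a line of the form "Object ID is : <32 hex digits>"; the `oid-test` directory and the file contents are constructed for the test.

```powershell
# Added example, not from the original post: scripts the copy-vs-move
# Object ID test with fsutil. Assumptions: elevated PowerShell on Windows,
# NTFS volume, same-volume move, and the fsutil output line format
# "Object ID is : <32 hex digits>".
$base = Join-Path $env:USERPROFILE 'Documents\oid-test'   # constructed test dir
foreach ($d in 'src', 'copy', 'move') {
    New-Item -ItemType Directory -Path (Join-Path $base $d) -Force | Out-Null
}

function Get-ObjectId {
    param([string]$Path)
    # Returns the 32-hex-digit Object ID, or $null when the file has none.
    $out = (& fsutil objectid query $Path 2>&1) -join ' '
    if ($out -match 'Object ID is\s*:\s*([0-9a-fA-F]{32})') { return $Matches[1] }
    return $null
}

$src  = Join-Path $base 'src\Never-opened.txt'
$copy = Join-Path $base 'copy\Never-opened.txt'
$move = Join-Path $base 'move\Never-opened.txt'

Set-Content -Path $src -Value 'test'
$createdId = Get-ObjectId $src
if (-not $createdId) {
    # The post's file received an ID from the OS; a file created from PowerShell
    # rather than Explorer may not. Assign one explicitly so the copy/move
    # comparison below is still meaningful.
    & fsutil objectid create $src | Out-Null
    $createdId = Get-ObjectId $src
}

Copy-Item -Path $src -Destination $copy -Force
$copyId = Get-ObjectId $copy        # post: a copy receives no Object ID

Move-Item -Path $src -Destination $move -Force
$moveId = Get-ObjectId $move        # post: the ID travels with the moved file

[pscustomobject]@{
    CreatedId       = $createdId
    CopyHasObjectId = [bool]$copyId
    MoveHasObjectId = [bool]$moveId
    MoveKeptSameId  = ($moveId -eq $createdId)
} | Format-List
```

The post's final step (opening the copied file so it gains its own ID) is left out, since it depends on an interactive shell application opening the file.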

After talking with David, I've got a few other things I want to test as well. I'll post more when that's been done.
-------------------------

Finally, Brett Shavers wrote an excellent post on his blog How to start a digital forensic lab in your police department. The experiences he talked about were very similar to mine. He's absolutely right that you can make it happen, but it takes a lot of work and commitment to get it done. I was fortunate to have a chief who was very receptive to my ideas and helped me make it happen.

I wrote several grants to get funding for software and hardware. In addition to Federal grants, I was able to obtain funding from two different local foundations and one corporation. I like writing anyway, so getting to write a grant narrative explaining what I wanted and why was an enjoyable part of the process.

Brett also talked about training. Like he mentioned, I paid my own way through some of my training (SANS FOR 508, 526 (old version) and 558 (old network forensics course)). However, being in law enforcement, I also had the opportunity to attend training put on by the National White Collar Crime Center (NW3C). I took the NW3C BDRA and IDRA courses and those gave me an excellent introduction to the world of forensics prior to my SANS course attendance. If you are in law enforcement, make sure you take advantage of the courses available to you for free through the NW3C.

-------------------------

That's it for now. I hope to start posting a little more often as time allows. Be well!

Friday, June 30, 2017

DFIR Reminiscing

Hello all. I have a new, mostly non-forensics blog that I occasionally post to. I just posted yesterday on a topic that I thought would be interesting to readers of this blog as well. The post is about fun/cool stuff I've acquired over the last few years from conferences and friends. Instead of re-posting it here, just take a look at the post on my Mental Field Trip blog.

Thursday, February 2, 2017

2017 Forensic 4:cast Awards Nominations are Open!

Just in case anyone still stops by this blog, I wanted to post that nominations are now open for the 2017 Forensic 4:cast Awards. Click HERE to go and nominate your favorites. I think the 4:cast Awards are a very good thing for the DFIR community and encourage you to participate. Thanks to the great Lee Whitfield for continuing to run the awards program every year. Your efforts do not go unappreciated.

Regarding my last post way back in July, I was unable to attend ArchC0n 2016 due to illness. I'm really sorry to have missed it, especially since I learned recently that this was the final ArchC0n. Congratulations and thanks to Paul Jaramillo and crew for what was an excellent conference.

Since my retirement, I haven't been especially active in the world of forensics. I did work one case for the local sheriff's office that involved a Raspberry Pi. That was my first Linux related investigation and it was pretty interesting. When I get some time and my thoughts together, I'll try to post about it as it was fun working something different than a Windows case.

Till the next time, take care and don't forget to head over to the Forensic 4:cast website and nominate your favorites for an award.


Friday, July 29, 2016

ArchC0n 2016

Hello Dear Readers. I have returned to the blogosphere (I hate that term) to remind you of a great security conference coming up. ArchC0n 2016 will be held August 26 at the Hyatt Regency in St. Louis.

This will be the third annual ArchC0n and once again it looks like it's going to be a great one. I've attended the previous events and had a great experience with each. I cannot recommend this conference enough.

I like to call ArchC0n the "little con that could" because, for a new conference, they've consistently come up with great speakers and workshops. This year looks to be no different in that respect. Malware is one of my favorite subjects and there will be plenty of info on that topic presented by Harlan Carvey and Andrew Pease. I've attended several of Harlan's talks over the last few years and can tell you he's an entertaining speaker.

Likewise, I've previously attended talks by Kyle Maxwell, Andrew Hay, Robert M Lee and Scott Roberts. Each of them is someone I look up to in the field and I'm excited to hear them speak again. You can view the full list of speakers and trainers HERE. The program schedule can be found HERE.

I'm planning to attend ArchC0n 2016 and I hope to see you there too. It's a great conference and it's one that I hope will continue to be an annual event for a very long time to come. Follow the ArchC0n Twitter account for news.

Tuesday, April 5, 2016

Farewell to a Friend

As many of you know already, our friend and fellow forensics practitioner, Ken Johnson, was killed last night when the vehicle he was riding in was struck by a drunk driver. To say that those who knew him are saddened by this is an understatement. Ken was a great guy and great at DFIR.

When Windows 8 arrived on scene, Ken began studying its file history and other related features. He became an expert on the subject and presented his findings at conferences. I remember speaking with him after one of his early presentations and he wasn't happy with how he had done. But I was lucky enough to attend several other of his presentations and I remember telling him after one of them how much more confident he seemed at the microphone. Each time I saw him present he was better than the time before and I was so happy to see him doing well.

Ken and I spent quite a bit of time together at the last WACCI conference. I had been asked to fill in for David Nides and present in one of the breakout sessions. Ken was the guy building me up that time. I was nervous, as that was the first (and so far only) time I had presented to a DFIR group. We attended each other's talks and he was very supportive, making it sound like I did better than I probably really did.

When I finally got my first Windows 8 investigation, Ken was the first one to volunteer his assistance. As it turned out, I wound up asking him several things and he was very helpful.

The last time I saw him in person was a couple years ago at ArchC0n in St. Louis, though we had corresponded occasionally via email, Twitter or Facebook since then. I will miss his friendship and smile. I am thankful I knew him and got to spend a little time with him. I offer my condolences to his wife and children along with his entire family and colleagues at KPMG. Rest in peace Ken.

Wednesday, February 24, 2016

The End

The time has come to say farewell. My time in both law enforcement and in digital forensics is rapidly coming to an end. I have reached the age at which I decided long ago I wanted to retire from police work.

Despite my occasional gripes, law enforcement, specifically my department, has been very good to me and I am grateful. It has been an exciting, boring, depressing, thrilling, scary and interesting job over the last 28 years. It's not every line of work that allows you the thrill of being pepper sprayed and shot with a Taser without being taken to jail shortly thereafter.

Law enforcement opened the door to my entry into digital forensics. I came in to DF barely knowing what it even was, but my interest in computers mixed with my desire to fight crime drove me to get more involved. I've had a few interesting cases, seen a few images and videos I wish I could forget and felt like my work made somewhat of a difference in our community.

Four people in particular made my entry into the digital forensics field so much easier than it could have been. First, Ovie Carroll and Bret Padres helped me just by doing CyberSpeak (sorry Lee) and helping me get a greater understanding of the issues and topics in the field. They also started talking about Twitter in one episode, and they were the first two people I started following. That led to my becoming acquainted with Luby Novitovic and Mark McKinnon soon thereafter. Both of them were always there to help when I had a question or needed advice. Since that time, I've been lucky to interact and become friends with so many great people in the field.

I have developed some great and close "in-person" friendships with DFIR people I initially met on Twitter. I won't try to name them all here because I will invariably forget someone. At a SANS DFIR conference several years ago I got to meet up with several of my Twitter friends and by the end of it I had a whole new appreciation for corn. Those who were there will understand the reference ;-) By and large, the DFIR people I know are lots of fun and smarter than I'll ever be.

I've always been grateful for the way people in this field are willing to help. There have been several times over the years I've had questions and never once did I have someone tell me to ask Google, even when maybe they should have. I've been fortunate to befriend quite a few people in the field and each has helped me in some way, whether they knew it or not. I have such great respect for so many DFIR people. I have been amazed that course developers, tool creators, authors and other "leaders" in the field were so willing to provide their email address or phone number so I could ask for advice.

In addition to my DF work in law enforcement, I've also been running a successful part-time business on the side doing forensics, data recovery and general computer troubleshooting and repair. It had been my desire to turn that into a full-time business once I retired from police work. However, for a number of reasons I won't get into at this point, I've decided that isn't the way for me to go.

Furthermore, because of where I live, there are no companies doing DFIR close by that I could go to work for. I have no desire to be on the road the majority of the time, so the "head to the airport and fly out now" jobs probably aren't for me. I now live where I've wanted to live for a long time, surrounded by woods and family close by. I don't intend to move...ever. Because of all this, I don't see any real opportunity to remain in the field. That's not a complaint; it's just the way it is.

While I'm not willing to say I'll never be involved in forensics again, I don't see any likely scenarios for that happening soon. Still, I never say never, so who knows? I've loved learning and practicing forensics and I am grateful for every moment I've spent with it. Furthermore, I am grateful for all the friends I've met in the field and the opportunities I've been given to learn some really cool stuff.

Wednesday, May 13, 2015

Addendum

I completely forgot to mention something in my last post. My friend Tom is doing a Year of Python series on his Ram Slack blog. He is posting a new Python 2 project each week for a whole year in his quest to learn. He's doing some very cool stuff and I recommend you check it out.