Tuesday, August 28, 2018

LIfe Update, a little Object ID research and More

It's been just over two years since I retired from the police department. As a retiree, I've enjoyed a lot of time with my wife, kids and grandkids, spent a lot of hours on my tractor, taken many walks in the woods and generally enjoyed life. As much as I've enjoyed my time off, I've realized I'm too young to be "really" retired.

While trying to figure out what I want to be when (if) I grow up, the field of digital forensics is always at the top of my list. I've missed the fun of learning cool new things and I miss solving cases. I often think back to my first case and how much I enjoyed doing that investigation. Finding what was on the computer and being able to report how and when it got there was so cool. Doing my own testing to find how artifacts were created and using that testing to help me tie the illegal materials in question to a certain user account, eventually getting a conviction was something I'll never forget.

I know that getting into forensics in the private sector won't be easy for me. I've accepted the possibility that it may never happen, but I'm going to give it a try. I know I have much to learn and catch up on. But honestly, learning the material is at least half the fun, right?

Speaking of learning, I watched the Forensic Lunch Test Kitchen with David Cowen a few days ago. In the video, he demonstrated the difference between Windows 7 and Windows 10 when it comes to the creation of an Object ID for a file. I recreated the test he did here and got the same results of course. But I started thinking about what may or may not change those results.

I wondered what might happen if I created the file as David did and then copied it to another location on the disk. I created a file called Never-opened.txt in my Documents folder. It was automatically given an object ID as expected from the earlier test. Next, I copied the file to another folder and used fsutil once again to check for an object ID for the copied file. In this case, no object ID was assigned.

Finally, I cut the file from it's original location and pasted it to another folder. the object ID traveled with the file to its new location. I went back and opened the copied file and as expected, a new object ID was created for it.  This testing all occurred on a Windows 10 Home system.

After talking with David, I've got a few other things I want to test as well. I'll post more when that's been done.

Finally, Brett Shavers wrote an excellent post on his blog How to start a digital forensic lab in your police department. The experiences he talked about were very similar to mine. He's absolutely right that you can make it happen, but it takes a lot of work and commitment to get it done. I was fortunate to have a chief who was very receptive to my ideas and helped me make it happen.

I wrote several grants to get funding for software and hardware. In addition to Federal grants, I was able to obtain funding from two different local foundations and one corporation. I like writing anyway, so getting to write a grant narrative explaining what I wanted and why was an enjoyable part of the process

Brett also talked about training. Like he mentioned, I paid my own way through some of my training (SANS FOR 508, 526 (old version) and 558 (old network forensics course). However, being in law enforcement, I also had the opportunity to attend training put on by the National White Collar Crime Center (NW3C). I took the NW3C BDRA and IDRA courses and those gave me an excellent introduction to the world of forensics prior to my SANS course attendance. If you are in in law enforcement, make sure you take advantage of the courses available to you for free through the NW3C.


That's it for now. I hope to start posting a little more often as time allows. Be well!

No comments:

Post a Comment