DFIR Training Blog



Coffee first, then the analysis

Every now and then (actually, more often than not), I come across a short statement or question on Twitter that packs more punch on second glance than you would first think.

Justin Boncaldo tweeted yesterday, “What is your favourite way to start an analysis? Mine is with the registry!”

This is an important question to ask, because if you start an analysis on the wrong path, the best result is that you realize the wrong start, restart, and still accomplish the analysis objective. The worst result is never finding out, and ending up with no conclusion, an unreasonable conclusion, or the wrong conclusion.

Everyone has their own way of doing things, even in the DFIR world. As long as the commonly accepted methods and processes are followed, we are each free to choose the path that best suits our personalities and skill levels, provided the path solves our case objectives. Usually, when starting out in a new field, we want to know exactly what to do, step by step, because we don't have the experience to make slight deviations from one task to the next. That is normal and expected, and by expected I mean that it should be this way, rather than 'winging it' without any experience to back it up.

Experience* typically gives us the ability to make quicker and better decisions. This applies to any job. A new police detective goes through the same process of learning as does a new forensic analyst. When I first became a detective, I typed a series of lists and steps of how to work a case, from start to finish. Things like: Who to call. The order of the reports in a case jacket. Who gets a copy of the case. Which judges to call for a search warrant. And so forth.

Everything was in a list because I didn't have the experience to do it any other way. My cases were really small-time in the beginning, and each one took a long time to wrap up. Experience allowed me to really work the cases by being able to deviate from the 'lists' as dictated by what happened dynamically in the investigations. Eventually I could work a case at any level, from buying a quarter gram of crack at the local crack house to ordering a shipping container of drugs from an international crime ring.

The key that I learned in working criminal cases, whether it was a stolen bike report or a homicide, is that before starting the case work, ask questions.

In the DFIR world, this is really important because the amount of data generally in front of you can be a career maker (or career killer): you could spend an entire career looking at it and never reach your goal, or you may be able to solve it in mere minutes.

Simply, the questions that I ask in every forensic endeavor are the same, and I need the answers before I can make a reasonable start of a plan.

  • What is the OS?
  • What is the case?
  • What is the case objective?
  • What is the time (and money) allotted?

Here are my reasons for these questions, at least for me:

What is the OS?

This is the first question because the rest of the questions hinge on the type of OS. Windows is different from Linux. Encrypted is different from unencrypted. An iPad is different from a laptop. Knowing what the OS (and device) is automatically puts my mind in the mode of thinking about where data is stored on the device, how it is stored, and the kind of data that is stored. As an example, I like the Windows registry a lot because of the goldmine of evidence in it, but if the evidence container is a Linux box, the registry leaves my mind and I can think about Linux-related artifacts.

The OS/device also blends right into the tools that I start planning to use. Yes, I have a favorite tool or two, but my favorite tool for a Windows box is different from my favorite tool for a Mac.

What is the case?

I have been handed machines and asked to 'find the evidence' without knowing what the case was, or at least the details of the case. I need to know the details of the case; otherwise, I promise that I will miss evidence. So I ask, and hope that I get answers to the questions that I ask.

By knowing the case details, I can start forming assumptions about what may have happened on the device and the types of artifacts related to this specific type of case, which blends into the types of tools that I may need to get started.

What is the case objective?

This is a big question because my case objective may or may not be the same as the end client's. The end client can be a prosecutor in a criminal case, an attorney in a civil case, or a manager in an internal case. The client, the person to whom you provide answers, has an objective to meet. I need to know the objective in order to meet it. So I ask, "What do you need out of this analysis?" This is not the same as asking "Do you need me to make sure this person is innocent or guilty?", but rather, "What exactly do you need to solve this case?"

There are times when I feel that the client may have the wrong objectives, but that doesn't mean that I go rogue and do what I feel is needed. It does mean that I give my opinion and still let the client decide what is needed, because the client probably knows best what their case requires to solve the problem. I am not saying that the client determines how you do an analysis, but that the client knows what they need in order to answer the questions they have been asked or must present answers for. I try to be on the same page with the client so that the best work is presented to the end audience. Communication is important!

What is the time (and money) allotted?

Like it or not, time and money affect every analysis, whether you are in the public or private sector. Time and money depend on how important the analysis is to your client. A "small" case where maybe $100 was stolen may be extremely important enough to spend all resources on if the $100 was stolen from an ultra-secure facility responsible for national security. In that case, 'how did this happen' may be the most important objective, not the actual $100. Importance is determined by your client (again, the client is whoever is asking you to do the analysis).

Knowing a ballpark figure of how much time I have to work a case determines how much depth I will go into with an analysis, and how fast the analysis goes as well. This also blends right into the types of tools, the specific processes and methods to choose, and determining which areas to focus on while bypassing others due to a lack of time. Lack of time can be due to a lack of resources (money, for one) or to time sensitivity (like a missing child).

In most cases, I ask these questions more than once during the analysis because of what I find (or don’t find) in the analysis. Sometimes the objective can be found early in the analysis and other times it may take longer. Some evidence that I find may even change the objective, such as identifying a more serious allegation/crime.

Your questions will be different from mine, and that is okay. But you can use mine if you like :)


*I inserted "typically" because sometimes, some people refuse to learn from experience, which is defined as both learning from mistakes and learning from doing things right.


Written by: Brett Shavers
