DFIR Training Blog



Think outside the box (literally)

Few clichés are more worn out than the tired “think outside the box”. I still say it, but when I do, I mean it literally: do not conduct an analysis solely within the physical box (CPU). Remember, everything that happens with data has happened because a person or persons made it happen. People do not live in a box. They live and operate in the outside world.

People are behind actions.

Every bit of evidence you find has a reason to be there. Someone made it happen. There was a thought, a plan, an intention, and an action to make it happen. Evidence that should exist but does not carries the same weight, since it takes someone to make it appear as if it did not happen.

Sometimes your job requires fixing a problem (such as a breach) and making it so the problem has less risk of happening again. In many of these types of jobs, identifying the suspect would be a waste of resources, since there is no remedy to the problem other than reducing the risk of the next intrusion. However, if you are in the business of catching bad guys, then you need to literally think outside the box with your forensic analysis.

Identifying the modus operandi (M.O.) can help establish the suspect’s intentions and identity. You can find the M.O. through forensic artifacts. You can also find more than just the M.O., such as traces of evidence inside the box that lead to clues outside the box, like geographical locations or the actual names of suspects. Outside the box, interviews with potential suspects, even those who may lie, can give clues as to what to look for inside the box. Just as it is important to validate your forensic findings, it is important to validate (corroborate) investigative findings with other facts. Finding evidence on a device is great, but it is much better when you have information obtained outside the exam that corroborates the evidence on the device.

The way I look at it, when tracking suspects, I use whatever clues I have at hand to lead to the next clue. If starting with digital forensics, that means I want to use what I find in the box to lead me to a person outside the box. To do that, I need to remember that a forensic analysis is just a forensic analysis. But when you couple it with thinking outside the box, you get an investigation that finds your bad guy, and not just data.


Written by: Brett Shavers
