Wednesday, March 07, 2007

An Attempt at Live Response vs Traditional Forensics

There seems to be a great deal of confusion about live forensics versus traditional computer or dead forensics. I'm gonna try to explain it (at least as far as my opinion of it is) by comparing it to Police response to a murder.

Usually the first response to a murder is a patrol car. But even before they arrive, there are usually civilians on the scene disturbing, covering up or otherwise changing evidence, either just by their presence or maybe even intentionally if they are the perp. Now in the CF world these "civilians" are the IT staff and others at our client's office. We all know that sometimes the worst enemies of our potential evidence are the employees at the scene.

The patrol car guys are like the IT guys at the client who have the responsibility of being first response to an incident. Their job should be to contain the scene, preserve the integrity of evidence and to identify people on the scene when they arrive. For the IT staff that means following a prepared script usually set up for incidents. But the emphasis is on preservation and containment.

Then along come the detectives, whose main job everyone defines as investigative. But in a murder situation even the detectives start out in a preservation/containment mode. Their primary objective is to get all the evidence possible, identify all subjects on the scene, get statements, identify suspects, etc. Their "investigation" starts later, once they have the necessary input or evidence to investigate. This is us, the Forensic Analyst. Typically we think of our job as coming in, getting a dead image and heading back to the lab to "investigate".

BUT, and it's a big but, both the patrol guys and the detectives aren't going to watch a guy running off, or have a witness point out a suspect and not act to take him into custody or otherwise contain him. They aren't going to leave a loaded gun on the scene for someone to pick up. Sometimes the proper response to a murder requires making evidence acquisition secondary to capture of the suspect. Or if the victim isn't dead when they arrive they will trounce all over evidence to save his life. This is live forensics in action.

The police rely on training, "gut response" and experience to know when to go outside normal procedure in a situation. We must do the same. If the "crime" we are responding to involves running processes, memory evidence, network connections or other vaporous information, we must go outside "traditional" forensics and get it. Sure, it may get questioned in court, but if we have done our job and have documented our actions and the changes they caused, we can get it accepted as valid evidence. Remember, the standard is the best possible evidence, not the ONLY evidence.
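The point above, that volatile evidence is defensible only if every action taken on the running system is documented, is easy to state and easy to skip under pressure. The script below is an added example of what that documentation can look like in practice; it is not a tool from this blog or from anyone mentioned here. It runs a short list of collection commands in order of volatility, records for each one the exact command, start and finish time, byte count and SHA-256 of what came back, and hashes the resulting manifest so later tampering with the record is detectable. The command list, the examiner placeholder and the hypothetical `collect`/`record_artifact` names are my assumptions; a Windows responder would substitute the equivalent commands.

```python
"""Documented volatile-data collection (added example, not the blog's own tooling).

Each command is run in order of volatility; what it returned is hashed and the
command, timing and digest go into a manifest, so the actions taken on the live
system and their results can be shown to an attorney or opposing expert later.
"""
import hashlib
import json
import platform
import subprocess
import time
from typing import Callable, Dict, List

# Most volatile first. These commands are assumptions for a generic Unix-like
# host; on Windows the responder would substitute equivalents.
ORDER_OF_VOLATILITY: List[List[str]] = [
    ["ps", "-ef"],        # running processes
    ["netstat", "-an"],   # network connections and listeners
    ["who"],              # logged-in users
    ["uptime"],           # how long the system has been running
]


def _utc(ts: float) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def run_command(argv: List[str]) -> bytes:
    """Default runner: execute a command and return its raw output, never raising.

    A failed command is recorded rather than hidden; the failure is part of the
    account of what was done on the system.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60, check=False)
        return proc.stdout + proc.stderr
    except (OSError, subprocess.SubprocessError) as exc:
        return f"[collection error: {exc}]".encode()


def record_artifact(argv: List[str], data: bytes, started: float, finished: float) -> Dict:
    """One manifest entry: what was run, when, and a digest of what came back."""
    return {
        "command": " ".join(argv),
        "started_utc": _utc(started),
        "finished_utc": _utc(finished),
        "bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def collect(commands: List[List[str]] = ORDER_OF_VOLATILITY,
            runner: Callable[[List[str]], bytes] = run_command,
            examiner: str = "EXAMINER-NAME-PLACEHOLDER") -> Dict:
    """Run every command in the given order and build the collection manifest.

    `runner` is injectable so the record-keeping can be exercised without
    touching a real system.
    """
    manifest: Dict = {
        "examiner": examiner,
        "host": platform.node(),
        "collected_utc": _utc(time.time()),
        "artifacts": [],   # the documentary record
        "outputs": {},     # the raw evidence, keyed by command
    }
    for argv in commands:
        started = time.time()
        data = runner(argv)
        finished = time.time()
        entry = record_artifact(argv, data, started, finished)
        manifest["artifacts"].append(entry)
        manifest["outputs"][entry["command"]] = data.decode("utf-8", "replace")
    return manifest


def manifest_digest(manifest: Dict) -> str:
    """Hash the artifact list in canonical form so the record itself can be verified."""
    canon = json.dumps(manifest["artifacts"], sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()


if __name__ == "__main__":
    m = collect()
    print(json.dumps(m["artifacts"], indent=2))
    print("manifest sha256:", manifest_digest(m))
```

The manifest is what answers the "what did you change?" question in court: the tool's own process and its output files are among the changes, and the timestamps show exactly when each one happened. In a real kit the script and its outputs would live on the responder's own media rather than on the subject system.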

I know this doesn't do justice to the live forensics argument, but we gotta have a starting place and we have to convince our clients this is a viable and profitable forensic process.

Tuesday, March 06, 2007

Lessons from USAir??

Since I am in Charlotte NC, I am right smack in the middle of the USAir ticket kiosk fiasco. This morning I was being interviewed on the local News Talk radio, 1110 WBT, on the Charlotte's Morning News, about the Daylight Savings Time issue, when I was asked about US Air and what I would have done differently. My answer was, test the migration well before deploying it in production.

That being said, it made me start thinking about just how complex software is, how easy it is to break, and just how easy it would be for someone to intentionally do damage that way. Now, this is fiction, but why couldn't a disgruntled programmer or admin at US Air have purposely sabotaged the code or the kiosk OS to cause this massive headache for the airline? The answer is obviously they could have. Now as a forensic analyst I have all kinds of tools and methods to go back and discover and prove such actions after the fact, but what is out there that could prevent such a problem, or even worse ones? After all, this was just the reservation/ticketing system, not air traffic control or flight scheduling.

I am sure the IT folks from USAir are working around the clock and as hard and diligently as they can to solve this "glitch", but isn't this an ideal place for live forensics? Shouldn't there be an effort to get at the crucial information that has already been installed and stored on these kiosks at the same time the "fix" effort is going on? When they fix it, most all of the previous install and evidence will be gone. This would be valuable if it was a simple code error, and especially if it was malicious. Again, I'm not implying this is any kind of malicious act; I'm just using it as an example of the kind of problems malicious acts could cause.

I believe companies must get onboard with live forensic examinations. Too much valuable information that could go toward solving an incident, or at least documenting a policy violation or a hole in procedures, is being lost in the real world. Our infrastructure security and the security of corporate concerns are at risk. In the end, it is a matter of bottom line, and the expense is well worth it.

Thursday, February 08, 2007

Gardner Webb Univ

On Friday Feb 9, I will be presenting "Digital Forensics in Fraud Investigations" to the Institute of Management Accountants at Gardner Webb University in Boiling Springs NC. I'll post the results next week.

Also, I am trying to get a group started of Forensic Examiners in North Carolina, both private and Law Enforcement. If you have any interest, email me.

Live System Forensics

I have been spending more time recently preparing myself and my skills set for what I believe is a coming change in Computer Forensics, the increase in Live System Forensics and Acquisitions.

I feel this is going to happen for several reasons such as the increased use of whole disk encryption, larger and larger hard drives, and the increased need to capture and analyze the contents of memory.

As the discussion of live system forensics has come up in various venues, there seems to be a real fear that evidence obtained from a running system would not be allowed into a court of law. This was undoubtedly true once for fingerprints, DNA, and other scientific evidence. I can remember 35 or so years ago when even breathalyzer results had to be fought into evidence in the courts of North Carolina. It's going to take some attorneys who see the value of such evidence, who can see that the only way to obtain it will be from a live system, and who are willing to fight to get it accepted, to make this happen.

But it's also going to take us, the practitioners, to go out and, number one, learn how to properly do these exams; number two, develop the tools and methodologies to properly handle the evidence; and number three, "sell" this to attorneys and other investigators as a necessary move.

People like Harlan Carvey and Jesse Kornblum are doing a good job at leading the way researching and developing tools and methodologies for this kind of work. We all need to get on this wagon and help, whether it’s developing, asking questions, bringing up concerns, or getting out and using what is already there.

The forensics forums are full of people asking questions, but we need the right kind of questions. There are enough answers archived about entry into the field, the basics of images, etc. What we need is people to experiment, to practice, and when you hit a wall or find a new way, to share it.

As Harlan told me recently, the bad guys do a great job at sharing their methods without a formal structured group, why can’t we?

Friday, November 03, 2006

Real Life Imaging

Disk imaging is one of those details of our jobs we find all too easy to take for granted. Imaging in the lab takes on a robotic feel. Only the necessity of taking detailed notes in the case notebook keeps me from making those mistakes of familiarity.

But in the field it can be really different as I found out AGAIN this week. Seemed a simple job, I had been contracted to go to a small town about 45 miles away, and image 9 drives and then perform analysis on them back in the shop.

After meeting with the attorney and going over the discoveries and interrogatories, we thought we had a good idea of what was involved. The age of the computers in the answers, and the fact they said nothing had been repaired or upgraded since 2003, gave us an indication of drives in the 40-80GB range. So I headed off with my field acquisition kit and a box full of 80GB HDs. As always I threw in a couple of 160s "just in case".

Oh woe is me. The defendants didn't quite disclose the whole truth (maybe not any truth), and I found 12 computers with fairly new drives in the 100-160GB range. Not only that, but a couple of the cases were locked, and of course, no one knew where the keys were.

To make things even better, on the first day, even though we had an order from a Federal Judge to enter and acquire evidence, the employees on site called the local cops and had us removed from the property. The attorney had to contact the Judge and get us back in the next day under court auspices.

In short, there is no such thing as a routine day in on-site imaging. In the next few days I will discuss how we overcame the lack of information and how we achieved the imaging goal.

Since this blog is going to be aimed at the practical side of forensics, I'm going to try and cover real-life scenarios and situations we face in the real world every day.

Friday, October 13, 2006

USB Thumb Response Kit

I've posted this question on Forensic Focus: what would you put on two 1GB thumb drives, one for IR and one for CF Live? I want to get as many ideas as I can of what tools people in the field would use or would like to have instantly ready.

Once I get all the ideas I plan to accumulate the tools that are not commercial and post them for download at my website.

I have been looking back at past postings, and I see a lot of great information and requests for help and response about tools from Harlan, BUT I see very few comments and responses.

Folks, this is no way to build a community. We need active participation and sharing to even come close to keeping up with the bad guys. Have you ever explored how THEY do it???

We are already behind; if we don't get our collective a$$es in gear and start sharing our wealth of knowledge, we'll stay there.

Thursday, October 12, 2006


I've been having a running discussion with Harlan Carvey in the Forensic Focus Forums about innovation in the IR and CF worlds. One of the places we feel there can be innovation is in the area of communication. We are trying to come up with a way to get the word out about threats and solutions, about new tools, those that work and those that don't, and have a place where everyone can find an answer to their questions.

So, the rebirth of my blog. My intention is that my blog in some little way can complement Harlan's (see my links, windowsir) and we can get more people to join us in this endeavor. A blog, because of its chronological nature, would keep the latest news, tools, threats and solutions right up front where they can be useful. So, join in on one of our blogs, post those comments and questions, OR start your own blog to help us out.

Let's build a community of like-minded professionals and we can all benefit!