Monday, July 2, 2012

SANS DFIR Summit 2012 - Austin, TX - June 26 & 27


I had the opportunity to speak at the 5th SANS DFIR Summit last week in Austin on "Why Not to Stay in your lane as a Digital Forensic Examiner".  Slides can be found here.  This was the best conference I have attended to date, especially with regards to the sense of community felt amongst attendees.  Thanks to everyone who attended for making it a great experience.  And thanks to Rob Lee for inviting me to be part of an impressive group of speakers.  Not every digital forensic examiner has the opportunity to take a hiatus from casework and switch to the offensive side, like I have had, and I really appreciate being given the "airtime" to talk about what I have learned from the experience.  

Notable presenters included Cindy Murphy, for her keynote on the first day and her excellent 360 (6 minute) presentation, and David Nides (KPMG), who was absolutely amazing in his 360, debuting his GUI frontend to log2timeline.  Nick Harbour (CrowdStrike), my new idol, presented "Anti-Incident Response" and provided great insight into evasion tactics used to foil today's IR processes.  There were so many great presentations - I apologize for not mentioning everyone's here, but I had to head out early on Wednesday to return to work.  From what I heard, there were some amazing "end of summit" sessions that contained great technical content and were perhaps accompanied by chirping crickets!  Sorry to have missed that, and I hope next year's summit is just as fun!


Thursday, March 22, 2012

Parsing MFT Entries

I can’t share with you the specifics of the problems that make up the CFCE Mentor process, but I can tell you that knowing the ins and outs of basic file system structures is key.  Doesn’t give much away, does it?  To understand all of the intricacies of NTFS, I relied heavily on Brian Carrier’s book, File System Forensic Analysis.  My first exposure to this book was when my co-worker and friend (and former cop) lent me his copy WAY back when I was studying for my EnCE (Guidance Software’s EnCase Certified Examiner) certification.  Let me describe the condition of his book – that thing was dog-eared, sticky-tabbed, highlighted and underlined and stank of blood, sweat and tears.  I don’t think I had ever seen a book in such a “lovingly used” condition and at the time, I didn’t understand it.  Yet, now after putting the finishing touches on Problem 4 of my CFCE certification, I get it.  I now own two copies (and my husband has one, too!) and I keep one in the back of my car at all times.  I can’t stress enough the many mysteries the book has revealed to me.  Yet, there is one thing I ran into that was NOT in “the book” and I wish to share it here:

If you ever need to find the MFT entry number of a deleted entry, the old-school technique was to count the distance (in bytes) from the start of the MFT (Entry 0 - $MFT) to the start of the entry you needed to enumerate and divide that value by the size of an MFT entry (normally 1,024 bytes); the result is the entry number.  Two cautions apply.  The distance has to be measured inside the $MFT file itself (i.e. the logical offset of the record within $MFT), not as a raw disk offset, because $MFT can be fragmented across the volume.  And the 1,024-byte record size is a default, not a law: the actual size is recorded in the "clusters per MFT record" byte at offset 64 (0x40) of the boot sector, where a negative value n means the record is 2^-n bytes (0xF6 = -10 gives 1,024).  So, what I didn’t know, until just recently, is that there is an easier way.

At offset 44-47 (0x2C) of each MFT entry written by Windows XP and later, the 32-bit little-endian value is the entry's own MFT record number.  (See image below)  This field exists only in the NTFS 3.1 header layout: bytes 42-43 are padding and the fixup (update sequence) array begins at offset 48 (0x30).  In the older Windows NT/2000 layout the fixup array begins at offset 42 (0x2A) and there is no record number field, so a fixup-array offset of 0x30 in the header at bytes 4-5 is the tell that the field is present.  For a deleted entry the field survives until the record is reused; at that point the sequence number at bytes 16-17 is incremented, which is why a file reference pairs the entry number with that sequence value.
So, what does this mean? 
1.)    You need to write on p. 354 of your Carrier book a note in the top margin that offset 44-47 of the data structure of the basic MFT entry represents the Entry Record Number (for NTFS 3.1 / Windows XP and later).

2.)    You no longer need to do MATH to figure out the MFT entry number.  The old division is still a useful cross-check: if the header value and (offset within $MFT) / (record size) disagree, you are either using the wrong record size or not looking at the record you think you are.

This clearly is not easy-to-find information and that is why I was motivated to write this post. I spent DAYS searching for this information and found some very confusing documentation on the subject but no specifics!
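To make the two methods concrete, here is a small parser I have added for this post; it is not the post's original content and not taken from any tool mentioned above.  It reads the fixed header of one FILE record, returns the record number from offset 44 when the NTFS 3.1 layout is present (fixup array at 0x30), falls back to the offset-division method otherwise, verifies the fixup values so a torn record is flagged, and decodes the record-size byte from the boot sector.  The sample record is constructed in code (record number 12345, sequence 5, not in use) rather than taken from a real volume, so the only assumptions are the field offsets described in the text.

```python
import struct
from typing import Optional

DEFAULT_RECORD_SIZE = 1024  # the usual size; confirm it from the boot sector (mft_record_size)
SECTOR_SIZE = 512


def mft_record_size(clusters_per_record: int, cluster_size: int) -> int:
    """Decode the 'clusters per MFT record' byte at offset 0x40 of the NTFS boot sector.

    The byte is signed: a negative value n means a record is 2**(-n) bytes
    (0xF6 = -10 -> 1024, 0xF4 = -12 -> 4096); a positive value counts clusters.
    """
    signed = clusters_per_record - 256 if clusters_per_record >= 0x80 else clusters_per_record
    return 2 ** (-signed) if signed < 0 else signed * cluster_size


def entry_number_from_offset(offset_in_mft: int, record_size: int = DEFAULT_RECORD_SIZE) -> int:
    """The old-school method: distance from the start of $MFT divided by the record size.

    offset_in_mft must be the offset inside the $MFT *file* (entry 0), not a raw disk
    offset, because $MFT may be fragmented across the volume.
    """
    if offset_in_mft % record_size:
        raise ValueError("offset is not aligned to a record boundary")
    return offset_in_mft // record_size


def parse_mft_header(record: bytes, offset_in_mft: Optional[int] = None) -> dict:
    """Parse the fixed header of one FILE record and recover its entry number.

    Little-endian layout, byte offsets:
      0-3 'FILE'   4-5 fixup array offset   6-7 fixup entry count   8-15 $LogFile LSN
      16-17 sequence number   18-19 hard-link count   20-21 first attribute offset
      22-23 flags (1 = in use, 2 = directory)   24-27 used size   28-31 allocated size
      32-39 base record reference   40-41 next attribute id
      42-43 padding and 44-47 this record's number (NTFS 3.1 / Windows XP and later only)
    """
    if len(record) < 48:
        raise ValueError("record too short to hold an MFT entry header")
    sig = record[0:4]
    if sig != b"FILE":
        raise ValueError(f"bad signature {sig!r}: BAAD marks a corrupt entry, zeros an unused one")
    (fixup_off, fixup_cnt, lsn, seq, links, attr_off, flags,
     used, alloc, base_ref, next_attr) = struct.unpack_from("<HHQHHHHIIQH", record, 4)

    # NTFS 3.1 puts the fixup array at 0x30, leaving room for the record number at
    # 0x2C; the NT/2000 layout starts the array at 0x2A and has no such field.
    if fixup_off >= 48:
        number, source = struct.unpack_from("<I", record, 44)[0], "header"
    elif offset_in_mft is not None:
        number, source = entry_number_from_offset(offset_in_mft, len(record)), "offset"
    else:
        number, source = None, "unknown"

    # Fixup check: on disk the last two bytes of every sector hold the update
    # sequence number; a mismatch means a torn write and suspect contents.
    usn = struct.unpack_from("<H", record, fixup_off)[0]
    fixups_ok = all(
        struct.unpack_from("<H", record, (i + 1) * SECTOR_SIZE - 2)[0] == usn
        for i in range(fixup_cnt - 1)
    )
    # Cross-check the header value against the division method when an offset is known.
    consistent = None if offset_in_mft is None else number == offset_in_mft // len(record)
    return {
        "record_number": number, "number_source": source, "offset_consistent": consistent,
        "sequence": seq, "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
        "link_count": links, "first_attr_offset": attr_off, "used_size": used,
        "allocated_size": alloc, "base_record": base_ref & 0xFFFFFFFFFFFF,
        "next_attr_id": next_attr, "lsn": lsn, "fixups_ok": fixups_ok,
    }


def build_sample_record(record_number: int, seq: int = 5, in_use: bool = False,
                        size: int = DEFAULT_RECORD_SIZE) -> bytes:
    """Constructed NTFS 3.1-style record for demonstration; not from a real volume."""
    rec = bytearray(size)
    usn = 0x0007
    sectors = size // SECTOR_SIZE
    attr_off = (48 + 2 * (sectors + 1) + 7) & ~7          # first attribute, 8-byte aligned
    rec[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQH", rec, 4, 48, sectors + 1, 0x1234, seq, 1, attr_off,
                     1 if in_use else 0, attr_off + 8, size, 0, 4)
    struct.pack_into("<I", rec, 44, record_number)        # the XP+ record number field
    struct.pack_into("<H", rec, 48, usn)                  # fixup array: USN, then saved tails
    struct.pack_into("<I", rec, attr_off, 0xFFFFFFFF)     # end-of-attributes marker
    for s in range(1, sectors + 1):                       # on-disk form: sector tails = USN
        struct.pack_into("<H", rec, s * SECTOR_SIZE - 2, usn)
    return bytes(rec)


if __name__ == "__main__":
    sample = build_sample_record(12345)
    print(parse_mft_header(sample, offset_in_mft=12345 * DEFAULT_RECORD_SIZE))
```

On a real image, feed parse_mft_header the 1,024 (or 4,096) bytes of the record as carved from $MFT and pass its offset within $MFT as offset_in_mft; a "header" source with offset_consistent False is the signal to re-check the record size from the boot sector before trusting either number.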


Sunday, January 22, 2012

Mentoring in Digital Forensics

After running the gauntlet of forensic certifications, I have come upon one that is meeting my need for mentoring - having someone else look over my methodologies and give me some feedback.  I am currently working through the mentoring portion of the CFCE (Certified Forensic Computer Examiner) certification program through IACIS.  This is historically a certification only open to Law Enforcement, but just a year or so ago, they opened it up to those who meet other criteria. (https://www.iacis.com/certification/cfce_faqs)  What makes this one different is the mentoring phase - where the candidate performs acquisition/analysis/report writing and sends it to the mentor for critique.  The mentors in the program are volunteers - professionals who are just trying to "pass it forward" and further other examiners' knowledge. 

You may ask, "Why is mentoring so valuable?  Doesn't everyone get that through OJT (on the job training)?"  I can answer that question with a simple "No."  In my past experience, some forensics teams have such a heavy workload that the mentoring/on-boarding process is quite brief.  In other instances, managers decide that peer case reviews are a waste of time.  When I asked to initiate a monthly case review at one of my old workplaces, I was told that I must have "low self-esteem" and that our cases were so routine that time spent reviewing the analysis and reporting of a case as a team would be wasted. 

Whatever the reason, the importance of mentoring, or as they call it in the educational realm, "scaffolding", cannot be overlooked.  Scaffolding is a teaching strategy that supports the novice by limiting complexities and gradually removing those limits as he gains more skills and confidence.  For a new forensic examiner, this type of model would involve working cases with another examiner on the team, then performing supervised acquisitions, working up to analysis and report writing.  This type of mentoring is an excellent way to ensure all examiners on a team are aware of and are performing within the organizational SOPs.  No matter how strong a team you have (or think you have), collaboration and group think can strengthen individual skills and build esprit de corps.