And here I sit at another airport, Dallas-Ft. Worth this
time, writing another blog post. And yet
again, I am reminded by an issue that continues to plague my forensic
brethren. The heavy reliance on tools.
I am a member of several forensic/IR mailing lists, I read
the blogosphere, and I try to keep up with many of you on twitter. In addition, I have a strong relationship and
presence with many law enforcement agencies (local, state, federal and foreign)
and the officers assigned to perform DF and IR.
I intentionally don't comment very much, mostly because I don't think
very many people would like my answers, but I help out when and where I can.
So to get right down to it, I still see a strong reliance on
tools to solve cases for you. I have also
seen a number of posts and tweets recently where investigators are trying to
make certain tools do certain things they are either not well suited to do, or
where a much better solution exists. To
all this, I say, "stop"!
Stop stop stop stop it!
Relying on tools to solve your case for you in like relying on a pile of
wood and a nail gun to build your house.
It doesn't work. It's never going
to work. The sooner you come to that
conclusion, the better off you will be.
Instead of simply ranting about tool reliance, allow me to explain
myself.
All of our investigations are made up of data elements. Some have evidentiary value, while others do
not, but it's all there...plain ole data.
Just sitting there waiting to have something done with it. The question investigators SHOULD BE ASKING
FIRST is what question am I trying to answer, not what tool do I need to
use! How in the world could you possibly
know what tool to use before you know what you are going to do, and why? You can't!
Now, I understand that in some cases there are just
"goto" tools. For example, I
use fls in each and every case to create a timeline, I use Log2timeline or
regtime to add registry hives into my timeline, I use Reg Ripper to parse my
registry hives into human readable text, I always dump log files into flat text
with DumpEl, and I always use pstools to dump running process information. So I get that you have to use certain tools
by default to get you to a good starting point...I do the same thing. But that's about where it ends for me.
I don't always pull web history, I don't always scan an
image with AV, I don't always extract the $MFT, and I rarely use EnCase. Why?
Because I don't always have to!
For example, when I know malware has been deployed on a Point of Sale
(POS) system by RDP, why would I need to pull web logs? Answer...I don't. We browser history has nothing to do with my
case. BUT, if I see that malware may
have been downloaded...let's say by reviewing ntuser.dat hives from admin
users, or from evidence I find in my timeline, then OK, I will grab web history
to see if I can find an additional data point that would indicate that my
malware was downloaded via the web...it makes sense in that case to do so.
I don't always scan an image with AV. Why would I?
For those of us that pretty much live and breathe malware, we know that scanning with AV is only going
to be marginally useful, if at all. It's
going to point out known samples or common variants, and that's about it. If the malware is custom, or is a new variant
the scans will be of no value. You are
FAR better off identifying the running processes and looking for common IOCs
and APIs used by the different types of malware depending on functionality. BUT, if I am asked to find all occurrences of
malware on a specific system, regardless of what it is or what it does,
sure...I will scan it...because that's what I was asked to do.
I don't always extract the $MFT...b/c I don't always have
to. Since a timeline is generated from
the Standard Information ($SI) attribute anyway, I already have half of the
$MFT don't I? The only time I would
extract and parse the $MFT...which Harlan's MFT.pl is awesome for...is when I
suspect chronological (aka timestopming) modification has taken place. HOW do I know that timestomping has taken
place if I don't first parse the $MFT and compare the $SI to the File Name
($FN) attribute? I have seen it before,
and I know what the IOCs are. I know
what signs to look for that would lead me to believe that some kind of
modification has taken place. Things
like pre-fetch files that are identical to creation times save for the year,
the mili-seconds field being set to all zeros, and files located with other files I
know to be components of the malware, with different creation times.
So OK Chris...what's your point here? To simply berate us for using and relying to
tools to give us information? We NEED
that information to solve cases...how the heck else are we suppose to do our
jobs?
GREAT point! So let
me answer...USAGE of tools is OK, and like you said, you cannot do your job
without them! Neither can I. RELIANCE on tools to do the work for you is
not OK...and as Cory would say, "it is the suck".
Step back for a moment and breathe in...and breathe out. Clear your head and just think. What are you doing? What question
are you trying to answer? Why? What information do you need to answer that
question? What does the data tell
you? These questions are the essence of
the Sniper Forensics methodology. I
(among others) have been talking about this philosophical shift for four years
and yet there is still considerable resistance in the community, which I really don't understand.
The best tool in your toolbox is your brain. What Harlan has dubbed,
"Wetware". Think through your
cases. Ask a LOT of questions. Actually take the time to answers your
questions. Let the data guide your
theory. It's really not that complicated when you break it down into smaller, more manageable components.
I will close this post with a short story. I was recently asked to assist a LE Officer
with a case he had been working on for a month.
I started by asking him a lot of questions...what are you trying to do?
What was the crime? What
information are you hoping to identify?
How will that information help your case if we find it? How will it change your investigation if the
data is not there? What is the timeframe
of the incident? How do you know that
was the timeframe? What supporting
evidence do you have that indicates that timeframe is accurate? After listening carefully to his answers and
writing them down in my case notes, I knew exactly what to do.
I created my investigation plan. Indicated what I was looking for and
why. I took notes on where I would
likely find that data, what it would generally look like, and what I would do
if I found it, as well as what I would do if I didn't find it. In total, about 30 minutes of
pre-work...maybe 45 since I was drinking a cup of coffee and typing at the same
time.
When I actually put fingers to keyboard I found what the
officer was looking for, and helped him solve the case in...wait for
it...waaaaaaiiiittt for it....15 minutes.
He had been haphazardly looking for "bad stuff" for a full
month...four weeks...30 days. It took me
longer to write my notes and drink my coffee than it did to find the evidence
he was looking for. Why you ask? Because I took the time to use my
Wetware! I actually THOUGHT about what I
was going to do, why, and what I was looking for before I ever put my hands on
the keyboard, mounted an image, or touched any piece of data.
OK Chris...whatever...you show off...it's ONE case. You got lucky. My cases are complicated...it's simply not
that simple for me!
Good point...and maybe you are correct. BUT, I have been using this methodology for
four years, in each and every case. For
us in the SpiderLabs, that equates to just under 1000 cases (yes, we keep
track). So my team, in almost 1000 cases
have seen this methodology work each and every time. Without fail, and without exception. Small cases with a single piece of evidence
(like an SD card) to huge cases with hundreds of systems. It just plain works.
So, for all you naysayers out there, for the skeptics and
the old school "pull-the-pluggers", I say, "try it". Try doing it my way. What do you have to lose? Certainly not more time! What do you have to gain? How about solving your cases in a fraction of
the time you currently solve them in? How
about clearing your ever increasing backlog?
Sounds like a pretty safe trade to me.
Happy Hunting.
