Wednesday, May 9, 2012

This is my interpretation of "Bizarro" Forensics, which sadly, REALLY still happens.  I was recently reminded not only of this, but of just how big the forensic world is, how many investigators there are, and how far we still have to go.

Sniper Forensics (SF) is the targeted approach to conducting forensic investigations.  It helps the investigator to use logic to guide his/her investigation to find answers, not just gather data.  Now, I am not going to rehash SF, but I just wanted to mention it briefly for the purpose of comparison.

The opposite of SF would be to illogically and haphazardly gather data that may or may not be relevant to the case (who cares if it makes sense, just pull the plug and gather everything).  You would form your theory of what you or your client thinks happened, and force all of your evidence into that theory.  You would ignore any evidence that contradicted that theory, and think that anyone who actually questioned what you did, or the way you did it, is just plain wrong.

When asked questions like, "Did you perform Registry Analysis, Memory Analysis, or Pcap Analysis" you say..."Yes...I found nothing of evidentiary value".  Then I may ask, "OK, what kind of analysis did you perform?  What were you looking for?"  You would answer something like, "I did analysis...I didn't find anything".

You would then defend your lack of findings by stating that the evidence was not clear about what took place: "While you can never be 100% certain of what happened, based on my analysis and experience, there is no evident breach."

This may sound ridiculous, but it is sadly true.  There are still investigators who think like this, and cases that work like this.  Do you know of any?  I would love to hear your stories of Bizarro Forensics!  Email them to me and I will create a blog series with the best of the worst.  Should be entertaining!

I am working on my example now.  It's pretty bad...and yes...we found the breach and it was ugly!


  1. > You would then defend your lack of findings... noting other data. For example, I recently performed analysis of a system where, oddly enough, an admin had gone to great lengths to "clean up". I know, I know...that *never* happens. One of the things that the admin had done was run CCleaner.

    So, in creating my timeline, I noted that there were no application prefetch files available. Was this because the admin had run CCleaner? No, it was because the image was of a Windows 2008 R2 DataCenter edition system, which by default (confirmed by examining the Registry key) does not perform application prefetching.

    "The absence of an artifact where you expect to find one is itself an artifact." This means that we have the knowledge to understand what should be available, as well as the knowledge to go looking if we don't see what we expect to see. So, do we (a) simply note the lack of something, or (b) determine why there is an absence?

    Sadly, in my experience, some do not even do (a)...
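    The check described in the comment above (an empty Prefetch folder explained by the EnablePrefetcher Registry value rather than assumed to be the work of CCleaner) can be written down as a small triage routine. The following is an added example, not code from the post or the commenter: the verdict names, note text and the constructed sample inputs are this example's own. What it relies on is documented behaviour: EnablePrefetcher under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters` is a bitmask where bit 0 enables application launch prefetching and bit 1 enables boot prefetching, and `.pf` files accumulate in `%SystemRoot%\Prefetch` only when application prefetching is on.

```python
"""Triage helper: is an empty Windows Prefetch folder an expected artifact,
or a gap that needs explaining?  Added example; the assessment logic,
verdict names and sample inputs are this example's own."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, Optional

# Registry location of the prefetcher switch (HKLM hive).
PREFETCH_KEY = (r"SYSTEM\CurrentControlSet\Control\Session Manager"
                r"\Memory Management\PrefetchParameters")
PREFETCH_VALUE = "EnablePrefetcher"

# EnablePrefetcher is a small bitmask: bit 0 = application launch
# prefetching, bit 1 = boot prefetching.  0 disables both, 3 enables both.
APP_PREFETCH = 0x1
BOOT_PREFETCH = 0x2


class Verdict(Enum):
    EXPECTED_ABSENCE = "expected absence"
    UNEXPECTED_ABSENCE = "unexpected absence"
    PRESENT = "present"
    UNDETERMINED = "undetermined"


@dataclass
class PrefetchAssessment:
    enable_prefetcher: Optional[int]
    pf_count: int
    verdict: Verdict
    notes: List[str] = field(default_factory=list)


def app_prefetch_enabled(enable_prefetcher: Optional[int]) -> Optional[bool]:
    """True/False from the bitmask, or None when the value is missing."""
    if enable_prefetcher is None:
        return None
    return bool(enable_prefetcher & APP_PREFETCH)


def assess_prefetch(enable_prefetcher: Optional[int],
                    prefetch_dir_entries: Iterable[str]) -> PrefetchAssessment:
    """Combine the configuration with what the folder actually holds, so the
    absence of .pf files is explained rather than merely noted."""
    pf_files = [n for n in prefetch_dir_entries if n.lower().endswith(".pf")]
    count = len(pf_files)
    enabled = app_prefetch_enabled(enable_prefetcher)
    notes: List[str] = []

    if count > 0:
        verdict = Verdict.PRESENT
        if enabled is False:
            notes.append("application prefetching is off, yet .pf files exist: "
                         "the setting may have been changed after they were written")
    elif enabled is None:
        verdict = Verdict.UNDETERMINED
        notes.append(f"{PREFETCH_VALUE} not found under {PREFETCH_KEY}; "
                     "check the OS edition and the Superfetch/SysMain service state")
    elif enabled:
        verdict = Verdict.UNEXPECTED_ABSENCE
        notes.append("application prefetching is on but no .pf files remain: "
                     "look for deletion (cleaner tools, manual removal) or a fresh image")
    else:
        verdict = Verdict.EXPECTED_ABSENCE
        notes.append("application prefetching is disabled by configuration; "
                     "an empty folder is the normal state, not evidence of cleanup")
    return PrefetchAssessment(enable_prefetcher, count, verdict, notes)


def read_enable_prefetcher_live() -> Optional[int]:
    """On a live Windows host, read the value with winreg; None elsewhere
    or when the value is absent.  For an offline image, parse the SYSTEM
    hive with a registry tool instead and pass the value in."""
    try:
        import winreg  # Windows-only standard-library module
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PREFETCH_KEY) as key:
            value, _ = winreg.QueryValueEx(key, PREFETCH_VALUE)
            return int(value)
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real case.
    server_case = assess_prefetch(0, ["Layout.ini"])          # prefetching off
    cleaned_case = assess_prefetch(3, ["Layout.ini"])         # enabled, .pf gone
    normal_case = assess_prefetch(3, ["CMD.EXE-4A81B364.pf", "Layout.ini"])
    for case in (server_case, cleaned_case, normal_case):
        print(case.verdict.value, "|", "; ".join(case.notes))
```

    Run against the value pulled from the image's SYSTEM hive plus a directory listing of `Windows\Prefetch`, the routine turns option (a), "note the lack of something", into option (b), "determine why there is an absence": a value of 0 with an empty folder is the normal state of a system that never prefetched, whereas a value of 3 with only `Layout.ini` left is the case that warrants looking for a cleaner tool in the timeline.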

  2. I am finding cases where infrastructure security and IT staff are using tools without a complete understanding of what they do. In essence, they are slaves to the tool. Allow me to elaborate.

    A client (let's call them ACME) asked me to weigh in on the effects that formatting drives, using CCleaner, or re-Ghosting drives have on persistent data, and on what a digital forensic analyst may be able to recover. I agreed to attend the discussion with the relevant members and staff. Then, during the talk, I found that some management leads of the technical teams were apparently misinformed concerning the capability of tools like CCleaner, and how some data was still left behind for someone else to recover. The impact of this is whether a future user of a 'cleaned' system could be imperiled by an ineffective 'clearing' of the data, incorrectly believing the drive had been wiped before repurposing. Not only did the practitioners misunderstand the tool, but it seems they led the managers to believe it would accomplish the need of wiping the data, when in reality it did not, nor was it truly consistent with the management policy.

  3. "The opposite of SF..."

    If you had to name it, what would you call it? FEFF-Forensics? Blackian Forensics? ;-)