Wednesday, May 23, 2012


And here I sit at another airport, Dallas-Ft. Worth this time, writing another blog post.  And yet again, I am reminded of an issue that continues to plague my forensic brethren.  The heavy reliance on tools.

I am a member of several forensic/IR mailing lists, I read the blogosphere, and I try to keep up with many of you on twitter.  In addition, I have a strong relationship and presence with many law enforcement agencies (local, state, federal and foreign) and the officers assigned to perform DF and IR.  I intentionally don't comment very much, mostly because I don't think very many people would like my answers, but I help out when and where I can.

So to get right down to it, I still see a strong reliance on tools to solve cases for you.  I have also seen a number of posts and tweets recently where investigators are trying to make certain tools do certain things they are either not well suited to do, or where a much better solution exists.  To all this, I say, "stop"!

Stop stop stop stop it!  

Relying on tools to solve your case for you is like relying on a pile of wood and a nail gun to build your house.  It doesn't work.  It's never going to work.  The sooner you come to that conclusion, the better off you will be.  Instead of simply ranting about tool reliance, allow me to explain myself.

All of our investigations are made up of data elements.  Some have evidentiary value, while others do not, but it's all there...plain ole data.  Just sitting there waiting to have something done with it.  The question investigators SHOULD BE ASKING FIRST is what question am I trying to answer, not what tool do I need to use!  How in the world could you possibly know what tool to use before you know what you are going to do, and why?  You can't!

Now, I understand that in some cases there are just "goto" tools.  For example, I use fls in each and every case to create a timeline, I use Log2timeline or regtime to add registry hives into my timeline, I use Reg Ripper to parse my registry hives into human readable text, I always dump log files into flat text with DumpEl, and I always use pstools to dump running process information.  So I get that you have to use certain tools by default to get you to a good starting point...I do the same thing.  But that's about where it ends for me.

I don't always pull web history, I don't always scan an image with AV, I don't always extract the $MFT, and I rarely use EnCase.  Why?  Because I don't always have to!  

For example, when I know malware has been deployed on a Point of Sale (POS) system by RDP, why would I need to pull web logs?  Answer...I don't.  Web browser history has nothing to do with my case.  BUT, if I see that malware may have been downloaded...let's say by reviewing ntuser.dat hives from admin users, or from evidence I find in my timeline, then OK, I will grab web history to see if I can find an additional data point that would indicate that my malware was downloaded via the makes sense in that case to do so.

I don't always scan an image with AV.  Why would I?  For those of us that pretty much live and breathe malware,  we know that scanning with AV is only going to be marginally useful, if at all.  It's going to point out known samples or common variants, and that's about it.  If the malware is custom, or is a new variant the scans will be of no value.  You are FAR better off identifying the running processes and looking for common IOCs and APIs used by the different types of malware depending on functionality.  BUT, if I am asked to find all occurrences of malware on a specific system, regardless of what it is or what it does, sure...I will scan it...because that's what I was asked to do.

I don't always extract the $MFT...because I don't always have to.  Since a timeline is generated from the Standard Information ($SI) attribute anyway, I already have half of the $MFT, don't I?  The only time I would extract and parse the $MFT...which Harlan's is awesome when I suspect chronological (aka timestomping) modification has taken place.  HOW do I know that timestomping has taken place if I don't first parse the $MFT and compare the $SI to the File Name ($FN) attribute?  I have seen it before, and I know what the IOCs are.  I know what signs to look for that would lead me to believe that some kind of modification has taken place.  Things like prefetch files that are identical to creation times save for the year, the milliseconds field being set to all zeros, and files located with other files I know to be components of the malware, with different creation times.
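As an added example, not code from the post or from any tool it mentions, here are the three timestomping signs just described turned into checks that run over $SI and $FN timestamps already parsed out of the $MFT; the dict layout, the field names and the sample values are my own assumptions:

```python
from datetime import datetime, timedelta, timezone

# FILETIME: 100 ns ticks since 1601-01-01 UTC, the format NTFS stores in $SI and $FN.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt, ticks=0):
    """Build a FILETIME from a UTC datetime plus extra 100 ns ticks (for constructed input)."""
    d = dt - FILETIME_EPOCH
    return d.days * 864_000_000_000 + d.seconds * 10_000_000 + d.microseconds * 10 + ticks

def from_filetime(ft):
    """FILETIME back to an aware UTC datetime (microsecond resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def timestomp_indicators(si, fn, prefetch_created=None):
    """si/fn: dicts of FILETIME ints keyed created/modified/accessed/mft_modified
    (assumed layout). Returns the indicators that fired; empty list = nothing seen."""
    hits = []
    # $FN is rewritten only by the kernel on create/move/rename, so a user-mode
    # SetFileTime call that backdates $SI leaves $SI created older than $FN created.
    if si["created"] < fn["created"]:
        hits.append("$SI created precedes $FN created")
    # Second-granularity writes leave the sub-second field (low 7 decimal digits) at 0.
    # Also seen legitimately on files copied from FAT media or archives, so corroborate.
    for name, ft in si.items():
        if ft % 10_000_000 == 0:
            hits.append(f"$SI {name} has zero sub-second precision")
    # A prefetch time equal to the creation time except for the year suggests
    # only the year was changed.
    if prefetch_created is not None:
        a, b = from_filetime(si["created"]), from_filetime(prefetch_created)
        same_except_year = (a.timetuple()[1:6] == b.timetuple()[1:6]
                            and a.microsecond == b.microsecond)
        if a.year != b.year and same_except_year:
            hits.append("$SI created matches prefetch time except for the year")
    return hits

# Constructed sample records, not data from any real case.
_now = datetime(2012, 5, 1, 10, 15, 30, tzinfo=timezone.utc)
_back = datetime(2009, 3, 3, 8, 0, 0, tzinfo=timezone.utc)
CLEAN_SI = {k: to_filetime(_now, 1_234_567) for k in ("created", "modified", "accessed", "mft_modified")}
CLEAN_FN = dict(CLEAN_SI)
STOMPED_SI = {"created": to_filetime(_back), "modified": to_filetime(_back),
              "accessed": to_filetime(_now, 4_500_000), "mft_modified": to_filetime(_now, 4_500_001)}
STOMPED_FN = dict(CLEAN_SI)            # kernel-set $FN still shows the real creation time
PREFETCH = to_filetime(datetime(2012, 3, 3, 8, 0, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(timestomp_indicators(CLEAN_SI, CLEAN_FN))
    print(timestomp_indicators(STOMPED_SI, STOMPED_FN, PREFETCH))
```

Any indicator that fires is a reason to go pull and parse the $MFT, not proof on its own; the sub-second check in particular needs corroboration from the rest of the timeline.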

So OK Chris...what's your point here?  To simply berate us for using and relying on tools to give us information?  We NEED that information to solve the heck else are we supposed to do our jobs?

GREAT point!  So let me answer...USAGE of tools is OK, and like you said, you cannot do your job without them!  Neither can I.  RELIANCE on tools to do the work for you is not OK...and as Cory would say, "it is the suck".

Step back for a moment and breathe in...and breathe out.  Clear your head and just think.  What are you doing?  What question are you trying to answer?  Why?  What information do you need to answer that question?  What does the data tell you?  These questions are the essence of the Sniper Forensics methodology.  I (among others) have been talking about this philosophical shift for four years and yet there is still considerable resistance in the community, which I really don't understand.

The best tool in your toolbox is your brain.  What Harlan has dubbed, "Wetware".  Think through your cases.  Ask a LOT of questions.  Actually take the time to answer your questions.  Let the data guide your theory.  It's really not that complicated when you break it down into smaller, more manageable components.

I will close this post with a short story.  I was recently asked to assist a LE Officer with a case he had been working on for a month.  I started by asking him a lot of questions...what are you trying to do?  What was the crime?  What information are you hoping to identify?  How will that information help your case if we find it?  How will it change your investigation if the data is not there?  What is the timeframe of the incident?  How do you know that was the timeframe?  What supporting evidence do you have that indicates that timeframe is accurate?  After listening carefully to his answers and writing them down in my case notes, I knew exactly what to do. 

I created my investigation plan.  Indicated what I was looking for and why.  I took notes on where I would likely find that data, what it would generally look like, and what I would do if I found it, as well as what I would do if I didn't find it.  In total, about 30 minutes of pre-work...maybe 45 since I was drinking a cup of coffee and typing at the same time.

When I actually put fingers to keyboard I found what the officer was looking for, and helped him solve the case in...wait for it...waaaaaaiiiittt for it....15 minutes.  He had been haphazardly looking for "bad stuff" for a full month...four weeks...30 days.  It took me longer to write my notes and drink my coffee than it did to find the evidence he was looking for.  Why you ask?  Because I took the time to use my Wetware!  I actually THOUGHT about what I was going to do, why, and what I was looking for before I ever put my hands on the keyboard, mounted an image, or touched any piece of data.

OK, so that's ONE case.  You got lucky.  My cases are simply not that simple for me!

Good point...and maybe you are correct.  BUT, I have been using this methodology for four years, in each and every case.  For us in the SpiderLabs, that equates to just under 1000 cases (yes, we keep track).  So my team, in almost 1000 cases, has seen this methodology work each and every time.  Without fail, and without exception.  Small cases with a single piece of evidence (like an SD card) to huge cases with hundreds of systems.  It just plain works.

So, for all you naysayers out there, for the skeptics and the old school "pull-the-pluggers", I say,  "try it".  Try doing it my way.  What do you have to lose?  Certainly not more time!  What do you have to gain?  How about solving your cases in a fraction of the time you currently solve them in?  How about clearing your ever-increasing backlog?  Sounds like a pretty safe trade to me.

Happy Hunting.


  1. Great post Chris! I was with you all the way...until you decide to throw in a self serving anecdote. Great, you are superman when it comes to solving the kinds of cases you always see. When's the last time you did an exam that wasn't a POS compromise? When's the last time you had to sort through thousands of emails or bookmark hundreds of illicit images in a case? Completely agree that more thought needs to go into the investigative plan. The questions you list are great and should be a part of every pre-analysis plan. Just leave out the "look what I can do" stuff.

  2. Good points

    Ben W.

  3. @J - I was not at all meaning to come across like that. My point was simply to illustrate the content of my post with a real world example. So, my apologies if I came across arrogant...SO not me.

    To your question about working non-POS cases, I have worked several this year alone. Actually, it's what prompted my recent blog post on the SpiderLabs Anterior blog, and my writing of v4 of Sniper Forensics. Basically adapting the methodology to larger IR cases and showing how it still works.

    No illicit images this year, but I had a big CP case a couple years ago that I helped out on.

    I appreciate you taking the time to read, and I am glad you liked this latest post. I will be sure to re-read any further posts in which I use personal examples to see if they could be taken as a "look at me" type scenario. Again, totally not me.


    1. Thanks for responding. Perhaps I came across a bit harsh. I simply meant that it would have been less "about me" had you told the story of how you talked with the officer, helped him understand your methods, how he applied your methods and how he found the evidence he had been looking for. It is much different than the tone that comes with "he had been looking for this evidence for a month and I found it before I finished my coffee"(yes I know tone can be difficult in a static medium like a blog). I mentioned the other types of cases simply to point out that not every case can be solved in minutes. Some cases take longer than others. Some cases may require a month's worth of work to complete. That is a fact. I wholeheartedly endorse your methods and try to use them regularly. I wish all examiners would apply them. I apologize if I was overly blunt.

  4. Chris.... as a former LEO and now private sector IR\Forensics guy I appreciate the thoughts and information you share with the "Sniper Forensics" concept. I guess what concerns me is the number of people in private and public sectors that are missing education\training in these elements of digital forensics\investigation methodology. That seems to be something missing from many training and education programs.

    I enjoyed the anecdote........... I try to think about how to train my team\colleagues in scoping out a new case and assessing the situation. Thanks for sharing

  5. J,

    Constructive criticism, that you sign your name to, is always of value within the community. I know and have worked with Chris, and when I read his example, I found it anything but self-serving. In fact, what I've found in the community is that talking about something in general terms isn't nearly as valuable as showing examples of how it can be used.

    I think Chris's example, and others that he's provided, are on point. If you have a case that involves you filtering through thousands of emails, you go after the emails themselves, right? You might parse a PST file, but you don't have to do a lot of extraneous work, because "that's what we always do", and more importantly, you don't have to sit there looking at the monitor wondering how to get started.

    Bookmarking hundreds of illicit images in a case is likely necessary, depending upon the case. In the work I've done to assist LE, determining the files that a user account was used to access, and determining the possibility of someone logging in remotely to view those files has taken 4 - 8 hrs, tops, using only a couple of files.

    Calling these examples "self serving" mischaracterizes both the post and the author.

    1. Chris, sorry for taking the space on your blog to make this comment.

      Harlan, anonymous posting is a choice I make because it doesn't matter who I am. Kinda the point of my initial comment. I too have met Chris in person, though through no fault of his, I'm sure he wouldn't remember me. He does strike me as less than self serving which was why it was jarring to me that he would include the story the way he did.

      True, in cases that relate to emails you would go straight to the emails; that doesn't diminish the volume of emails. Also true that bookmarking images can take a significant amount of time; much more than the 45 minutes described in the post and on occasion much longer than the 4-8 hours you state. Perhaps, keep in mind that the typical LE examiner has many duties that do not allow a consistent amount of time to be spent on conducting an exam. A month's worth of work may in actuality be only 5-10 hours of keyboard time.

      Guys like you and Chris provide a great deal of information to the digital forensic community. It is greatly appreciated. It is my hope that more in the community will be willing to post both compliments and criticisms. It is only through both that the community can truly grow and improve.

  6. Completely agree. People in my office want to have a checklist for everything. But it doesn't work. There are situations that actually require critical thinking skills, those that have those skills have a clear, noticeable advantage.

  7. Typo: We[b] browser history has nothing to do with my case.
