The 2019 SANS DFIR Summit is over, but not forgotten. At least not for me – a first year attendee. I had a blast during the two day conference, and I hope to attend next year. Here are a few things that come to mind when thinking back on my two-day trip to Austin:
1. I had a front row seat to see and hear, what I’ve only experienced watching YouTube-replays of summit talks. I heard the passion each presenter had for the content they delivered.
2. I was exposed to different subjects outside of my comfort zone. One example was a talk on finding evil in Windows 10 compressed memory. It was new for me and I was in awe of the work put into this talk!
3. I spoke with different people in the community, each with a passion for what they do.
4. I absorbed the energy the summit brings to life in the DFIR community, and will use it to create momentum for myself and those I work with.
Expanding on points 4 and 5…
Point 4 – Meeting new people
It’s always good to shake hands with someone new, or with someone you’ve only connected with through social media. The former lets you learn about someone new and, possibly, something new. There are so many people working in the DFIR space that getting to know someone and what they do can open your eyes to new and exciting things. Perhaps you’ll find a new interest (a topic within DFIR) during your meet and greet, and more importantly, you have the opportunity to make a new friend (someone in the private sector if you’re in government, or vice versa).
If you’ve only communicated with someone over social media, then meeting face to face is a great thing to strive for. Social media posts are great for spreading thoughts far and wide, but personally, there’s nothing like meeting someone in person, and just chatting. It doesn’t have to be about DFIR – you can chat about your love for, let’s say… bourbon!
Point 5 – Inspiration and motivation through osmosis
I left the summit inspired and motivated to learn, dig-deep (research things known and unknown), and overall, get better at what I do. My goal is to bring inspiration and motivation to my teammates, so we can continue helping others, asking questions, finding answers, and reaching project goals. How did these feelings of sharing and caring take shape? Seeing others speak passionately about areas of DFIR. It brings out the best in the person absorbing the information.
It’s exciting to hear about the way someone went about researching a problem, and the excitement of finding new information. It’s exciting to hear about a new way of using existing information in a particular case-scenario, as well. For example, Heather Mahalik and Sarah Edwards presented on information that can be used to assist in distracted driver investigations. In addition, Alexis Brignoni and Christopher Vance presented on information left behind by mobile applications after they are deleted. I found the information to be very relevant to my casework. So, the presentations are definitely a source for motivation and inspiration when I return to work, and review analysis I’ve done to date.
By attending the summit, you’ll get a chance to hear the passion in everyone’s voice. People are very excited to share what they see and do in the community, and how they feel about helping others facing the same data sets or problems. My suggestion is – absorb that passion in the air, find your own passion, and dig in to something new. Or, take something old (I use this term loosely), try to look at the same problem from a different perspective, and try to find a solution. Ask questions, ask for feedback, and don’t be scared to… (insert your own end results such as – arriving back at square one, arriving at a different conclusion, a feeling like everything is falling apart).
We need a break from repetitiveness, protocol, standard operating procedures and policies. We need a break from responding to emergencies. We need a break in order to refill our tank with some unicorn magic juice, so we can continue to work effectively and professionally with our teams. Much like the skills you can take back to work after a SANS class, I am walking away from the summit with momentum and inspiration. I will take both back to my lab and support a focused work environment. Most importantly, I’m going to help my teammates enjoy what they do.
Last week, I had an excellent time attending SANS FOR585 – Advanced Smartphone Forensics. The course content and instruction were awesome! Also, I made a few friends along the way. This is all to say that, if you have an opportunity to take this course, I highly recommend it. Not only will you benefit from the course content and delivery, but you will also have an opportunity to network with classmates. Networking facilitates the exchange of ideas, including those relating to techniques, tools, and cautionary tales. Tidbits of information from colleagues can prove useful down the line, during an examination.
Personally, here are a few things I’m excited about, and ready to move on, when I return to my lab:
- Database inspection using external tools (e.g. SQL Expert is my personal favorite)
- Using familiar tools with my new SIFT VM
  - Purpose: Chrome history parsing
  - Purpose: Creating timelines from physical images
  - Tool: Timeline Explorer. Purpose: Visualizing Plaso generated CSV files
  - Purpose: Easily calculating hash values (drag and drop)
- Organizing casework and workflows
One of the core concepts taught in FOR585 is simply: dig deeper. I guess you can dig all the way down to hex level, and this definitely has its place in mobile forensics. However, I’ll start by emphasizing SQL database inspection via a database viewer. The virtual machine I received with course enrollment has DB Browser for SQLite preinstalled. In class, students used this tool to load databases extracted from mobile devices, and to query database tables using SQL statements. Prior to class, I constantly Googled for statement examples to fit my needs in the lab (and I’ll continue to do so). However, after the course, I feel a bit more comfortable writing statements (still using Google as an aide).
For statement examples, I usually start at this site for help, and more recently (today), I found this site. If neither site floats your boat, Googling something like “SQL statement examples” will yield a list of other sites. If you want a hard copy resource, there’s Paul Sanderson’s SQLite Forensics. I purchased this book at the beginning of the summer, and have yet to really dig in. It’s on the to-do list, though.
Digging into databases should provide you with a sense of control, more so than only using a forensic tool to parse database contents. You can view raw data, and research any of the fields in the database that give rise to concern. And, if there is no concern, and you want to validate the output from your tool, database inspection can provide that type of validation. Ideally, it would be nice if our tools did everything correctly, all the time. Such is not the case. So, the sooner you become comfortable with a technique such as database inspection, the more in control you’ll feel with your findings. If you’re comfortable working with (or even viewing) Excel spreadsheets, you may find it less painful than you think to inspect databases in the raw.
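To show what querying a mobile database in the raw looks like, here is an added example (not code from the course or from DB Browser for SQLite) that builds a small, constructed stand-in for an iOS-style messaging database in memory and runs the kind of JOIN plus timestamp conversion you would type into a database viewer to validate a forensic tool’s parsed output. The table layout and the Cocoa epoch (seconds since 2001-01-01 UTC) are assumptions for illustration; check the real schema and epoch of any database you examine.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample only: a tiny stand-in for a mobile messaging database.
# Many iOS databases store dates as seconds since 2001-01-01 UTC (the "Cocoa"
# epoch), which is what this example assumes; other apps use other epochs.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def build_sample_db():
    """Create an in-memory database with a handle (contact) and message table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                              text TEXT, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15555550100'), (2, '+15555550199');
        INSERT INTO message VALUES
            (1, 1, 'running late', 582000000, 0),
            (2, 1, 'no problem',   582000120, 1),
            (3, 2, 'call me',      581990000, 0);
    """)
    return conn

def cocoa_to_utc(seconds):
    """Convert a Cocoa-epoch value to a human-readable UTC timestamp string."""
    return (COCOA_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")

def messages_for_handle(conn, handle):
    """Return (utc_time, direction, text) for one contact, oldest first, so the
    raw query result can be compared line by line with a tool's parsed report."""
    sql = """
        SELECT m.date, m.is_from_me, m.text
        FROM message AS m
        JOIN handle AS h ON h.ROWID = m.handle_id
        WHERE h.id = ?
        ORDER BY m.date ASC
    """
    rows = conn.execute(sql, (handle,)).fetchall()
    return [(cocoa_to_utc(d), "sent" if me else "received", t) for d, me, t in rows]

if __name__ == "__main__":
    db = build_sample_db()
    for row in messages_for_handle(db, "+15555550100"):
        print(row)
```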
I think Hindsight’s output does a great job of displaying Chrome related data. It overlays different data sources found within Chrome (e.g. autofill, cache, page visits), and can present the output in an Excel spreadsheet (even in color-coded fashion). There is a way to create a database output, but I have no experience using this feature.
I’ve used Hindsight on previous occasions, and was happy with the results each time. Given my familiarity with the tool, I installed it into my VM to complete a few FOR585 labs. In particular, I used it to parse Chrome data from an iOS extraction, and it did a great job! If you’re a visual person, or just want a very organized data representation, take a look at this tool. You won’t regret it.
Visualizing with a timeline
With respect to Plaso, I’ve had some great results using this tool in the past. In particular, it helped me visualize data from an Android device (physical image). The output supplemented what I obtained from my forensic tools. I believe it’s always good to have another set of eyes (so to speak).
In general, timelines can help you hone in on key items, and I use Plaso for this specific purpose. More to the point, I find it helpful when trying to tie pieces of a case together (perhaps those occurring over a period of time). For example, let’s say you’re trying to investigate the way in which photos (stored on a cloud service linked to the phone), mutated into a “hidden” state (locally on the phone). Timeline creation can assist with the isolation of individual events (e.g. photo access, cloud service access, “hidden” state creation), and piece them together.
Some of the other tools I installed in my VM were Eric Zimmerman’s Timeline Explorer and Hasher applications. Timeline Explorer can ingest a Plaso generated CSV file, and display data in spreadsheet-form. Thereafter, the tool can be used to drill-down on the data, for detailed analysis. I have not used the tool to ingest other CSV files, but Eric’s tool intro indicates this is possible. On that note, brain-dump:
To-Do: Dump a Cellebrite-generated CSV into Timeline explorer (maybe from the Timeline or Call log category), and see what I get. If positive results, then repeat with CSV file containing two or more data sets (different phones).
Forensic tool timeline – alternative method
Visualizing different data sets using a single forensic tool may be difficult. This can be a function of a few things – the tool’s capabilities (e.g. the user interface is not intuitive), or the absence of built-in analytical tools like link analysis (e.g. the vendor charges extra for this feature). In the past, I’ve exported different data sets to CSV format, and imported them into i2 Analyst Notebook (AN). This is an incredible tool, and I only use a few of its features for link analysis purposes. If you don’t have access to this tool, check with your local resources, such as an intelligence/fusion center, or some other entity that performs analytics.
If i2 AN is not an option, you can export your data to CSV format (assuming your tool allows this), import each data set to Excel, and color code the data. Repeat this step for each data set. Make sure columns are formatted appropriately, and extra characters have been stripped from your data fields (e.g. apostrophes sometimes make it into timestamp fields). Once these steps are complete, it is necessary to merge all data into a single spreadsheet. After doing so, sorting your data based on the timestamp column brings your device activity into chronological order. Moreover, given you’ve color coded the different data sets, you may be able to uncover key events.
I have found this technique helpful while searching for intersections among text messages between two subjects who share a common third party. There are other applications for this process, I’m sure. Excel does a great job of opening the CSVs. As stated above, there are a few things you need to consider while opening your CSV files, such as the need to clean up certain timestamps (e.g. removing timezone adjustments like ‘UTC-4’). Lastly, there is always the need to color-code each data set, to allow one’s eyes to make an easy distinction between device data. I think this is one of the most significant enhancements you can make to your data (to make it more pleasing to a stakeholder – technical or otherwise).
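The clean-up, merge and sort steps described above, as an added example (not the author’s own spreadsheet workflow) that does the same thing in Python before the data ever reaches Excel: it strips the stray apostrophe and the “(UTC-4)” suffix from exported timestamps, converts every row to UTC so two phones’ exports sort against each other, tags each row with its source device and data set (the stand-in for color coding), and merges them in chronological order. The two CSV exports are constructed samples, not real case data, and their column names are assumptions.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample exports (not real case data): one data set from each phone.
# Timestamps carry the debris the text describes: a leading apostrophe and a
# "(UTC-4)" adjustment suffix that stops Excel from sorting the column as dates.
PHONE_A_SMS = """Timestamp,Party,Message
'2019-07-10 14:32:01(UTC-4),+15555550100,where are you
'2019-07-10 14:35:47(UTC-4),+15555550100,ok on my way
"""
PHONE_B_CALLS = """Timestamp,Party,Direction
2019-07-10 18:33:10(UTC+0),+15555550199,Outgoing
2019-07-10 18:20:05(UTC+0),+15555550199,Incoming
"""

# Optional apostrophe, local date-time, then a whole-hour UTC offset in parentheses.
TS_RE = re.compile(r"^'?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\(UTC([+-]\d{1,2})\)$")

def normalize_timestamp(raw):
    """Strip the apostrophe and '(UTC-4)' suffix and return the instant in UTC as
    'YYYY-MM-DD HH:MM:SS', so rows from different exports sort together."""
    m = TS_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {raw!r}")
    local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return (local - timedelta(hours=int(m.group(2)))).strftime("%Y-%m-%d %H:%M:%S")

def load_export(csv_text, source, label):
    """Parse one export and tag every row with its device and data-set label
    (the equivalent of colour coding a sheet), normalising the timestamp column."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append({"utc": normalize_timestamp(rec["Timestamp"]),
                     "source": source, "dataset": label, "party": rec["Party"],
                     "detail": rec.get("Message") or rec.get("Direction")})
    return rows

def merge_timeline(*exports):
    """Merge the parsed exports into one timeline in chronological order."""
    return sorted((row for export in exports for row in export), key=lambda r: r["utc"])

if __name__ == "__main__":
    timeline = merge_timeline(load_export(PHONE_A_SMS, "Phone A", "SMS"),
                              load_export(PHONE_B_CALLS, "Phone B", "Calls"))
    for row in timeline:
        print(row["utc"], row["source"], row["dataset"], row["party"], row["detail"])
```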
Swinging back around – Cases and Workflows
So, back to my bullet points listed above. Just hours after finishing class on the last day, I started to map out some ideas related to mobile forensics. I’m big on visual representations of thoughts and processes, so I used XMind to create my visuals. I want to share it with anyone working cases, or anyone who simply needs a kick start for their own purposes. The map isn’t complete, and your mileage may vary due to a few things, such as legal constraints, organizational policies, and tool availability. Disclaimer – the mind map is not ground breaking information. It is simply a collection of items which can be used to refocus a busy mind.
One point I will emphasize is the importance of data verification. This can be done by way of a backup plan. The plan may involve some of the individual tools in the FOR585 class (e.g. DB Viewer), or a secondary forensic tool in your own lab – it’s really up to you. I would say it’s even beneficial to reach out to co-workers, and colleagues in other organizations, to determine whether they came up with results similar to those you are trying to verify. Additionally, reviewing previous work done by others in the digital forensics community, is equally as helpful. Here are some of the resources I consult, when I want to start looking for guidance on particular subjects (be it an Android or iOS-related question):
Whatever the backup plan, data verification is key. Dig deep, verify, and use a second set of eyes, to guide your findings.
I want to note the importance of revisiting Internet resources you may have saved. In my particular case, I need to revisit a YouTube video created by Kevin Delong on the topic of using Hashcat against iTunes encryption passwords. Here is his excellent guide. Coincidentally, Kevin referenced this guide in a semi-recent tweet, and it popped up in my feed. He may have been listening to my thoughts – I wonder if his ears were ringing. Maybe? No, probably not. That aside, I’ve revisited saved resources on numerous occasions, and always learn something new. Here are some of my resources:
Lastly, I’ll touch on scoping casework. Asking questions is an inherent part of analyzing data. Formulating good questions at the front-end of an investigation, will save time on the back-end. Personally, formulating questions leads me to visualize my casework as a set of goals, and their sub-tasks. Please look at the mind map above, and you’ll see this part of my thinking toward the left-hand side. It’s subsequently integrated in the analysis process (right-hand side of diagram).
My next post is going to focus on the ideas of organizing casework, some of the tools I use to accomplish this ginormous task, and inspirations outside of digital forensics. If you have any questions or comments on the ideas I’ve shared above, please leave them in the comments section, or reach out to me directly. Thanks for stopping by!
Good company in a journey makes the way seem shorter. — Izaak Walton
My blogging journey begins thanks to Phill Moore of thisweekin4n6.com. I don’t know how he does it, but he maintains an incredible wealth of knowledge, on a weekly basis. This includes a post on starting a blog, which is why I say – thanks Phill. After a strenuous five minutes involving things like choosing a domain name, and clicking a few option buttons, this blog has taken its first baby steps.
A bit and byte about myself (did you see what I did there) – I live and work in the northeast U.S. I work a caseload involving mobile and computer forensic examinations. The work includes data analysis, as well. What about the road leading up to my current job?
I strongly believe that my path to digital forensics began in my younger years, while downloading viruses to my Compaq Presario. Hard drive reformatting became one of my hobbies, and I only needed tech support on two occasions to walk me through the process. In my semi-older years, I took this love for drive formatting and supplemented it with a few courses in cybersecurity. Thereafter, I just fell in love with everything having to do with digital forensics. As a result, I wish to pass along some information that I’ve found useful during my journey. All you need is a spark!
Here are a few of the activities I like to classify as “research and development” to continue learning about the field: